Re: [Asrg] "worm spam" and SPF
2004-11-27 10:38:40
Vipul Ved Prakash wrote:
> The worm attack on authentication schemes is a particularly bad one. I have recently joined the list, so I apologize if this has been discussed previously. But consider the following scenario: A new worm comes out that uses infected machines' designated servers to send out mail. Say these mail servers have an SPF or DK record and further they enjoy good reputations on the various reputation services (since they mostly send out good mail). The recipient machines do an SPF/DK check, it passes, they look up the reputation, which checks out too, and deliver the mail, bypassing all content-based filtration sub-systems. The recipient systems get infected. The smarter users start reporting the worm to reputation services, who in turn punish the senders. After a while the senders' reputation drops so much that they are unable to send out legit mail.
> This is a bit of an extreme scenario, but a plausible one. Once it happens, spammers will adopt it and change the payload (worm + spam).
Actually, it usually goes that way today.
Spammers use many methods to send out their annoying viagra email
messages. They mostly rely on methods that allow them to send the spam
out of somebody else's machine.
Drone armies are just the next logical step, and it happened a few years
ago.
Last year, AV companies pretty much publicly ignored the existence of
drone armies. A couple of us kept yelling "wolf" and indeed - this year,
they are all finally jumping on the PR wagon. This time not with a new
worm they can hype the death out of, but with an actual threat.
They are still rather careful with their estimates. I just read on CSI
that SYMC saw 20,000 drones at one time, together.
Fact of the matter is that we have seen 10K, 20K and 100K drone
armies (multiple) many times, and the fact that we are just now becoming
publicly aware of it is silly.
Spammers first became interested in this method of sending out s**t at
around 1997. Cheap, expendable and in huge amounts - it was just calling
to them.
I remember one particular spammer who went on IRC to "help" users get
"cured" in one of the many help channels over there (Trojan horses made
their huge comeback on IRC at around 1996-7, not that they ever really
disappeared). After learning the subject and investing in it, he
disappeared. If I remember right, he owned nekkidchicks.something.
Whether they buy the collection from a kid (and believe me, the kids
trade these like candy, as a friend of mine likes to comment), or
collect them on their own - they have them.
Trojan horse and worm development jumped a few notches up in direct link
with spammers getting interested (there is the issue of organized crime,
but it's off-topic, kinda).
Nowadays most of these machines are on Cable/DSL lines, and most of them
are infected with several "viruses" - making them members of several armies.
Spammers now spam for two reasons:
1. Get their word out.
2. Find new users to infect who would get the word out.
An example on Yahoo!:
Yahoo! is one of the most uncaring providers there are when it comes to
abuse. On Yahoo!, you can find huge amounts of infected machines that
send you a URL of their own IP, which re-directs you to another URL with
a Trojan horse, which in turn infects you and you go on Yahoo! doing the
same.
Spammers never get tired of collecting, and building a 10K drone army on
Yahoo! would take just a few days.
But we are discussing email, right?
Thing is, even if every client/end user in the world would be able to
send, say, 1000 legit messages before the ISP blocks it, 1000 * 50000
* 365 * S (where 50000 is the number of drones and S is the number of spammers)
is still a huge amount of spam per day.
Gadi.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
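The scenario Vipul quotes above, which Gadi says is already the norm, rests on one property of SPF (and equally of a DK signature applied by the outbound server): it authenticates the path a message took, not the message. The following Python script is an added example and is not code from the original thread or from either author. It evaluates SPF over a constructed in-memory DNS table (the domain example.org, the smarthost mail.example.org, the include domain _spf.hosted.example, the drone address 100.64.0.7 and the reputation table are all hypothetical) and then runs the "authenticated plus reputable, so skip the content filter" receiving flow against a message that carries a constructed worm marker.

```python
"""Why a worm relayed through the victim's own outbound server passes SPF.

Added example for the ASRG thread, not code from the original post.
DNS data, domains, addresses and the reputation table below are all
constructed for illustration; nothing is resolved over the network.
"""
import ipaddress

# Constructed zone data. example.org sends through its MX host, a dedicated
# /24, and a hosted provider pulled in via include:.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.hosted.example -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.25"], "TXT": ["v=spf1 a -all"]},
    "_spf.hosted.example": {"TXT": ["v=spf1 ip4:192.0.2.0/25 -all"]},
}

# Constructed reputation feed: example.org mostly sends good mail.
REPUTATION = {"example.org": "good"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve against the in-memory table only (no real DNS)."""
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """SPF check_host(): result for connecting address `ip` using MAIL FROM `domain`.

    Supports the ip4, a, mx, include and all mechanisms with +/-/~/? qualifiers.
    Note what it never looks at: the message itself.
    """
    if depth > 10:  # include: recursion guard
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(
                ipaddress.ip_address(a) == addr
                for mx in lookup(arg or domain, "MX")
                for a in lookup(mx, "A")
            )
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all"


def marker_filter(body):
    """Stand-in content filter: rejects anything carrying the constructed WORM marker."""
    return "reject" if "WORM" in body else "deliver"


def naive_pipeline(ip, domain, body, content_filter=marker_filter):
    """The receiving flow from the quoted scenario: an SPF pass plus a good
    reputation is treated as proof of legitimacy and the content filter is skipped."""
    if check_host(ip, domain) == "pass" and REPUTATION.get(domain) == "good":
        return "deliver"  # body is never inspected
    return content_filter(body)


if __name__ == "__main__":
    worm = "Subject: photos\n\nWORM payload"
    # Drone on a cable line sending direct-to-MX as example.org: SPF fails, the filter catches it.
    print("direct from drone 100.64.0.7:", check_host("100.64.0.7", "example.org"),
          naive_pipeline("100.64.0.7", "example.org", worm))
    # The same worm relayed through the victim's configured smarthost: SPF passes, worm delivered.
    print("relayed via mail.example.org:", check_host("198.51.100.25", "example.org"),
          naive_pipeline("198.51.100.25", "example.org", worm))
```

The two calls at the bottom are the whole argument: the drone that connects directly is stopped, but the same payload handed to the victim's designated server arrives with a pass and a good reputation, and naive_pipeline never reaches the content filter. Authentication results should gate reputation and rate decisions, not replace content scanning.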