"Rumplestiltskin worm" on the loose?

[David Farber <dave () farber net>]

Begin forwarded message:

From: Brett Glass <brett () lariat org>
Date: May 7, 2005 12:15:03 AM EDT
To: Farber Dave <dave () farber net>, Ip ip <ip () v2 listbox com>
Subject: "Rumplestiltskin worm" on the loose?


Dave:

This week, I have begun to see evidence -- in the form of "bounced" e- 
mails and error
messages in our servers' log files -- that "zombie" machines which  
are infected by
malware (either worms or spyware) are launching aggressive  
"Rumplestiltskin attacks"
against mail servers throughout the Internet.

What is a "Rumplestiltskin attack?" As described in a paper I wrote  
several years ago
(where I coined the term for lack of a better existing one), it is an  
e-mail address
harvesting attack in which a machine attempts to send e-mail messages  
to randomly
guessed addresses at a domain. It might try common first names -- for  
example,
"john () domain com", "joe () domain com," and "mike () domain com" -- and  
then proceed to
common last names and combinations of names and initials. (In some  
cases, we've
seen some very unusual guesses that appear to have been extracted  
from lists of
AOL screen names.)

If mail for a guessed address is accepted, the "zombie" machine  
records the address
and sends it back to its "master" -- a controlling machine which adds  
it to a
database of addresses which will become targest for spam.

Because the address guessing process is expensive (both in terms of  
computing time and
in terms of bandwidth), the best way to achieve results is via a  
rogue form of
distributed computing, in which large numbers of "zombies" (machines  
co-opted via
malware) are pressed to the task.

On our servers, these attacks and other traffic from spammers are now  
consuming
approximately ten times more resources than all of our legitimate  
mail combined.

Because the "zombies" are generally not mail servers, the most  
effective way to
mitigate these attacks -- though it might offend the sensibilities of  
the
"Orthodox End-to-Endians" -- is for ISPs and enterprised to block  
outgoing port 25
traffic from client computers that are not designated as, or intended  
to be, mail
servers. These computers should send outgoing mail only through a  
designated mail
server, which in turn monitors them for excessive outgoing traffic.

ISPs' firewalls should monitor and log attempts to send such traffic,  
so that
infected machines can be spotted and cleansed of their infections.

As I've mentioned above, there will be some people who are  
philosophically opposed
to the notion of restricting Internet traffic so as to limit abuse.  
Alas, such
idealism is inappropriate for the real world, where spam is now  
consuming so many
resources that it threatens not only to choke off not only legitimate  
e-mail but
to consume the lion's share of ISPs' bandwidth.

--Brett Glass



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/