nanog mailing list archives

Re: Spammers Skirt IP Authentication Attempts [operational content at end]


From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 9 Sep 2004 09:32:40 -0400


[ Two replies in one.  Last point has operational content. ]

On Wed, Sep 08, 2004 at 01:52:59PM +0100, Michael.Dillon () radianz com wrote:
I see that 56trf5.com is a real domain. Does this mean that
the domain name registries and DNS are now being polluted
with piles of garbage entries in the same way that Google
searches have been polluted with tons of pages full of
nothing but search keywords and ads?

Absolutely.   As one example out of thousands, there are at
least 350 domain names of the form:

        aaefelb.info
        abbbafd.info
        acdfiaj.info
        aclbkcdc.info
        adkehgi.info
        aeamdgi.info

that have been burned through by one currently-active group of spammers.
Another group has about 16,700 domains (and counting) that I'm aware of.

Note also the relationship between this proliferation, the zombies,
and rapidly-updating DNS -- see below.

On Wed, Sep 08, 2004 at 01:26:27PM -0500, Robert Bonomi wrote:
I _do_ think that it is _a_step_ 'in the right direction'. I'd *love* to
see SPF-type data returned on rDNS queries -- that would practically put 
the zombie spam-sending machines out of business.

Not even close, I'm afraid.  Yes, it would deal, to some extent, with
direct-to-MX spam from them (*if* all the domains they were forging
cooperated), but:

1. Nothing stops those zombies from sending out spam via the mail
servers on the networks on which they're located.  (And in the process,
forging either the address of the former owner of the zombie or another
user on the same network.)

Before you say "but the network operators would detect and fix that"
let me point out that zombie-generated spam has been epidemic for
going on two years and many -- MANY -- ISPs have yet to perform basic
network triage that could mitigate much of this very quickly.  It's
reaching, I think, to expect that those same ISPs, who by now have grown
quite comfortable sitting on their hands, would do anything about this.

(I recently speculated on Spam-L that I was willing to bet that at
least one such ISP would respond by plugging in more mail servers
in order to alleviate the resulting congestion.  Bruce Gingery promptly
pointed out that this is a sucker bet: it's already happened.)

2A. Nothing stops those zombies from embedding spam payloads in
ordinary messages sent by their [putative] users.  Mail grandma?
Spam grandma.

2B. Nothing stops those zombies from accepting spam payloads on port
XXXX and writing it directly to disk in the place and format expected
by the end user's mail client.  No SMTP.  No DNS.  And with optional
forged headers "proving" SPF/DomainKeys/etc. validity, just in case
tools for checking those are in use.

3. Spammers have been using rapidly-updating DNS for quite some time
in order to spread out their zombie-hosted web sites.  With today's
change they can now extend that up a level: nothing is stopping them
from, say, registering 1000 domains, using 100,000 zombies to host
copies of the content, and using rapidly-updating DNS to distribute
the traffic (as well as making shutting it all down tedious).

And as if that won't be enough fun (and here's the operational bit):

4. This is the point that I think a lot of us tend to overlook: arguably,
SMTP spam from those zombies is the *least* of our problems.  Those
systems are under the control of an unknown number of unknown persons, and
can be put to many more uses -- and already have.  They've already been
observed hosting spamvertised web sites [1], probing for open proxies,
and participating in DDoS attacks.   They represent an enormous computing
resource that's effectively in the hands of The Bad Guys.  (To put this
in perspective, compare the estimated size of the zombie farm to the
much-vaunted Google cluster in terms of CPU count, aggregate bandwidth,
and network diversity.)

And as I said previously, none of the three entities who could do anything
about it (the zombies' former owners, consumer broadband ISPs, Microsoft)
are willing to step up, admit there's a problem, and do whatever it takes
to fix it.  There is thus no reason at all to expect the problem to decrease;
on the contrary, there is every reason (given the miserable track records
of all concerned) to expect it to increase.


---Rsk

[1] Including some with content of interest to the FTC, DEA, FBI, RIAA,
MPAA, BSA, SPA and other people who have lawyers, guns and/or money.
Makes sense from spammy's point of view: it's free, it's fault-tolerant
and scalable (thanks to rapidly-updating DNS), and maybe someone else
will get clobbered for it.
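Point 3 above describes spammers spreading one domain across many zombie hosts with rapidly-updating DNS. The following is an added example, not part of the original post, of the kind of heuristic a defender can run over passive-DNS observations to spot that pattern: a name that resolves to many IPs in many networks with very short TTLs. The observations, ASN numbers and thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample observations: (domain, ip, ttl_seconds, asn).
# The fluxed name rotates through unrelated IPs with tiny TTLs;
# the benign name sits on one IP with a day-long TTL.
OBSERVATIONS = [
    ("aaefelb.info", "203.0.113.10", 60, 64501),
    ("aaefelb.info", "198.51.100.7", 60, 64502),
    ("aaefelb.info", "192.0.2.44", 30, 64503),
    ("aaefelb.info", "203.0.113.77", 60, 64504),
    ("aaefelb.info", "198.51.100.200", 60, 64505),
    ("example.net", "192.0.2.1", 86400, 64500),
    ("example.net", "192.0.2.1", 86400, 64500),
]


def summarize(observations):
    """Per domain: distinct IPs, distinct ASNs and the lowest TTL seen."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    min_ttl = {}
    for domain, ip, ttl, asn in observations:
        ips[domain].add(ip)
        asns[domain].add(asn)
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {d: {"ips": len(ips[d]), "asns": len(asns[d]), "min_ttl": min_ttl[d]}
            for d in ips}


def is_fast_flux(stats, min_ips=5, min_asns=3, max_ttl=300):
    """Assumed thresholds: many IPs, across several networks, short TTLs."""
    return (stats["ips"] >= min_ips
            and stats["asns"] >= min_asns
            and stats["min_ttl"] <= max_ttl)


def flagged_domains(observations):
    """Sorted list of domains that trip the heuristic."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, stats in summarize(OBSERVATIONS).items():
        print(domain, stats, "FLUX" if is_fast_flux(stats) else "ok")
```

Real passive-DNS feeds need the thresholds tuned against legitimate CDNs, which also spread a name over many IPs but usually within a few well-known ASNs.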
