[Infowarrior] - More on - Spam is back, and worse than ever
Richard Forno
rforno at infowarrior.org
Mon Jan 22 09:31:38 EST 2007
(c/o RSK)
------ Forwarded Message
On Sun, Jan 21, 2007 at 11:44:56AM -0500, Richard Forno wrote:
> Spam is back, and worse than ever
What this doesn't appear to mention (just read it after a run and
so oxygen deprivation may be in play) is this:
"The spam problem" today pretty much equates to "the Microsoft
Windows insecurity problem".
If you use passive OS fingerprinting on your incoming port 25 connections
(a la the "pf" firewall in OpenBSD), then you'll find that the incoming
spam stream pretty much divides into two classes:
1. Spam from dedicated spammer server farms. The originating
OS's vary widely. It's pretty easy to block almost all of this
just by using a sensible combination of DNSBLs, because the
number of source IPs is relatively small, they don't change
that quickly, and they tend to be clustered.
2. Spam from millions upon millions upon millions of zombie'd
systems located all over the planet, including huge numbers of
systems on dialup, DSL, cable, FIOS, etc. connections. The
originating OS is almost always Windows. (Out of the last
million hosts I looked at, I can count the possibly-non-Windows
systems without running out of fingers.) It's considerably harder
to block much of this because of the scalability issues involved,
because hosts move around (DHCP, laptops, etc.), and because they
can turn up anywhere.
The amount of spam showing up from (2) swamps that showing up from (1),
and with good reason: it works better (for spammers). And note that
while today those systems primarily send spam directly to target
systems, there's little, if anything, stopping them from sending spam
through any mail server for which the zombies' former owners possess
mail credentials.
[ Consider as well that some of those former owners have a
number of email accounts on a number of different servers.
Maybe one for home, one for work, one at Hotmail, one at Yahoo,
whatever. Those all belong to spammers now. Which means, among
other things, that spammers can "harvest" any email address found
in any traffic sent to them, and send forged email as any of them. ]
Estimates of the number of zombies vary. Markoff's NYTimes article a
couple of weeks ago cites an estimate of about 70M. I think that's way too
small; I think we passed 100M a couple of years ago and that something
around 300M is probably in the ballpark. But regardless of who's right
about that, (a) it's a big number, on the order of 10e9, and (b) it's
getting bigger every day. I see no reason at all to think that the
trend will reverse or even slow down; in fact, I expect it to accelerate
with the deployment of Vista.
By the way, this situation also renders all supposed email "anti-forgery"
systems moot.
So we're kinda screwed.
---Rsk
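The two-class split Rsk describes (DNSBL-listed farm addresses versus passively fingerprinted Windows hosts on dynamic ranges) worked through as an added example, not code from the message or from pf. The DNSBL zone name, its contents, the dynamic-range list and the fingerprint labels are all constructed here; a real deployment would take the labels from pf's `os` fingerprinting and resolve the query names against a live DNSBL.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a DNSBL zone: query name -> A record, as a real list would
# answer. The zone name is hypothetical; the two listed addresses play the "farm".
DNSBL_ZONE = "bl.example.invalid"
CONSTRUCTED_DNSBL = {
    "10.113.0.203.bl.example.invalid": "127.0.0.2",  # 203.0.113.10
    "11.113.0.203.bl.example.invalid": "127.0.0.2",  # 203.0.113.11
}

# Constructed dynamic-address pools (the dialup/DSL/cable ranges of class 2).
DYNAMIC_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name a DNSBL lookup resolves: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolver=CONSTRUCTED_DNSBL.get) -> bool:
    """True if the list answers for this address (any A record means 'listed')."""
    return resolver(dnsbl_query_name(ip)) is not None


@dataclass
class SmtpConn:
    src: str       # source address of the inbound port-25 connection
    os_guess: str  # passive OS fingerprint label, as pf/p0f would report it


def classify(conn: SmtpConn) -> str:
    """Class 1 ('farm') is caught by IP reputation; class 2 ('zombie') needs the
    fingerprint plus the range, because the individual IPs churn (DHCP, laptops)."""
    if dnsbl_listed(conn.src):
        return "farm"
    addr = ipaddress.IPv4Address(conn.src)
    if conn.os_guess.startswith("Windows") and any(addr in net for net in DYNAMIC_RANGES):
        return "zombie"
    return "pass"


def summarize(conns) -> dict:
    """Count connections per class; the zombie bucket is what a DNSBL alone misses."""
    counts = {"farm": 0, "zombie": 0, "pass": 0}
    for conn in conns:
        counts[classify(conn)] += 1
    return counts


# Constructed sample of inbound SMTP connections with fingerprint labels.
SAMPLE_CONNECTIONS = [
    SmtpConn("203.0.113.10", "Linux 2.6"),
    SmtpConn("203.0.113.11", "FreeBSD 6.x"),
    SmtpConn("198.51.100.23", "Windows XP SP2"),
    SmtpConn("198.51.100.77", "Windows 2000"),
    SmtpConn("192.0.2.5", "OpenBSD 4.0"),
]
```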