>ISPs like to blocks ports and they love dynamic IP blocklists because it
>allows them to remove jobs in their abuse departments, and keep costs low.
I haven't seen that they "like" or "love" either. From what I've
seen, they've mostly had to be dragged kicking and screaming to
utilize either of them.
>It's just not profitable to enforce their TOS the right way. There's
>probably hundreds of thousands of zombie hosts that can't spew because of the
>port blockage, however the ISP doesn't want to terminate them because it's
>profitable to leave them online - $39.95 per month.
>
>So they try to "prevent" abuse by blocking ports and submitting to dymanic IP
>blocklists. What's there to prevent spammers from setting up another port?
>another port blockage?
Blocking inbound access _to_ the zombied systems is, I agree, rather
futile, as the zombie software can open up any inbound port, and
because you can't block a very wide range of inbound ports without
disabling useful and valuable services such as FTP.
Spam has to be sent _out_ from the zombied hosts, _to_ a well-known
port (e.g. SMTP for Port 25). Blocking outbound access from zombies
to (e.g.) port 25 or 8080 can act as a significant barrier to the flow
of outbound spam from compromised systems.
I agree that it's far from being a perfect or complete solution.
It does seem to be one of the more effective stop-gap measures to
mitigate the flood of debris from compromised systems.
> That's just like slapping another band-aid on a 30
>year old bloody wound. Sooner or later the wound is going to ooze once
>again. ISPs: Do the right thing. Remove your spammers, enforce your TOS -
Removing spammers is one thing - the number of them on any given
network isn't horribly high.
Removing zombies is a much larger problem, both because of the scale
(there are many more per network) and because of the fact that the
system owners themselves probably aren't directly violating the
TOS/AUP as it's written today. The system owners are, arguably,
victims just as much as the ultimate recipients of the spam.
>Heal the wound. Sadly, it will take federal regulation for this to happen.
>Because it will be federal law, only then will it become profitable to
>enforce the TOS.
What sort of Federal regulations would you propose? What sort of
terms would you insist be written into the TOS/AUP for a
consumer-grade broadband network connection?
--
Dave Platt <dpl...@radagast.org> AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
I do _not_ wish to receive unsolicited commercial email, and I will
boycott any company which has the gall to send me such ads!
>ISPs like to blocks ports and they love dynamic IP blocklists because it
>allows them to remove jobs in their abuse departments, and keep costs low.
>It's just not profitable to enforce their TOS the right way. There's
>probably hundreds of thousands of zombie hosts that can't spew because of the
>port blockage, however the ISP doesn't want to terminate them because it's
>profitable to leave them online - $39.95 per month.
True.
>So they try to "prevent" abuse by blocking ports and submitting to dymanic IP
>blocklists. What's there to prevent spammers from setting up another port?
>another port blockage?
The fact that spammers run SMTP clients instead of SMTP servers prevents
that problem. If a spammer's target is not listen for mail on a TCP
port, then there is nothing that the spammer can do to send mail to
that target.
You can think of situation as having all ports except 25 and 587 blocked
at practically all spam targets. (Port 587 requires authentication
and authorization, and so is useless for receiving mail from strangers,
including spammers.)
Or from another direction, there's not much spam that a WebTV user
can send. Those $30/month consumer grade accounts are evolving
into "web connectivity" accounts that allow customers to do anything
they want as long as it is surfin' da web, including using HTTP to
send and receive email through their ISP's systems.
> That's just like slapping another band-aid on a 30
>year old bloody wound. Sooner or later the wound is going to ooze once
>again. ISPs: Do the right thing. Remove your spammers, enforce your TOS -
>Heal the wound. Sadly, it will take federal regulation for this to happen.
>Because it will be federal law, only then will it become profitable to
>enforce the TOS.
Fat chance for any of that.
Vernon Schryver v...@rhyolite.com
>>Heal the wound. Sadly, it will take federal regulation for this to
>>happen. Because it will be federal law, only then will it become
>>profitable to enforce the TOS.
>
> What sort of Federal regulations would you propose?
Outlawry for spammers, spyware authors and distributors, and virus writers
and distributors. That is: Remove the "protection of law" from anyone who is
convicted of any of the above-named crimes. This allows anyone - absolutely
*ANYONE* - to do anything they wish to the criminal, without burdening the
State with the care, feeding, and housing of the perp.
Of course, leaving the corpse in the public streets does constitute
littering.
--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
. . .
Who is Brad Jesness? http://www.wilhelp.com/bj_faq/
What would that do? My server isn't listening for email on another port.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
> What's there to prevent spammers from setting up another port?
Um, the fact that they can send all the spam that they want to my MX over
port 2500? My MTA is not listening on port 2500, so all of that spam will go
exactly nowhere. I know spammers are stupid, but are they really that
stupid?
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
>In article <Yp_Cc.1353$aJ3...@nwrdny02.gnilink.net>, mr.john says...
>
>> What's there to prevent spammers from setting up another port?
>
>Um, the fact that they can send all the spam that they want to my MX over
>port 2500? My MTA is not listening on port 2500, so all of that spam will go
>exactly nowhere. I know spammers are stupid, but are they really that
>stupid?
That was a rhtorical question, right?
If not, allow me to remind you of Russell's Corollary to Rule #3:
Never underestimate the stupidity of spammers.
The Rules-Keeper
--
Patricia
Proud Citizen of the Commonwealth of Virginia
ever wonder about all those probes to seemingly useless ports? :-)
Dr.X
> Um, the fact that they can send all the spam that they want to my MX over
> port 2500? My MTA is not listening on port 2500, so all of that spam will go
> exactly nowhere. I know spammers are stupid, but are they really that
> stupid?
Never question spammer (or human, for that matter) stupidity. They'll
always strive to exceed your expectations.
But it does zilch to prevent these zombies from infecting still more systems,
perpetrating DDoS attacks, etc.
Compromised systems MUST be removed from the 'net, period. And the ONLY
reason that's not happening at a decent pace is short-sighted greed and
stupidity on the part of the "consumer broadband" providers.
> Removing zombies is a much larger problem, both because of the scale
> (there are many more per network)
[snip]
Tough beans. The ISP's perceived "difficulty" does not relieve them of the
*responsibility* to mitigate the damage done by their network -- *especially*
now that they unquestionably know about it.
> ...and because of the fact that the
> system owners themselves probably aren't directly violating the
> TOS/AUP as it's written today.
[snip]
I'm not so sure about that; remember that an essential part of ANY worthwhile
TOS/AUP is the "we may terminate anyone for any cause, without notice" clause.
But even your contention is correct, the answer is simple: Those TOS/AUPs
need to be re-written, pronto. And you can't credibly tell me that an outfit
the size of Comcrap doesn't have enough landsharks on full-time staff to knock
that out in an afternoon or two.
> The system owners are, arguably,
> victims just as much as the ultimate recipients of the spam.
>
[snip]
NO!
They may be "victims" to *some* extent, but they are victims mostly of their
own ignorance and stupidity. Yes, both of those: Ignorance for being unaware
of the specific risks inherent in connecting their computer to almost every
other computer in the world; stupidity for assuming that such risks don't
exist and/or they don't *need* to learn about them.
Either way, it's *their* failing, not mine; and I am sick and tired of paying
the freight for it.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.
>On Fri, 25 Jun 2004 20:06:50 -0000, in <news.admin.net-abuse.email>,
>dpl...@radagast.org (Dave Platt) wrote:
> >
> [snip]
> >
> > Blocking inbound access _to_ the zombied systems is, I agree, rather
> > futile, as the zombie software can open up any inbound port, and
> > because you can't block a very wide range of inbound ports without
> > disabling useful and valuable services such as FTP.
> >
> > Spam has to be sent _out_ from the zombied hosts, _to_ a well-known
> > port (e.g. SMTP for Port 25). Blocking outbound access from zombies
> > to (e.g.) port 25 or 8080 can act as a significant barrier to the flow
> > of outbound spam from compromised systems.
> >
> [snip]
>
>But it does zilch to prevent these zombies from infecting still more systems,
>perpetrating DDoS attacks, etc.
Hmm. Besides Blast and Sasser, doesn't shutting down port 25 remove
the infection vector?
>Compromised systems MUST be removed from the 'net, period. And the ONLY
>reason that's not happening at a decent pace is short-sighted greed and
>stupidity on the part of the "consumer broadband" providers.
I dunno. I don't see that simply defanging the spamming potential is
all that short-sighted. The dialup providers did it and it worked a
treat.
> > Removing zombies is a much larger problem, both because of the scale
> > (there are many more per network)
> [snip]
>
>Tough beans. The ISP's perceived "difficulty" does not relieve them of the
>*responsibility* to mitigate the damage done by their network -- *especially*
>now that they unquestionably know about it.
OK, you got a point with the DDOS potential.
> > ...and because of the fact that the
> > system owners themselves probably aren't directly violating the
> > TOS/AUP as it's written today.
> [snip]
>
>I'm not so sure about that; remember that an essential part of ANY worthwhile
>TOS/AUP is the "we may terminate anyone for any cause, without notice" clause.
>But even your contention is correct, the answer is simple: Those TOS/AUPs
>need to be re-written, pronto. And you can't credibly tell me that an outfit
>the size of Comcrap doesn't have enough landsharks on full-time staff to knock
>that out in an afternoon or two.
Yeah, but removing a substantial bit of their revenue stream ain't
gonna go over well at any level. I predict that broadband providers
will, in the not too distant future, have default blocks on most
outgoing and incoming SYNS, and UDP, because that'll be the only way to
deal with the zombie situation. Most everybody uses MS stuff, and the
infection vectors just aren't going away for a while. It isn't
reasonable to expect an ISP to handhold all those poor slobs, nor to
cut off the revenue stream provided by all those poor slobs.
> > The system owners are, arguably,
> > victims just as much as the ultimate recipients of the spam.
> >
> [snip]
>
>NO!
YES!
>They may be "victims" to *some* extent, but they are victims mostly of their
>own ignorance and stupidity. Yes, both of those: Ignorance for being unaware
>of the specific risks inherent in connecting their computer to almost every
>other computer in the world; stupidity for assuming that such risks don't
>exist and/or they don't *need* to learn about them.
Eh, we're just talking ignorance there.
>Either way, it's *their* failing, not mine; and I am sick and tired of paying
>the freight for it.
I thought you knew how to do router stuff? No?
Joe
> ISPs like to blocks ports and they love dynamic IP blocklists because it
> allows them to remove jobs in their abuse departments, and keep costs low.
Yep.
> It's just not profitable to enforce their TOS the right way. There's
> probably hundreds of thousands of zombie hosts that can't spew because of the
> port blockage, however the ISP doesn't want to terminate them because it's
> profitable to leave them online - $39.95 per month.
It is slightly more complex than that. For many people, there's not a
lot of choice in high-speed providers, because the ILEC's and the cable
companies have worked very hard to limit competition and increase the
difficulty of switching providers. In many cases, this is combined with
corporate mentalities and experience where service termination is alien:
the incumbent phone and cable monopolists *can't* terminate their
traditional services except in very strictly regulated ways, so they
have never really considered the concept of permanent ISP service
termination. So instead they will occasionally turn down a customer on a
temporary basis, but even then they will be willing to talk to that
customer and be persuaded to restore service. The result of that is
their strongest responses to customer misbehavior is a huge cost for
them: they take the calls to their support desks from and provide
support to users who have been negligently involved in abuse and
reconnect them.
I have been told explicitly by an abuse handler for one such ISP that
his employer has in place the ability to detect compromised machines at
a rate which would completely swamp their support resources if they were
to turn them off as detected but do so with a presumption of the cutoff
being a temporary measure. Their support operations, which are pure cost
centers, are too small to deal with fixing their compromised network.
They would need to either reconcile themselves to terminations being
permanent or spend a multiple of what they are spending on support
staff, and they would need to pass that cost along to customers because
in fact ISP services are NOT very profitable for them as it stands, and
support is a large slice of their costs already.
> So they try to "prevent" abuse by blocking ports and submitting to dymanic IP
> blocklists. What's there to prevent spammers from setting up another port?
SMTP servers accept mail on port 25. That's how mail works. A machine
that cannot talk to the outside world on port 25 is completely useless
for spamming.
> another port blockage? That's just like slapping another band-aid on a 30
> year old bloody wound. Sooner or later the wound is going to ooze once
> again. ISPs: Do the right thing. Remove your spammers, enforce your TOS -
> Heal the wound. Sadly, it will take federal regulation for this to happen.
> Because it will be federal law, only then will it become profitable to
> enforce the TOS.
That simply will not happen. The federal government does not enforce
existing laws that would stop the zombie-abusing spammers. They have
refused for a decade to do so. New laws are not needed. A government
that is willing to enforce the laws evenly and as written even when it
means putting people who call themselves small businessmen and the
arrested-development offspring of the rich into jail. On another level,
such an approach to law enforcement would mean that a notable slice of
the Spamhaus top ten would never have started spamming, because they are
convicted criminals whose convictions would have landed anyone but an
upper-middle-cloass white guy in prison for a long time.
--
Now where did I hide that website...
I think there's a sig in there somewhere.
> Tough beans. The ISP's perceived "difficulty" does not relieve them of the
> *responsibility* to mitigate the damage done by their network -- *especially*
> now that they unquestionably know about it.
For these people, money speaks louder than responsibility. That's the
whole spam problem wrapped up in a single sentence.
> I'm not so sure about that; remember that an essential part of ANY worthwhile
> TOS/AUP is the "we may terminate anyone for any cause, without notice" clause.
> But even your contention is correct, the answer is simple: Those TOS/AUPs
> need to be re-written, pronto. And you can't credibly tell me that an outfit
> the size of Comcrap doesn't have enough landsharks on full-time staff to knock
> that out in an afternoon or two.
I thought most TOS/AUP documents already forbid the stuff we accuse the
network operators of allowing in the first place. It's not AUP itself,
it's the enforcement - or lack of - that is the problem. Again, for these
people, money is more important than responsibility. Comcast said so
itself.
> NO!
> They may be "victims" to *some* extent, but they are victims mostly of their
> own ignorance and stupidity. Yes, both of those: Ignorance for being unaware
> of the specific risks inherent in connecting their computer to almost every
> other computer in the world; stupidity for assuming that such risks don't
> exist and/or they don't *need* to learn about them.
> Either way, it's *their* failing, not mine; and I am sick and tired of paying
> the freight for it.
I can certainly understand this sentiment. (search for a thread during the
heyday of SWEN in which I call for mandatory prison sentences for zombie
owners)
However at the same time, it's not that simple. As we've seen again and
again, one can be running with all the latest patches, a virus scanner, a
responsible mail-client (ie, NOT outlook), and STILL get infected with
garbage from websites and such.
Even then, things like a virus scanner are just band-aids for the real
problem - the buggy applications that ignore security conventions, and the
even buggier OS that not only allows them, but considers them A FEATURE.
Computers aren't nearly the idiot proof devices most folks make them out
to be, and the virus writers, phishers, spammers and conmen are taking
advantage of stupid people online.
And there's no real good answer to this whole mess. Like it or not,
Windows is the most recognized system out there. The fact that it's
written by a company that puts profits before security (and robustness,
functionality, usability...) is the real issue.
No.
The various trojans are now using all manner of different ports, for all sorts
of different purposes (remember, they have more than 65,000 of them to choose
from!); and they near-constantly morph from one to another, precisely because
this makes them harder to detect/block via remote scans and such. These
purposes include such things as proxy-chaining, remote control of the hijacked
systems, planting "phantom" DNS servers, which in turn point to "phantom" web
servers (not necessarily running on port 80) planted on still other hijacked
systems, and "phantom" FTP servers (typically for "warez" exchange; and again,
not necessarily running on port 21), and of course launching various forms of
DDoS attacks (again, on a wide variety of ports) against the more visible
"anti-spam" domains, etc. -- and I'm pretty sure I've left out some other
significant "stuff". We have gotten to the point where there is effectively a
fully formed and well-entrenched "phantom internet", running mostly over the
same hardware as the "real" internet and using hijacked systems as their
servers and routers. In the face of all this, the actual spamming (on port
25) is, if anything, now a relatively minor part of the overall picture.
> >Compromised systems MUST be removed from the 'net, period. And the ONLY
> >reason that's not happening at a decent pace is short-sighted greed and
> >stupidity on the part of the "consumer broadband" providers.
>
> I dunno. I don't see that simply defanging the spamming potential is
> all that short-sighted. The dialup providers did it and it worked a
> treat.
>
[snip]
Oh really? Has spam stopped?
Blocking (actually, "rerouting" is more accurate) outbound port 25 on dial-up
lines effectively treated only one small aspect of "The Spam Problem"; and it
created a raft of problems (albeit, generally not insurmountable ones) for
*legitimate* users in the process. Blocking INbound port 25 on dial-ups makes
somewhat more sense, but doesn't really accomplish much since it is inherently
so impractical to run a significant-capacity mail *server* off a dial-up.
Much the same fundamental problem applies to "consumer broadband" connections.
The spammers don't need inbound port 25 to use them as zombie spam-spewers;
and blocking/re-routing OUTbound port 25 creates hassles for at least some
legitimate users. This is not to say that it *shouldn't* be blocked; but only
that this won't really solve the problem. I say again: compromised systems
MUST be removed from the 'net, period.
> Yeah, but removing a substantial bit of their revenue stream ain't
> gonna go over well at any level.
[snip]
Again, "tough beans". To paraphrase a popular old saying, "The expectation of
(or desire for) profit on their part does NOT constitute an obligation on my
part to tolerate their willfully inflicting harm on me or anyone else."
> I predict that broadband providers
> will, in the not too distant future, have default blocks on most
> outgoing and incoming SYNS, and UDP, because that'll be the only way to
> deal with the zombie situation.
[snip]
That directly contradicts what at least one such "broadband provider" has
explicitly stated:
<http://news.com.com/2102-1034_3-5218178.html?tag=st.util.print>
> Most everybody uses MS stuff, and the
> infection vectors just aren't going away for a while. It isn't
> reasonable to expect an ISP to handhold all those poor slobs, nor to
> cut off the revenue stream provided by all those poor slobs.
>
[snip]
Of *course* it's reasonable to expect them to do one or the other (I really
don't care which). It is wholly UNreasonable to accept their refusal to do
otherwise. The rest of the 'net is *not* there for *their* exclusive benefit;
nor should it have to jump through hoops in order to enable such ISPs' broken
business model to succeed. If their business model is contingent on the rest
of the world tolerating their willful abuse, then the only proper course of
events is for them to fail spectacularly -- and the sooner, the better.
> >They may be "victims" to *some* extent, but they are victims mostly of
> >their own ignorance and stupidity. Yes, both of those: Ignorance for
> >being unaware of the specific risks inherent in connecting their computer
> >to almost every other computer in the world; stupidity for assuming that
> >such risks don't exist and/or they don't *need* to learn about them.
>
> Eh, we're just talking ignorance there.
>
[snip]
No.
First, the "ignorance" excuse simply doesn't go anywhere near as far as it
used to. But beyond that, it is not "ignorance" to completely stop thinking
AT ALL, and therefore "assume" that if they are unaware of something, it must
not exist; *that* is stupidity -- as is blindly accepting the marketeers'
claims that computers in general (and the internet in particular) are
toaster-like "appliances" that they can simply plug in and use blindly with no
concern whatsoever for the now LONG well-publicized risks.
> >Either way, it's *their* failing, not mine; and I am sick and tired of
> >paying the freight for it.
>
> I thought you knew how to do router stuff? No?
>
[snip]
True. And I use it, to the extent that I can. But even at that, my router
has to put up with the constant barrage of crap spewed by the zombies -- to
the point that my (admittedly cheap and crappy, but that's beside the point)
router sometimes gets so bogged down with the stuff that I have to reboot it
in order to keep my connection viable (and this is over a dial-up, yet; I
shudder to think how much worse it would be if that router was facing a fatter
pipe). Much the same thing applies to the (much more robust) router which
sits in front of my mail server; tho' thankfully, it seems to put up with the
noise somewhat more elegantly -- and still, the *vast* majority of my server
logs are comprised of attempts by these jackasses to spew crap at me. Ditto
for my webserver logs, which are ALWAYS chock full of "script kiddie was here"
entries.
So... Exactly *why* should I put up with this nonsense for the benefit of
Comcrap, et al...?
AFAIK, you are correct.
> It's not AUP itself,
> it's the enforcement - or lack of - that is the problem. Again, for these
> people, money is more important than responsibility. Comcast said so
> itself.
>
[snip]
Exactly. And Comcrap in particular has explicitly stated that they have made
a conscious decision to be openly hostile to the rest of the 'net and everyone
connected to it. Given that, I really don't understand why anyone is still
accepting ANY traffic from them.
> > Either way, it's *their* failing, not mine; and I am sick and tired of
> > paying the freight for it.
>
> I can certainly understand this sentiment. (search for a thread during the
> heyday of SWEN in which I call for mandatory prison sentences for zombie
> owners)
>
[snip]
Heh. I'm *still* getting hit with Swen.A on a regular basis. About 99% of it
gets auto-rejected by the mail server; but every once in awhile, one leaks
through far enough to be caught by either the AV scanner or one of the
content-based filters. When that happens, I LART the operator of the sending
SMTP server (Swen.A either always or nearly always uses the "legitimate" SMTP
server defined in the infected system's copy of Outleak Excuse), with the
notation that since they just proved themselves to be utterly incompetent (or
malicious) by letting it out the door in the first place, their entire known
netspace is now hard-blocked from my server.
> However at the same time, it's not that simple. As we've seen again and
> again, one can be running with all the latest patches, a virus scanner, a
> responsible mail-client (ie, NOT outlook), and STILL get infected with
> garbage from websites and such.
>
[snip]
As a general rule, that can only happen if your system is misconfigured in at
least one other very critical way: You have permitted MSIE to remain
installed (or worse, actively use it).
> Even then, things like a virus scanner are just band-aids for the real
> problem - the buggy applications that ignore security conventions, and the
> even buggier OS that not only allows them, but considers them A FEATURE.
>
[snip]
While Windows itself does certainly resemble swiss cheese in the context of
any serious "security" concerns; the *vast* majority of what it gets blamed
for are really failings specific to MSIE/OE (and perhaps to a somewhat lesser
extent, it's ugly stepchild, Outleak itself). Remove that one "buggy
application", and you instantly improve the overall security of any WinBox by
at least an order of magnitude.
> Computers aren't nearly the idiot proof devices most folks make them out
> to be, and the virus writers, phishers, spammers and conmen are taking
> advantage of stupid people online.
>
[snip]
Correct.
And also I hold the folks (at all levels, from the largest manufacturers to
the individual dolts on the CompUSA sales floors) fraudulently selling these
devices as worry-free "toasters" responsible for a large part of the problem.
After all, they largely *created* the problem through their massive
disinformation campaign (a.k.a. "sales pitch").
> And there's no real good answer to this whole mess. Like it or not,
> Windows is the most recognized system out there. The fact that it's
> written by a company that puts profits before security (and robustness,
> functionality, usability...) is the real issue.
>
It's one of the issues, but not the only one.
And this is *our* (yes, there is an "our", in this context) problem, how?
It still does not relieve them of their fundamental *duty* to cut off those
customers who are spewing spam, trojans, viruses, etc., *regardless* of
whether they subsequently decide it would be too expensive to invite those
particular "problem children" back. Those *are* two separate decisions; and
the "abuse handler" you spoke to was dissembling (or, just maybe, naively
repeating his/her employer's line of bull; but that still doesn't say much for
the "abuse handler") to imply otherwise. If they are aware of (or have the
means to quickly/easily become aware of) a particular "compromised machine" on
their network, yet still fail to remove same from the 'net in a timely manner,
then they are being willfully malicious. There is simply no other
possibility.
> ...and they would need to pass that cost along to customers because
> in fact ISP services are NOT very profitable for them as it stands, and
> support is a large slice of their costs already.
>
[snip]
Empty scare tactics, on the part of either the "abuse handler" or his/her
employer. They *couldn't* successfully "pass the cost along", as long as
their competitors manage to provide a similarly abuse-free service without
hiking the rates; and if their competitors are also forced into hiking the
rates, it's a moot point.
If their (broken) business model cannot withstand that reality, so be it.
It is long past time to stop accepting the notion that you, and me, and the
next guy must endure a constant barrage of crap, simply because some business
entity is too inept/greedy/whatever to function in a responsible manner. They
do NOT have an inherent right to "succeed", regardless.
>On Sat, 26 Jun 2004 10:59:01 -0400, in <news.admin.net-abuse.email>, Munger
>Joe <munge...@bigfoot.com> wrote:
> >
> > On Sat, 26 Jun 2004 09:18:18 -0400, Jay T. Blocksom
> > <not.delivera...@appropriate-tech.net> wrote:
> >
> [snip]
> > >
> > >But it does zilch to prevent these zombies from infecting still more
> > >systems, perpetrating DDoS attacks, etc.
> >
> > Hmm. Besides Blast and Sasser, doesn't shutting down port 25 remove
> > the infection vector?
> >
> [snip]
>
>No.
>
>The various trojans are now using all manner of different ports, for all sorts
>of different purposes (remember, they have more than 65,000 of them to choose
>from!);
Yes, but those ports used by zombies aren't infection vectors. Those
ports are used by zombies only *after* they've been zombified. The main
infection vector is via email.
> and they near-constantly morph from one to another, precisely because
>this makes them harder to detect/block via remote scans and such. These
>purposes include such things as proxy-chaining, remote control of the hijacked
>systems, planting "phantom" DNS servers, which in turn point to "phantom" web
>servers (not necessarily running on port 80) planted on still other hijacked
>systems, and "phantom" FTP servers (typically for "warez" exchange; and again,
>not necessarily running on port 21), and of course launching various forms of
>DDoS attacks (again, on a wide variety of ports) against the more visible
>"anti-spam" domains, etc. -- and I'm pretty sure I've left out some other
>significant "stuff". We have gotten to the point where there is effectively a
>fully formed and well-entrenched "phantom internet", running mostly over the
>same hardware as the "real" internet and using hijacked systems as their
>servers and routers. In the face of all this, the actual spamming (on port
>25) is, if anything, now a relatively minor part of the overall picture.
I agree that the potential for damage is immense, and that spam is
actually a small player in the *potential* for damage. Taking out a few
web sites here and there is nothing compared to what could be done with
the zombie army. But I'm just talking about the spam aspect.
> > >Compromised systems MUST be removed from the 'net, period. And the ONLY
> > >reason that's not happening at a decent pace is short-sighted greed and
> > >stupidity on the part of the "consumer broadband" providers.
> >
> > I dunno. I don't see that simply defanging the spamming potential is
> > all that short-sighted. The dialup providers did it and it worked a
> > treat.
> >
> [snip]
>
>Oh really? Has spam stopped?
>
>Blocking (actually, "rerouting" is more accurate) outbound port 25 on dial-up
>lines effectively treated only one small aspect of "The Spam Problem"; and it
>created a raft of problems (albeit, generally not insurmountable ones) for
>*legitimate* users in the process. Blocking INbound port 25 on dial-ups makes
>somewhat more sense, but doesn't really accomplish much since it is inherently
>so impractical to run a significant-capacity mail *server* off a dial-up.
The only thing blocking inbound port 25, in addition to outbound,
does is make using the "asymetrical routing" spamware useless.
OK. But don't hold your breath waiting for it to happen.
> > >They may be "victims" to *some* extent, but they are victims mostly of
> > >their own ignorance and stupidity. Yes, both of those: Ignorance for
> > >being unaware of the specific risks inherent in connecting their computer
> > >to almost every other computer in the world; stupidity for assuming that
> > >such risks don't exist and/or they don't *need* to learn about them.
> >
> > Eh, we're just talking ignorance there.
> >
> [snip]
>
>No.
>
>First, the "ignorance" excuse simply doesn't go anywhere near as far as it
>used to. But beyond that, it is not "ignorance" to completely stop thinking
>AT ALL, and therefore "assume" that if they are unaware of something, it must
>not exist; *that* is stupidity -- as is blindly accepting the marketeers'
>claims that computers in general (and the internet in particular) are
>toaster-like "appliances" that they can simply plug in and use blindly with no
>concern whatsoever for the now LONG well-publicized risks.
OK, call it what you want. Doesn't change the situation that 90% of
Internet users are using MS stuff that is vulnerable to exploits, and
that situation isn't going to change anytime soon.
> > >Either way, it's *their* failing, not mine; and I am sick and tired of
> > >paying the freight for it.
> >
> > I thought you knew how to do router stuff? No?
> >
> [snip]
>
>True. And I use it, to the extent that I can. But even at that, my router
>has to put up with the constant barrage of crap spewed by the zombies -- to
>the point that my (admittedly cheap and crappy, but that's beside the point)
>router sometimes gets so bogged down with the stuff that I have to reboot it
>in order to keep my connection viable (and this is over a dial-up, yet; I
>shudder to think how much worse it would be if that router was facing a fatter
>pipe). Much the same thing applies to the (much more robust) router which
>sits in front of my mail server; tho' thankfully, it seems to put up with the
>noise somewhat more elegantly -- and still, the *vast* majority of my server
>logs are comprised of attempts by these jackasses to spew crap at me. Ditto
>for my webserver logs, which are ALWAYS chock full of "script kiddie was here"
>entries.
>
>So... Exactly *why* should I put up with this nonsense for the benefit of
>Comcrap, et al...?
Because you have no choice? I'm not saying that's how it should be,
but that's just the way it is at this point in time.
It seems the zombification of the Internet is mostly perpetrated by
spammers these days. When zombies become useless to spammers, the
zombification will cease, the current zombies will get fixed, and the
zombification state will revert back to the pre-Sobig days when writing
viruses was done by script kiddies for sport. Hopefully. Removing the
spamming potential of infected users is a step in that direction.
Joe
> >
> >The various trojans are now using all manner of different ports, for all
> >sorts of different purposes (remember, they have more than 65,000 of them
> >to choose from!);
>
> Yes, but those ports used by zombies aren't infection vectors.
[snip]
Sure they are. One zombie system can *directly* infect other unprotected
systems, using any number of well-known exploits. That's what perhaps 90% of
the crap constantly hitting my router/firewall *is*: Already-infected zombies
looking for new victim systems to invade, on a wide assortment of "other"
ports. And BTW... Most of it is coming from *within* my own ISP's network,
which pisses me off even moreso.
> Those
> ports are used by zombies only *after* they've been zombified.
[snip]
Or, as pointed out above, as a means of *becoming* zombified -- which is a
major part of the problem, these days.
> The main
> infection vector is via email.
>
[snip]
*One* major infection vector, to be sure -- perhaps still the biggest one
even, but that is by no means certain. In addition to the above-noted
direct-infection approach, drive-by downloads of malware to MSIE-using
web-surfers is right up there too.
> The only thing blocking inbound port 25, in addition to outbound,
> does is make using the "asymetrical routing" spamware useless.
>
[snip]
Does it, really? (Serious question... This is getting deep enough into the
nitty gritty details of TCP/IP that I'm not comfortable making bold sweeping
pronouncements; but I *thought* that "asymmetrical routing" involved forging
the source IP in an outgoing packet transported on the high-bandwidth leg, so
the returning ACK on the low-bandwidth leg isn't really an "incoming
connection", per se.)
> It seems the zombification of the Internet is mostly perpetrated by
> spammers these days. When zombies become useless to spammers,
[snip]
s/When/If/
And if Comcrap, et al, get their way, that day will never come.
> ...the
> zombification will cease, the current zombies will get fixed, and the
> zombification state will revert back to the pre-Sobig days when writing
> viruses was done by script kiddies for sport. Hopefully.
[snip]
This presumes that the "zombie army" does not concurrently prove useful to
some other forms of miscreants.
>On Thu, 01 Jul 2004 01:26:22 -0400, in <news.admin.net-abuse.email>, Munger
>Joe <munge...@bigfoot.com> wrote:
> >
> > On Wed, 30 Jun 2004 18:57:10 -0400, Jay T. Blocksom
> > <not.delivera...@appropriate-tech.net> wrote:
> >
> [snip]
>
> > >
> > >The various trojans are now using all manner of different ports, for all
> > >sorts of different purposes (remember, they have more than 65,000 of them
> > >to choose from!);
> >
> > Yes, but those ports used by zombies aren't infection vectors.
> [snip]
>
>Sure they are. One zombie system can *directly* infect other unprotected
>systems, using any number of well-known exploits.
Yes, that's true, but there has to be a service running on that port
to *be* exploited. Like MS SQL running on port 1433 in the case of
Slammer, or the default Windoze services running on ports 135 and 445
in the cases of Blast and Sasser.
> That's what perhaps 90% of
>the crap constantly hitting my router/firewall *is*: Already-infected zombies
>looking for new victim systems to invade, on a wide assortment of "other"
>ports.
Not really. Infection attempts are looking for services to exploit on
well known ports, but the probes to "other" ports are scanners looking
for already infected systems with backdoors installed by the virus. If
there's no service running on a port, probes to that port are harmless.
...
> > The only thing blocking inbound port 25, in addition to outbound,
> > does is make using the "asymetrical routing" spamware useless.
> >
> [snip]
>
>Does it, really? (Serious question... This is getting deep enough into the
>nitty gritty details of TCP/IP that I'm not comfortable making bold sweeping
>pronouncements; but I *thought* that "asymmetrical routing" involved forging
>the source IP in an outgoing packet transported on the high-bandwidth leg, so
>the returning ACK on the low-bandwidth leg isn't really an "incoming
>connection", per se.)
Exactly. So merely bocking SYNs wouldn't defeat that type of
spamware, but so what?
> > It seems the zombification of the Internet is mostly perpetrated by
> > spammers these days. When zombies become useless to spammers,
> [snip]
>
>s/When/If/
>
>And if Comcrap, et al, get their way, that day will never come.
Well, its not like they *like* this situation. All this stuff is bad
for business.
> > ...the
> > zombification will cease, the current zombies will get fixed, and the
> > zombification state will revert back to the pre-Sobig days when writing
> > viruses was done by script kiddies for sport. Hopefully.
> [snip]
>
>This presumes that the "zombie army" does not concurrently prove useful to
>some other forms of miscreants.
True. I think the National Security types should be having fits over
this situation, but businesses are going to make decisions based on the
bottom line. The thread about the recent attack on Spamhaus indicates
the law enforcement is starting to take the threat seriously.
Joe
And by default, all standard-issue Winboxen have MANY such (often useless and
unnecessary, like Windows Messenger) services running, and MANY "open" ports
which shouldn't be.
> Like MS SQL running on port 1433 in the case of
> Slammer, or the default Windoze services running on ports 135 and 445
> in the cases of Blast and Sasser.
>
[snip]
Exactly, And then some. And let's not forget such "gems" as AnalogX, which
by default plants an abusable proxy trojan wherever it is installed, and all
manner of other abusable services/ports created by putatively "innocent"
software installations. Also, each new generation of zombie trojan can take
advantage of all the holes created by "prior art" trojans (BackOrifice, for
example), and use *them* as infection vectors; which is why permitting
(wittingly or not) *one* parasite onto the system so often opens the
floodgates for dozens or hundreds of others. I'd bet it is a rare zombie
indeed that has only *one* infection.
> > > The only thing blocking inbound port 25, in addition to outbound,
> > > does is make using the "asymetrical routing" spamware useless.
> > >
> > [snip]
> >
> >Does it, really? (Serious question... This is getting deep enough into
> >the nitty gritty details of TCP/IP that I'm not comfortable making bold
> >sweeping pronouncements; but I *thought* that "asymmetrical routing"
> >involved forging the source IP in an outgoing packet transported on the
> >high-bandwidth leg, so the returning ACK on the low-bandwidth leg isn't
> >really an "incoming connection", per se.)
>
> Exactly. So merely bocking SYNs wouldn't defeat that type of
> spamware, but so what?
>
[snip]
Wasn't "defeat[ing] that type of spamware" your point?
> >This presumes that the "zombie army" does not concurrently prove useful to
> >some other forms of miscreants.
>
> True. I think the National Security types should be having fits over
> this situation,
[snip]
Well, the fit certainly seems to have hit the shan now that CERT/CC finally
woke up, smelled the coffee, and told the world to abandon MSIE. Of course,
I've been saying the same thing for upwards of ten years -- but what do I
know? <~>
> > > > The only thing blocking inbound port 25, in addition to outbound,
> > > > does is make using the "asymetrical routing" spamware useless.
> > > >
> > > [snip]
> > >
> > >Does it, really? (Serious question... This is getting deep enough into
> > >the nitty gritty details of TCP/IP that I'm not comfortable making bold
> > >sweeping pronouncements; but I *thought* that "asymmetrical routing"
> > >involved forging the source IP in an outgoing packet transported on the
> > >high-bandwidth leg, so the returning ACK on the low-bandwidth leg isn't
> > >really an "incoming connection", per se.)
> >
> > Exactly. So merely bocking SYNs wouldn't defeat that type of
> > spamware, but so what?
> >
> [snip]
>
>Wasn't "defeat[ing] that type of spamware" your point?
Yeah, my point was that blocking inbound port 25, in addition to
blocking outbound port 25, doesn't do much except to defeat that type
of spamware. You mentioned the "incoming connection" (aka SYNs) bit,
which isn't really relevant. I should have been more clear in my
followup to that. Blocking incoming connection attempts wouldn't defeat
that type of spamware, but blocking *all* incoming packets would.
Joe