Operation Spam Zombies


Marc Brett

Jun 2, 2005, 4:12:39 AM
What's Demon's response to this?

Ref: http://www.ftc.gov/bcp/conline/edcams/spam/zombie/

"As part of a worldwide effort to prevent these abuses, the FTC announces
"Operation Spam Zombies." In partnership with 20 members of the London Action
Plan and 16 additional government agencies from around the world, the Commission
is sending letters to more than 3000 Internet service providers (ISPs)
internationally, encouraging them to take the following zombie-prevention
measures:

* block port 25 except for the outbound SMTP requirements of authenticated users
of mail servers designed for client traffic. Explore implementing Authenticated
SMTP on port 587 for clients who must operate outgoing mail servers.

* apply rate-limiting controls for email relays.

* identify computers that are sending atypical amounts of email, and take steps
to determine if the computer is acting as a spam zombie. When necessary,
quarantine the affected computer until the source of the problem is removed.

* give your customers plain-language advice on how to prevent their computers
from being infected by worms, trojans, or other malware that turn PCs into spam
zombies, and provide the appropriate tools and assistance.

* provide, or point your customers to, easy-to-use tools to remove zombie code
if their computers have been infected, and provide the appropriate assistance.

In a later phase, the Operation plans to notify Internet providers worldwide
that apparent spam zombies were identified on their systems, and urge them to
implement measures to prevent that problem."

Richard Clayton

Jun 2, 2005, 11:09:52 PM
In article <34ft915jnkcgpebq1...@4ax.com>, Marc Brett
<ma...@fordson.demon.co.uk> writes

>What's Demon's response to this?

I've no idea (I expect I'll be asked to comment sometime or other though)

:) see the .sig!

>* block port 25 except for the outbound SMTP requirements of authenticated users
>of mail servers designed for client traffic.

it is naive to believe this would be more than a temporary fix

>Explore implementing Authenticated
>SMTP on port 587 for clients who must operate outgoing mail servers.

this is not something under the control of an ISP (I think they intended
to say something different anyway, which is that roaming customers should
be using home servers only via 587 because 25 would be blocked. However,
the current state of Microsoft's software means that this is not the best
of recommendations anyway)

>* apply rate-limiting controls for email relays.

this is also naive and shows a lack of knowledge of how email is used by
e-businesses. Many Demon customers send very large amounts of email per
day and rate-limiting this would seriously impact their businesses

there are possible types of limiting, but this would be on failures
rather than volume per se. There are technical challenges doing this on
distributed systems -- again it's a naive recommendation :(

>* identify computers that are sending atypical amounts of email, and take steps
>to determine if the computer is acting as a spam zombie. When necessary,
>quarantine the affected computer until the source of the problem is removed.

Demon is way ahead of the game on this one. If other ISPs deployed the
type of systems that Demon uses then the problem would be somewhat
reduced! That's why James was indicating in another article how busy he
is at the moment -- the automated systems are already flagging up the 60
or so customers a day being infected by this week's virus...

... way ahead of incoming reports from recipients

>In a later phase, the Operation plans to notify Internet providers worldwide
>that apparent spam zombies were identified on their systems,

Demon could do that today :) I doubt most other ISPs' abuse teams could
deal with the volume of reports :(

--
richard writing to inform and not as company policy

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
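The "atypical amounts of email" check from the FTC list earlier in the thread, and Richard's point that any limiting should key on failures rather than raw volume, as an added example that is not code from the thread, the FTC, or Demon's abuse systems. The log format, the client addresses and the thresholds are constructed assumptions:

```python
"""Spot likely spam zombies from outbound-relay logs.

Added example for this thread; not code from the FTC, Demon or any poster.
It contrasts a volume-only rule ("atypical amounts of email") with the
failure-based limiting Richard describes. Log format, addresses and
thresholds are assumptions.
"""
from collections import defaultdict
import statistics


def make_sample_log():
    """Constructed sample log, one line per delivery attempt:
    '<timestamp> <client_ip> <verdict> <recipient>'."""
    lines = []

    def burst(ip, accepted, rejected, domain):
        for i in range(accepted):
            lines.append(f"2005-06-02T09:{i % 60:02d}:00 {ip} accepted user{i}@{domain}")
        for i in range(rejected):
            lines.append(f"2005-06-02T09:{i % 60:02d}:30 {ip} rejected nobody{i}@{domain}")

    # Six ordinary home users: a handful of messages each, none rejected.
    for n, ip in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3",
                            "10.0.0.4", "10.0.0.5", "10.0.0.6"]):
        burst(ip, [2, 3, 4, 3, 5, 2][n], 0, "example.net")
    burst("10.0.0.20", 61, 1, "customers.example")   # legitimate bulk sender
    burst("10.0.0.99", 30, 25, "victim.example")     # zombie: many unknown recipients
    return "\n".join(lines)


def per_host_stats(log_text):
    """Count delivery attempts and recipient rejections per client IP."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, verdict, _rcpt = line.split(maxsplit=3)
        stats[ip]["attempts"] += 1
        if verdict == "rejected":
            stats[ip]["rejected"] += 1
    return dict(stats)


def flag_by_volume(stats, k=5.0, min_volume=20):
    """Volume-only rule: flag hosts far above the population baseline
    (median + k * median absolute deviation, floored at min_volume).
    It cannot tell a legitimate bulk sender from a zombie."""
    volumes = [s["attempts"] for s in stats.values()]
    med = statistics.median(volumes)
    mad = statistics.median(abs(v - med) for v in volumes)
    threshold = max(min_volume, med + k * mad)
    return {ip for ip, s in stats.items() if s["attempts"] > threshold}


def flag_by_failures(stats, min_volume=20, max_ratio=0.3):
    """Failure-based rule: flag hosts whose recipients are mostly rejected,
    once they have sent enough mail to judge."""
    return {ip for ip, s in stats.items()
            if s["attempts"] >= min_volume
            and s["rejected"] / s["attempts"] >= max_ratio}


if __name__ == "__main__":
    host_stats = per_host_stats(make_sample_log())
    print("volume rule :", sorted(flag_by_volume(host_stats)))
    print("failure rule:", sorted(flag_by_failures(host_stats)))
```

Run as a script, the two rules disagree: the volume rule flags the legitimate bulk sender alongside the zombie, while the failure rule flags only the host whose recipients are mostly being rejected, which is the distinction Richard says a volume cap misses.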


Anthony

Jun 3, 2005, 7:59:35 AM
On Fri, 3 Jun 2005 04:09:52 +0100, Richard Clayton <ric...@highwayman.com>
wrote:

> In article <34ft915jnkcgpebq1...@4ax.com>, Marc Brett
><ma...@fordson.demon.co.uk> writes
>
>>What's Demon's response to this?
>
> I've no idea (I expect I'll be asked to comment sometime or other though)

In addition to your well put and well thought out comments, I would add
that, if the FTC are really serious about taking real, effective action
concerning the spam problem, they could start much closer to home.

They need look no further than:

http://www.spamhaus.org/rokso/index.lasso

And highlight those professional spam operations listed who are based
in the United States (by far the majority), and take steps in respect
of those.

They may also want to take a look at:

http://www.spamhaus.org/statistics.lasso

And, specifically, those four out of the top five "Top 10 Worst Spam
Service ISPs" who are based in the USA.

The use of zombie computers to transmit Unsolicited Bulk Email is
a symptom. The ROKSO spammers listed (and the Internet Service
Providers who knowingly support them) are the epicentre of the disease.

--
Anthony
ant...@catfish.demon.co.uk

David G. Bell

Jun 3, 2005, 3:08:59 AM
On Friday, in article <ba8Vw8AAo8nCFA5$@highwayman.com>
ric...@highwayman.com "Richard Clayton" wrote:

> In article <34ft915jnkcgpebq1...@4ax.com>, Marc Brett
> <ma...@fordson.demon.co.uk> writes
>

> >* identify computers that are sending atypical amounts of email, and take steps
> >to determine if the computer is acting as a spam zombie. When necessary,
> >quarantine the affected computer until the source of the problem is removed.
>
> Demon is way ahead of the game on this one. If other ISPs deployed the
> type of systems that Demon uses then the problem would be somewhat
> reduced! That's why James was indicating in another article how busy he
> is at the moment -- the automated systems are already flagging up the 60
> or so customers a day being infected by this week's virus...
>
> ... way ahead of incoming reports from recipients

I'm afraid that my experience of communication with Demon leaves me
feeling that it isn't worth the effort of trying to tell anyone. I
know, intellectually, that the Abuse Team is different, but I look at
all the badly addressed viral email this week (it's doing the message-ID
thing again), and I think of the work I'd have to do to make a report,
and my emotional reaction is fuck this for a game of soldiers. So I
just delete the crap.

If you want reports from recipients, Demon as a whole is going to have
to improve its communication image.

> >In a later phase, the Operation plans to notify Internet providers worldwide
> >that apparent spam zombies were identified on their systems,
>
> Demon could do that today :) I doubt most other ISPs' abuse teams could
> deal with the volume of reports :(

Announce that you intend to carry out a trial. Then flood their
systems. You'll have evidence against at least one naive solution.

--
David G. Bell -- SF Fan, Filker, and Punslinger.

"I am Number Two," said Penfold. "You are Number Six."

Richard Clayton

Jun 4, 2005, 1:03:02 PM
In article <20050603.07...@zhochaka.demon.co.uk>, David G. Bell
<db...@zhochaka.demon.co.uk> writes

>On Friday, in article <ba8Vw8AAo8nCFA5$@highwayman.com>
> ric...@highwayman.com "Richard Clayton" wrote:
>
>>the automated systems are already flagging up the 60
>> or so customers a day being infected by this week's virus...
>>
>> ... way ahead of incoming reports from recipients
>

>If you want reports from recipients,

it's not especially useful for virulent email worms... either the email
will have come from another ISP (in which case the Demon abuse team
cannot do very much, you should report it to the source) or the chances
are very high that it will have already been detected

>> >In a later phase, the Operation plans to notify Internet providers worldwide
>> >that apparent spam zombies were identified on their systems,
>>
>> Demon could do that today :) I doubt most other ISPs' abuse teams could
>> deal with the volume of reports :(
>
>Announce that you intend to carry out a trial. Then flood their
>systems. You'll have evidence against at least one naive solution.

that is, frankly, pretty dumb. Demon's abuse systems (and log
processing) are anything but that.
