http://australianit.news.com.au/articles/0,7204,8901975%5e15388%5e%5enbv%5e,00.html

Spam zombies on the rise
Anick Jesdanun

 MARCH 08, 2004 

 NEXT time you're looking for a culprit for all that junk mail flooding your
inbox, have a glance in the mirror.



Spammers are increasingly exploiting home computers with high-speed internet
connections into which they've cleverly burrowed.

 Email security companies estimate that between one-third and two-thirds of
unwanted messages are relayed unwittingly by PC owners who set up software
incorrectly or fail to secure their machines.

 David Lawrence, 43, owns such a computer, which turned into a "spam zombie"
when a virus infected it in October. Five or six spammers were using his
cable modem to remotely send pitches for products like Viagra and boosters
for mobile phone signals.

 "Spammers and the people who write these viruses ... is their life so void
that they feel they have to mess up other people?" said Lawrence. "To me,
it's criminal."

 The self-employed American businessman from Georgia said he learned of his
computer's culpability when his internet service got suspended. "I called to
find out what was going on because I knew I had the bill paid," he said.

 Lawrence is by no means alone.

 Hundreds of thousands of computers worldwide have been infected by SoBig
and other viruses that are programmed to spawn gateways, known technically
as proxies, to relay spam. Though Lawrence had antivirus software, he hadn't
kept it updated.

 It's ironic to the president of the security website myNetWatchman.com,
Lawrence Baldwin, that those afflicted by spam are also often its couriers.

 "That's further encouragement, justification for taking responsibility for
your own system," said Baldwin. "If you don't, you can be part of the very
problem you're complaining about."

 Any internet-connected computer could be running a proxy spam relay, but
most of the malicious programs are written specifically for PCs that run
Windows.

 In the past, some spammers had sought out and exploited internet-connected
computers with misconfigured networking software. The latest and growing
threat is code purposely written to create spam relay proxies as it is
spread by malicious viruses.

 "It's just going to get worse," said Ken Schneider, chief technology
officer at spam-filtering company Brightmail. "Traditionally, virus writers
were driven more by reputation and trying to impress each other. Now there's
an economic motive."

 In February, a proxy program called Mitglieder began installing itself on
computers infected by January's Mydoom outbreak, said Mikko Hypponen,
manager of antivirus research at F-Secure Corp in Finland. He said such
programs can also sneak in if computer owners fail to install patches to fix
known Windows flaws.

 The shift in spamming methods even prompted the US Federal Trade Commission
to issue a consumer alert in January. The advisory encouraged consumers to
use antivirus and firewall programs and to check "sent mail" folders for
suspicious messages.

 Others say home Windows users should also keep their operating systems up
to date by visiting windowsupdate.microsoft.com.

 "If your computer has been taken over by a spammer, you could face serious
problems," the FTC advisory wrote. "Your Internet Service Provider (ISP) may
prevent you from sending any email at all until the virus is treated, and
treatment could be a complicated, time-consuming process."

 In the early days, spammers sent out junk messages directly from their
machines. ISPs easily found them and closed their accounts.

 Spammers then looked for so-called open relays.

 These are typically mail servers at ISPs, often in Asia or South America,
carelessly configured so that anyone on the internet can send mail through
them without needing a password. The relays make messages appear to have
come from an ISP, not the spammer.

 But ISPs and anti-spam activists soon identified many of the open-relay
machines and either pressured their owners to stop or blocked messages from
them.

 Stymied by a more concerted effort by ISPs to lock down their internet mail
servers, the spammers turned to the less vigorously protected home machines.

 They are abundant and simple to find. Spammers can cover their tracks and
become virtually untraceable.

 "It pains me to say it, but it's very clever of the spammer to have thought
of this, getting legitimate PCs to send spam on their behalf," said Andrew
Lochart, director of product marketing at email security company Postini
Inc.

 Steve Atkins, chief technology officer at the anti-spam consultancy Word to
the Wise LLC, said some ISPs continue to be plagued by open-relay
techniques, but spammers generally don't bother with them anymore because
it's so much easier to have success with home machines.

 Where much of the spam previously flowed through China, South Korea, Brazil
and other countries whose ISPs left many relays open, it's now being
hastened by a North American trend: more high-speed cable and DSL
connections at home.

 Such proxies are especially frustrating for ISPs to identify and block,
said Mary Youngblood, abuse team manager at EarthLink Inc. She said some
stay open only for a few hours and disappear by the time ISPs catch on,
while newer ones reconfigure themselves constantly like chameleons on a
single machine.

 The more versatile the open proxy, the longer it takes to isolate.

 John Levine, co-author of Fighting Spam for Dummies, said the proliferation
of proxies could force ISPs to take such measures as limiting how many
messages a customer can send in a given time period.

 In the meantime, ISPs are often being forced to cut off their own
customers.

 "As a customer, to have someone just arbitrarily shut me off, that would
more than mildly displease me," said Walt Wyndroski, network operations
manager for CityNet, which had shut down Lawrence. "We try to think from the
customer's standpoint, but we also have to look at the larger view of the
health of the network itself."

 The Associated Press


---
This E-mail came from the Declude.JunkMail mailing list.