Re: How to report a spam botnet
On Fri, 2012-11-23 at 02:25, Chih-Cherng wrote:
> Martin Gregorie writes:
> > On Tue, 2012-11-20 at 01:26, Chih-Cherng wrote:
> > > Notifications help raise victims' security awareness, and motivate
> > > them to fix vulnerabilities within their computers.
> >
> > I have my doubts about this. I have friends who help at retirees'
> > computer clubs and with disinfecting their friends' computers.
> >
> > The message I hear from them is that there are significant numbers of
> > users who refuse to help themselves: they don't/won't update their
> > system or their AV software, will click on anything, open any and all
> > mail and who won't learn that this is stupid behaviour. The reinfection
> > time for such gentry is about two weeks: it takes about that long before
> > they show up whining that their computer has become very slow again so
> > please do something about it.
>
> Having one's own computer compromised is not the privilege of old people.
> Companies like Google, RSA, etc. have all been hacked and got their
> computers infected with malware.

...and they have corporate policies, blacklists, AV licenses and sysadmins to keep software and AV stuff updated and, hopefully, to notice the changed mail pattern due to a resident bot. Besides, "getting hacked" != cluelessly opening an infected e-mail that got into your inbox because your AV software is out of date or nonexistent.

> Did they discover that immediately after being compromised? No. And no
> current anti-virus can detect every malware in existence.

Yes, but you evidently didn't read what I wrote: that there are PC users out there who are not only too clueless to make any attempt to protect their computer, but don't even take precautions after their PC has been infected and cleaned up. They typically don't even realise it was infected, just that "it's got very slow: can't you make it go faster".

> I think more reporting/notifications should be done, which inform the
> victims, computer-literate or not, of something wrong with their
> computers. There has already been much data collection about botnets and
> other security threats, but not enough information sharing and event
> reporting is being done.

How does that work then? If they won't install service packs or keep their AV software licensed and updated, what makes you think they'll change their habits enough to read or act on warnings about malware? Bear in mind that some of these are educated people: one of the worst repeat offenders I know is a retired teacher.

Martin
Re: How to report a spam botnet
Martin Gregorie writes:
> On Tue, 2012-11-20 at 01:26, Chih-Cherng wrote:
> > Notifications help raise victims' security awareness, and motivate them
> > to fix vulnerabilities within their computers.
>
> I have my doubts about this. I have friends who help at retirees'
> computer clubs and with disinfecting their friends' computers.
>
> The message I hear from them is that there are significant numbers of
> users who refuse to help themselves: they don't/won't update their
> system or their AV software, will click on anything, open any and all
> mail and who won't learn that this is stupid behaviour. The reinfection
> time for such gentry is about two weeks: it takes about that long before
> they show up whining that their computer has become very slow again so
> please do something about it.

Having one's own computer compromised is not the privilege of old people. Companies like Google, RSA, etc. have all been hacked and got their computers infected with malware. Did they discover that immediately after being compromised? No. And no current anti-virus can detect every malware in existence.

I think more reporting/notifications should be done, which inform the victims, computer-literate or not, of something wrong with their computers. There has already been much data collection about botnets and other security threats, but not enough information sharing and event reporting is being done.

Chih-Cherng Chin
Re: How to report a spam botnet
> It would likely be a good idea to block IPs in this list from using
> authenticated SMTP to relay, no?

Definitely not. We did so for one week for testing, and had a lot of trouble with customers, especially those using mobiles/smartphones. Don't do this.

This RBL only makes sense if you have different servers for receiving from external hosts and for customer access. Then, and only then, this list makes sense on the external receiving SMTP servers, but never on hosts with authenticated customer access.
Re: How to report a spam botnet
On 11/21/2012 01:44 AM, Matt wrote:
> > Spamhaus already do this. It's called the Exploits Block List (XBL):
> >
> > http://www.spamhaus.org/xbl/
> >
> > To quote:
> >
> > The Spamhaus Exploits Block List (XBL) is a realtime database of IP
> > addresses of hijacked PCs infected by illegal 3rd party exploits, including
> > open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with
> > built-in spam engines, and other types of trojan-horse exploits.
> >
> > /end quote
>
> It would likely be a good idea to block IPs in this list from using
> authenticated SMTP to relay, no?
>
> Is there a way in apache .htaccess to block access based on
> xbl.spamhaus.org? I want to block exploited IPs from webmail etc as well.

http://www.modsecurity.org/
Re: How to report a spam botnet
At 16:44 20-11-2012, Matt wrote:
> authenticated SMTP to relay, no?
>
> Is there a way in apache .htaccess to block access based on
> xbl.spamhaus.org? I want to block exploited IPs from webmail etc as well.

http://www.lucaercoli.it/mod_spamhaus.html

Regards,
-sm
Re: How to report a spam botnet
> Spamhaus already do this. It's called the Exploits Block List (XBL):
>
> http://www.spamhaus.org/xbl/
>
> To quote:
>
> The Spamhaus Exploits Block List (XBL) is a realtime database of IP
> addresses of hijacked PCs infected by illegal 3rd party exploits, including
> open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with
> built-in spam engines, and other types of trojan-horse exploits.
>
> /end quote

It would likely be a good idea to block IPs in this list from using authenticated SMTP to relay, no?

Is there a way in apache .htaccess to block access based on xbl.spamhaus.org? I want to block exploited IPs from webmail etc as well.
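The XBL lookup that this question and the replies above it argue about, as an added example (not code from any of the posters, nor from Spamhaus or mod_spamhaus): build the reversed-octet query name for xbl.spamhaus.org, decode the answer, and apply the list only where the reply about mobile customers says it belongs, unauthenticated traffic on the external MX, never the submission service. The resolver is pluggable so the example runs offline; the fake listings and the TEST-NET addresses are constructed. Assumed from the published Spamhaus documentation rather than from the thread: 127.0.0.4 to 127.0.0.7 means listed in the XBL and 127.255.255.0/24 means the query itself was refused, which is the answer a DNSBL client must not treat as a listing.

```python
"""XBL lookup and where to apply it (added example, not code from the posts).

Assumes the xbl.spamhaus.org zone named in the thread and the return codes
Spamhaus publishes: 127.0.0.4-127.0.0.7 = listed in the XBL,
127.255.255.0/24 = the query was refused (not a listing). The fake resolver and
the TEST-NET addresses used when testing are constructed.
"""
import ipaddress
import socket
from typing import Callable, Optional

XBL_ZONE = "xbl.spamhaus.org"
Resolver = Callable[[str], Optional[str]]

# Local ranges are never listed and must not be sent to the DNSBL at all.
_NEVER_QUERY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_LISTED = ipaddress.ip_network("127.0.0.0/24")      # listing codes live here
_ERROR = ipaddress.ip_network("127.255.255.0/24")   # query refused / rate limited


def dnsbl_name(ip: str, zone: str = XBL_ZONE) -> str:
    """1.2.3.4 -> 4.3.2.1.xbl.spamhaus.org (reversed octets, then the zone)."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example; IPv6 uses reversed nibbles")
    return ".".join(reversed(ip.split("."))) + "." + zone


def socket_resolver(name: str) -> Optional[str]:
    """Live A-record lookup. NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def xbl_verdict(ip: str, resolver: Resolver = socket_resolver, zone: str = XBL_ZONE) -> str:
    """Return 'skip', 'clean', 'listed', 'error' or 'unexpected' for a client IP.

    An answer in 127.255.255.0/24 means the DNSBL refused the query (open
    resolver, query limit, typo in the zone name). Treating it as a listing
    would reject every client, so it is reported separately and never blocked on.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _NEVER_QUERY):
        return "skip"
    answer = resolver(dnsbl_name(ip, zone))
    if answer is None:
        return "clean"
    code = ipaddress.ip_address(answer)
    if code in _ERROR:
        return "error"
    if code in _LISTED and 4 <= int(answer.rsplit(".", 1)[1]) <= 7:
        return "listed"
    return "unexpected"


def should_reject(ip: str, port: int, sasl_authenticated: bool,
                  resolver: Resolver = socket_resolver) -> bool:
    """Apply the XBL only on the external MX: unauthenticated connections to port 25.

    Submission (587/465) and any SASL-authenticated session are never judged by
    the XBL: customers behind mobile or NAT networks legitimately submit from
    addresses that are listed because of someone else's infected host.
    """
    if port != 25 or sasl_authenticated:
        return False
    return xbl_verdict(ip, resolver) == "listed"


if __name__ == "__main__":
    import sys
    for client_ip in sys.argv[1:]:
        print(client_ip, xbl_verdict(client_ip))
```

Run it as `python xbl_check.py 192.0.2.10` to see a live verdict; the same `should_reject` test belongs in the webmail front end the question asks about, with `port` and `sasl_authenticated` replaced by whatever tells you the request is an unauthenticated login attempt.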
Re: How to report a spam botnet
On 11/20/12 4:51 PM, Dave Warren wrote:
> Don't get me wrong, outbound spam filtering is a great idea, but it
> should be done by the MSA, not at the ISP level as ISPs have no clue as
> to what type of activity is legitimate or not for a particular user.

Well said :-)
Re: How to report a spam botnet
On 20/11/12 20:26, Cathryn Mataga wrote:
> Easy enough to block #25 by default -- turn it on for anyone who asks.

Indeed.

> I think the idea of a botnet black hole list is great, really.

Spamhaus already do this. It's called the Exploits Block List (XBL):

http://www.spamhaus.org/xbl/

To quote:

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

/end quote

Spamassassin already queries the Spamhaus lists, including the XBL - feel free to increase the scores to "black hole" any hits. Alternatively, many mail admins query Spamhaus lists during the smtp transaction and reject mail outright.
Re: Stopping abusive machines (was Re: How to report a spam botnet)
On 11/20/2012 07:17, David F. Skoll wrote:
> Would you approve of a Ralph Nader-like approach of suing Microsoft
> for knowingly producing defective and insecure software? Detroit was
> shamed, bullied and sued into improving the safety of its cars; do you
> think that could work with Microsoft?

Given that Microsoft Windows security is pretty decent these days, I doubt you'd do much good suing Microsoft. Going after Java and Adobe would be far more productive since they make products with significant security flaws.

Unfortunately the biggest problem these days is that users willingly agree and install whatever crosses their path without understanding the implications of running third party code.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: How to report a spam botnet
On 11/20/2012 04:29, Jason Ede wrote:
> However, ISPs blocking smtp ports for suspected spammers would help...
> Ideally they'd block all traffic on port 25 or 587 not sent through
> their SMTP engine which would do some basic spam checks...

Please don't ever suggest blocking port 587. Using port 587 is the solution, not part of the problem.

Don't get me wrong, outbound spam filtering is a great idea, but it should be done by the MSA, not at the ISP level as ISPs have no clue as to what type of activity is legitimate or not for a particular user.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: How to report a spam botnet
On 11/20/2012 4:29 AM, Jason Ede wrote:
> However, ISPs blocking smtp ports for suspected spammers would help...
> Ideally they'd block all traffic on port 25 or 587 not sent through
> their SMTP engine which would do some basic spam checks...

Easy enough to block #25 by default -- turn it on for anyone who asks.

I think the idea of a botnet black hole list is great, really. Best if support could be integrated into routers, though maybe enough to start just to make a linux/unix program to do this to prove the concept. Would be handy for online forums where the bots are posting comment spam all the time.

https://www.projecthoneypot.org/

I think this site, projecthoneypot, is similar? Though maybe something that targets the bot nets specifically would be useful? I'm not sure. Really I'm just an end user here.
Re: Stopping abusive machines (was Re: How to report a spam botnet)
On 11/20/2012 12:37 PM, David F. Skoll wrote:
> > Ignorance is no defence, at least in the UK.
>
> In Canada, ignorance of the law is no defence, but ignorance of the
> facts is. In other words, if you're completely ignorant of the fact
> that your computer is a botnet member, it could be a defence.

I would say that many laws in the US require intent. Similar concept I think, in perhaps a slightly different logic.

Regards,
KAM
Re: How to report a spam botnet
On Tue, 20 Nov 2012, Robert A. Ober wrote:
> On 11/20/12 6:29 AM, Jason Ede wrote:
> > However, ISPs blocking smtp ports for suspected spammers would help...
> > Ideally they'd block all traffic on port 25 or 587 not sent through
> > their SMTP engine which would do some basic spam checks...
>
> Which might block my legitimate server and some of my clients who are
> on Comcast Business. This has been brought up frequently but is a bad
> idea. Too often folks in larger organizations forget about us little guys.

Comcast Business would probably have different default policies than Comcast Residential.

Also, ISPs doing this *should* have an exception-by-request policy.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Men by their constitutions are naturally divided in to two parties:
1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes.
2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests.
-- Thomas Jefferson
---
173 days since the first successful private support mission to ISS (SpaceX)
Re: Stopping abusive machines (was Re: How to report a spam botnet)
On Tue, 20 Nov 2012 17:09:27, Ned Slider wrote:
> > > Personally I'd like to see some large corporates go after some
> > > infected home users in the courts for wilful damage.
> > I think they'd lose. Most home users could make a compelling case
> > that they were unaware of the infection and lacked the technical
> > know-how to prevent it or clean it up.
> Ignorance is no defence, at least in the UK.

In Canada, ignorance of the law is no defence, but ignorance of the facts is. In other words, if you're completely ignorant of the fact that your computer is a botnet member, it could be a defence.

> I lack the technical skills to ensure my car is safe to drive on public
> highways but the law compels me to make it so regardless. Why should the
> Information Superhighway be treated any differently? The damage caused is
> just as costly to the victims, if not life threatening.

I agree to some extent, but the situations are not exactly comparable. Would you propose requiring people who want to use the Internet to first take an "Internet Driving Test"?

> > Would you approve of a Ralph Nader-like approach of suing Microsoft
> > for knowingly producing defective and insecure software? Detroit
> > was shamed, bullied and sued into improving the safety of its cars;
> > do you think that could work with Microsoft?
> I don't know who Ralph Nader is.

He's a consumer-rights crusader who led a high-profile campaign against unsafe cars. http://en.wikipedia.org/wiki/Ralph_nader

[...]

> Equally though, I am in absolutely no doubt that ISPs will never fine
> their own users unless they are legally required to do so - it would
> simply be bad business.

Ah, well... there's a good opening for legislation.

> Probably a better proposition would be to fine the ISP for every
> infected PC on their network - that would get their attention.

Proving that would be tough.

Anyway, I think we're dreaming here and drifting somewhat OT...

Regards,

David.
Re: Stopping abusive machines (was Re: How to report a spam botnet)
On 20/11/12 15:17, David F. Skoll wrote:
> On Tue, 20 Nov 2012 15:10:57, Ned Slider wrote:
> > Personally I'd like to see some large corporates go after some
> > infected home users in the courts for wilful damage.
>
> I think they'd lose. Most home users could make a compelling case
> that they were unaware of the infection and lacked the technical
> know-how to prevent it or clean it up.

Ignorance is no defence, at least in the UK. I lack the technical skills to ensure my car is safe to drive on public highways but the law compels me to make it so regardless. Why should the Information Superhighway be treated any differently? The damage caused is just as costly to the victims, if not life threatening.

> > You wouldn't be allowed to take a vehicle unfit for purpose on the
> > public highway and cause damage to others without facing some form
> > of recompense. So why do we allow PCs unfit for purpose on the
> > public Internet and let the owners get away with the damage they
> > cause? They need to be held responsible.
>
> Would you approve of a Ralph Nader-like approach of suing Microsoft
> for knowingly producing defective and insecure software? Detroit
> was shamed, bullied and sued into improving the safety of its cars;
> do you think that could work with Microsoft?

I don't know who Ralph Nader is.

I believe that case has already been fought and lost - I believe a judge has already ruled that it's unreasonable to expect something as complex as a modern OS (with many millions of lines of code) not to have flaws. Not saying I necessarily agree, but...

> And who would you go after to improve the safety of open-source
> systems like Linux?

I would suspect the above ruling sets a precedent that would similarly apply to Linux, but I'm not a lawyer.

> I think ISPs imposing penalties for abusers is more realistic than
> any options through the courts.

You are probably right.

Major copyright holders have very publicly pursued members of the public guilty of downloading copyrighted material but yet that seems to have done little to change attitudes or stop the offence, so I doubt my proposal would fare any better.

Equally though, I am in absolutely no doubt that ISPs will never fine their own users unless they are legally required to do so - it would simply be bad business. ISPs simply do not care if their home users are infected - it makes absolutely no difference to them. They have the tools to detect and prevent wide scale abuse yet very few do because it adds a cost implication with little or no perceivable benefit to the customer.

Probably a better proposition would be to fine the ISP for every infected PC on their network - that would get their attention. Then they are free to pass on that cost to the infected user should they wish. Or they could just choose to run a tighter ship in the first place to minimize fines/costs.
Re: How to report a spam botnet
On Tue, 2012-11-20 at 10:14 -0600, Robert A. Ober wrote:
> Which might block my legitimate server and some of my clients who are on
> Comcast Business. This has been brought up frequently but is a bad
> idea. Too often folks in larger organizations forget about us little guys.

So you think that, just because you're a 'little guy', you should be allowed to go on running your business from infected computers without cleaning them up?

Martin
Re: How to report a spam botnet
On 11/20/12 6:29 AM, Jason Ede wrote:
> However, ISPs blocking smtp ports for suspected spammers would help...
> Ideally they'd block all traffic on port 25 or 587 not sent through
> their SMTP engine which would do some basic spam checks...

Which might block my legitimate server and some of my clients who are on Comcast Business. This has been brought up frequently but is a bad idea. Too often folks in larger organizations forget about us little guys.

Robert A. Ober
Stopping abusive machines (was Re: How to report a spam botnet)
On Tue, 20 Nov 2012 15:10:57, Ned Slider wrote:
> Personally I'd like to see some large corporates go after some
> infected home users in the courts for wilful damage.

I think they'd lose. Most home users could make a compelling case that they were unaware of the infection and lacked the technical know-how to prevent it or clean it up.

> You wouldn't be allowed to take a vehicle unfit for purpose on the
> public highway and cause damage to others without facing some form
> of recompense. So why do we allow PCs unfit for purpose on the
> public Internet and let the owners get away with the damage they
> cause? They need to be held responsible.

Would you approve of a Ralph Nader-like approach of suing Microsoft for knowingly producing defective and insecure software? Detroit was shamed, bullied and sued into improving the safety of its cars; do you think that could work with Microsoft?

And who would you go after to improve the safety of open-source systems like Linux?

I think ISPs imposing penalties for abusers is more realistic than any options through the courts.

Regards,

David.
Re: How to report a spam botnet
On 20/11/12 14:30, David F. Skoll wrote:
> On Tue, 20 Nov 2012 14:26:49, Martin Gregorie wrote:
> > Nah, prevent all connections except HTML and SMTP/POP3 to the ISPs
> > help desk and set of 'clean your act up' pages, so they can't ignore
> > the mess their computer is in.
>
> And have escalating charges for reinstating Internet access after a
> machine has been compromised:
>
> First time: Free
> Second time: $25
> Third time: $50
> Subsequently: $100
>
> Wait... are those flying pigs I see out my window?
>
> Regards,
>
> David.

and therein lies the gulf between ideal and reality :-)

Personally I'd like to see some large corporates go after some infected home users in the courts for wilful damage. You wouldn't be allowed to take a vehicle unfit for purpose on the public highway and cause damage to others without facing some form of recompense. So why do we allow PCs unfit for purpose on the public Internet and let the owners get away with the damage they cause? They need to be held responsible.

JMHO
Re: How to report a spam botnet
On Tue, 20 Nov 2012 14:26:49, Martin Gregorie wrote:
> Nah, prevent all connections except HTML and SMTP/POP3 to the ISPs
> help desk and set of 'clean your act up' pages, so they can't ignore
> the mess their computer is in.

And have escalating charges for reinstating Internet access after a machine has been compromised:

First time: Free
Second time: $25
Third time: $50
Subsequently: $100

Wait... are those flying pigs I see out my window?

Regards,

David.
Re: How to report a spam botnet
On Tue, 2012-11-20 at 12:29, Jason Ede wrote:
> However, ISPs blocking smtp ports for suspected spammers would
> help... Ideally they'd block all traffic on port 25 or 587 not sent
> through their SMTP engine which would do some basic spam checks...

Nah, prevent all connections except HTML and SMTP/POP3 to the ISPs help desk and set of 'clean your act up' pages, so they can't ignore the mess their computer is in.

You'll note that I said this would require concerted action from all ISPs so the clueless punter can't simply swap their provider without cleaning their act up.

Martin
Re: How to report a spam botnet
On 11/20/12 1:29 PM, Jason Ede wrote:
> However, ISPs blocking smtp ports for suspected spammers would help...
> Ideally they'd block all traffic on port 25 or 587 not sent through their
> SMTP engine which would do some basic spam checks...
>
> > -----Original Message-----
> > From: Martin Gregorie [mailto:mar...@gregorie.org]
> > Sent: 20 November 2012 11:29
> > To: users@spamassassin.apache.org
> > Subject: Re: How to report a spam botnet
> >
> > On Tue, 2012-11-20 at 01:26, Chih-Cherng wrote:
> >
> > > Notifications help raise victims' security awareness, and motivate them
> > > to fix vulnerabilities within their computers.
> >
> > I have my doubts about this. I have friends who help at retirees' computer
> > clubs and with disinfecting their friends' computers.
> >
> > The message I hear from them is that there are significant numbers of users
> > who refuse to help themselves: they don't/won't update their system or
> > their AV software, will click on anything, open any and all mail and who
> > won't learn that this is stupid behaviour. The reinfection time for such
> > gentry is about two weeks: it takes about that long before they show up
> > whining that their computer has become very slow again so please do
> > something about it.
> >
> > I'm not sure what, if anything, can be done about such computer owners
> > apart from repairing their machine with a 5 kg lump hammer, though a
> > general ISP agreement to auto-disconnect infected computers may well
> > help. Fat chance of that, though.

At my previous $dayjob I handled incoming abuse complaints for consumer-grade DSL/fiber customers. Problematic lines would get their SMTP traffic cut (outgoing port 25) along with educational e-mails/phone calls. Repeat offenders without any clue ended up on this list long-term, simply because they didn't understand our messages to them, and they never cared because they used instead of desktop MUAs anyway. This way, the problem ended under the carpet.

Not very satisfactory, but ending contracts was indeed no real option, if only because the customer simply does not understand the problem he's being accused of (no matter how much time you spend on educating).

-- 
Tom
Re: How to report a spam botnet
On Tue, 20 Nov 2012 12:29:00, Jason Ede wrote:
> However, ISPs blocking smtp ports for suspected spammers would
> help... Ideally they'd block all traffic on port 25 or 587 not sent
> through their SMTP engine which would do some basic spam checks...

They shouldn't (and typically don't) block 587 (or 465), since that's used for mail submission to third-party ESPs. It's in no-one's interest to block that.
RE: How to report a spam botnet
However, ISPs blocking smtp ports for suspected spammers would help... Ideally they'd block all traffic on port 25 or 587 not sent through their SMTP engine which would do some basic spam checks...

> -----Original Message-----
> From: Martin Gregorie [mailto:mar...@gregorie.org]
> Sent: 20 November 2012 11:29
> To: users@spamassassin.apache.org
> Subject: Re: How to report a spam botnet
>
> On Tue, 2012-11-20 at 01:26, Chih-Cherng wrote:
>
> > Notifications help raise victims' security awareness, and motivate them
> > to fix vulnerabilities within their computers.
>
> I have my doubts about this. I have friends who help at retirees' computer
> clubs and with disinfecting their friends' computers.
>
> The message I hear from them is that there are significant numbers of users
> who refuse to help themselves: they don't/won't update their system or
> their AV software, will click on anything, open any and all mail and who won't
> learn that this is stupid behaviour. The reinfection time for such gentry is
> about two weeks: it takes about that long before they show up whining that
> their computer has become very slow again so please do something about it.
>
> I'm not sure what, if anything, can be done about such computer owners
> apart from repairing their machine with a 5 kg lump hammer, though a
> general ISP agreement to auto-disconnect infected computers may well
> help. Fat chance of that, though.
>
> Martin
Re: How to report a spam botnet
On Tue, 2012-11-20 at 01:26, Chih-Cherng wrote:
> Notifications help raise victims' security awareness, and motivate them
> to fix vulnerabilities within their computers.

I have my doubts about this. I have friends who help at retirees' computer clubs and with disinfecting their friends' computers.

The message I hear from them is that there are significant numbers of users who refuse to help themselves: they don't/won't update their system or their AV software, will click on anything, open any and all mail and who won't learn that this is stupid behaviour. The reinfection time for such gentry is about two weeks: it takes about that long before they show up whining that their computer has become very slow again so please do something about it.

I'm not sure what, if anything, can be done about such computer owners apart from repairing their machine with a 5 kg lump hammer, though a general ISP agreement to auto-disconnect infected computers may well help. Fat chance of that, though.

Martin
Re: How to report a spam botnet
Michael Monnerie writes:
> [crosspost postfix-users and spamassassin-users]
>
> On Sunday, 18 November 2012, 14:08:08, Michael Monnerie wrote:
> > How should we report those IPs, is there a "anti botnet unit"
> > somewhere?
>
> Lets concentrate back on the subject, I got this answer:
>
> > normally it makes no sense to report botnets
>
> And this is what makes me worry. Botnets are today's biggest source of
> spam, and nobody has ever started to fight it really? There are tons of
> tools for every small issue, but nothing to cope with the biggest shit?

I have been reporting suspected botnets' IPs to ISPs/CERTs for 3 years. I have listed the numbers of bots detected and notified, top 10 countries and networks every day at http://botnet-tracker.blogspot.com/

You won't expect security companies to do this. Their businesses depend on cyber security events taking place. As botnets are cyber criminals' favorite tool, reducing the number of infected computers does no good for security companies.

Contrary to many posts here, I believe botnet notification is a very effective anti-botnet measure. The scaring power of botnets comes from their staggering number. The reason why they could grow so huge is because the victims have no idea that their computers have been infected, so as time passes, botnets attain their formidable size. Notifications help raise victims' security awareness, and motivate them to fix vulnerabilities within their computers. On the contrary, merely taking down C&C servers of botnets will not be effective. Software vulnerabilities remain unfixed, so it's easy for the victims' computers to get re-infected.

There is no central botnet reporting site, as far as I know. You have to collect abuse contacts from the WHOIS database, and send your notification to each corresponding contact. Sometimes you can send aggregated notifications to national CERTs instead.

I have to rely on shell scripts to automate this task, as sending each notification manually is not possible for me.

Chih-Cherng Chin
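An added example of the notification step described in this post, not the poster's own shell scripts: bot sightings are aggregated per IP, each IP is mapped to an abuse contact, addresses already reported within the last week are held back so a contact is not mailed daily about the same host, one message per contact is rendered with UTC timestamps, and the per-network counts that the tracker publishes are summarised. The contact table and the sightings are constructed stand-ins (TEST-NET and CGNAT addresses); in practice the table is filled from WHOIS/RDAP abuse-contact lookups and the rendered messages are handed to an MTA, both of which are left out so the example runs offline. The mailbox names and the reporter address are assumptions.

```python
"""Per-contact botnet notifications (added example, not the poster's scripts).

The contact table and the sightings below are constructed; in production the
table comes from WHOIS/RDAP abuse-contact lookups and the rendered messages are
handed to an MTA. Both are left out so this runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed stand-in for WHOIS/RDAP results: network -> abuse mailbox.
ABUSE_CONTACTS = {
    "192.0.2.0/24": "abuse@example-isp.net",
    "198.51.100.0/24": "abuse@example-cable.example",
    "203.0.113.0/24": "cert@example-nren.example",
}

# Constructed sightings: (client IP, UTC timestamp, one line of evidence).
SIGHTINGS = [
    ("192.0.2.10", "2012-11-19T03:12:41Z", "smtp: 240 RCPT TO in 60 s, all rejected"),
    ("192.0.2.10", "2012-11-19T03:40:02Z", "smtp: XBL hit, HELO mismatch"),
    ("192.0.2.77", "2012-11-19T11:05:13Z", "smtp: XBL hit"),
    ("198.51.100.7", "2012-11-19T12:00:00Z", "ssh: 400 failed logins in 10 min"),
    ("203.0.113.9", "2012-11-19T18:30:45Z", "smtp: XBL hit"),
    ("100.64.1.5", "2012-11-19T19:00:00Z", "smtp: XBL hit"),   # CGNAT range, no contact
]


def parse_ts(ts: str) -> datetime:
    """Parse the naive UTC timestamps used above."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def contact_for(ip: str, contacts=ABUSE_CONTACTS):
    """Return the abuse mailbox whose prefix covers ip, or None (prefixes are disjoint)."""
    addr = ipaddress.ip_address(ip)
    for net, mailbox in contacts.items():
        if addr in ipaddress.ip_network(net):
            return mailbox
    return None


def build_reports(sightings, contacts=ABUSE_CONTACTS, already_notified=None,
                  now=None, resend_after=timedelta(days=7)):
    """Group sightings per IP, then per abuse contact.

    Returns (reports, unrouted, suppressed): reports maps mailbox -> rows of
    (ip, event_count, first_seen, last_seen, evidence); unrouted lists IPs with
    no contact; suppressed lists IPs notified less than resend_after ago.
    """
    already_notified = already_notified or {}
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    per_ip = {}
    for ip, ts, evidence in sightings:
        t = parse_ts(ts)
        rec = per_ip.setdefault(ip, {"count": 0, "first": t, "last": t, "evidence": []})
        rec["count"] += 1
        rec["first"] = min(rec["first"], t)
        rec["last"] = max(rec["last"], t)
        rec["evidence"].append(evidence)

    reports, unrouted, suppressed = defaultdict(list), [], []
    for ip, rec in per_ip.items():
        last_notice = already_notified.get(ip)
        if last_notice is not None and now - last_notice < resend_after:
            suppressed.append(ip)
            continue
        mailbox = contact_for(ip, contacts)
        if mailbox is None:
            unrouted.append(ip)
            continue
        reports[mailbox].append((ip, rec["count"], rec["first"], rec["last"], rec["evidence"]))
    for rows in reports.values():           # worst offenders first
        rows.sort(key=lambda r: (-r[1], ipaddress.ip_address(r[0])))
    return dict(reports), unrouted, suppressed


def render_message(mailbox: str, rows, reporter="abuse-reports@example.org") -> str:
    """One plain-text notification per contact; UTC timestamps, evidence capped at 3 lines."""
    lines = [
        f"To: {mailbox}",
        f"From: {reporter}",
        f"Subject: {len(rows)} suspected bot host(s) on your network",
        "",
        "The following addresses showed botnet behaviour against our servers.",
        "All times are UTC. Please forward to the customers concerned.",
        "",
    ]
    for ip, count, first, last, evidence in rows:
        lines.append(f"{ip}  events={count}  first={first:%Y-%m-%d %H:%M:%S}  last={last:%Y-%m-%d %H:%M:%S}")
        lines.extend(f"    {ev}" for ev in evidence[:3])
    return "\n".join(lines) + "\n"


def top_networks(reports, n=10):
    """Summary in the style of the tracker: contacts ranked by distinct bot count."""
    ranked = sorted(((mb, len(rows)) for mb, rows in reports.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:n]


if __name__ == "__main__":
    reports, unrouted, suppressed = build_reports(SIGHTINGS)
    for mailbox, rows in reports.items():
        print(render_message(mailbox, rows))
    print("no abuse contact:", unrouted, "| suppressed:", suppressed)
    print("top networks:", top_networks(reports))
```

The suppression window is the part worth keeping even if everything else is replaced: a contact that receives the same IP every day stops reading, which is the outcome the later posts in this thread describe.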
Re: How to report a spam botnet
On 19/11/12 06:18, Michael Monnerie wrote:
> [crosspost postfix-users and spamassassin-users]
>
> On Sunday, 18 November 2012, 14:08:08, Michael Monnerie wrote:
> > How should we report those IPs, is there a "anti botnet unit"
> > somewhere?
>
> Lets concentrate back on the subject, I got this answer:
>
> > normally it makes no sense to report botnets
>
> And this is what makes me worry. Botnets are today's biggest source of
> spam, and nobody has ever started to fight it really? There are tons of
> tools for every small issue, but nothing to cope with the biggest shit?

As others have stated, there are many very effective ways to fight botnet spam, it's just that reporting individual IP addresses isn't one of them.

To fight the spam at the recipient's end, things like Postscreen/Postgrey are hugely effective as are DNSBLs such as Spamhaus' PBL and XBL.

At source, many investigators have had great success taking down botnets by targeting command and control infrastructure or by bringing legal measures against those in control of them. ISPs are also more commonly blocking outbound smtp traffic from domestic IP ranges by default forcing users to use the ISP provided smarthosts.

To specifically address your query regarding reporting IP addresses - any ISP should be able to immediately see one of their hosts is spewing inordinate amounts of spam without you having to report the IP address - if they can't see this (and do something about it) then they will very quickly find their way onto DNSBLs at which point the problem generally takes care of itself.

So generally there are better uses of one's time than reporting tens of thousands of infected IP addresses to their ISPs who should already have this information at their disposal.
Re: How to report a spam botnet
We are probably a little bit off topic here but it is an interesting subject.

My experience is that reporting a suspected bot is only effective if the receiver is a larger university or similar institution.

If some RBL provider wants to accept my lists with ssh and rdp scanners and bots which try to log on with stolen passwords I would be happy to provide. But in 95% of the cases the IP addresses are already listed somewhere else when I get hit.
Re: How to report a spam botnet
Michael Monnerie wrote:
> > > normally it makes no sense to report botnets
> >
> > And this is what makes me worry. Botnets are today's biggest source of
> > spam, and nobody has ever started to fight it really? There are tons of
> > tools for every small issue, but nothing to cope with the biggest shit?

A botnet is, first of all, a large collection of independent computers, often from all over the world. Many will be home machines, and a large proportion of these will have changing IP addresses.

Now, if you get access to the bot herder, you could probably have that one disconnected, and there is a vague chance that - as a last job - that system could try to inform all of the affected machines that they have been hacked.

Normally, you would have to deal with this issue on a per-provider basis, that is collect all evidence that many customers of, e.g. aon.at are affected and try to convince their abuse department to inform their clients about the problem.

Now consider real-life providers: one local tv cable company obviously sends all abuse mail to /dev/null (according to their chief security person they cannot find out who got a specific ip ... although it was still the same machine after 3 months), and the former German telecom monopoly does send out messages after they receive repeated complaints. In plain words: you notify them, allow 4 or 5 days for them to act, repeat, and again, and after a minimum of 2 or 3 weeks a notice might reach the victim.

BTW: the cable tv company I mentioned takes part in an anti-malware initiative sponsored by providers and the government - not sure what they are actually doing there.

Wolfgang Hamann
Re: How to report a spam botnet
On 19.11.2012 07:18, Michael Monnerie wrote:
> [crosspost postfix-users and spamassassin-users]
>
> On Sunday, 18 November 2012, 14:08:08, Michael Monnerie wrote:
>> How should we report those IPs, is there a "anti botnet unit"
>> somewhere?
>
> Lets concentrate back on the subject, I got this answer:
>
>> normally it makes no sense to report botnets
>
> And this is what makes me worry. Botnets are today's biggest source of
> spam, and nobody has ever started to fight it really? There are tons of
> tools for every small issue, but nothing to cope with the biggest shit?
>

Split up the problem: first try to solve your specific problem, analyse your logs, choose the tools which might help you fix "your" botnet problem, search list archives. Meanwhile watch, i.e., security news lists etc., for what security threats related to botnets are recent and what is done to fight them. Most botnets are based on security holes in software and operating systems used by criminals; it rarely makes sense to punish users for it, because they are victims too. However, SMTP people see a lot of botnet spam; this is only one part of the problem. Postfix etc. has few things to fight incoming spam; other questions are not really a topic of the postfix or spamassassin list, because they are based on more complex and different reasons.

Best Regards, Robert Schetterer
--
[*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
Re: How to report a spam botnet
On 11/19/2012 07:18 AM, Michael Monnerie wrote:
> [crosspost postfix-users and spamassassin-users]
>
> On Sunday, 18 November 2012, 14:08:08, Michael Monnerie wrote:
>> How should we report those IPs, is there a "anti botnet unit"
>> somewhere?
>
> Lets concentrate back on the subject, I got this answer:
>
>> normally it makes no sense to report botnets
>
> And this is what makes me worry. Botnets are today's biggest source of
> spam, and nobody has ever started to fight it really? There are tons of
> tools for every small issue, but nothing to cope with the biggest shit?

There are hundreds of entities fighting botnets (use Google). It's just that, afaik, none will accept a list of IPs from anybody and do much with them unless you become a trusted source. You need to get affiliated with one of these entities and help with whatever they require/use/do.

Axb
Re: How to report a spam botnet
[crosspost postfix-users and spamassassin-users]

On Sunday, 18 November 2012, 14:08:08, Michael Monnerie wrote:
> How should we report those IPs, is there a "anti botnet unit"
> somewhere?

Lets concentrate back on the subject, I got this answer:

> normally it makes no sense to report botnets

And this is what makes me worry. Botnets are today's biggest source of spam, and nobody has ever started to fight it really? There are tons of tools for every small issue, but nothing to cope with the biggest shit?

--
Kind regards,
Michael Monnerie, Ing. BSc
it-management Internet Services: Protéger
http://proteger.at [pronounced: Prot-e-schee]
Tel: +43 660 / 415 6531
Re: How to report a spam botnet
On 18.11.2012 19:35, Robert Schetterer wrote:
> On 18.11.2012 14:08, Michael Monnerie wrote:
>> We've got one user's e-mail password hacked, and at the same time a lot
>> of different IPs started to use that address. Here is the list. How
>> should we report those IPs, is there a "anti botnet unit" somewhere?
>> What is the best way to fight it?
>
> first secure the account,
> then consider using something like fail2ban to firewall auto
> if possible use i.e. postscreen, and rbls
> normally it makes no sense to report botnets
>
> Best Regards
> Robert Schetterer
>

Oops, that was a cross post to the postfix list, sorry.

Best Regards, Robert Schetterer
Re: How to report a spam botnet
On 18.11.2012 14:08, Michael Monnerie wrote:
> We've got one user's e-mail password hacked, and at the same time a lot
> of different IPs started to use that address. Here is the list. How
> should we report those IPs, is there a "anti botnet unit" somewhere?
> What is the best way to fight it?

first secure the account,
then consider using something like fail2ban to firewall auto
if possible use i.e. postscreen, and rbls
normally it makes no sense to report botnets

Best Regards, Robert Schetterer
How to report a spam botnet
We've got one user's e-mail password hacked, and at the same time a lot of different IPs started to use that address. Here is the list. How should we report those IPs, is there a "anti botnet unit" somewhere? What is the best way to fight it?

008.021.006.226 014.139.187.017 014.149.118.062 014.154.200.135 014.154.202.080 037.059.126.055 037.221.130.043 041.224.246.009 042.120.042.108 042.121.090.036 046.172.226.082 058.060.032.030 058.060.033.119 058.060.033.169 058.061.061.106 058.061.062.042 058.061.072.130 058.061.074.045 058.061.080.125 058.061.083.205 058.061.139.110 058.211.138.027 059.034.057.068 059.050.160.164 059.050.165.200 059.050.173.084 059.050.175.129 059.058.243.025 059.060.007.146 060.173.008.080 060.190.136.090 061.032.075.088 061.040.132.114 061.135.133.175 061.186.008.003 061.186.009.206 061.186.010.132 061.186.015.046 061.186.015.063 061.186.015.245 061.186.017.127 061.186.018.156 061.186.021.065 062.033.168.214 067.019.027.250 067.055.121.212 080.080.108.035 081.024.116.046 082.026.004.179 082.116.036.010 084.020.082.082 085.113.038.013 085.234.022.126 086.096.200.078 087.224.152.135 089.218.083.092 089.218.094.166 091.075.085.224 091.194.057.018 092.050.133.026 094.023.018.040 094.075.243.148 094.180.123.034 095.170.205.148 095.211.089.043 103.022.182.131 109.203.203.060 110.082.117.007 110.139.166.231 110.139.167.171 110.189.168.171 112.067.036.172 112.067.084.091 112.067.087.102 112.067.112.148 112.067.112.255 112.067.113.192 112.067.119.028 112.067.173.116 112.067.176.047 112.067.176.082 112.067.177.101 112.067.177.184 112.067.179.082 112.067.182.232 112.067.183.049 112.067.183.174 112.067.183.226 112.067.185.027 112.067.188.088 112.067.190.242 112.067.191.010 113.015.180.062 113.085.020.123 113.108.201.189 113.118.092.195 113.118.094.156 113.207.124.165 115.236.050.016 118.026.200.245 118.097.058.166 118.098.073.110 118.116.161.254 118.123.250.012 119.147.143.042 119.177.015.238 120.028.008.194 120.043.089.101 120.132.132.119 
121.022.034.166 121.058.235.130 121.206.075.065 122.166.119.208 122.170.116.178 122.225.202.018 123.147.247.096 125.007.221.146 125.079.092.024 125.079.092.084 125.088.125.201 130.185.104.080 140.240.002.024 140.240.002.088 140.240.003.131 140.240.005.087 140.240.006.037 140.240.008.186 140.240.011.042 140.240.016.005 140.240.016.169 140.240.022.003 140.240.024.018 140.240.027.004 140.240.247.235 140.240.253.245 177.043.059.146 178.074.103.049 178.207.158.230 178.211.050.083 180.143.184.246 180.149.096.069 180.250.144.210 182.073.108.034 182.133.123.050 182.255.000.039 183.014.121.227 183.014.124.120 183.039.181.122 186.201.116.194 187.052.171.114 187.059.087.082 187.078.031.182 187.115.052.040 189.108.118.194 190.085.096.173 190.094.003.090 190.187.057.130 190.189.090.132 190.202.116.101 190.223.053.198 193.039.118.019 193.255.143.063 195.016.049.214 196.203.071.082 198.144.187.074 199.058.185.162 200.031.105.172 200.160.111.154 200.175.044.223 200.206.014.026 201.018.107.234 201.077.202.068 201.086.129.043 202.067.012.162 202.067.235.123 203.086.060.018 207.194.087.105 212.075.136.248 212.117.174.064 212.144.254.122 213.247.184.145 217.018.137.130 217.024.114.114 217.147.232.030 217.219.123.059 218.001.098.013 218.005.074.199 218.063.168.253 218.065.230.131 218.067.082.171 218.067.083.117 218.077.192.156 218.077.198.087 218.094.107.004 220.161.133.203 220.163.044.188 220.196.042.048 221.007.215.248 221.214.221.148 221.234.024.046 222.078.127.223 222.189.152.068 222.197.214.091 222.218.182.000 222.218.182.249 222.255.027.223 223.004.241.231 223.198.162.062 223.199.128.154 223.199.129.073 223.199.129.202 223.199.130.046 223.199.131.114 223.199.139.229

--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://it-management.at Tel: +43 660 / 415 65 31
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.pgp.net Key-ID: 1C1209B4
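The situation in the original post (one stolen password, a flood of distinct client IPs suddenly authenticating as that user) and the advice in the replies (lock the account first, then block the sources; collect the evidence per network before approaching an abuse desk) as one worked example. This is code added for this thread, not anything a poster wrote or ships: the Postfix smtpd log format is real, but the log lines, the assumed year, the thresholds and the example.org accounts are all constructed. One caveat on the postscreen suggestion: postscreen only screens incoming port-25 connections and is not used on the submission port, so abuse of stolen credentials is caught at the SASL layer, which is what the log parsing below keys on.

```python
"""Spot the 'one account, many client IPs' pattern in Postfix smtpd logs,
then prepare the offending addresses for blocking and per-network reporting.
Added example for this thread; all sample data below is constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd logs a successful SASL login in this shape (real format,
# constructed values). Failed logins are 'warning: ... SASL ... failed' lines
# and are deliberately not matched here: we want the logins that succeeded.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+?\[(?P<ip>[0-9A-Fa-f.:]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)$"
)
LOG_YEAR = 2012  # syslog lines carry no year; assumed for the constructed sample

# Constructed log excerpt: 'victim' is the hijacked account, 'alice' a normal
# user seen from home and office. Client IPs are taken from the posted list.
SAMPLE_LOG = """\
Nov 18 13:00:01 mx postfix/smtpd[2201]: 1A2B3C4D5E: client=unknown[58.61.61.106], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 18 13:00:09 mx postfix/smtpd[2201]: 1A2B3C4D5F: client=unknown[112.67.36.172], sasl_method=LOGIN, sasl_username=victim@example.org
Nov 18 13:02:40 mx postfix/smtpd[2203]: 2B3C4D5E6F: client=home.isp.example[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 18 13:04:11 mx postfix/smtpd[2207]: 3C4D5E6F70: client=unknown[112.67.84.91], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 18 13:05:59 mx postfix/smtpd[2209]: 4D5E6F7081: client=unknown[140.240.2.24], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 18 13:07:13 mx postfix/smtpd[2209]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Nov 18 13:09:30 mx postfix/smtpd[2210]: 5E6F708192: client=unknown[140.240.2.88], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 18 13:12:02 mx postfix/smtpd[2213]: 6F708192A3: client=unknown[61.186.8.3], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 18 13:15:45 mx postfix/smtpd[2214]: 708192A3B4: client=office.example[203.0.113.50], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 18 13:18:27 mx postfix/smtpd[2216]: 8192A3B4C5: client=unknown[112.67.112.148], sasl_method=PLAIN, sasl_username=victim@example.org
"""


def parse_auth_events(lines):
    """Return [(timestamp, sasl_username, ip)] for authenticated smtpd
    sessions; unrelated lines (failed logins, bounces, ...) are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} " + " ".join(m["ts"].split()),
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], ipaddress.ip_address(m["ip"])))
    return events


def flag_accounts(events, window=timedelta(hours=1), max_distinct_ips=5):
    """Return {user: set of IPs} for accounts that logged in from more than
    max_distinct_ips distinct client addresses inside any span of `window`.
    A roaming user on laptop plus phone shows a handful of addresses a day;
    a password handed to a botnet shows dozens an hour. Tune the threshold to
    your own user base before wiring this to an automatic lockout."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):          # sliding window over sorted logins
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > max_distinct_ips:
                flagged.setdefault(user, set()).update(ips)
    return flagged


def normalize_zero_padded(text):
    """The posted list pads IPv4 octets to three digits ('014.139.187.017');
    current Python's ipaddress rejects leading zeros, so strip them first."""
    return ipaddress.ip_address(".".join(str(int(o)) for o in text.split(".")))


def group_by_prefix(ips, prefixlen=24):
    """Bucket addresses by network prefix (keys and values as strings) as a
    first cut for the per-provider evidence collection described in the
    thread; a whois/RDAP lookup per bucket then gives the abuse contact."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(str(ip))
    return {net: sorted(addrs, key=ipaddress.ip_address)
            for net, addrs in sorted(groups.items())}


def cidr_reject_table(groups):
    """Lines for a Postfix cidr: table (check_client_access cidr:/path)."""
    return [f"{net} REJECT client abused a compromised account" for net in groups]


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_LOG.splitlines())
    for user, ips in flag_accounts(events).items():
        print(f"{user}: {len(ips)} distinct client IPs in one hour; lock the account")
        for line in cidr_reject_table(group_by_prefix(ips)):
            print("  " + line)
```

Run against a real mail log, the account lockout is the first action, as Robert says; the cidr table is a stopgap that buys time while the password is reset, and the prefix buckets (try /16 as well as /24 on a list like the one posted, where whole blocks such as 112.67.x.x and 140.240.x.x recur) are what you attach when you do contact a provider's abuse desk.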