At 03:56 PM 12/17/2005, Pollywog wrote:
> On 12/17/2005 07:19 pm, Matt Kettler wrote:
>
> > Spammers of any decent sophistication have rather extensive networks of
> > zombies at their disposal that they can co-ordinate.
> >
> > Does this surprise you at all?
>
> Yes, because spammers are stupid and I had not seen this sort of distributed
> spamming before.


It is a gross and dangerous error to regard spammers as stupid. Sure, some of them are stupid, but not all are. There's plenty of evidence that much of our spam comes from highly organized, somewhat sophisticated, multi-person, multi-national spam gangs. To underestimate one's enemy is a grave error.

Large-scale spammers are working together with virus writers. Virus writers are installing backdoors that they can harvest and sell to spammers as mail relay bot-nets. Spammers are using these in performing very massive-scale dictionary scans.

I'm also fairly sure that the cycle comes full circle, and every time they find a valid address they kick off a few mail worms to it hoping to pick up a new bot. Virus begets spam begets more viruses.

This is also not the only sign we've seen of well-organized spam outfits. It's quite obvious spammers analyze anti-spam tools, including SpamAssassin, for weaknesses. Take the infamous bug 1589, which was exploited by spammers forging multiple different email clients to gain hefty negative scores.

Also take the current heavy exploitation of Geocities. This isn't just some idiot setting up a couple of pages on uk/de/br.geocities.com; they're using rapidly adapting automated scripts to bombard Geocities with these. They're probably using their botnets to create the registrations, which is why it looks like just a bunch of users from all over the place to Geocities. If it was all coming from a few IPs it'd be easy for them to stem it.

These guys aren't geniuses, but the top spammers are certainly more clever than most people think. We often assume their moral handicaps must have matching mental ones. That underestimation is one weapon the spammers, and other sociopaths, have on their side.

> It is rather clever because it can go unnoticed if one does
> not examine the system logs carefully and often.


At my site it happens at such a heavy rate that it's blatantly obvious. Dictionary attack probes are about 80% of the connections made to my mailserver. With that much scanning relative to actual mail delivery, the distributed nature becomes pretty obvious, as they're all consecutive in the mail logs. It's been going on at my site continuously since at least mid-2004.


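The distributed dictionary probing described in the message above, as an added example that is not part of the thread and not SpamAssassin code: a small log analyser that measures what fraction of SMTP events are "User unknown" rejects and then looks for the tell-tale pattern, consecutive rejected recipients walking a wordlist in alphabetical order while each probe arrives from a different client IP. It assumes Postfix-style smtpd log lines (the message does not say which MTA was in use), constructed sample lines, and illustrative thresholds (`min_run`, `min_ips`); the helper names `_reject`, `_accept`, `parse`, `longest_alpha_run` and `analyze` are all hypothetical.

```python
"""Spotting a distributed dictionary attack in MTA logs.

Added example; not code from the original thread. It assumes Postfix-style
smtpd log lines (the post does not say which MTA was in use) and runs over
constructed sample lines. A dictionary attack shows up as a stream of RCPT TO
probes for guessed local-parts, nearly all bouncing with "User unknown". When
successive guesses are alphabetical but each comes from a different client IP,
the scan is being spread across a botnet rather than run from one host.
"""
import re
from dataclasses import dataclass

# Postfix smtpd unknown-recipient reject, one RCPT probe per line (assumed format).
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?User unknown.*? to=<(?P<rcpt>[^>]+)>"
)
# Postfix smtpd client that got as far as a queue id, i.e. mail was accepted.
CLIENT_RE = re.compile(r": [0-9A-F]+: client=\S+\[(?P<ip>[^\]]+)\]")


@dataclass
class Reject:
    ip: str
    rcpt: str

    @property
    def local(self) -> str:
        return self.rcpt.split("@", 1)[0].lower()


def parse(log_text: str):
    """Return (rejected probes in log order, number of SMTP events seen).

    Simplification: each reject or accept line counts as one connection; a
    real analysis would key on Postfix's 'connect from' lines instead.
    """
    rejects, events = [], 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append(Reject(m["ip"], m["rcpt"]))
            events += 1
        elif CLIENT_RE.search(line):
            events += 1
    return rejects, events


def longest_alpha_run(rejects):
    """Longest run of consecutive rejects with strictly ascending local-parts.

    Returns (run_length, distinct_ips_in_run). A legitimate typo to an unknown
    user is an isolated reject; a harvester walking a wordlist produces a long
    ascending run, and a botnet-driven one spreads that run over many IPs.
    """
    best, start = (0, 0), 0
    for i in range(1, len(rejects) + 1):
        if i == len(rejects) or rejects[i].local <= rejects[i - 1].local:
            run = rejects[start:i]
            best = max(best, (len(run), len({r.ip for r in run})))
            start = i
    return best


def analyze(log_text: str, min_run: int = 4, min_ips: int = 3) -> dict:
    """Summarise a log excerpt; thresholds are illustrative, not tuned values."""
    rejects, events = parse(log_text)
    run_len, run_ips = longest_alpha_run(rejects)
    if run_len >= min_run and run_ips >= min_ips:
        verdict = "distributed-dictionary-attack"
    elif run_len >= min_run:
        verdict = "dictionary-attack"
    else:
        verdict = "none"
    return {
        "events": events,
        "rejects": len(rejects),
        "reject_fraction": len(rejects) / events if events else 0.0,
        "longest_alpha_run": run_len,
        "ips_in_run": run_ips,
        "verdict": verdict,
    }


# --- constructed sample data (not real log lines) -------------------------
def _reject(ts, ip, rcpt):
    return (f"Dec 17 {ts} mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<promo@spam.example> "
            f"to=<{rcpt}> proto=ESMTP helo=<x>")


def _accept(ts, ip):
    return f"Dec 17 {ts} mx postfix/smtpd[4102]: 7A1B2C: client=mail.partner.example[{ip}]"


GUESSES = ["aaron@example.com", "abby@example.com", "adam@example.com", "adrian@example.com"]
BOT_IPS = ["192.0.2.10", "198.51.100.23", "203.0.113.77", "192.0.2.55"]

# One honest typo and one delivery from a partner, then an alphabetical walk of
# guessed local-parts with every guess coming from a different client IP.
DISTRIBUTED_LOG = "\n".join(
    [_reject("15:55:40", "192.0.2.200", "webmaster@example.com"),
     _accept("15:55:41", "192.0.2.200")]
    + [_reject(f"15:56:0{i}", ip, rcpt) for i, (ip, rcpt) in enumerate(zip(BOT_IPS, GUESSES))]
)
# The same walk from a single host: still a dictionary attack, not distributed.
SINGLE_SOURCE_LOG = "\n".join(
    _reject(f"15:56:0{i}", "192.0.2.10", rcpt) for i, rcpt in enumerate(GUESSES)
)

if __name__ == "__main__":
    print(analyze(DISTRIBUTED_LOG))
    print(analyze(SINGLE_SOURCE_LOG))
```

The alphabetical-run heuristic is only one signal; a harvester that shuffles its wordlist defeats it, while the reject fraction and the number of distinct probing IPs still hold up. Run it over a real excerpt by passing the file contents to `analyze` and compare `reject_fraction` against the 80% figure quoted above.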