[Dshield] Spam Falloff (was Increased activity)

John D. lists at webcrunchers.com
Mon Aug 18 17:59:44 GMT 2003


>John,
>
>Funny that you mention that. I've noticed a significant drop in spam showing
>up in my inbox since the 11th of August (a 50% reduction). I had just thought it
>was spammers taking a vacation or something. :)
>
>Now I wonder if there was something else involved. Our ISP hasn't
>implemented any port blocking or anything that we know of (and they are very
>diligent in notifying us about any network changes).
>
>Maybe the spammer machines got infected? Anyone else have any ideas? Not
>that I mind - the reduced spam is a blessing. I'm just curious why all of a
>sudden it would fall way off.

It couldn't have been us.... (grin) but a few weeks ago, with heavy usage of SpamCrunchers, we did see a significant drop in the amount of spam, as it fingered the users who were infected with spam trojans, and automatically reported them to their ISP.

Speaking of spam trojans, we are collecting them for analysis. So if anyone has any info and where we can find copies of them, let me know. I spent some time checking the anti-spam sites, and so far, have not discovered any of them using this exploit.

I'm most interested in knowing what ports they use for their infected zombies.
Spam we get from ISPs like "comcast", or "attbi" usually indicates one of their customers is infected. We trace the spam back to the last gateway (usually the user - in the case of a zombie). We port scan their puter... (most of the time they are turned off), but we have collected some IP addresses anyway, and periodically scan them. It's produced some encouraging results. If we detect their puter is turned on, and the scan reveals the existence of the trojan by the existence of a listener on that port, we notify the ISP and tell them what's going on. Their IDS can then identify the trojan controller when they log in (provided we can furnish them with an IDS rule). Next time the spammer accesses the zombie, the IDS can pick it up. Now we have the controller's IP address.

Unfortunately, not all ISPs have IDS systems installed, and some would have to resort to sniffing the IP address of the customer, which they won't do, without permission of the PC user, for privacy concerns, but it IS a viable way to catch those trojan controllers if the ISP can negotiate with the user to allow them to sniff their IP.

Our Crunchbox, an ISP system, does this really well, but not everyone has one.
Once we added the MSBlaster snort rule, none of our PCs were infected, but we got a shitload of users that got added to our "shitlist", when the IDS picked it up. It detected the threat, blocked it, and we didn't even have to block port 135. ONLY the attackers were blocked. Of course we advised the PC owners to upgrade.

John
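
The "trace the spam back to the last gateway" step from the message above, as an added example that is not part of the original post and is not SpamCrunchers code. It assumes the receiving side knows its own relay addresses; the `TRUSTED_RELAYS` set, the function name and the sample message are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP; Mon, 18 Aug 2003 10:02:11 -0700
Received: from unknown (HELO mail.forged.example) ([198.51.100.77])
\tby mx1.example.net with SMTP; Mon, 18 Aug 2003 10:02:09 -0700
Received: from bank.example ([203.0.113.5])
\tby mail.forged.example with SMTP; Mon, 18 Aug 2003 09:58:00 -0700
From: someone@example.org
Subject: constructed sample

body
"""

TRUSTED_RELAYS = {"192.0.2.10"}  # assumption: addresses of our own relays
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_gateway(raw_message, trusted=TRUSTED_RELAYS):
    """Return the IP that handed the message to our infrastructure, or None.

    Received headers are read newest first. Only lines stamped by our own
    relays are reliable; everything below the first external hop was
    supplied by the sender and may be forged, so the walk stops there.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        # Look only at the "from ..." clause, not the receiving host.
        from_part = re.split(r"\sby\s", header, maxsplit=1)[0]
        match = IP_IN_BRACKETS.search(from_part)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. [999.1.1.1] in a mangled header
            continue
        if str(ip) in trusted or any(ip in net for net in INTERNAL_NETS):
            continue  # hop inside our own infrastructure, keep walking
        return str(ip)
    return None


if __name__ == "__main__":
    print(last_gateway(SAMPLE))
```

The address returned is the one an abuse report to the ISP would cite; the older `bank.example` line is ignored because nothing on the receiving side vouches for it.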