[Dshield] Rise in UCE

JD lists at webcrunchers.com
Tue Jan 6 03:15:04 GMT 2004

On Jan 3, 2004, at 8:35 PM, Michael Leone wrote:

> Has anyone else seen a major rise in spam (UCE) in the past few days? 
> Even that this looks like a spike to an original incline of spam in 
> the last few months.

Yeah - this crap is getting out of hand.  How can we pressure the ISPs to crack down on people stupid enough to open attachments?  I don't know if anyone noticed, but in the past week a new virus was released in the wild, so be expecting more and more infected hosts that have to be shut down.

I've refined my spam reporting system to combine spam reports destined for a single ISP into one listing many IPs, so I can send 10 times more reports and use only 10% of the net bandwidth.  Now the ISPs get a daily dose of a big list of infected hosts they need to shut down.  So rather than send 150 individual spam reports to 'abuse at comcast.net', I just send them a list of 150 IP addresses that host infected trojans in just

> A lot of these messages also contain W32.Klez - Is this some sort of 
> attack? Or just general misbehavior from the peanut gallery?  Most 
> contain pornography site messages which get quite disgusting, 
> including very nasty images as well.

Have you ever examined the URLs for these nasty smut engines?  Have you ever noticed them having something like

or something like that?  This means this smut engine is someone's infected computer that they happen to leave turned on, with their DSL or cable modem.  Most cable modem providers don't allow web site hosting, so they use non-standard port numbers to slip beneath their radar.

These are nothing more than people's PCs running Wingate.  Spam and porn hosting.  How can we stop it?  Good question, and I have some suggestions, but ISPs and privacy advocates would shoot me for even considering this:

Write into the AUP that in order for people to connect to the internet, they HAVE to have their computer scanned for viruses and patched.  Filter ALL incoming attachments (most are already doing this), and of course if anyone's computer IS exploited, disconnect them immediately before any more damage can be done.  Of course, this is very BAD medicine.

In the meantime, report your spam.....  the more that gets reported, the faster they can be shut down.
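The consolidation JD describes above (one report per ISP's abuse mailbox listing every infected host once, instead of one message per spam) and the non-standard-port web servers he points at can both be shown in a small script. The following is an added example written for this archive page, not JD's reporting system or any DShield tool. It assumes constructed input lines of the form "timestamp source_ip url" using RFC 5737 documentation addresses and made-up hostnames, a constructed netblock-to-abuse-contact table standing in for the whois lookup a real reporter would do, and hypothetical function names (parse_reports, abuse_contact_for, nonstandard_port, consolidate, render_report).

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: one line per spam received, "timestamp source_ip url_seen_in_body".
# Addresses are RFC 5737 documentation ranges; nothing here is a real infected host.
SAMPLE_REPORTS = """\
2004-01-05T10:02:11 192.0.2.17 http://192.0.2.17:8080/
2004-01-05T10:05:43 192.0.2.17 http://192.0.2.17:8080/
2004-01-05T11:15:02 192.0.2.99 http://example.net/
2004-01-05T11:20:19 198.51.100.4 http://198.51.100.4:81/pics/
2004-01-05T12:40:00 203.0.113.250 http://203.0.113.250/
"""

# Constructed stand-in for a whois lookup: netblock -> abuse mailbox (hypothetical domains).
ABUSE_CONTACTS = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}

# Pre-parse the netblocks once, longest prefix first, so lookups are a simple scan.
_NETBLOCKS = sorted(
    ((ipaddress.ip_network(cidr), contact) for cidr, contact in ABUSE_CONTACTS.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def parse_reports(text):
    """Turn the constructed 'timestamp source_ip url' lines into (ts, ip, url) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, url = line.split(maxsplit=2)
        records.append((ts, ipaddress.ip_address(ip), url))
    return records


def abuse_contact_for(ip):
    """Longest-prefix match against the constructed table; None when no contact is known."""
    for net, contact in _NETBLOCKS:
        if ip in net:
            return contact
    return None


def nonstandard_port(url):
    """Return the explicit port when the URL is served off something other than 80/443."""
    port = urlsplit(url).port
    if port is None or port in (80, 443):
        return None
    return port


def consolidate(records):
    """Group spam sources by abuse contact; each source IP appears once with a message count."""
    per_contact = defaultdict(dict)
    for ts, ip, url in records:
        contact = abuse_contact_for(ip) or "unresolved"
        entry = per_contact[contact].setdefault(
            str(ip), {"count": 0, "first": ts, "last": ts, "ports": set()}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        port = nonstandard_port(url)
        if port is not None:
            entry["ports"].add(port)
    return dict(per_contact)


def render_report(contact, hosts):
    """Render one consolidated report: a header plus one line per infected host."""
    lines = [f"To: {contact}", f"Subject: {len(hosts)} infected host(s) on your network", ""]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        h = hosts[ip]
        note = f" serving on non-standard port(s) {sorted(h['ports'])}" if h["ports"] else ""
        lines.append(f"{ip}  {h['count']} message(s), {h['first']} .. {h['last']}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    for contact, hosts in consolidate(parse_reports(SAMPLE_REPORTS)).items():
        print(render_report(contact, hosts), end="\n\n")
```

Sources whose netblock is not in the table land under "unresolved" rather than being silently dropped, so the operator can see what still needs a manual whois; the per-host port note is there because, as the post says, a home machine answering web requests on a port like 8080 or 81 is a useful hint to the ISP's abuse desk that the host is compromised rather than a legitimate server.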


