[Dshield] Rise in UCE

jayjwa jayjwa at atr2.ath.cx
Tue Jan 6 21:18:43 GMT 2004

On Mon, 5 Jan 2004, JD wrote:

> On Jan 3, 2004, at 8:35 PM, Michael Leone wrote:

> yea - this crap is getting out of hand.  How can we pressure the ISP's
> to crack down on people stupid enough
> to open attachments?

I personally think part of the answer is publication- post the names and
address of known virus & spam tolerant networks and prompt everyone that
runs an internet site to ban & blacklist them. They'll get the point when
no customer wants on board because no other host in the wide-open internet
will have anything to do with them. I already do this with some well-known
trouble-makers: ntlworld.com, rr.com dip.t-dialin.net, etc -all banned,
from all services. I heard about ntlworld.com customers complaining to
their provider because rr (that's RoadRunner ;) ) had blocked any and all
email for awhile. I'm small (tiny, I mean ;p ), but if major companies did
this, they'd be _forced_ to clean up. Many of these are repeat-offenders:
one host attempted to contact mine 5 times every hour for 2 weeks (dispite
being rejected from all email), attempting to deliver more of that
"Ms-Patch" (Win32.Swen virus). This is _after_ I had alerted them to their
virus infestation, provided proof, headers, other evidence, and even the
needed URL's and info to remedy the problem.

> I've refined my spam reporting system to combine spam reports destined
> to a single ISP into Many IP's,  so I can
> send 10 times more reports and use only 10% of net bandwidth.   Now the
> ISP's get a daily dose
> of a big list of infected hosts they need to shut down.  So rather then
> to send 150 individual spam reports to 'abuse at comcast.net',   I just
> send them a list of 150 IP addresses that host infected trojans in just
> email.

Unfortunately, alot of it falls on deaf ears. They hear $$$ first. If it
costs to do something, they'd rather do nothing. (But you do have the
right idea, IMO.)

> have you ever examined the URL's for these nasty smut engines?  have
> you ever noticed it having something like
> http://gordontower.com:8765/smut_here

I haven't seen many of these. I'd really hope that ISP's don't start
blocking random ports because of this kind of thing, that's like a few bad
apples ruining the bunch.

> Write into the AUP that in order for people to connect to the internet,
>   they HAVE to have their computer scanned for viruses and patched.

I do my homework, I know full-on what I'm doing...and I'll be damned if
anyone is going to scan ME. What's on my system is my biz- as long as it's
not affecting anyone else in a negative manner (and it's not). This policy
is about equal to forcing every Windows user to upgrade to a version of
Linux- that would solve the virus problem, too. First they look for
viruses, then copied software...then material they don't morally approve
of- next thing know you have harddisk censors telling you what you can and
can't save to your disk. (Kinda crazy, but it _could_ happen...)

> Filter ALL incoming attachments (most are already doing this),  and of
> course if anyone's computer IS exploited,  to disconnect them
> immediately before any more damage can be done.    Of course,  this is
> very BAD medicine.

But many don't...viruses sail right on in, infect unknowing users, turn
their machines into virus-spewing sites, and Woosh! back out to the
internet (to me & you) go the viruses, in exponential numbers. Heck,
there's still a great number of open-replay SMTP's out there...

Ultimately, it's about education of those that need it, and reprimanding
for those that know but choose to do wrong anyway. I still see people
posting in to USENET "alerting" others to a "new" virus- Swen, months
after the fact. Security is not a spectator-sport; it's an active process
of keeping up with currently occuring troubles, and obtaining the
nessesary patches/prevention. And for those (knowingly) hosting their own
spam-sites? They need to be disconnected. Permanently. The very few emails
that I got back from reporting a spammer to his ISP didn't do much to
encourage me. One stated that the offender had been "warned". Somehow I
don't think "warned" goes far enough.

[jayjwa] RLF#37

More information about the list mailing list