Re: Why can't ISPs stop spam/virus ?!

easy-lab_at_absamail.co.za
Date: 09/22/03


Date: 22 Sep 2003 09:26:43 GMT


> Oops! easy-lab@absamail.co.za was seen spray-painting on a wall:
> > Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> > of > 10Mb/hr ?
>
Christopher Browne <cbbrowne@acz.org> wrote:
> When there's a weekend in the way, yes.
>
> The _good_ staff programmers won't be interested in working the odd
> hours.
>
Perhaps, but some rightly describe this as a WAR !
Do they wait for the holidays to finish before they call in the _good_
firemen?

> > Why can't they route my (and other reporting victims) mail, through
> > a filter . There are several possible criteria for such a filter
> > (if the ISP can't see then I can provide the filtering parameters)
> > which would remove most of the recent disastrous spam/virus which
> > fills up our mailboxes in one hour, and blocks most valid posts.
>
> It turns out that the "possible criteria" aren't actually all that
> simple, not to do it _right_, anyways.
>
Apparently you're not aware of this (IMO starting on 18 Sept)
worm/virus/spam wave? My latest 10 loads of average 100 mails
each (fills my 10Mb quota) would be effectively filtered by the following:
   90% > 80Mb size
   60% has no 'Subject' or 'sender' in the header (which my dir shows)
   30% has "icrosoft" in the 'subject'
   10% I can supply a header attribute to the filter.
   
IMO this gives a very good 'kill-rate'. Much better than most treatments
in the medical profession.
   
> The much-loved "SpamAssassin" was letting most of them through, and
> some fairly smart people have worked on that one. ISP staff that are
> lucky if they know how to deal with all the hardware they bought
> aren't likely to do as well.
> --

I don't doubt that a small load of well designed spam can pass through.
This latest wave doesn't fit that description.

Jem Berkes <jem@users.pc9.EXTRA_org>
> My University uses Trend antivirus to scan incoming mail, and I've
> never seen a worm slip through.

Correct. Obviously attachments are easily identifiable.

> On my home server I use my own 'renattach' software which can kill
> incoming mail with 'banned' attachment filenames; unfortunately testing
> is still underway and this hasn't been released yet. It will be available
> under the GNU GPL hopefully within a month.

Not a moment too soon.
But the virii/worm/spam must be killed before it gets to (and fills up)
the recipient's mailbox.
In fact traps could be set out on the 'route' for:
    specified destination with trap criteria given by recipient.
    
Grant Edwards wrote:
> Decent ISPs have filters available. Mine runs stuff through
> Postini first, then provides procmail/SpamAssassin for use as a
> second stage. You need to get a decent ISP.
>
Yes, I just wanted to confirm before I fire my present ISP.
I could tolerate the standard spam, but this is a war, and I need
more advanced weapons. My hit rate is about 100/hr, but
some newsgroups talk about receiving 3000/hr !!

Paul Lutus (perhaps justifiably) ranted:
> Apart from the fact that all your suggestions are naive nonsense, there are
> some issues here you (and most people) do not understand. It has to do with
> the connection between virus writers and spammers.
>
Do you realise that you are a top-poster, in that you answer my
question(s) before they are asked?

> In the early days of spam, spammers would --[snip historical
description; useful/essential reading for those who don't know]--

> Here is a list of reasons spam cannot be stopped:
>
> 1. The method of distribution is now thousands of Windows computers,
> everywhere in the world, that are sending spam without the knowledge or
> consent of their owners. Result? You cannot filter by place of origin.
>
Yes. That's why I suggest that 'traps on the route' -- with AI methods
of 'moving' them closer to the origin will evolve.

> 2. The content is constantly varying, to avoid filtering methods. Result?
> You cannot filter by content.
>
IMHO virii/worms have easily identifiable contents?
For recipients who reject attachments from unauthorised senders ....

> Because of the above points, you cannot stop spam, you cannot easily trace
> it, and if someone goes to the trouble to locate a particular spamming
> computer, it is *by* *design* a single, expendable cell in a worldwide
> distributed network of the smallest possible cells -- end-user computers
> running Windows.
>
Yes. But I'm talking about virii/worms, not old-fashioned spam.

> Now think. What do Al Quaida and spammers have in common? Simple -- Al
> Quaida relies on small, distributed cells of undercover loyal operatives,
> ready to act when they receive a prearranged signal. In the same way, the
> computers taken over by the new crop of viruses and worms are the computer
> equivalent of terrorist cells and operatives -- they are hidden but deadly,
> and they await a signal to begin spamming. The computers are the
> footsoldiers of cyber-terrorists: the virus writers and spammers.
>
> The new virus programs have a huge internal list of Internet addresses they
> regularly poll for a message. The list is long obviously to make it more
> difficult to shut down all the sending sites, and perhaps to disguise the
> true trigger addresses. In the same way, an Al Quaida operative will have a
> phone book with a long list of phone numbers -- I mean, assuming the
> operative doesn't use encrypted e-mails for communication with his
> controllers.
>
> Make no mistake. In both cases, for both the concealed Al Quaida operative
> and the infected computer, we are talking about terrorist cells.
>
> According to a story I read yesterday, on Friday afternoon a teacher in a
> large public school in the southern US received one of the spam/virus
> e-mails disguised to seem to be a security alert from Microsoft, and,
> impressed by the thoughtfulness of MS, gratefully clicked the attachment.
> Fifteen minutes later the school was closed and the staff were gone for the
> weekend. It turns out the school's machines have fulltime, fast Internet
> access. This combination of factors has made the school a primary
> distribution center for the virus, issuing tens of thousands of copies per
> hour (using the large address books teachers are famous for compiling). Did
> I add that no one seems to have a key to the building?
>
> Now, let's return to the first line in your message:

> > Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> > of 10Mb/hr ?
>
> Don't you understand this is not a nuisance, it is a war? It will not stop
> until the spammers begin to take heavy casualties.
>
> Wake up and smell the capuccino. Once there is a death penalty for spammers
> and virus writers, the problem will begin to abate, *BUT* *NOT* *BEFORE*.
>
> Go ahead and laugh. Then start counting the days until such a seemingly
> ludicrous, off-the-wall suggestion begins to seem reasonable.
>
> As I write this, over half of the Internet's bandwidth is taken up
> distributing either viruses or spam messages. And in the new twist
> described here, once they take over some hapless user's machine, the
> viruses are designed to emit spam as well as copies of themselves.
>
OK; do you remember the days of the common aircraft hijacks?
BTW the dynamics are identical to those of e.g. foot-and-mouth
disease in livestock. And if those affected act like they did with
SARS (rather than as those affected acted for HIV) it can be
managed/controlled.
--------
Paul Lutus wrote:
> > Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
> > getting this? They've formed an alliance and are now creating virii and
> > worms of unprecedented sophistication. The purpose? To take over as many
> > *individual* Windows machines as possible, where they silently await a
> > signal to begin spamming. The present crop of virii and worms are written
> > very cleverly and are regularly updated to evade the filtering methods used
> > by the anti-virus companies. This means that existing virus filtering
> > methods *cannot* *possibly* *succeed*.

Ed Murphy wrote:
> But in the particular case of e-mail-borne viruses, don't the vast
> majority of the payloads still consist of attachments whose filename
> ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
> (when Swen finally pushed me to figure out fetchmail/procmail). Good
> ISPs should, or should offer options along those lines.
>
> > That takes care of the origin of the messages -- for all practical purposes
> > there isn't one that can be identified and controlled. As to the content of
> > spam messages including reply addressed and place of origin, it is trivial
> > to vary the language in an e-mail so that existing e-mail filtering methods
> > *cannot* *possibly* *succeed*.
>
> The content needs to include the message that the spammer wants to get
> across, in some sort of human-readable form, so that places some limits
> on how much it can vary. The actual variance is a lot smaller than it
> probably could be, presumably because spammers believe that most people
> (especially their target market) are too stupid to filter effectively.
>
That's right, and as in medicine, you don't need a 100% kill rate to be
effective.

> How would this stack up against Bayesian filtering? I can envision a
> particularly sharp ISP offering to do it for the user: "Forward your
> spam e-mails to spam@sharpisp.com, and our SmartSystem will automagically
> figure out how to identify and suppress future spam, based on the type of
> spam that *you* have been receiving! (You can review the suppressed
> messages at http://www.sharpisp.com/yourusername/spam/ - if a legitimate
> message is mistakenly identified as spam, then just click on it, and it
> will appear in your mailbox as normal. Messages stored here are deleted
> after X days.)"
>
This sounds good, except it is a 'network problem' (not just individual ISPs)
and will need to be handled at the network level.

> Then again, between the people computer-literate enough to do their own
> reasonably effective filtering, and the people computer-illiterate enough
> to either (a) get by with no filtering at all or (b) accept whatever
> filtering their ISP offers without asking questions, how much of a middle
> ground is there?
>
It's not good enough to be able to filter once it's in your mailbox.
In my case, and that of many other victims, the mailbox is disabled by overflow!!

== Chris Glur.
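The thread above lists several cheap, header-level criteria (message size, missing Subject or sender, "icrosoft" in the Subject, and, from Ed Murphy's reply, executable attachment filenames) that a first-stage filter could apply before a message reaches the mailbox. The following is an added example, not code from any poster in the thread; it implements those criteria as a small Python stage-one filter over raw RFC 822 messages. The size threshold, the list of banned attachment extensions and the sample messages are constructed assumptions chosen to illustrate the rules, not figures taken from the posts.

```python
"""Stage-one mail filter applying the header/size/attachment criteria
discussed in the thread. Added example; thresholds and samples are assumed."""
import email
import os
from email import policy

# Assumed threshold (bytes). The post's own size figure is its own; this is a stand-in.
MAX_SIZE_BYTES = 80 * 1024
# Assumed list of attachment extensions to refuse (not from the thread).
BANNED_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs", ".cmd"}
# Substring the post proposes matching in the Subject, compared case-insensitively.
SUBJECT_MARKERS = ("icrosoft",)


def attachment_names(msg):
    """Collect the declared filename of every non-multipart part that carries one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Trailing whitespace is a classic trick to hide the real extension.
            names.append(name.strip())
    return names


def classify(raw: bytes) -> list:
    """Return the list of rules a raw message trips; an empty list means deliver.

    Size is checked on the raw bytes before parsing so an oversize message is
    flagged even if its MIME structure is broken or hostile to the parser.
    """
    hits = []
    if len(raw) > MAX_SIZE_BYTES:
        hits.append("oversize")
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    sender = (msg.get("From") or "").strip()
    if not subject:
        hits.append("no-subject")
    if not sender:
        hits.append("no-sender")
    if any(marker in subject.lower() for marker in SUBJECT_MARKERS):
        hits.append("subject-marker")
    for name in attachment_names(msg):
        # splitext on the lowercased name handles double extensions like "doc.txt.exe".
        ext = os.path.splitext(name.lower())[1]
        if ext in BANNED_EXTENSIONS:
            hits.append("banned-attachment:" + name)
    return hits


# Constructed sample messages (not real captures).
WORM_LIKE = (
    b'From: "MS Security Center" <update@example.invalid>\r\n'
    b"To: victim@example.invalid\r\n"
    b"Subject: Latest Microsoft Critical Patch\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Install the attached patch.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="patch.exe"\r\n'
    b'Content-Disposition: attachment; filename="patch.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA\r\n"
    b"--b1--\r\n"
)
HEADERLESS = b"To: victim@example.invalid\r\n\r\nhi\r\n"
LEGIT = (
    b"From: colleague@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Meeting notes\r\n"
    b"\r\n"
    b"See you Tuesday.\r\n"
)
OVERSIZE = LEGIT + b"X" * (MAX_SIZE_BYTES + 1)


if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("headerless", HEADERLESS),
                       ("legit", LEGIT), ("oversize", OVERSIZE)):
        hits = classify(raw)
        print(label, "->", "quarantine " + ",".join(hits) if hits else "deliver")
```

Run as a script it prints a verdict per sample. In a real deployment the rules would sit in front of the mailbox (a milter or a procmail recipe on the ISP's delivery host, as Grant Edwards and Ed Murphy describe), since the post's point is that filtering after the quota is exhausted is too late; the size check is deliberately done on the raw bytes before any MIME parsing so a malformed message cannot bypass it.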


