News from PANUG/BizNix - October 21, 2003
http://panug.org - http://biznix.org

SPECIAL EDITION: COORDINATED SPAM ATTACKS
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

The article "Cloaking Device Made for Spammers" pointed out by Dick Pilz last week (http://panug.org/49) tells of a Polish hacker group that claims to have hijacked 450,000 Windows computers and is using them to send spam. The article focuses on how the group uses clever techniques to hide the identity (IP addresses) of the web servers used by the spammers. Details of how this is achieved were sparse in the article, but hijacking DNS servers was mentioned. I'm guessing that the group hijacked many of the BIND servers that are vulnerable to attack. Patching servers is not a problem confined to the Windows world.

Note that at the PANUG meeting last week, there was speculation that the IP addresses in e-mail message headers sent by the group were spoofed. This appears not to be the case. This assumption is germane to the rest of this article.

I just spent a few hours examining the log files of the SMTP servers that run the eScrubber service - a spam suppression service that my company offers. This service handles over 200,000 messages each month, of which more than half are spam. I found evidence of a highly-coordinated attack methodology for delivering spam mail.

I have an e-mail address that was harvested by spammers many years ago. I haven't used that address for many years, but it's still on some spammer lists. Today I discovered that spam sent to that address was sent in "bursts".
Here's a list of sites sending to my seldom-used e-mail address that were rejected by the eScrubber servers during a 3-minute period yesterday:

    21:29:10 alb-24-25-153-232.nycap.rr.com[24.25.153.232]
    21:29:14 ool-4354a252.dyn.optonline.net[67.84.162.82]
    21:29:17 c-67-162-195-202.client.comcast.net[67.162.195.202]
    21:29:20 c-24-131-246-43.mw.client2.attbi.com[24.131.246.43]
    21:29:23 ool-4354b10c.dyn.optonline.net[67.84.177.12]
    21:29:27 188rts38.wuh.wustl.edu[128.252.188.38]
    21:29:31 blk2-235-114.eastlink.ca[24.224.235.114]
    21:30:25 175.suab.chcg.cgcil01r18.dsl.att.net[12.102.133.175]
    21:30:33 pcp105914pcs.echryh01.nj.comcast.net[68.45.97.150]
    21:30:39 ACBC0FC4.ipt.aol.com[172.188.15.196]
    21:31:50 cpe-066-057-150-020.nc.rr.com[66.57.150.20]
    21:31:55 122-4.200-68.tampabay.rr.com[68.200.4.122]
    21:32:02 pcp01449001pcs.carlsl01.pa.comcast.net[68.83.53.254]
    21:32:07 ip142177048038.mpoweredpc.net[142.177.48.38]
    21:32:14 rdu163-50-037.nc.rr.com[24.163.50.37]
    21:32:21 CPE-24-94-191-123.kc.rr.com[24.94.191.123]
    21:32:47 va-winchester3c-38.wch.adelphia.net[67.20.51.38]
    21:32:56 pcp03078427pcs.hyatsv01.md.comcast.net[68.48.162.56]

No e-mail to that address was detected for 12 hours before and 5 hours after. This burst is just one of many that have been occurring for the past few weeks. Note that the amount of time between most of the attempts in a burst is several seconds. I believe that when one computer fails to deliver the message, it reports its failure and the task is given to another computer. If this is true, it indicates a highly-coordinated and sophisticated network of spamming computers.

This is a good indication that the spammers are far ahead of current anti-spam technology. It will be difficult for techniques such as DNSBLs or RBLs to scale when the population of hijacked Windows computers (for this one group) is 450,000 and the number can be easily increased. I think dealing with spam using black list techniques may be dead soon.
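As an added example (not code from the newsletter or from the eScrubber service), the following Python groups rejection records in the "HH:MM:SS hostname[ip]" format shown above into bursts by inter-arrival gap and summarizes each burst by size, duration and how many distinct sources and /16 networks took part. The sample log is constructed from a few of the entries above plus two unrelated rejections using documentation-range addresses and .invalid hostnames.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the newsletter's log format: "HH:MM:SS hostname[ip]".
# The two entries with .invalid hosts are made up to show non-burst traffic.
SAMPLE_LOG = """\
09:14:02 mail.example-isp.invalid[192.0.2.10]
21:29:10 alb-24-25-153-232.nycap.rr.com[24.25.153.232]
21:29:14 ool-4354a252.dyn.optonline.net[67.84.162.82]
21:29:17 c-67-162-195-202.client.comcast.net[67.162.195.202]
21:30:25 175.suab.chcg.cgcil01r18.dsl.att.net[12.102.133.175]
21:31:50 cpe-066-057-150-020.nc.rr.com[66.57.150.20]
23:58:40 relay.example-corp.invalid[198.51.100.7]
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\[(\d+\.\d+\.\d+\.\d+)\]$")

def parse_log(text):
    """Return a list of (time, host, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not rejection records
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def find_bursts(events, gap=timedelta(seconds=120), min_size=3):
    """Group events into bursts: runs where consecutive rejections are no
    more than `gap` apart. Runs shorter than `min_size` are dropped as noise."""
    bursts, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > gap:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(ev)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts

def summarize(burst):
    """Return (size, duration_seconds, distinct_ips, distinct_slash16s)."""
    ips = {ip for _, _, ip in burst}
    nets = {".".join(ip.split(".")[:2]) for ip in ips}  # coarse /16 per source
    duration = (burst[-1][0] - burst[0][0]).total_seconds()
    return len(burst), duration, len(ips), len(nets)
```

A burst whose members all come from different /16 networks, as here, is exactly the pattern a single-IP block list cannot catch, which is the article's point about black lists failing to scale.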
We'll be rejecting a high percentage of white mail if we use black lists. The answer to the problem is elusive because the spammers/hackers are clearly capable of adapting to any defense mechanism we engineer - especially when Windows computers and DNS servers are so easily broken into. The eScrubber solution relies more on white lists than black lists. This is not a perfect solution, but it will turn away more spam - for now. We'll have to develop more effective techniques if we're to keep up with the spammers.

DISCLAIMER

PANUG and BizNix welcome contributions from all members. Member contributions do not necessarily represent the official positions of PANUG or BizNix. The views of members that contribute frequently may appear to be the official position of the group(s). If you contribute, you'll be adding vital diversity of opinion and outlook to these broadcasts.