Walking season … and SPAM

Today I started the 2007 walking season. I did some gentle preparation during the week – a few short 4-5 km strolls around the neighbourhood – but it was today that I really started. It was a beautiful day in Ottawa – sunny, temperature around 8-10, so I took off and did a 12 km loop through Westboro, down south and around Dow’s Lake, then up to downtown. Just fantastic. My companion on the road was Security Now! – I was a few episodes behind, but I managed to listen to almost 3 full episodes.

The interesting one was about spambots – fleets of remotely controlled zombie PCs that are used to send out spam. Conservative estimates are that of around 600 million PCs, about 150 million are infected zombies – without their owners’ knowledge or consent, of course.

Steve was speaking about how to tell from the email headers that an email was spoofed. Basically, what you need to investigate is where the chain of Received headers (each of which records the IP address of the sending host) is broken – that determines the point where the spammer connected to some SMTP server and sent out the message; all the headers beneath that point can be spoofed. I know this is not the best explanation, but it is pointless to rephrase what Steve explained very nicely – listen here or read the notes.

So while walking and listening to that, I got an idea – with all the social websites and Web 2.0 communities there may be a realistic way to cut down the spam wave that is everywhere around us (it is estimated that over 80% of all email is spam).

Key ingredients of the solution are:
1) – the owners of the zombie machines, who do not know about the “service” their PCs are providing. It is not easy to identify these machines, and their owners may not know what to do
2) – those who suffer the effects of the spam (and should be motivated to fix it): the ISPs of these zombie users, because it is their bandwidth that is consumed and their IP ranges that get blacklisted
3) – those who would happily cooperate: everybody who hates spam (all of us, minus the spammers) and would not mind doing something – as long as participation was easy …

What I was thinking about is a Web site / Web service where you can forward the spam you get – whatever ends up in your Junk folder or bounces back to your address. The service would analyze the headers and extract the IPs of the zombies – and keep building and maintaining the list. Extraction is not that hard and is doable with a nice Perl/Python/Ruby script :-). After a while, this would lead to a list of IPs with an activity record attached to each (which would also allow an IP to drop off the list) …
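The header check described above and the extraction step the service would run, as an added example in Python (not code from the post or from Security Now!). It assumes a constructed sample message and a set of hostnames standing in for the recipient’s own mail servers; it reports the IP that actually connected to them and the first place where the Received chain stops being consistent.

```python
import email
import re
# Constructed sample, not a real message. The top two Received lines were
# stamped by our own servers; the bottom one was supplied by the sender and
# claims a hop through mail.example.org that never happened.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net (Postfix) with ESMTP id 4F3A1; Sat, 10 Mar 2007 14:02:11 -0500
Received: from dsl-pool-77.isp.example (dsl-pool-77.isp.example [198.51.100.77])
\tby mx.example.net (Postfix) with SMTP id 7B2C9; Sat, 10 Mar 2007 14:02:09 -0500
Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby relay.bigmail.example with ESMTP id 1; Sat, 10 Mar 2007 14:01:00 -0500
From: someone@example.org

body
"""

# Hostnames of the servers we operate (assumed); only Received lines stamped
# "by" one of them are trusted.
OUR_HOSTS = {"inbox.example.net", "mx.example.net"}

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return [(from_host, from_ip, by_host), ...], newest header first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header
        if m:
            ip = IP_RE.search(m.group(2) or "")
            hops.append((m.group(1).lower(), ip.group(1) if ip else None,
                         m.group(3).lower()))
    return hops

def find_injection_point(raw, our_hosts=OUR_HOSTS):
    """Walk down from our own servers: the last hop they stamped records the
    IP that really connected to us (the zombie); everything below it was
    written by that sender. Also flag the first 'by' host that does not
    match the 'from' host above it, the visible break in the chain."""
    hops = parse_hops(raw)
    connecting_ip, trusted = None, 0
    for from_host, from_ip, by_host in hops:
        if by_host not in our_hosts:
            break
        connecting_ip, trusted = from_ip, trusted + 1
    break_at = next((i for i in range(1, len(hops))
                     if hops[i][2] != hops[i - 1][0]), None)
    return {"connecting_ip": connecting_ip, "trusted_hops": trusted,
            "untrusted_hops": len(hops) - trusted, "chain_break_index": break_at}
```

Only the hops stamped by servers you control are evidence; the forged line below them is what a naive "bottom-most IP" extractor would wrongly report as the sender.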

Now imagine that the ISPs could register themselves and enter their IP ranges. They would get back the subset of the zombie list residing in their own address space – and deal with it – for example notify the users, ask them to download some malware removal program, or even sell them an additional service. It clearly must be the ISP that deals with the zombie owners, because they are the only ones who have access to their identity, and it is in their interest to limit the amount of bad things originating from their network. It is not only about spam – an infected machine that sends spam can just as easily, and just as likely, be part of a DDoS attack, which is quite a different legal category of problem. Either way, in the end, the result would be fewer active zombies around.
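The ISP side of the service, as an added sketch in Python (not code from the post): the zombie list keeps an activity record per IP, entries drop off after an assumed 30-day quiet period, and an ISP that registers its ranges gets back only the entries inside its own address space. The sample reports and the "current" time are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# An IP drops off the list once nothing has been reported for it for this long
# (assumed window for the example).
ACTIVITY_WINDOW = timedelta(days=30)
NOW = datetime(2007, 3, 12)   # constructed "current" time for the example

class ZombieList:
    """Zombie IPs, each with an activity record: first/last report and a count."""
    def __init__(self):
        self.records = {}

    def report(self, ip, seen):
        """Record one spam report whose injection point was `ip` at time `seen`."""
        addr = ipaddress.ip_address(ip)
        rec = self.records.setdefault(addr, {"first": seen, "last": seen, "count": 0})
        rec["first"], rec["last"] = min(rec["first"], seen), max(rec["last"], seen)
        rec["count"] += 1

    def count(self, ip):
        return self.records.get(ipaddress.ip_address(ip), {}).get("count", 0)

    def active(self, now=NOW):
        """Entries reported inside the window; older ones have dropped off."""
        return {a: r for a, r in self.records.items()
                if now - r["last"] <= ACTIVITY_WINDOW}

    def for_ranges(self, cidrs, now=NOW):
        """The subset of active zombies inside an ISP's registered ranges."""
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        return sorted(str(a) for a in self.active(now)
                      if any(a in n for n in nets))

# Constructed reports (injection-point IP, time received), not real data.
REPORTS = [
    ("198.51.100.77", datetime(2007, 3, 10, 14, 2)),
    ("198.51.100.77", datetime(2007, 3, 11, 9, 30)),
    ("198.51.100.200", datetime(2007, 1, 5, 8, 0)),   # stale: drops off
    ("203.0.113.5", datetime(2007, 3, 9, 22, 15)),
]

def build_list(reports=REPORTS):
    zl = ZombieList()
    for ip, seen in reports:
        zl.report(ip, seen)
    return zl
```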

If the really big email services such as GMail and Yahoo – or the big cable/DSL providers – would participate and supply their own filtered spam (or even a filtered list of zombie candidates), the database would IMHO start to provide valuable data very soon.

What do you think?

2 Responses to Walking season … and SPAM

  1. dennis says:

    It would never work —

    1) ISPs are not going to invoke any self-regulation unless required by law;

    2) There is no central governing body that is going to require them to do so;

    3) Legal challenges (i.e., spamhaus); and

    4) Any meaningful implementation at the corporate level would be nearly impossible. Corporate IT is limited in what it can and can’t ban via blacklist because of the slim chance that something important might be blocked. Wide-net blacklists are a no-no.

    Further, much of the “zombie horde” does not spit out massive, repeat email as is often suggested. Most of these messages are now carefully sent in controlled amounts to different SMTP servers with one goal — not being caught for reasons of bandwidth use, Bayesian scoring, or pattern recognition.

    These “hit and run” tactics let zombies exist for far longer without being caught up in any of the number of blacklists or other filtering mechanisms. “Pump and dump” senders are easy to pick up simply because volumes are large and the messages generally exhibit a pattern.

  2. Miro says:

    I partially agree with ISP reluctance to do anything unless they have to. In the past, there was much more spam coming from the US/Canada (currently about 20% comes from these areas). It was the ISP actions that cut it down – the pain of bandwidth consumption and blacklists were probably good enough reason.

    I think that we will see some legal enforcement in the next few years as well.

    One additional benefit of such a database is that it could not only provide a list of zombie IPs – but also a list of the compromised mail servers working as relays.