
View Full Version : Biting back on SPAM


nikolatesla20
November 15th, 2004, 07:44
In theory, a lot of the SPAM e-mail we get now comes from worms and viruses that have installed themselves on people's systems and act as a relay. It's very rare to find an actual open relay email server nowadays (although I'm sure they do exist).

I've spent some time a few months ago tracking down every IP address in my spam inbox and trying to telnet to it on various ports, in the 'hope' of maybe finding that spam backdoor. A LOT of these IPs were residential IP addresses (quite a few have dsl.xxx.xxx names!)

What is your opinion or ideas on this matter? Shouldn't it be possible in some way to trace this spam back to the source and somehow find out who is accessing these zombies, or at least shut down the zombies? Maybe you could flood all the zombie machines you find? Perhaps do a scan for all the latest worm ports until you get a response (and possibly take over someone's botnet or mail zombienet!)

Also, even with every variant that comes out, most likely they are set to send information to another new location; if you're quick enough maybe you could IDA the sucker and find out where, and get all those addresses yourself. Perhaps even use the emailers for your own little reasons (a little of the dark side, I know).

Got any thoughts?

-nt20

FoolFox
November 15th, 2004, 08:20
Quote:
[Originally Posted by nikolatesla20]What is your opinion or ideas on this matter? Shouldn't it be possible in some way to trail this spam back to the source and somehow find out who is accessing these zombies, or at least shut down the zombies?


Shut down the zombie? I totally disagree with that point of view. To do so you'll need, at a certain level, to gain control of the server, meaning hacking into it to get those privs.

Imagine that I am an admin of a mail server, or any kind of server that could be tweaked to do some relay. (I'm not, but I've been in this position.) Following a 'hack', the server runs as an open relay.

Having someone from the outside come and shut down the server may lead to an official complaint. The fact that someone abuses the server to make his mess (I don't like spamming either...) is certainly not an excuse for you to shut down the server. You could cause far more severe damage than the previous abuse, and you'll be legally responsible for this.

If you happen to find such a sort of server, in my mind the thing to do is to try to contact the administrator or anyone involved with the administration of the server to at least let them know the trouble they are in. You can even think of helping them if they don't feel confident in repairing the thing. But I wouldn't go in a 'retaliation' way, as you'll only hurt people that already are victims.

FoolFox

Woodmann
November 15th, 2004, 17:25
Howdy,

I have done just about everything you can possibly do to stop my spam.
Emailing abuse does not work because most of the time no one reads your complaint. And if they do, they don't understand how to read a header.
I get complaints sent to me by different mail admins all the time complaining about viruses being sent from this server. They can't even see that the originating IP does not match the domain name.

I think that when you click on the link in the spam email to get "removed" from the list, you are only verifying that it is a valid email address. Mail filters do some good but are nowhere effective enough.

The other thing is that spam is relayed through so many servers that it becomes difficult to track down who is responsible.
If everyone disabled the ability to relay mail, it would be a great help.
Sadly, the free mail people cant because it needs the advertising revenue.

Bottom line: admins need to get their heads out of their asses and free mail services need to put some safeguards in place.
The only results I have ever received are from upstream providers.
Show them that the spam is coming through their routers/servers and they tend to do something.

My 7 cents worth,
Woodmann

Silver
November 16th, 2004, 06:10
http://spf.pobox.com is one of the many efforts to try and stop spam. It's going to cause quite a few issues too.

I get huge amounts of spam too, upwards of 150 spam mails per day. Bayesian filtering mostly deals with it - SpamBayes (check Sourceforge) is a great Outlook plugin. It's annoying, but there's nothing we can really do. Mail relaying is an essential service, and targeting relayers won't solve the issue. We need to target the people running insecure machines on the net, which spammers use. For example, smtp.isp.net is a relay that is only accessible to isp's customers - it can't be directly used by spammers. But if a spammer takes a machine belonging to isp's customer, the spammer can use it. In that case the problem is not the relay, it's the end pc.

I have to say I agree with Foolfox. Security is what I do, and hypothetically, personally I would be very unhappy if someone tried to root one of my boxes because it was badly configured. From a business and security point of view I'd be more pissed about the hack attempt (which is an attack on me) than the screwup over the open relay (which isn't an attack on me, it's an inconvenience for others). I'd never leave an open relay though.
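Silver's link points at SPF, which lets a domain publish the addresses allowed to send mail for it so that a receiving MX can reject a relay or zombie that forges the sender domain. The following is an added example, not part of the original thread and not the pobox.com code: a minimal SPF evaluator supporting the ip4, ip6, include and all mechanisms with the four qualifiers. The records in RECORDS are constructed for the demonstration and stand in for DNS TXT lookups; the domain names are assumptions, not real publishers.

```python
import ipaddress

# Constructed sample TXT records (assumption: not real DNS data). In practice
# these come from a TXT lookup on the MAIL FROM domain.
RECORDS = {
    "example.net": "v=spf1 ip4:203.0.113.0/24 include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, records=RECORDS, depth=0):
    """Evaluate the SPF record for `domain` against the connecting client_ip.

    Returns one of pass, fail, softfail, neutral, none, permerror. Only the
    ip4, ip6, include and all mechanisms are implemented; a, mx, exists and
    macros would need a resolver and are skipped (they never match here).
    """
    if depth > 10:                       # include: loops are a permanent error
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"                  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            sub = check_spf(client_ip, arg, records, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"      # include matches only on pass
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # fell off the end of the record


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8::1", "192.0.2.9"):
        print(ip, check_spf(ip, "example.net"))
```

The check is only meaningful when run on the IP of the host that actually connected to your MX, not on anything found deeper in the headers; a zombie on a residential line will normally get a fail or softfail for any domain it forges, which is the point Silver makes about the end PC being the problem rather than the relay.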

nikolatesla20
November 16th, 2004, 12:49
I never meant "root one of the servers", or take over the machine. When I said shut down I meant if you could figure out the commands that the virus-planted email relay program responded to, you could send the command to tell it to shut down.

I went through my entire email bulk folder one day and tried to ping and then whois each IP address. About 80% of them were addresses assigned to an ISP, and they were not a mail server (I did find some mail servers, but not very many). Which means tons of people out there are still getting mail relay worms and viruses. That's my point. If you get one of these viruses, you could RCE it and then figure out its command structure, and possibly sweep a few subnets to tell any worms to shut down, or at least clog them up so the spammers themselves can't use them.

That is what I was talking about guys !

-nt20
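Both Woodmann's complaint (admins who can't see that the originating IP does not match the claimed domain) and nikolatesla20's sweep of the bulk folder come down to the same step: pulling the connecting address out of the Received headers and refusing to believe anything below the hop your own server wrote. This is an added example, not code from either poster: it parses the Received chain of a constructed message, skips hops between hosts in an assumed trusted network, reports the first external connecting IP together with its HELO name and reverse DNS, flags a HELO that does not match the rDNS, and applies a simple (and admittedly heuristic) residential-hostname check. TRUSTED_NETS, the hostnames and the addresses are all assumptions.

```python
import ipaddress
import re
from email import policy
from email.parser import Parser

# Constructed sample (assumption: not a real message). The top Received line is
# an internal hand-off, the middle one was written by our MX when a DSL host
# connected with a forged HELO, and the bottom one was supplied by the sender
# itself and so proves nothing.
SAMPLE = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
    by mailstore.corp.example (Postfix) with ESMTP id 3C9B0;
    Mon, 15 Nov 2004 07:44:01 -0500
Received: from mail.bigisp.example (dsl-198-51-100-67.customer.isp.example [198.51.100.67])
    by mx.corp.example (Postfix) with ESMTP id 7F2A1 for <user@corp.example>;
    Mon, 15 Nov 2004 07:44:00 -0500
Received: from mail.bigisp.example (mail.bigisp.example [203.0.113.5])
    by relay7.bigisp.example with SMTP id 9911; Mon, 15 Nov 2004 07:43:50 -0500
From: "Sales" <offers@bigisp.example>
To: user@corp.example
Subject: special offer

body
"""

# Assumption: the address range of our own mail hosts, whose Received lines we trust.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]")
RESIDENTIAL_TOKENS = ("dsl", "cable", "dyn", "pool", "ppp", "dhcp", "customer")


def parse_hops(raw_message):
    """Return the Received hops newest-first as dicts: helo, rdns, ip, by."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())          # unfold and normalise whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        paren = m.group("paren") or ""
        ipm = IP_RE.search(paren)
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ipm.group("ip") if ipm else None, "by": m.group("by")})
    return hops


def looks_residential(hostname):
    """Heuristic only: hostnames with dsl/cable/dyn-style tokens (nikolatesla20's
    'dsl.xxx.xxx' names). Real classification needs the ISP's own data."""
    if not hostname:
        return False
    return any(tok in hostname.lower() for tok in RESIDENTIAL_TOKENS)


def trace_origin(raw_message, trusted_nets=TRUSTED_NETS):
    """Walk the chain from newest hop down; the first hop whose connecting IP is
    outside our trusted networks is the host that actually delivered to us.
    Every hop below it was written by that host and cannot be verified."""
    hops = parse_hops(raw_message)
    for i, hop in enumerate(hops):
        if hop["ip"] is None:
            break                                    # no address to classify, stop here
        addr = ipaddress.ip_address(hop["ip"])
        if any(addr in net for net in trusted_nets):
            continue                                 # internal hand-off, keep walking
        return {
            "connecting_ip": hop["ip"],
            "helo": hop["helo"],
            "rdns": hop["rdns"],
            "helo_mismatch": hop["rdns"] is not None and hop["helo"].lower() != hop["rdns"].lower(),
            "residential": looks_residential(hop["rdns"]),
            "unverifiable_hops": hops[i + 1:],
        }
    return None


if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

The address this returns is the one to feed to whois or an abuse desk; the 203.0.113.5 hop below it is exactly the kind of fabricated line that makes an admin reading headers top to bottom blame the wrong domain.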

Silver
November 16th, 2004, 13:59
Ahh, similar to the CodeBlue virus, which targeted CodeRed-infected IIS servers and patched the vuln. Although it wasn't all nice...

http://virus.daguru.org/codeblue/codeblue.html

"As a result of above the worm disables security breaches that can be used (or were used) by other worms to infect the machine or/and hackers to break through Web security protections"

nikolatesla20
November 16th, 2004, 15:24
Except it wouldn't be a virus, it would be more like a network scanner that shuts down viruses.

For example, one could feed it a list of spam email headers and it would go to work, scanning through the IPs and bruting through the various virus communication backdoors to shut them down. (In other words, going through an internal list of different virus ports, commands, etc., for each IP to check to see if that IP had a virus or worm to be shut down.)

So more of an active sweep, like white blood cells: when they get notification of an infection, they sweep the area to remove it, or at least identify it.

-nt20

TBone
November 16th, 2004, 16:33
I just went through all the scum collected by my company's various filters and started tracing it back. I did see some mail coming from zombied machines, but that wasn't the bulk of it. I'd say easily 70% of it was coming from rogue ISPs in the U.S. who deliberately provide bandwidth for spammers. I have some personal experience with this because the company I work for was once hosted by an ISP who sold out to the spam interests. We were getting blacklisted by all the major players because our IP address was in one of the subnets used by Eric Reinertsen.

"Funny" story, though - I didn't know he was on our subnet at the time I set up our mail server. I was jacking around with it some time after midnight. I don't recall exactly what I was doing, but I was having trouble getting the thing to work, and to narrow down the problem I momentarily disabled authentication for relaying, but still had it set to only relay mail from our own private IP network (i.e. 192.168.XX.XX). I got up to get a cup of coffee, and I shit you not - by the time I got back to my desk, the server had nearly 150 open outgoing mail queues to all over the world. I killed the mail server fast and checked the logs. Fortunately only 17 messages had actually been successfully sent in that ~3 minute chunk of time. I never have figured out what exploit was being used, because the logs didn't make any sense:

About a minute before the outgoing connections started I see:
Code:
2004-05-24 6:24:56 64.119.196.66 - QUIT - - 240 185 4 140
2004-05-24 6:24:56 64.119.196.66 - QUIT - - 240 185 4 797
2004-05-24 6:25:00 64.119.222.252 - QUIT - - 240 119 0 4047
2004-05-24 6:25:00 64.119.196.66 - QUIT - - 240 119 0 4047

There had been no previous communications with those hosts, it was just an isolated probe of some kind. 4 seconds later, the shit hits the fan and the server starts making hundreds of outbound connections all by itself (i.e., they weren't relay requests - it just starts spewing of its own accord). At 6:28, I shut the mail server down, closed the relay, flushed the queues, and started it back up. The spamming stopped.

What's cute is that 64.119.196.66 and 64.119.222.232 both belonged to fellow iWay "customers" with bulk-mailing operations.
hxxp://www.spamhaus.org/sbl/sbl.lasso?query=SBL7188
hxxp://www.spamhaus.org/sbl/sbl.lasso?query=SBL9538
hxxp://www.spamhaus.org/sbl/sbl.lasso?query=SBL19042

They must have been continuously trolling their own ISP's WAN for open relays to have caught it that fast.

We wrestled back and forth with the ISP trying to get them to fire the spammers, but it quickly became obvious that the spammers were their bread and butter. They also apparently had absolutely no fear of legal action, because these guys were clearly raping their other clients.

Anyhow, that was kind of a long diversion. Probably the other 30% of our spam (and getting higher by the day) is coming from APIC networks. I know a number of sysadmins at other companies that finally got pissed off enough to just mass ban every netblock allocated to APIC. You kind of hate to do something like that, but you can't really blame them.

Every now and then I'll get a few really oddball originating IPs like mail coming from unallocated IP blocks, or from blocks that are supposed to be allocated to the U.S. military.

Personally, I think any method that tries to stop them from delivering their mail will only inconvenience them in the long run. Shut down a few zombies, and they'll just make more. The ways of spewing their garbage are legion. Get them booted from one ISP, and they already have 5 others waiting in the wings. Pass hardcore draconian anti-spam legislation, and they'll just start broadcasting from Malaysia, Pakistan, etc. You have to get at the source and make them stop, but I don't know any way to do that short of vigilantism. I guess you could start with trying to find the ultimate source of their operations and start trashing their data every chance you get.
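TBone's story (a relay opened for three minutes at midnight and found within seconds by spammers on the same ISP) shows how fast an open relay gets used, and the thread never resolves which check his server was missing. This added example is not TBone's setup and does not explain his logs; it is a tiny in-memory SMTP state machine with both sides of the exchange recorded, a strict relay policy keyed on the socket peer address and SMTP AUTH state, a deliberately broken policy that relays whenever the envelope sender claims a local domain (a well-known class of misconfiguration, shown for contrast), and the classic two-step open-relay probe that spammers run against a new host. Domains, networks and the AUTH token are assumptions.

```python
import ipaddress

# Assumptions for the example (not from the thread): the domain the server
# accepts mail for and the range it relays for without authentication.
LOCAL_DOMAINS = {"corp.example"}
MY_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def strict_policy(session, rcpt):
    """Relay only for local recipients, authenticated clients, or peers whose
    socket address is inside MY_NETWORKS. Nothing the client typed is trusted."""
    if rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS:
        return True                                  # inbound mail, always accepted
    if session.authenticated:
        return True
    return any(session.peer_ip in net for net in MY_NETWORKS)


def sender_based_policy(session, rcpt):
    """Misconfiguration shown for contrast: relay whenever MAIL FROM claims a
    local domain. The envelope sender is attacker-supplied, so this is an open relay."""
    sender_domain = (session.sender or "").rpartition("@")[2].lower()
    return rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS or sender_domain in LOCAL_DOMAINS


class SmtpSession:
    """Minimal in-memory SMTP server: enough commands to show where the relay
    decision sits. peer_ip is what the transport knows, never what HELO says."""
    AUTH_TOKEN = "PLAIN dXNlcgB1c2VyAHNlY3JldA=="   # constructed stand-in for a SASL exchange

    def __init__(self, peer_ip, policy=strict_policy):
        self.peer_ip = ipaddress.ip_address(peer_ip)
        self.policy = policy
        self.authenticated = False
        self.sender = None
        self.transcript = []                         # (client line, server reply) pairs

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mx.corp.example"
        elif verb == "AUTH":
            self.authenticated = arg == self.AUTH_TOKEN
            reply = "235 2.7.0 authentication successful" if self.authenticated \
                else "535 5.7.8 authentication failed"
        elif verb == "MAIL":
            self.sender = arg.partition(":")[2].strip("<> ")
            reply = "250 2.1.0 ok"
        elif verb == "RCPT":
            rcpt = arg.partition(":")[2].strip("<> ")
            reply = "250 2.1.5 ok" if self.policy(self, rcpt) else "554 5.7.1 relay access denied"
        elif verb == "QUIT":
            reply = "221 2.0.0 bye"
        else:
            reply = "502 5.5.2 command not implemented"
        self.transcript.append((line, reply))
        return reply


def probe_open_relay(make_session):
    """The classic relay test, run twice on fresh sessions: a foreign envelope
    sender, then a forged local one. True means the server answered 250 to an
    off-site recipient, i.e. it will relay for whoever sent the probe."""
    results = {}
    for label, sender in (("foreign_sender", "nobody@outside.example"),
                          ("forged_local_sender", "ceo@corp.example")):
        s = make_session()
        s.handle("HELO probe.example")
        s.handle(f"MAIL FROM:<{sender}>")
        results[label] = s.handle("RCPT TO:<victim@elsewhere.example>").startswith("250")
        s.handle("QUIT")
    return results


def authenticated_relay(peer_ip, token):
    """A roaming client outside MY_NETWORKS may relay only after AUTH succeeds."""
    s = SmtpSession(peer_ip)
    s.handle("EHLO laptop.example")
    s.handle(f"AUTH {token}")
    s.handle("MAIL FROM:<user@corp.example>")
    return s.handle("RCPT TO:<friend@elsewhere.example>").startswith("250")


if __name__ == "__main__":
    for name, pol in (("strict", strict_policy), ("sender-based", sender_based_policy)):
        print(name, probe_open_relay(lambda: SmtpSession("203.0.113.9", pol)))
```

The point of the probe is that it is cheap: a spammer sitting on the same ISP can run it against every address in the block every few minutes, which is consistent with how quickly TBone's server was picked up. The defensive half is that a relay decision should depend only on facts the server establishes itself (peer address, authentication, whether the recipient domain is local); the moment it keys on HELO or MAIL FROM, the second probe succeeds.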

nikolatesla20
November 18th, 2004, 13:49
Thanks for the comments TBone. Yeah, I've seen a lot of APIC addresses too.

Most likely they probably are just sitting right on top of a mailer waiting for that relay to open up.

-nt20