Government and botnets

The US government is looking at telling ISPs how to deal with compromised customers and botnets.
They’re a bit late to the party, though. Most of the major commercial ISPs have been implementing significant botnet controls for many years now. Control involves a number of different techniques, but notification has been designed into the system from day 1.

“There is no need for mandated action in this area since the market is already moving forward. Many ISPs are already doing a great deal to combat the menace of bots and malware. All over the U.S., ISPs currently have notification systems in place to tell their users they are infected and — whether they deliver these warnings via email, phone, walled gardens, or inline warnings — the warnings are being delivered,” says Michael O’Reirdan, chairman of the MAAWG. “Other ISPs currently have pilot programs or technology development efforts in place, and there will be more deployments in the near future.”
O’Reirdan says ISPs handled the spam battle on their own, and can also do so for battling bots. It has become a business issue for them, he says. “No one had to mandate anti-spam platforms: ISPs put them in place to deal with the menace of spam because, if they had not, they would have lost customers if customers’ mailboxes were overrun with spam. The same is happening with anti-bot platforms. It is becoming a ‘table stakes’ issue for ISPs, and legislating in this arena will merely lock the response of ISPs in stone to conform with the legislation rather than allow innovation and development to meet the rapidly varying nature of the bot challenge posed by the bad guys,” he says. Kelly Jackson Higgins

The ISPs have taken a leadership position in the area of protecting consumers from botnets. This has been a major discussion point at MAAWG for years. Many ISPs have worked closely with vendors to create detection and notification systems to mitigate and clean botnet infections.

Spot the CAN SPAM violations
Hotmail fights greymail

Related Posts

MAAWG statement on email appending

MAAWG has published their position statement on email appending. It’s pretty explicit in it’s condemnation of the practice.

Read More

Uptick in botnet spam

There’s been a heavy uptick in botnet spam over the last few days, judging by things I’m hearing and my own mailboxes. There are a few common subject lines, but all of them are trying to get recipients to either run programs or visit malicious web pages.
The first subject line I’m seeing a lot of is “<name> wants to be friends with you on facebook!” In my mailbox most of those names have not been common European names. The give away that this isn’t actually a Facebook invite is the Reply-To address pointing to Linkedin. The URLs in the message appear to be random strings of numbers, and may actually encode recipient information in them.
The second has a subject that that is a variation on “End of July Statement.” The spammers are mixing capitals, adding in “Re:” and “FWD:” and sometimes increasing the urgency by adding required or STAT!! to the mail. These mails contain a .zip file which probably contains some virus which will turn the recipient machine into the next spam spewing bot.
The third variation has the subject line “Uniform Traffic Ticket.” The content is a citation that tells the recipient they were speeding somewhere in New York (possibly other states, I have only done a spot check of the couple hundred copies I have). There is, however, a .zip attachment with a virus.
Most people probably aren’t seeing these. SpamAssassin is doing a reasonably good job here of catching the spam and filtering it. I’m sure that the bigger ISPs are also filtering it effectively. But one person did forward a copy of the spam to a mailing list and ask if anyone knew what was going on.
If you get any of these messages, you don’t need to ask. It’s virus spam. Don’t open it and don’t forward it.

Read More

MAAWG: Just keeps getting better

Last week was the 22nd meeting of the Messaging Anti-Abuse Working Group (MAAWG). While I am prohibited from talking about specifics because of the closed door nature of the group, I can say I came out of the conference exhausted (as usual) and energized (perhaps not as usual).
The folks at MAAWG work hard and play even harder.
I came away from the conference feeling more optimistic about email than I have in quite a while. Not just that email is vital and vibrant but also that the bad guys may not be winning. Multiple sessions focused on botnet and crime mitigation. I was extremely impressed with some of the presenters and with the cooperation they’re getting from various private and public entities.
Overall, this conference helped me to believe that we can at least fight “the bad guys” to a draw.
I’m also impressed with the work the Sender SIG is doing to educate and inform the groups who send bulk commercial messages. With luck, the stack of documents currently being worked on will be published not long after the next MAAWG conference and I can point out all the good parts.
There are a couple specifics I can mention. One is the new list format being published by Spamhaus and SURBL to block phishing domains at the recursive resolver. I blogged about that last Thursday. The other bit is sharing a set of security resources Steve mentioned during his session.
If your organization is fighting with any messaging type abuse (email, social, etc), this is a great place to talk with people who are fighting the same sorts of behaviour. I do encourage everyone to consider joining MAAWG. Not only do you have access to some of the best minds in email, but you have the opportunit to participate in an organization actively making email, and other types of messaging, better for everyone.
(If you can’t sell the idea of a MAAWG membership to your management or you’re not sure if it’s right for you, the MAAWG directors are sometimes open to allowing people whose companies are considering joining MAAWG to attend a conference as a guest. You can contact them through the MAAWG website, or drop me a note and I’ll make sure you talk with the right folks.)
Plus, if you join before October, you can meet up with us in Paris.

Read More