Bot nets likely behind jump in spam

An uncommon surge

There is strong evidence that bot nets - networks of compromised PCs - are behind the recent jump in spam.

Sunbelt Software analyzed the junk email messages received by one of its dummy accounts in the past 48 hours: the 1,110 blocked messages came from 160 different mail servers, as determined by their Internet addresses. The data suggests that a large number of compromised PCs are participating in sending out spam.
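The kind of breakdown Sunbelt describes, counting how many distinct source addresses a batch of blocked messages came from and how much volume each carries, can be scripted against a spam trap's Received headers. The following is an added example written for this page, not Sunbelt's tooling: the header format, the sample data (TEST-NET documentation addresses, not real hosts) and the thresholds in `classify` are all assumptions, and the heuristic is only a starting point for a defender looking at their own trap.

```python
import re
from collections import Counter

# Regex for the bracketed IPv4 literal an MTA writes for the connecting host
# in a Received header, e.g. "([203.0.113.5])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def source_ip(received_header):
    """Return the connecting host's IPv4 literal from a Received header, or None."""
    match = RECEIVED_IP_RE.search(received_header)
    return match.group(1) if match else None


def source_profile(received_headers):
    """Count blocked messages per source IP (one Received header per message)."""
    counts = Counter()
    for header in received_headers:
        ip = source_ip(header)
        if ip is not None:  # skip headers without a bracketed literal
            counts[ip] += 1
    return counts


def summarize(counts):
    """Messages, distinct sources, mean messages per source, share of the top source."""
    messages = sum(counts.values())
    sources = len(counts)
    top = max(counts.values()) if counts else 0
    return {
        "messages": messages,
        "sources": sources,
        "mean_per_source": messages / sources if sources else 0.0,
        "top_share": top / messages if messages else 0.0,
    }


def classify(counts, min_sources=20, max_mean_per_source=10.0, relay_share=0.5):
    """Heuristic (assumed thresholds): many sources each sending a few messages
    looks like a bot net; one source carrying most of the volume looks like a
    single relay. Anything else is left inconclusive."""
    stats = summarize(counts)
    if stats["messages"] == 0:
        return "inconclusive"
    if stats["top_share"] >= relay_share:
        return "single-relay"
    if stats["sources"] >= min_sources and stats["mean_per_source"] <= max_mean_per_source:
        return "botnet-like"
    return "inconclusive"


def make_received(ip, n):
    """Constructed Received headers for n messages from one source IP."""
    return [
        f"Received: from unknown (HELO host{i}) ([{ip}]) by trap.example with SMTP"
        for i in range(n)
    ]


# Constructed samples using TEST-NET documentation ranges, not real hosts.
# Bot-net scenario: 40 distinct sources, 3 messages each (120 messages).
BOTNET_SAMPLE = [h for host in range(1, 41) for h in make_received(f"203.0.113.{host}", 3)]
# Single-relay scenario: one server sends 110 of 120 messages.
RELAY_SAMPLE = make_received("198.51.100.7", 110) + make_received("198.51.100.8", 10)

if __name__ == "__main__":
    for name, sample in (("botnet", BOTNET_SAMPLE), ("relay", RELAY_SAMPLE)):
        profile = source_profile(sample)
        print(name, summarize(profile), classify(profile))
```

Run as a script it prints the summary and verdict for both constructed scenarios. On real trap data the interesting output is the per-source distribution itself: a long tail of addresses each contributing a handful of messages is the signature the article attributes to bot nets, while a handful of addresses carrying the bulk points at a conventional relay.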

"It's pretty easy, once you start breaking out the numbers, to tell a bot net from a run-of-the-mill spam server," said Greg Kras, vice president of products for Sunbelt. "Honestly, I think the increase is an attempt to keep viability by the corporations that are doing spam," Kras said. "It used to be that 1 in 1,000 was a good success rate for a spam run. Now, it is more likely 1 in 100,000."

Some Internet users have noticed an indirect effect of the surge in bulk email. Spammers usually put another person's email address in the sender's field of the message. Because many spam and antivirus filters send a rejection message back to the sender, the actual owner of the email address is inundated with replies.
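The bounces described above are known as backscatter, and the owner of a forged address can separate them from real delivery failures by checking whether the quoted original was ever actually sent. The following is an added example, not code from the article or from any of the vendors it quotes: it assumes a record of outbound Message-IDs (here a constructed set standing in for a mail log) and treats any bounce that quotes an unknown Message-ID as backscatter. Sample messages are constructed.

```python
import re

# Constructed outbound log: Message-IDs our own MTA actually generated.
# A real deployment would consult the mail log or a signed-tag scheme instead.
SENT_MESSAGE_IDS = {
    "<20061115.0001@mail.example.org>",
    "<20061115.0002@mail.example.org>",
}

MESSAGE_ID_RE = re.compile(r"Message-ID:\s*(<[^>]+>)", re.IGNORECASE)


def split_message(raw):
    """Split raw RFC 822 text into (header block, body) at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body


def looks_like_bounce(headers):
    """Delivery status notifications use the null reverse-path and/or a
    MAILER-DAEMON sender; either marker is enough for this check."""
    lowered = headers.lower()
    return "return-path: <>" in lowered or "from: mailer-daemon" in lowered


def quoted_message_ids(body):
    """Message-IDs of the original mail quoted inside a bounce body."""
    return set(MESSAGE_ID_RE.findall(body))


def classify_incoming(raw, sent_ids=SENT_MESSAGE_IDS):
    """'normal' for non-bounces, 'legitimate-bounce' when the bounce quotes a
    Message-ID we really sent, otherwise 'backscatter' (a reply to a forgery)."""
    headers, body = split_message(raw)
    if not looks_like_bounce(headers):
        return "normal"
    if quoted_message_ids(body) & sent_ids:
        return "legitimate-bounce"
    return "backscatter"


# Constructed samples: a genuine bounce for mail we sent, a bounce for a
# message a spammer forged in our name, and an ordinary inbound message.
LEGIT_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@remote.example
To: alice@mail.example.org
Subject: Undelivered Mail Returned to Sender

The user mailbox is full.

--- Original message headers ---
From: alice@mail.example.org
Message-ID: <20061115.0002@mail.example.org>
"""

BACKSCATTER = """Return-Path: <>
From: MAILER-DAEMON@filter.example
To: alice@mail.example.org
Subject: Your message was rejected as spam

--- Original message headers ---
From: alice@mail.example.org
Message-ID: <9f2c1a@bot-7.invalid>
Subject: cheap meds
"""

ORDINARY_MAIL = """Return-Path: <bob@partner.example>
From: bob@partner.example
To: alice@mail.example.org
Subject: lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT_BOUNCE), ("forged", BACKSCATTER), ("plain", ORDINARY_MAIL)):
        print(label, classify_incoming(msg))
```

The check only helps the victim of the forgery; the root cause is filters that accept a message and then generate a bounce to an unverified sender. The mitigation on the filtering side is to reject unwanted mail during the SMTP session itself, so that no separate notification is ever sent to the forged address.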

That's exactly what happened recently to one client of Paul Marsh, a consultant and the information technology manager for the Nellie May Education Foundation.

"The client called me up to say, 'I've probably got a thousand e-mails in my inbox that seem to be nothing but bounce-backs from spam,'" Marsh said.

Other Internet users may not notice the increase, because the spam messages are blocked by email filters or by anti-spam software on their PCs.

It's likely that the greatest increase is due to certain companies being targeted by spam more than others. Many companies may see a gradual increase, others an enormous spike, in traffic, said Carlin Wiegner, director of product management at Symantec.

"I don't know if I would say this is out of the ordinary, but I would say that it's not common, especially if you are one of those customers that is suffering a 100 per cent increase," Wiegner said.

Security researchers that use honey pots - heavily monitored computers that are allowed to be infected by malicious software to spy on the attackers - have also confirmed the connection between bot nets and spam, said Thorsten Holz, a graduate student and the founder of the German Honeynet Project.

"Our spam traps show definitely an increase in the last couple of days (and) weeks," Holz said.

Holz credits the difficulty in sending spam from single-server mail relays for causing spammers to move their operations to bot nets.

"Since more and more network operators shut down open mail relays or other administrators use black lists to block these open relays, the attackers have shifted their tactics: they use compromised machines - in the form of bot nets - to send out spam," Holz said. "Filtering these is hard and thus it offers attackers a way to send out spam."

The majority of spam now seems to be pharmaceutical and stock related. In particular, image spam - which contains meaningless and random text snippets to throw off filters and an image with the actual advertisement - that touts stocks has surged.

The volume and improved techniques have continued to gunk up the Internet, said Paul Ferguson, network architect for antivirus firm Trend Micro.

"The numbers are pretty staggering," Ferguson said. "The more of a cesspool things become, the less useful things become, so as a community at large, yeah, it is something we have to worry about."

While better technical defenses are needed, technology only goes so far, said TQMCubed's Hart. It's time that users are taught that anyone who responds to spam has become part of the problem.

"We should be teaching people not to do business with criminals and to stop giving credit cards to criminals," Hart said.

Hart argues that, if no one bought the goods hawked by spammers, then the incentive for bulk emailers would rapidly go away. The message is simple, he added.

"If you don't like spam, then don't do business with spammers."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus
