Where Spam Comes From
from the right-here-in-the-US-of-A dept
This shouldn’t be a huge surprise, but the latest spam study shows that the vast majority of spam is coming from US-based computers. Of course, much of this is due to hijacked “zombie” machines – most of which are found here in the US. Figuring out the actual country of origin of most spam really doesn’t seem all that useful when the machines aren’t actually owned by the spammers. Thus, about the only thing really interesting is the finding that 30% of all spam is now sent from such zombie machines. This raises the question of how we deal with such machines. Why aren’t internet providers being more proactive in discovering these machines and alerting their users?
Comments on “Where Spam Comes From”
Simply, it doesn’t make them money to do so.
Look at it one of two ways: some people will say they’re just greedy little ISPs, looking to not upset the steady flow of customer money into their pockets, and dealing with the zombie spam problem may disrupt that flow.
The other side of the coin is that many ISPs are simply swamped with work, at least in the system bits, and can’t possibly allocate people to the job of dealing with this problem because they have already allocated all their people on stuff that will impact their ability to serve the customers who directly pay them, and impact it immediately. So, everyone’s crunching just to keep the system going, and they don’t have funding enough to allow the techs time to sleep or look into something that one of their idiot users did NOW.
Simply, it doesn’t make them money to do so.
Think you are right AC, especially the second bullet. Most ISPs don’t have enough experience and intelligence to implement these fixes, and prefer to keep the status quo than change.
However, can someone tell me why Cox seems to hate me because I use a real (OpenBSD based) firewall, and tells me every time I call them to let them know that their router is acting funny or their mail server is down (which is actually quite rare,) that they insist that I put a Windows box up instead so they can test my end to see if the problem is here? My OpenBSD firewall doesn’t reject ping or UDP packets, so they can ping or traceroute it just fine. Allow your customers to use non-Windows software, and you’re likely to have far fewer zombies out there…
No Subject Given
It doesn’t seem like it would be that difficult for an ISP to monitor the amount of traffic hitting port 25 and shut down anybody suddenly pumping out 10,0000 emails an hour. Hell, for that matter they should refuse to turn the customer back on until they prove the computer is clean.
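One way an ISP-side monitor could implement the per-hour port-25 rate check this comment describes, as an added example that is not from the thread (the flow-log format, the sample lines and the thresholds are all constructed for the demo):

```python
"""Flag hosts that open too many outbound SMTP connections per hour.

Constructed flow-log format (one record per line): "<epoch> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict, deque

SMTP_PORT = 25
WINDOW_SECONDS = 3600   # one hour, as in the comment
THRESHOLD = 5           # max outbound port-25 connections per window (kept low for the demo)


def parse_flow(line):
    """Parse one constructed flow-log line into (ts, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_smtp_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_ip: timestamp} for each source the first time it exceeds
    `threshold` outbound port-25 connections inside a sliding `window`."""
    recent = defaultdict(deque)   # src_ip -> timestamps of its port-25 flows in the window
    flagged = {}
    for line in lines:
        ts, src, _dst, port = parse_flow(line)
        if port != SMTP_PORT:
            continue                       # only outbound SMTP counts
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # age out events older than the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts              # record only the first crossing
    return flagged


# Constructed sample: 10.0.0.7 bursts like a zombie; 10.0.0.2 sends a few mails over the hour.
SAMPLE_FLOWS = [
    "1000 10.0.0.2 192.0.2.10 25",
    "1005 10.0.0.7 198.51.100.1 25",
    "1006 10.0.0.7 198.51.100.2 25",
    "1007 10.0.0.7 198.51.100.3 25",
    "1008 10.0.0.7 203.0.113.4 80",    # web traffic, ignored
    "1009 10.0.0.7 198.51.100.5 25",
    "1010 10.0.0.7 198.51.100.6 25",
    "1011 10.0.0.7 198.51.100.7 25",   # 6th port-25 flow in the window: flagged here
    "2500 10.0.0.2 192.0.2.11 25",
    "4000 10.0.0.2 192.0.2.12 25",
    "4800 10.0.0.2 192.0.2.13 25",     # the 1000 event has aged out by now
]

if __name__ == "__main__":
    for src, ts in find_smtp_floods(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: over {THRESHOLD} outbound SMTP connections/hour at t={ts}")
```

A real deployment would read NetFlow or firewall logs instead of the constructed list and quarantine the source rather than just print, which is the "refuse to turn the customer back on" step the comment asks for.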
Re: No Subject Given
To you and me that would seem simple, in fact, that’s how the security guys at my company shut down a lot of infected machines before they could even get out in the wild.
But from experience a LOT of ISPs don’t even bother. Videotron here in Quebec is useless when it comes to security. They consistently do nothing when you report an infected PC to them… I’ve given up on it.
Just for fun, I monitored my firewall on their cable network and I filled a nice-sized hard drive in a couple of days… I’m tempted to say that the majority of the PCs on their networks are infected WinXP or Win2K machines… I get hit so much that the receiving packets light on the modem is consistently (not flashing) red. Amounting to THOUSANDS of attempts per day.
I just feel lucky that the network slowdown hasn’t been TOO bad (there’s no other choice for cablemodem access around here).
I use Linux for my servers/firewall so 99% of the logged attempts are useless on my stuff.
I’ve complained and complained, sent in logs anything they request (WHEN they ever do) but the most they’ve done so far is cut off external access to port 80 (woohoo..big deal).
Re: Re: Cable Modem light
A small tech note:
While some of the activity that you’re seeing on the cable modem light is indeed malware attempting to get to your system, it’s only a small percentage of what you’re seeing on the light.
The rest of the spurious activity is ARP packets generated by the switch. A lot of recent malware tries to contact randomly generated IP addresses. Every time that the switch for your cable segment gets a request for a node that it hasn’t heard of, it hits everyone with an ARP to see if the requested node responds. Of course, no response is ever forthcoming.
Re: Re: Re: Cable Modem light
Wow! Thanks for that information. You learn something new everyday 🙂
Seriously, it’s nice to know why that traffic is as bad as it is (although as I said… looking at the attempts in my logs… you pretty much see a reason to think that’s all the traffic there is).
The stuff that I get that doesn’t come from China, Mexico or Brazil is usually from just a handful of US based ISPs – Roadrunner, Charter and PacBell. Sometimes I wonder why I bother reporting to those guys.