Where Spam Comes From

from the right-here-in-the-US-of-A dept

This shouldn't be a huge surprise, but the latest spam study shows that the vast majority of spam is coming from US-based computers. Of course, much of this is due to hijacked "zombie" machines - most of which are found here in the US. Figuring out the actual country of origin of most spam really doesn't seem all that useful when the machines aren't actually owned by the spammers. Thus, about the only thing really interesting is the finding that 30% of all spam is now sent from such zombie machines. This raises the question of how do we deal with such machines. Why aren't internet providers being more proactive in discovering these machines and alerting their users?

Reader Comments



  • Anonymous Coward, 26 Feb 2004 @ 3:33pm

    Why?

    Simply, it doesn't make them money to do so.

    Look at it one of two ways: some people will say they're just greedy little ISPs, looking to not upset the steady flow of customer money into their pockets, and dealing with the zombie spam problem may disrupt that flow.

    The other side of the coin is that many ISPs are simply swamped with work, at least in the system bits, and can't possibly allocate people to the job of dealing with this problem because they have already allocated all their people on stuff that will impact their ability to serve the customers who directly pay them, and impact it immediately. So, everyone's crunching just to keep the system going, and they don't have funding enough to allow the techs time to sleep or look into something that one of their idiot users did NOW.


    • LittleW0lf, 26 Feb 2004 @ 6:17pm

      Re: Why?

      Simply, it doesn't make them money to do so.

      Think you are right AC, especially the second bullet. Most ISPs don't have enough experience and intelligence to implement these fixes, and prefer to keep the status quo rather than change.

      However, can someone tell me why Cox seems to hate me because I use a real (OpenBSD based) firewall, and tells me every time I call them to let them know that their router is acting funny or their mail server is down (which is actually quite rare) that they insist that I put a Windows box up instead so they can test my end to see if the problem is here? My OpenBSD firewall doesn't reject ping or UDP packets, so they can ping or traceroute it just fine. Allow your customers to use non-Windows software, and you're likely to have far fewer zombies out there....


  • Chris ODonnell, 26 Feb 2004 @ 5:08pm

    No Subject Given

    It doesn't seem like it would be that difficult for an ISP to monitor the amount of traffic hitting port 25 and shut down anybody suddenly pumping out 10,0000 emails an hour. Hell, for that matter they should refuse to turn the customer back on until they prove the computer is clean.

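    The per-customer port-25 rate check this comment describes, as an added example that is not from the post or the commenter: it buckets outbound SMTP connections per source address per hour from a few constructed connection-log lines (the log format and the threshold are assumptions, not anything an ISP is known to use) and flags any source that crosses the threshold, which is the signal an abuse desk would act on.

```python
"""Flag customers whose outbound SMTP (port 25) connection rate looks like a spam zombie."""
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines in a hypothetical format:
# <ISO timestamp> <src ip:port> -> <dst ip:port> <proto>
SAMPLE_LOG = """\
2004-02-26T15:00:01 10.20.1.7:40001 -> 203.0.113.10:25 tcp
2004-02-26T15:00:02 10.20.1.7:40002 -> 203.0.113.11:25 tcp
2004-02-26T15:00:03 10.20.1.7:40003 -> 203.0.113.12:25 tcp
2004-02-26T15:00:03 10.20.1.7:40004 -> 203.0.113.13:25 tcp
2004-02-26T15:00:09 10.20.1.9:51000 -> 203.0.113.20:25 tcp
2004-02-26T15:00:10 10.20.1.7:40005 -> 203.0.113.14:80 tcp
2004-02-26T16:00:01 10.20.1.7:40006 -> 203.0.113.15:25 tcp
"""


def parse_line(line):
    """Return (hour_bucket, src_ip, dst_port), or None for a line that does not parse."""
    try:
        ts, src, _arrow, dst, _proto = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        src_ip = src.rsplit(":", 1)[0]
        dst_port = int(dst.rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return hour, src_ip, dst_port


def smtp_connections_per_hour(log_text):
    """Count outbound connections to TCP/25 per (source IP, hour bucket)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[2] == 25:
            hour, src_ip, _ = parsed
            counts[(src_ip, hour)] += 1
    return counts


def flag_zombies(log_text, threshold):
    """Return the sorted source IPs that reached `threshold` SMTP connections in any single hour."""
    counts = smtp_connections_per_hour(log_text)
    return sorted({src for (src, _hour), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    # Threshold of 3 is a constructed value sized to the sample; a real one would be far higher.
    print(flag_zombies(SAMPLE_LOG, threshold=3))
```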

    • thecaptain, 27 Feb 2004 @ 6:54am

      Re: No Subject Given

      To you and me that would seem simple, in fact, that's how the security guys at my company shut down a lot of infected machines before they could even get out in the wild.

      But from experience a LOT of ISPs don't even bother. Videotron here in Quebec is useless when it comes to security. They consistently do nothing when you report an infected PC to them. I've given up on it.

      Just for fun, I monitored my firewall on their cable network and I filled a nice sized hard drive in a couple of days...I'm tempted to say that the majority of the PCs on their networks are infected winXP or win2K machines...I get hit so much that the receiving packets light on the modem is consistently (not flashing) red. Amounting to THOUSANDS of attempts per day.

      I just feel lucky that the network slowdown hasn't been TOO bad (there's no other choice for cablemodem access around here).

      I use linux for my servers/firewall so 99% of the logged attempts are useless on my stuff.

      I've complained and complained, sent in logs anything they request (WHEN they ever do) but the most they've done so far is cut off external access to port 80 (woohoo..big deal).


      • Doug, 27 Feb 2004 @ 3:47pm

        Re: Cable Modem light

        A small tech note:

        While some of the activity that you're seeing on the cable modem light is indeed malware attempting to get to your system, it's only a small percentage of what you're seeing on the light.

        The rest of the spurious activity is ARP packets generated by the switch. A lot of recent malware tries to contact randomly generated IP addresses. Every time that the switch for your cable segment gets a request for a node that it hasn't heard of, it hits everyone with an ARP to see if the requested node responds. Of course, no response is ever forthcoming.


        • thecaptain, 28 Feb 2004 @ 6:46am

          Re: Cable Modem light

          Wow! Thanks for that information. You learn something new everyday :)

          Seriously, it's nice to know why that traffic is as bad as it is (although as I said...looking for the attempts on my logs..you pretty much see a reason to think that's all the traffic there is)


  • Mark, 27 Feb 2004 @ 7:25am

    US spam

    The stuff that I get that doesn't come from China, Mexico or Brazil is usually from just a handful of US based ISPs - Roadrunner, Charter and PacBell. Sometimes I wonder why I bother reporting to those guys.

