Re: [ISN] MayDay! MayDay! Ruskies reinvent cyber crime

From: InfoSec News (alerts@private)
Date: Fri Feb 15 2008 - 00:09:27 PST


Forwarded from: *Hobbit* <hobbit (at) avian.org>

Breathless articles like this just piss me off.  It isn't about whose 
botnet is bigger or more secretive or what its C2 protocol is.  It's 
really about the fact that they're permitted to exist at all, let alone 
successfully send huge volumes of spam.

If the ISPs would actually grow a pair one of these days and curtail 
untrusted customer netblocks full of known-infested machines from 
sending ANY direct SMTP traffic to anywhere but the ISP's own authorized 
and well-controlled egress relay, there would be no point in spam 
botnets.  I wrote at length about this over two years ago and suggested 
some local [and arguably somewhat lame] mitigation strategies, in

  http://www.usenix.org/publications/login/2005-10/openpdfs/hobbit.pdf

but how many people actually read Usenix papers, anyways.  The point 
here is that the ISPs are a very large percentage AT FAULT for the 
continued existence and appeal of botnets.  If you work for an ISP, go 
ahead, be as angry as you want at me for saying that, but you know how 
true it is.  Have you ever spent *4 hours* on the phone with reps in the 
Philippines for Verizon or Comcast [to pick on the big boys] trying to 
find someone who can even spell SMTP, let alone do anything to solve a 
problem or track spam?  GFL.

How hard is it to add some anti-forgery header rules to the egress 
dropoff mailservers that ALREADY exist, special-case a few people who 
actually know what they're doing, and then hop on the edge routers and 
clamp down on any other TCP 25 noise emerging from subscriber clouds? 
HOW HARD IS IT??  Don't give me that lame "common carrier, can't do it" 
excuse -- you wouldn't be blocking ingress CIFS and the like either if 
that held any water.  If you're an ISP and continuing to let botnets 
work under your noses, you are an overt threat to the security of many 
nations at once.  Get busy.

Oh, and you could try answering your abuse@ mailboxes once in a while.

_H*
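The egress rule Hobbit proposes, simulated as an added example (not part of the original post or anything Hobbit published): subscriber netblocks may send TCP/25 only to the ISP's own relay, a few known-competent customers are special-cased, and the denied attempts are counted per source so the abuse desk has a list of likely infested hosts. The netblock, relay address, allowlist and flow records are all constructed for the example.

```python
"""Simulated edge-router policy for subscriber TCP/25 egress, as proposed in the post."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed values (RFC 5737 documentation ranges), not taken from the post.
SUBSCRIBER_NETS = [ip_network("203.0.113.0/24")]   # untrusted subscriber cloud
ISP_RELAY = ip_address("198.51.100.25")            # ISP's authorized egress relay
MAIL_ALLOWLIST = {ip_address("203.0.113.7")}       # customers who run real MTAs
SMTP_PORT = 25

def policy(src, dst, dport, proto="tcp"):
    """Decide 'permit' or 'deny' for one outbound flow at the edge router."""
    src, dst = ip_address(src), ip_address(dst)
    if proto != "tcp" or dport != SMTP_PORT:
        return "permit"                             # rule only touches direct SMTP
    if not any(src in net for net in SUBSCRIBER_NETS):
        return "permit"                             # not a subscriber address
    if dst == ISP_RELAY or src in MAIL_ALLOWLIST:
        return "permit"                             # via the relay, or special-cased
    return "deny"                                   # direct-to-MX from a subscriber

def apply_policy(flows):
    """Apply the policy to (src, dst, dport) records; return decisions and a
    per-source count of denied direct-SMTP attempts."""
    denied = Counter()
    decisions = []
    for src, dst, dport in flows:
        decision = policy(src, dst, dport)
        decisions.append(decision)
        if decision == "deny":
            denied[src] += 1
    return decisions, denied

def suspected_infested(denied, threshold=3):
    """Sources with at least `threshold` denied attempts: candidates for the abuse@ queue."""
    return sorted(src for src, count in denied.items() if count >= threshold)

# Constructed sample flows: one subscriber spraying SMTP at foreign MXes,
# one allowlisted mail admin, and unrelated traffic the rule must not touch.
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.25", 25),   # to the ISP relay: permit
    ("203.0.113.5", "192.0.2.10", 25),      # direct to a remote MX: deny
    ("203.0.113.5", "192.0.2.11", 25),      # deny
    ("203.0.113.5", "192.0.2.12", 25),      # deny
    ("203.0.113.7", "192.0.2.10", 25),      # allowlisted customer MTA: permit
    ("203.0.113.9", "192.0.2.10", 443),     # HTTPS: untouched
    ("203.0.113.9", "192.0.2.10", 587),     # not port 25: untouched
]

if __name__ == "__main__":
    decisions, denied = apply_policy(SAMPLE_FLOWS)
    print(decisions, suspected_infested(denied))
```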

This archive was generated by hypermail 2.1.3 : Fri Feb 15 2008 - 00:22:13 PST