FC: Anti-spam tip for Windows users: Turn off built-in messaging

From: Declan McCullagh (declanat_private)
Date: Tue Nov 26 2002 - 05:53:10 PST


    Previous Politech message:
    http://www.politechbot.com/p-04194.html
    
    ---
    
    Date: Tue, 26 Nov 2002 08:24:38 -0500
    To: declanat_private
    From: Jon Zittrain <zittrainat_private>
    Subject: Re: FC: Spam king lives large off others' email troubles
    
    The "stealth technology" exploits the fact that many default Windows setups 
    have a form of popup messaging enabled, completely apart from traditional 
    instant messaging clients -- see 
    <http://www.jmu.edu/computing/security/info/winmsg.shtml>.
    
    ---
    
    Date: Tue, 26 Nov 2002 14:41:53 +0100
    From: Tomas Fjetland <tomasat_private>
    To: declanat_private
    Subject: Re: FC: Spam king lives large off others' email troubles
    
    Declan,
    
    You most likely already know, but what the article probably describes, and 
    what Thomas Leavitt describes as "laughable", is probably the new wave of 
    advertising using the Windows Messaging service. It does depend on machines 
    that are on the internet but not properly secured, but everyone knows that's 
    not uncommon. All such a spam system needs to do is check whether the normal 
    netbios ports respond, and if they do, chances are the machine will receive 
    and display such an ad.
    http://www.ciac.org/ciac/techbull/CIACTech03-001.shtml
    
    Makers of AdSubtract ad-blocking software, Intermute, have already released 
    a blocking tool, but using a good firewall would probably be the better 
    option. http://www.messagesubtract.com/help.html
    
    (I'm not affiliated with Intermute beyond being a satisfied customer of 
    AdSubtract)
    
    Regards,
    Tomas Fjetland
    
    ---
    
    Date: Tue, 26 Nov 2002 08:20:01 -0500
    To: declanat_private
    From: "James M. Ray" <jrayat_private>
    Subject: Re: FC: Spam king lives large off others' email troubles
    Cc: <thomasleavittat_private>
    
     >[This is really somewhat vile. --Declan]
    ...
     >... the last bit about the "stealth spam" technology is pretty laughable; I
     >find it hard to understand how a "tech" reporter could be ignorant enough of
     >basic Internet architecture to swallow the idea that somehow, a spammer
     >could shove stuff onto your computer (short of a massive OS security flaw,
     >etc.).
     >
     >... more likely, he's talking about some kind of rather prosaic adware...
    
    I may be wrong, but I think he's hinting about expanding into AIM-spam
    there. :( I won't welcome the first spam instant message I get, but even
    though my AIM id is widely known, I haven't gotten one...yet...
    JMR
    
    -- 
    "e-gold is to money what email is to letters."  -- JP May
    --
    Regards, James M. Ray  <jrayat_private> PGP = 0xAE141134
    http://www.e-gold.com/e-gold.asp?cid=101574
    
    ---
    
    Date: Tue, 26 Nov 2002 07:44:48 -0500
    From: Rich Kulawiec <rskat_private>
    To: Thomas Leavitt <thomasleavittat_private>
    Cc: Declan McCullagh <declanat_private>
    Subject: Re: FC: Spam king lives large off others' email troubles
    
     > ... the last bit about the "stealth spam" technology is pretty laughable; I
     > find it hard to understand how a "tech" reporter could be ignorant enough of
     > basic Internet architecture to swallow the idea that somehow, a spammer
     > could shove stuff onto your computer (short of a massive OS security flaw,
     > etc.).
     >
     > ... more likely, he's talking about some kind of rather prosaic adware...
    
    Actually, some of the ratware out there is surprisingly sophisticated.
    Spammers have moved on from simple header forgery and open SMTP relay
    hijacking to widespread, coordinated use of thousands of open proxies,
    with traffic spread across them and using "hashbusters" in the text
    to mitigate the accuracy of some anti-spam software.  They use all kinds
    of other tricks as well: HTTP references to hosts are often expressed
    as IP addresses or in hex; HTML markup is obfuscated to make it
    difficult to do string comparisons, e.g.
    
    	<a href="http://www.<!-- blah -->sp<!-- blah-->amsite.com"></a>
    
    and similar things; they're frequently switching domain names; at least
    one that I know of constructed a VPN between two different ISPs and
    was tunneling traffic in an attempt to evade detection.  And so on.
    
    Now granted, the overwhelming majority of spammers aren't capable of
    crafting these kinds of tools and may even struggle to just use them.
    But there are clearly at least a few very sharp brains at work out
    there and the tools they're creating are clearly designed to (1) maximize
    throughput (2) maximize actual delivery rate (3) minimize chances of
    detection (4) minimize compute/network load on the spammer's own systems.
    Combine this with the limited technical resources at some ISPs and the
    willingness of others to allow spammers on their networks and it's a
    major problem.
    
    ---Rsk
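
The obfuscations described in the message above (HTML comments spliced into a host name, hosts written as raw decimal or hex IP addresses) defeat naive string matching, but they are cheap to undo before the comparison is made. The Python below is an added example, not code from this thread or from any tool it mentions. The first sample line is the spamsite.com markup quoted above; the other sample lines, the 192.168.0.1 address, the hex and decimal spellings of it, and the blocklist are constructed for illustration.

```python
import ipaddress
import re
from html import unescape
from urllib.parse import unquote, urlparse

# Constructed samples. The first line is the obfuscation shown in the message;
# the rest are made-up variants in the same spirit (hex and decimal hosts,
# percent-encoding, a userinfo decoy, a trailing dot).
SAMPLES = [
    '<a href="http://www.<!-- blah -->sp<!-- blah-->amsite.com"></a>',
    '<a href="http://0xC0A80001/buy">',
    "<a href='http://3232235521/buy'>",
    '<A HREF="http://0xc0.0xa8.0.1/buy">',
    '<a href="http://%77%77%77.spamsite.com/">',
    '<a href="http://www.trusted.example@www.spamsite.com./">',
]

# Hosts we want to catch, already in canonical form (constructed for the example).
BLOCKLIST = {"www.spamsite.com", "192.168.0.1"}

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def strip_comments(markup):
    """Remove HTML comments wherever they appear, including inside attribute values."""
    return COMMENT_RE.sub("", markup)


def _ipv4_from_int(value):
    # Dotted-quad text for a 32-bit integer, or None if the number is out of range.
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return None


def normalize_host(host):
    """Canonicalize a host so that equivalent spellings compare equal:
    lowercase, no trailing dot, numeric forms rewritten as dotted-quad."""
    h = host.strip().lower().rstrip(".")
    # A single 32-bit number: 0xc0a80001 or 3232235521.
    if re.fullmatch(r"0x[0-9a-f]+", h):
        return _ipv4_from_int(int(h, 16)) or h
    if h.isdigit():
        return _ipv4_from_int(int(h, 10)) or h
    # Four parts, each possibly written in hex: 0xc0.0xa8.0.1
    parts = h.split(".")
    if len(parts) == 4:
        try:
            octets = [int(p, 16) if p.startswith("0x") else int(p, 10) for p in parts]
        except ValueError:
            return h
        if all(0 <= o <= 255 for o in octets):
            return ".".join(str(o) for o in octets)
    return h


def extract_hosts(markup):
    """Return the canonical host of every href in a piece of markup."""
    cleaned = unescape(strip_comments(markup))
    hosts = []
    for raw in HREF_RE.findall(cleaned):
        parsed = urlparse(unquote(raw))
        if parsed.hostname:  # urlparse drops userinfo and lowercases for us
            hosts.append(normalize_host(parsed.hostname))
    return hosts


def find_blocked(markup_lines, blocklist):
    """Map each input line to the blocked hosts it references after normalization."""
    hits = {}
    for line in markup_lines:
        matched = sorted(h for h in extract_hosts(line) if h in blocklist)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, hosts in find_blocked(SAMPLES, BLOCKLIST).items():
        print(hosts, "<-", line)
```

Run as a script, every one of the six constructed lines resolves to a blocklisted host, although none of them contains the string "www.spamsite.com" or "192.168.0.1" verbatim. Comparing normalized hosts rather than raw text is the point; the same normalization belongs in front of any reputation lookup.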
    
    ---
    
    Date: Tue, 26 Nov 2002 10:56:10 +0000
    From: Matt Collins <mattat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Spam king lives large off others' email troubles
    
    On Mon, Nov 25, 2002 at 11:18:18PM -0500, Declan McCullagh wrote:
     > [This is really somewhat vile. --Declan]
     >
    
    Laughable as Thomas may find it or not, the massive OS security
    flaw in question is the Windows Messenger service, affecting at least
    W2K and XP, and the cause of many, many unfirewalled Windows users
    receiving random popup messages on their systems advertising
    porn, etc.
    
    Thomas presumably finds the idea laughable because he can't imagine
    any vendor providing the ability for random 3rd parties on a distant
    network to connect and pop up requestors on your box, stealing focus
    from whatever you may be doing. Microsoft, gloriously, have provided
    this ability, to the extent that many associates who have an application
    that crashes if focus is stolen from it regularly, well, crash, until
    they disable this 'feature'.
    
    Some discussion here:
    http://www.mircscripts.org/viewImage.php?cid=5099&v=b
    
    Matt
    
    n.b. this is the OS's messaging service, not the instant message
    client similar to ICQ.
    
    ---
    
    From: "Thomas Leavitt" <thomasleavittat_private>
    To: "Ed Allen Smith" <easmithat_private>
    Cc: "Declan McCullagh" <declanat_private>, <andrewat_private>
    Subject: Re: FC: Spam king lives large off others' email troubles
    Date: Tue, 26 Nov 2002 00:39:23 -0800
    
    Stunning... once again, Microsoft has shown that it is incapable of
    designing an operating system which can both function normally, and be
    secure, in a networked environment.
    
    Boy am I glad that I'm sitting behind a NAT device (one of four or five
    computers sharing my 56k connection). I feel a hell of a lot more secure
    knowing my systems are sitting on the open Internet. All I can say is, if I
    were a firewall/anti-virus software company or a NAT device manufacturer,
    I'd be revving up the marketing machine... because once this stuff becomes
    freely available, it will be impossible to run NT/2000/XP without something
    of the sort - my guess is that it will take less than 10 pop ups in a single
    hour to piss people off badly enough to do something. Whether that involves
    lynching Ralsky, Gates, or something more moderate is unknown. :)
    
    Regards,
    Thomas Leavitt
    
    ---
    
    From: Ed Allen Smith <easmithat_private>
    Date: Tue, 26 Nov 2002 03:05:18 -0500
    To: thomasleavittat_private
    Cc: declanat_private
    
    In message <5.1.1.6.0.20021125181352.02ab9c40at_private> (on 25 November
    2002 23:18:18 -0500), declanat_private (Declan McCullagh) wrote:
     >[This is really somewhat vile. --Declan]
    
    Yes. Hopefully, someone will do the same Oakland County real estate record
    search that this reporter did and make Ralsky's address available to the
    public again. Given his lack of concern for the privacy of anyone else, I
    see no reason why he should have any.
    
    ---
    
    Date: Mon, 25 Nov 2002 23:30:13 +0000 (UTC)
    From: Bill Nash <billnat_private>
    To: Declan McCullagh <declanat_private>
    cc: politechat_private
    Subject: Re: FC: Spam king lives large off others' email troubles
    
    On Mon, 25 Nov 2002, Declan McCullagh wrote:
    
     > [This is really somewhat vile. --Declan]
     >
     > ---
     >
     > From: "Thomas Leavitt" <thomasleavittat_private>
     > To: "Declan McCullagh" <declanat_private>
     > Subject: Fw: More on the Spam Kings
     > Date: Mon, 25 Nov 2002 14:43:16 -0800
     >
     > ... more likely, he's talking about some kind of rather prosaic adware...
     >
    
    	Or how about something as simple as a return receipt? This
    functionality is bred into most e-mail software. Most people either don't
    know, don't care, or can't be bothered to learn. Sad but true, I miss the
    DOS days when you had to have a clue to operate a PC. The legacy Bill
    Gates is a species of idiot.
    
    - billn
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Nov 26 2002 - 06:14:43 PST