[ Two replies in one. Last point has operational content. ] On Wed, Sep 08, 2004 at 01:52:59PM +0100, Michael.Dillon@radianz.com wrote:
> I see that 56trf5.com is a real domain. Does this mean that the domain name registries and DNS are now being polluted with piles of garbage entries in the same way that Google searches have been polluted with tons of pages full of nothing but search keywords and ads?
Absolutely. As one example out of thousands, there are at least 350 domain names of the form:

    aaefelb.info
    abbbafd.info
    acdfiaj.info
    aclbkcdc.info
    adkehgi.info
    aeamdgi.info

that have been burned through by one currently-active group of spammers. Another group has about 16,700 domains (and counting) that I'm aware of. Note also the relationship between this proliferation, the zombies, and rapidly-updating DNS -- see below.

On Wed, Sep 08, 2004 at 01:26:27PM -0500, Robert Bonomi wrote:
> I _do_ think that it is _a_step_ 'in the right direction'. I'd *love* to see SPF-type data returned on rDNS queries -- that would practically put the zombie spam-sending machines out of business.
Not even close, I'm afraid. Yes, it would deal, to some extent, with direct-to-MX spam from them (*if* all the domains they were forging cooperated), but:

1. Nothing stops those zombies from sending out spam via the mail servers on the networks on which they're located. (And in the process, forging either the address of the former owner of the zombie or another user on the same network.) Before you say "but the network operators would detect and fix that" let me point out that zombie-generated spam has been epidemic for going on two years and many -- MANY -- ISPs have yet to perform basic network triage that could mitigate much of this very quickly. It's reaching, I think, to expect that those same ISPs, who by now have grown quite comfortable sitting on their hands, would do anything about this. (I recently speculated on Spam-L that I was willing to bet that at least one such ISP would respond by plugging in more mail servers in order to alleviate the resulting congestion. Bruce Gingery promptly pointed out that this is a sucker bet: it's already happened.)

2A. Nothing stops those zombies from embedding spam payloads in ordinary messages sent by their [putative] users. Mail grandma? Spam grandma.

2B. Nothing stops those zombies from accepting spam payloads on port XXXX and writing it directly to disk in the place and format expected by the end user's mail client. No SMTP. No DNS. And with optional forged headers "proving" SPF/DomainKeys/etc. validity, just in case tools for checking those are in use.

3. Spammers have been using rapidly-updating DNS for quite some time in order to spread out their zombie-hosted web sites. With today's change they can now extend that up a level: nothing is stopping them from, say, registering 1000 domains, using 100,000 zombies to host copies of the content, and using rapidly-updating DNS to distribute the traffic (as well as making shutting it all down tedious).

And as if that won't be enough fun (and here's the operational bit):

4. This is the point that I think a lot of us tend to overlook: arguably, SMTP spam from those zombies is the *least* of our problems. Those systems are under the control of an unknown number of unknown persons, and can be put to many more uses -- and already have. They've already been observed hosting spamvertised web sites [1], probing for open proxies, and participating in DDoS attacks. They represent an enormous computing resource that's effectively in the hands of The Bad Guys. (To put this in perspective, compare the estimated size of the zombie farm to the much-vaunted Google cluster in terms of CPU count, aggregate bandwidth, and network diversity.)

And as I said previously, none of the three entities who could do anything about it (the zombies' former owners, consumer broadband ISPs, Microsoft) are willing to step up, admit there's a problem, and do whatever it takes to fix it. There is thus no reason at all to expect the problem to decrease; on the contrary, there is every reason (given the miserable track records of all concerned) to expect it to increase.

---Rsk

[1] Including some with content of interest to the FTC, DEA, FBI, RIAA, MPAA, BSA, SPA and other people who have lawyers, guns and/or money. Makes sense from spammy's point of view: it's free, it's fault-tolerant and scalable (thanks to rapidly-updating DNS), and maybe someone else will get clobbered for it.
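Point 3 of the reply above describes content spread over many zombies through rapidly-updating DNS. As an added example that is not part of this thread, the following Python check shows how a resolver operator could flag that pattern in passive-DNS records (short TTLs plus a large, network-diverse answer set); the sample records, the thresholds and the /16 approximation of "different network" are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS style records: (queried domain, TTL in seconds, answer IP).
# Domain names follow the pattern quoted above; addresses are RFC 5737/1918 filler.
SAMPLE_RECORDS = [
    ("aaefelb.info", 60, "192.0.2.10"),
    ("aaefelb.info", 60, "198.51.100.7"),
    ("aaefelb.info", 30, "203.0.113.5"),
    ("aaefelb.info", 60, "192.0.2.200"),
    ("aaefelb.info", 45, "10.20.30.40"),
    ("aaefelb.info", 60, "172.16.5.6"),
    ("example.com", 3600, "198.51.100.1"),
    ("example.com", 3600, "198.51.100.1"),
    # Short TTL but a few addresses in one network: ordinary load balancing, not flux.
    ("cdn.example.net", 30, "203.0.113.20"),
    ("cdn.example.net", 30, "203.0.113.21"),
    ("cdn.example.net", 30, "203.0.113.22"),
]


def summarize(records):
    """Per domain: distinct answer IPs, distinct /16 networks, smallest TTL seen."""
    summary = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for domain, ttl, ip in records:
        entry = summary[domain]
        entry["ips"].add(ip)
        # /16 is a coarse stand-in for "different network"; an ASN lookup is better.
        entry["nets"].add(str(ip_network(f"{ip}/16", strict=False)))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return summary


def suspected_flux(records, max_ttl=300, min_ips=5, min_nets=3):
    """Return domains whose answers are both short-lived and spread over many hosts.

    The thresholds are illustrative assumptions; tune them against your own resolver data.
    """
    flagged = []
    for domain, entry in summarize(records).items():
        if (entry["min_ttl"] <= max_ttl
                and len(entry["ips"]) >= min_ips
                and len(entry["nets"]) >= min_nets):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspected_flux(SAMPLE_RECORDS))  # ['aaefelb.info']
```

Domains that match are candidates for a closer look (registration date, name pattern, who hosts the answer IPs), not an automatic block.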