A significant rise in the global volume of spam in the past two months has
security analysts worried that bot nets are increasingly being used by spammers
to stymie network defenses erected to curtail bulk email.
Estimates of the magnitude of the increase in junk email vary, but experts
agree that an uncommon surge in spam is occurring. On the low side, Symantec,
the owner of SecurityFocus, has found that average spam volume has increased
almost 30 percent for its 35,000 clients in the last two months. Others have
seen much more significant jumps: Spam black list maintainer Total Quality
Management Cubed has seen a 450 percent increase in spam in two months, and
the amount of spam filtered out every week by security software maker Sunbelt
Software has more than tripled compared to six months ago.
Two weeks ago I noticed an increase in the spam creeping through my filters
and landing in my various inboxes.
I use SpamPal on all of
the PCs on my network at home and I recommend it to every person I meet.
As a long term user of SpamCop I
also recommend signing up and reporting ALL the spam that people get. You can
get a free reporting account and although it will not necessarily mean a decrease
in the amount of spam you get, it could help reduce the amount of spam others
get. I say not necessarily because (1) you may be put on a gray list by spammers
if they find out you are reporting your spam (and trust me, they do), or (2)
until such time as every user subscribes to submitting spam to RBLs, there
will always be spam creeping through.
But back to the increase. On my main machine I have SpamPal configured to
use every possible blacklist and still the spam was getting through ‘untagged’.
(SpamPal is set up to identify spam and tag it rather than delete it. When
it reaches my mail client (Thunderbird or MS
Outlook), it is then filtered into the junk folder. Thunderbird also has
the ability to ‘trust’ the SpamPal headers that are applied to detected spam
and will automatically ‘junk’ that mail.)
History of Spam
When spam was first born, or first became a problem, it most likely originated from
a number of servers rented by a spammer and based in a country such as China
where they didn’t care who was paying for what providing they paid. There was
a proliferation of machines responsible for sending out masses of spam to users
throughout the world. When people first started fighting spam, this made it
easy since all you had to do was block a single IP, or block a range of known
addresses used for sending spam.
This is when the spammers started getting clever. Number one, they were paying
for these servers in countries like China and despite the profits, when they
realised they could get the service for free, it was a no brainer. By
searching for and using email servers that were not protected they could send
their mails using those servers. (Open Relays are one method they use.) But
this again has a drawback when it comes to detection because there are only
so many Open Relays and once a list of these is compiled, users can block
Using a small number of email servers to send spam means that a single
addition to an RBL could render the whole spam run ineffective.
For example, using a single email server to send 10,000,000 emails is not very
effective if that email server is placed on an RBL.
The ultimate aim of the spammer is to use a large number of mail servers to
send his spam.
For example, using 10,000,000 email servers to send one spam each is highly
effective. It would be difficult to have an RBL with 10,000,000 entries in
it. And even if such a list existed, the amount of processing power required
to scan a list of 10,000,000 entries would be far too great and it would mostly
not be effective.
In the figures above, 10,000,000 computers used to send 1 email each was
a figure used to prove the point. But that could become a reality.
There are so many Open Relays in the world and as network administrators tighten
these down, it becomes harder for the spammers to find them.
There are still the ‘average Joe User’ types who set up their own dedicated
servers or even an email server running on their home network and don’t configure
it properly, leading to it being used as an Open Relay. But these too are reducing
as ISPs close down or restrict access to what services home users can use.
Likewise, network administrators are paying attention to the reports of badly
configured servers and terminating the accounts of those who end up getting
their networks blocked because of misuse by a spammer.
There will always be the network or country who turns a blind eye to the spammer,
but this leads to easy identification and blocking of the servers.
So where will the spammer get his 10,000,000 computers from to use as mail
Simple. Your computer.
Bot Net as an Email Server
We have all heard of viruses and trojans (if you haven’t then you should be
A virus by definition now is something that does damage to your computer.
A trojan is something that resides on your computer and has the potential to
do something that you are not aware of, whether that be damaging or simply
logging all of your online bank details for example.
A Bot Net is a collection of computers that have had software installed on
them without the knowledge of the user.
Bot Nets can be used for any number of purposes: hosting websites, attacking
other computers with DoS (Denial of Service) attacks, finding other computers
on which to install trojans (or make them into Bot Net clients) and, amongst many other
uses, they can also be used to send email.
A computer that is part of a Bot Net is often linked to a controller. The
controller can instruct the Bot Net to go to another computer and download
more software depending on the usage required by the Bot Net controller. If
the Bot Net controller receives an order to send out a million emails, then
he tells his Bots to fetch the email application (if not already on the infected
or ‘owned’ PC). He then tells the Bot where to get its list of recipients
to send the emails to. It behaves like a distributed email server.
So now rather than rely on a small number of email servers, or known vulnerable
email servers, the spammer has the resources available to use a massive number
of email servers to send a few of his emails each. If a percentage of his Bots
become listed on RBLs, he loses only a small percentage of his spam output.
By using someone’s home computer, they are unlikely to notice a few emails
being sent out per hour. The spammer isn’t going to give the game away by sending
massive amounts of data that would be noticed by the user. The bot may even be clever
enough to learn when you use the PC and when you don’t, and use your bandwidth
when you are not.
How do the Bot Nets get onto my PC?
Without starting a Microsoft bashing war, since Windows based PCs are the
most predominantly used in the home, and we all know the hype surrounding the vulnerabilities
in various Microsoft operating systems, the fact remains that these computers
form the bulk of the Bots that exist today.
There are a number of techniques that the Bot Net controllers will use to get
the Bot Net application installed on your PC. From viruses to trojans in emails,
to using exploits in the operating system or in web browsers, they
have many ways of getting them onto your PC.
Are Bot Nets the reason for the recent increase in Spam?
By looking at the IP addresses of the spam that has been getting through my
filters, there is a large increase from residential IPs.
In English, this means an increase from home users.
They will still have to employ other techniques since most home users on broadband
use ADSL connections which can be easily detected.
Similarly, many home users are on dynamic IP addresses (ie. you get a new address
each time you reset your PC/Router), and these too can be easily detected and
used to form a blacklist. But the fact is, over 90% of the spam that has evaded
my filtering in the past two weeks has most likely come from PCs that are part of a
massive Bot Net.
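One way to check the same observation on your own mail, as an added example that is not from the original post: it pulls the delivering host's IP and reverse DNS name out of the topmost Received header of each message and flags the dynamic-pool naming and listed dynamic ranges the post describes. The sample headers, the rDNS patterns and the 192.0.2.192/26 range are all constructed for the example and are not from the post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample messages (not real spam). Assumption: our own MTA adds the
# topmost Received header, so its bracketed IP is the host that handed the
# message to us: a legitimate relay, or a bot delivering direct to our MX.
SAMPLES = [
    "Received: from mx1.mailhost.example (mx1.mailhost.example [203.0.113.10])\n"
    "\tby mail.home.example (Postfix) with ESMTP id 001\n"
    "Subject: newsletter\n\nbody\n",
    "Received: from [198.51.100.77] (adsl-77-100-51.dyn.isp.example [198.51.100.77])\n"
    "\tby mail.home.example (Postfix) with SMTP id 002\n"
    "Subject: cheap meds\n\nbody\n",
    "Received: from localhost (cable-9-0-2.cpe.isp.example [192.0.2.9])\n"
    "\tby mail.home.example (Postfix) with SMTP id 003\n"
    "Subject: you won\n\nbody\n",
    "Received: from unknown (unknown [192.0.2.200])\n"
    "\tby mail.home.example (Postfix) with SMTP id 004\n"
    "Subject: urgent\n\nbody\n",
]

# Heuristics: labels ISPs commonly put in rDNS for dynamic/residential pools,
# plus a constructed prefix standing in for a dynamic-range blacklist.
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(adsl|dsl|dyn|dynamic|pool|ppp|dhcp|cable|cpe)([.-]|$)", re.I)
DYNAMIC_RANGES = [ipaddress.ip_network("192.0.2.192/26")]  # constructed
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)", re.I)

def originating_hop(raw):
    """Return (rdns_name, ip_string) from the topmost Received header, or None."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.match(" ".join(received[0].split()))  # unfold the header
    return (m.group(2), m.group(3)) if m else None

def is_residential(rdns, ip):
    """Flag dynamic-pool rDNS names or IPs inside a listed dynamic range."""
    addr = ipaddress.ip_address(ip)
    return bool(DYNAMIC_RDNS.search(rdns)) or any(addr in n for n in DYNAMIC_RANGES)

def residential_share(messages):
    """Fraction of messages whose delivering host looks like a home connection."""
    hops = [h for h in map(originating_hop, messages) if h]
    flagged = sum(1 for rdns, ip in hops if is_residential(rdns, ip))
    return flagged / len(hops) if hops else 0.0
```

Run it over the spam that slipped past your tagging and the ratio is the figure the post eyeballs by hand.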
What Can I do to prevent becoming part of a Bot Net?
Some will say the quick answer is to switch to Linux (or any *nix based OS)
and ditch Microsoft Windows. We all know that isn’t going to happen for whatever
But you must ensure that you have a decent firewall enabled either on your
PC or at your Router and ideally both.
Keep your Anti-Virus up to date.
Keep your Anti-Spyware up to date.
Right now, my personal choice for my home PCs is AVG.
They have had one of the better Anti-Virus solutions for a long time and send
out regular updates.
Ewido was one of the better Anti-Spyware tools out there and made even better
when Grisoft recently purchased them. So at the moment AVG Anti-Spyware is
just Ewido with Grisoft markings, but is still the same great product underneath.
What is more, you can get both products for free and continue to use them for
free after the 30-day evaluation period expires. You lose some functionality,
and may have to do some actions manually (such as perform an update to get
the latest definitions with AVG Anti-Spyware), but that isn’t too much hassle when
you consider the effectiveness of the products.
That said, I don’t mind paying a subscription for something that I consider
worthwhile which is why I subscribe to both AVG products.
But in singing the praises of AVG, I also use two other services just to be
on the safe side. For viruses I use an online service, VirusTotal.
This allows me to submit files for instant verification: by uploading them to
VirusTotal it checks them against a number of AV vendors. If it’s a virus
it will detect it.
I also use the Opensource SpyBot
– Search and Destroy. The User Interface is not as user friendly as some
others, but its detection and cleaning rate are up there with the best. It
also has some useful tools and helps protect your browsers from known vulnerabilities.
- I would always recommend having two methods of Virus and Spyware detection
on your PC
- Scan memory, internet folders and workspace every day
- Scan the complete computer weekly
That advice is in addition to the standard good practice of not opening
mail from people you don’t know, not clicking sites that you don’t know, etc.