Re: [Asrg] Countering Botnets to Reduce Spam

Chris Lewis <clewis+ietf@mustelids.ca> Sat, 15 December 2012 17:33 UTC

Return-Path: <clewis+ietf@mustelids.ca>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6D1921F8588 for <asrg@ietfa.amsl.com>; Sat, 15 Dec 2012 09:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.557
X-Spam-Level:
X-Spam-Status: No, score=-0.557 tagged_above=-999 required=5 tests=[AWL=0.491, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0iW1aR0rAJq for <asrg@ietfa.amsl.com>; Sat, 15 Dec 2012 09:33:14 -0800 (PST)
Received: from mail.mustelids.ca (unknown [174.35.130.2]) by ietfa.amsl.com (Postfix) with ESMTP id 2894A21F8584 for <asrg@irtf.org>; Sat, 15 Dec 2012 09:33:14 -0800 (PST)
Received: from [192.168.0.8] (otter.mustelids.ca [192.168.0.8]) (authenticated bits=0) by mail.mustelids.ca (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id qBFHX7GO032296 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <asrg@irtf.org>; Sat, 15 Dec 2012 12:33:08 -0500
Message-ID: <50CCB453.3030606@mustelids.ca>
Date: Sat, 15 Dec 2012 12:33:07 -0500
From: Chris Lewis <clewis+ietf@mustelids.ca>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: asrg@irtf.org
References: <SNT002-W143FB9A867C92FA80D90E04C54E0@phx.gbl> <DA14FA4D-13CB-4C61-90C4-4E690F0EC745@blighty.com> <SNT002-W1393526B62C0940EF697B2C54E0@phx.gbl> <20682.3413.665708.640636@world.std.com> <50CA0E91.2080304@mtcc.com> <20682.23612.451287.246798@world.std.com> <50CA805E.3010100@mtcc.com> <50CAA612.3070000@mustelids.ca> <SNT002-W117523E9206C73F54784577C54D0@phx.gbl> <50CABCB4.1030103@mustelids.ca> <20121214133937.GA23699@gsp.org> <50CB4100.2020408@mustelids.ca> <20684.42879.498431.234986@world.std.com>
In-Reply-To: <20684.42879.498431.234986@world.std.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] Countering Botnets to Reduce Spam
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2012 17:33:14 -0000

On 12-12-15 11:38 AM, Barry Shein wrote:
> 
> On December 14, 2012 at 10:08 clewis+ietf@mustelids.ca (Chris Lewis) wrote:

>  > Compromised Linux machines (mostly servers) are now responsible for ~40%
>  > of all spam.

> Any information on how they are being compromised?

- Wordpress and Joomla seem to be subject to a never-ending blizzard of
various file-upload compromises.  While ensuring that the customers
using them are using the very latest patches seems to help a _lot_,
that's apparently something that not all hosters attempt to enforce, and
tomorrow there'll be another compromise discovered.

- Some multi-host platforms are inherently leaky.  IIUC, Cpanel has anon
ftp turned on by default.

- Files uploaded via compromised customer userid/password are extremely
common, and have been for quite a while.  Small-medium environments are
under surprisingly high phishing pressure.  Even my teensy regional ISP
is subject to a never ending wave of phishes.