Re: [Asrg] Countering Botnets to Reduce Spam

Chris Lewis <clewis+ietf@mustelids.ca> Sat, 15 December 2012 03:46 UTC

Return-Path: <clewis+ietf@mustelids.ca>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78B1421F8AAE for <asrg@ietfa.amsl.com>; Fri, 14 Dec 2012 19:46:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.508
X-Spam-Level:
X-Spam-Status: No, score=-0.508 tagged_above=-999 required=5 tests=[AWL=0.540, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ehetlU25NqjV for <asrg@ietfa.amsl.com>; Fri, 14 Dec 2012 19:46:35 -0800 (PST)
Received: from mail.mustelids.ca (unknown [174.35.130.2]) by ietfa.amsl.com (Postfix) with ESMTP id B2CFB21F88CC for <asrg@irtf.org>; Fri, 14 Dec 2012 19:46:34 -0800 (PST)
Received: from [192.168.0.8] (otter.mustelids.ca [192.168.0.8]) (authenticated bits=0) by mail.mustelids.ca (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id qBF3kTff008490 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <asrg@irtf.org>; Fri, 14 Dec 2012 22:46:29 -0500
Message-ID: <50CBF295.4090709@mustelids.ca>
Date: Fri, 14 Dec 2012 22:46:29 -0500
From: Chris Lewis <clewis+ietf@mustelids.ca>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: asrg@irtf.org
References: <SNT002-W1393526B62C0940EF697B2C54E0@phx.gbl> <20682.3413.665708.640636@world.std.com> <50CA0E91.2080304@mtcc.com> <20682.23612.451287.246798@world.std.com> <50CA805E.3010100@mtcc.com> <50CAA612.3070000@mustelids.ca> <SNT002-W117523E9206C73F54784577C54D0@phx.gbl> <50CABCB4.1030103@mustelids.ca> <20121214133937.GA23699@gsp.org> <50CB4100.2020408@mustelids.ca> <20121214174457.GA18374@gsp.org>
In-Reply-To: <20121214174457.GA18374@gsp.org>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] Countering Botnets to Reduce Spam
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Dec 2012 03:46:35 -0000

On 12-12-14 12:44 PM, Rich Kulawiec wrote:
> On Fri, Dec 14, 2012 at 10:08:48AM -0500, Chris Lewis wrote:
>> Compromised Linux machines (mostly servers) are now responsible for ~40%
>> of all spam.
>>
>> The actual _count_ of compromised Linux machines is indeed quite low.
>> Say 62K out of 8.6M observed compromised machines.  About .72%. Two 9's ;-)
> 
> I believe you.

Would I lie to you Rich? ;-)

Let me remind you of what you said:

>> - Linux systems are not a significant component of botnets.  I've been
>> doing passive OS fingerprinting for most of a decade, and they're in
>> the noise floor.  It's still true now, as it was years ago, that
>> bot-originated spam comes from Windows systems to about six 9's.

You made two assertions there.  I'm more or less agreeing with the
former (linux botnet infections are rare compared to Windows), but
disagreeing with the second - 40% of all spam right now is from that
small number of Linux botnet infections.

> And to clarify further:
> I classify a system as a bot if it meets a set of criteria that includes
> more than sending spam: I may also classify it as a bot if it's doing
> brute-force SSH/FTP/IMAP/etc. attacks, if it's doing port scans, etc.

The term "botnet" is somewhat nebulous.  It's perhaps best that you
consider it to be an infection of some sort that does things via
"network initiated" command & control.

And do remember I was specifically addressing an assertion about _spam_.
Not other botish things.

The "tame" linux spambot I have periodically fetches commands from
somewhere in the Ukraine, and spams based on those commands.

The traditional darkmailer infection is more of a cgi that's accessible
via the infectee's web server, and is either manually or automatically
controlled.

> Do you think #2 explains the difference in our numbers, or do I have
> to make a LOT of coffee and dig into #1?

We're comparing apples to oranges and apples.  Forget about the oranges
bit ;-)