We have been doing a lot of reporting of networks that house spammers, but today we have a chance to talk about an old fashioned bot network. Normally, they are going out of style as a way to send spam, except for some of the worst spam, eg phishing, sending to virus pages etc, but in a day and age where anyone can ‘rent’ a bot’ that might have thousands or even hundreds of thousands of compromised accounts, this can still be challenging to deal with. For the spammer, the idea is that most providers and account holders won’t notice if just a few messages sneak out using each account.
We call them ‘piggyback’ spammers. They dont’ want to do enough damage to waste that valuable resource (eg have their compromised account discovered), so they just slip out a few messages a day on each account.
Now, normally most ISP’s have decent outbound spam protection that can pick up on the content, which is why it isn’t the best way to send spam anymore, but often they will use a short random string that can slip by filters, so if the volume stays low, it is hard to catch.
In today’s battle, another technique was used, in which a larger set of completely random text, random formatting (bayesian poisoning) and no harmful content at all, and all directed at a single user. Why you ask?
Well, it could be something as single as a broken bot, run by a script kiddie, who forgot to add in his poisonous content or, who instead of looping through many targets got stuck on a single target; but in all honesty? Bot Net’s are so cheap to rent, it could be something as simple as a disgruntled ex-employee or girlfriend.
By sending thousands of emails as an annoyance to fill up a person’s in box, or even filling up their quota, makes it hard to use that account. (35MG per day).
These types of attacks are one of the hardest to stop (distributed) and in this case, over 6500 different compromised accounts were used during a single day, via 1300+ IP(s). Which is why ISP’s have to be diligent in protecting email accounts, eg password strength, using TLS/SSL communications, and rate limiters.
The only way to find out who is behind it, is to actually work with the ISP’s who have the comprised users, and see who is behind the connection attempts, but often that will be simply another compromised server acting as a command and control server, operated by an anonymous person who is the one renting the service. And it is cheap, roughly about $.10 per compromised account in the bot. So, on the black market for a couple of hundred dollars you can make someone’s life a pain for a few days. Probably safer than pretending to order pizza’s to be delivered to your enemy.
So, how do you stop something like this? Well, each ISP usually has an abuse address to report such activity to, but we all know that we don’t have the time to do this for 1300 ISPs’ so how can you stop this? Of course, make sure your filters are as accurate as they can be, and you COULD ‘blacklist’ everyone sending to that account except for people that are in their contact list or white-list for a few days, because this will help alert the sending ISP and account holder that something is wrong with the sending account, or of course wait them out, they aren’t going to spend money forever.
But as an ISP, there is very little you can without considerable effort. It’s not like you are going to block the biggest email providers in the world, (it is a good chance that they have but to be truthful, sometimes the only way is tothe most compromised accounts). Working with a good spam-protection company might be the most cost effective way.