I recently grew frustrated at the lack of a good, fast RBL checking web site. So, during the MailChannels summer hackathon on a remote island in the Pacific Northwest, I coded up an AJAX-based blacklist check web page. This new service is a work in progress, but already satisfies a few goals I had in mind at the start of the hackathon:
- It’s fast – DNS lookups are done in parallel, so a complete set of results usually comes back in under one second;
- It’s easy – IP addresses and host names are accepted, and CIDRs will be added soon; and,
- It gives you useful information – such as the ASN and subnet range from which the IP address was allocated.
For those of you who are so inclined, feel free to figure out the wire-line protocol, which is a REST-ful JSON thing. I can’t promise it won’t be rate limited, but I certainly don’t mind if you script it to provide the back-end for your own multi-RBL checking service.
Without further ado, here’s the link:
http://www.mailchannels.com/blacklist-check.html
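As an added example (not the MailChannels service's own code), here is the core of such a checker in Python: it builds the reversed-octet query name for an IP or hostname, fans the zone lookups out in parallel, and treats answers outside 127.0.0.0/8 as errors rather than listings. The zone names, the stub DNS table and the injectable resolver are constructed so it runs offline; with the default resolver it queries real DNS.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed zone names and stub DNS table so the example runs offline; real
# DNSBL zones and their return-code meanings come from each list's own docs.
STUB_ZONES = ("bl-one.dnsbl.example", "bl-two.dnsbl.example", "bl-three.dnsbl.example")
_STUB_DNS = {
    "25.2.0.192.bl-one.dnsbl.example": "127.0.0.2",  # listed
    "25.2.0.192.bl-two.dnsbl.example": "10.0.0.1",   # answer outside 127/8
    "mail.example.test": "192.0.2.25",               # hostname -> IP
}

def stub_resolve(name):  # stands in for socket.gethostbyname
    if name not in _STUB_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return _STUB_DNS[name]

def dnsbl_query_name(address, zone):
    """Reversed IPv4 octets (or IPv6 nibbles) + zone: 201.21.174.207 -> 207.174.21.201.<zone>."""
    rev = ipaddress.ip_address(address).reverse_pointer  # ends in .in-addr.arpa / .ip6.arpa
    return f"{rev.rsplit('.', 2)[0]}.{zone}"

def classify_answer(answer):
    """A listing is an A record in 127.0.0.0/8. Anything else is an error, not a
    listing: some lists answer outside that range to signal refused queries."""
    try:
        listed = ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return "error"
    return "listed" if listed else "error"

def check_dnsbls(target, zones, resolve=socket.gethostbyname, workers=8):
    """Query every zone in parallel; returns {zone: (verdict, answer-or-None)}."""
    try:
        address = str(ipaddress.ip_address(target))
    except ValueError:
        address = resolve(target)  # hostname: resolve to its A record first

    def lookup(zone):
        try:
            answer = resolve(dnsbl_query_name(address, zone))
        except socket.gaierror:
            return zone, ("not listed", None)  # NXDOMAIN means not on this list
        return zone, (classify_answer(answer), answer)

    with ThreadPoolExecutor(max_workers=workers) as pool:  # lookups overlap in time
        return dict(pool.map(lookup, zones))
```

Call `check_dnsbls("192.0.2.25", STUB_ZONES, stub_resolve)` to see the three verdicts; total wall time with real DNS is roughly that of the slowest zone, not the sum.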
Tags: blacklist, blacklist check, rbl
April 18th, 2008
Posted in Uncategorized
Why Are Botnets So Difficult To Stop?
Definition: a "botnet" is commonly known as a network of infected computers used to send spam (among other actions).
The largest botnets contain hundreds of thousands of "zombie" machines controlled by a "bot herder," who uses sophisticated encryption, infection and peer-to-peer (P2P) networking techniques to ensure the permanence and growth of the botnet. As the zombies are used, they are discovered and subsequently blocked. While individual zombies are constantly changing, the overall botnet and the people who control it remain the same.
Because of botnets, spam does not come from a predictable set of computers; rather, it comes from all over the place in a completely unpredictable manner. By leveraging the diversity of IP addresses available via botnets, spammers have rendered the blocking approach far less effective than it once was.
Further, as the number of broadband subscribers continues to grow most rapidly in developing economies such as China and Eastern Europe, the number of computers available for exploitation as botnet members is expanding. As botnets increase in size and sophistication, trying to identify where the "bad stuff" is coming from is becoming less and less worthwhile.
Indeed, researchers at Georgia Tech discovered in 2006 in a survey of data from the Spamhaus black list that only 5 per cent of botnet IP addresses ever end up listed in the Spamhaus database. In another paper, the same researchers found that 85 per cent of spam zombies sent fewer than ten email messages to their honeypot server over the course of about 18 months, as shown in the above graph.
Example: A Transient Zombie
In late 2007, the zombie at 201.21.174.207 (a Brazilian broadband subscriber address) began sending approximately three spams each day into one of our honey pot systems. It took 19 days for the first real-time blackhole list (RBL) to identify this IP address and cause it to be blocked. By sending only a very light trickle of email, zombies can evade detection.
While blocking continues to be a core component of the multi-layered anti-spam architecture, it makes little sense in 2008 to depend on filtering technology designed to block spam in 2001 before the advent of botnets. Approaches that seek to block spam fail to deal with the issue of unknown senders.
Tags: anti-spam, DSNBLs, IP-addresses, rbl, spam, unknown senders, zombie
November 28th, 2007
Posted in Uncategorized
This evening I was looking at some of the spam found in my Gmail Spam folder. I started using Google Search to see if I could correlate some websites related to the spam. I did find some interesting things, such as the bad English “recorded for security purpose”, found on one spam-related website, is copied across several spam-related sites. I was looking for some casual correlation to hopefully find some bad IP addresses not found in one of the top RBL sites, such as Spamhaus. Alas, Spamhaus had me beat. It knew them all.
But then I found something rather interesting. I came across a website with a pop-up, trying to get me to download a Windows executable file.

In order for this to work I’d have to click on the fake dialogue button “Continue”. Then a real dialogue with an option for “Save As” appears, I download it, open it, and enjoy using my new virus. Okay, so nothing new and exciting there. It’s a pretty simple website trying to con me into running their malicious code.
Now I was curious how many duplicate pages out there had the same pop-up, so I did a search for the text “You need to download new version of Video ActiveX Object to play this video file.”.
I clicked on the first result.

But the page was gone.

I was really looking forward to that virus pop-up. Never mind, maybe Google Cache can help me out.


Excellent! The spammer took down the webpage linking to their exploit code, but luckily Google Cache was able to save a copy of the page, which popped up the “Save As” dialogue, so I can now download it and start enjoying my new virus as it silently rips through my machine, stealing my personal data and emailing spam around the world.
I uploaded this file to the Kaspersky Virus Scanner and it was identified as being “infected by Trojan-Downloader.Win32.Zlob.eob”.
Oh no, I just realized. This exploit is not platform independent and will not run on my machine. It only runs on Windows and I’m using Ubuntu Linux. I guess I’ll have to keep googling…
Tags: activex, exploit, gmail, pop-up, rbl, spamhaus, spammers, video, virus