Web host spam vs spam filters
Martijn Grooten
2013-06-18 20:30:45 UTC
So. I had promised I'd do some research into spam sent from web hosts. Which I did.

I used 64,000 spam messages sent between 27 April and 13 May 2013.

They were sent through 20 spam filters in parallel and real-time.

I defined a 'web host' as an IP address that was listening on port 80 around the time the email was sent.

About 30% of the spam in this corpus was sent from web hosts.

Web host spam bypasses a filter with a probability of 1.04%.

Other spam does so with a probability of 0.29%.

That's a significant difference. (Note that the spam I use tends to be easy to filter. Relatively little snowshoe spam and dodgy ESPs.)

There's the usual correlation versus causation disclaimer. It could well be that those spammers who use web hosts (most of which I assume to be compromised, but I didn't look into this) for sending spam are better at sending spam.

A bit of context here http://www.virusbtn.com/blog/2013/06_17.xml

Martijn.

________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
Barry Shein
2013-06-19 19:53:31 UTC
I notice a similar pattern, informally, here. That "informally"
includes not my mail box per se but the mail system here for our
customers at this ISP and the constant, daily effort to add cases to
the global spam filters. Our filter list includes around 170,000
specific cases which include ip ranges, body and subject text
patterns, etc. developed over the years one at a time from customer
complaints and attack forensics.

But I think definitionally it's a hard row to hoe.

My impression is spammers find web sites on web hosting services using
web software either with known holes and/or holes they can easily scan
for.

It's really just a massive extension of the open relay problem.

Where we used to be able to say that a site running, say, sendmail
with a particular rule set could be exploited by a spammer today it
could be any of zillions of e-commerce or other packages either known
or home-brewed or a little of both (code added to some package out
there which was ill-conceived security-wise) which can be used as an
open relay.

I also assume spammers just set up on these hosting services and put
their own relay code onto their site.

I guess all I'm trying to say is: Yes, but a big, big problem, the new
botnets, not that the old ones have gone away.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Neil Schwartzman
2013-06-20 00:40:36 UTC
Post by Barry Shein
Yes, but a big, big problem, the new
botnets, not that the old ones have gone away.
Right. I have heard tell that the hosting site compromises are being done 'by botnet' (there is more detail than that that I cannot repeat on a public list).

Some of it also relates to this article, plugins for CMS are a damned mess

http://blog.malwarebytes.org/intelligence/2013/06/a-guide-to-website-security/
Steve Atkins
2013-06-20 00:51:52 UTC
Post by Martijn Grooten
So. I had promised I'd do some research into spam sent from web hosts. Which I did.
I used 64,000 spam messages sent between 27 April and 13 May 2013.
They were sent through 20 spam filters in parallel and real-time.
I defined a 'web host' as an IP address that was listening on port 80 around the time the email was sent.
About 30% of the spam in this corpus was sent from web hosts.
Web host spam bypasses a filter with a probability of 1.04%.
Other spam does so with a probability of 0.29%.
That's a significant difference. (Note that the spam I use tends to be easy to filter. Relatively little snowshoe spam and dodgy ESPs.)
There's the usual correlation versus causation disclaimer. It could well be that those spammers who use web hosts (most of which I assume to be compromised, but I didn't look into this) for sending spam are better at sending spam.
One obvious difference between a botnet compromised windows desktop and a botnet compromised unix webserver would seem to be that the webserver probably has a perfectly functional MTA, meaning that it'd be less likely to have some of the obvious giveaways (protocol and headers) that the mail from compromised desktops often has.

Cheers,
Steve
Neil Schwartzman
2013-06-20 12:49:07 UTC
Post by Steve Atkins
Post by Martijn Grooten
So. I had promised I'd do some research into spam sent from web hosts. Which I did.
I used 64,000 spam messages sent between 27 April and 13 May 2013.
They were sent through 20 spam filters in parallel and real-time.
I defined a 'web host' as an IP address that was listening on port 80 around the time the email was sent.
About 30% of the spam in this corpus was sent from web hosts.
Web host spam bypasses a filter with a probability of 1.04%.
Other spam does so with a probability of 0.29%.
That's a significant difference. (Note that the spam I use tends to be easy to filter. Relatively little snowshoe spam and dodgy ESPs.)
There's the usual correlation versus causation disclaimer. It could well be that those spammers who use web hosts (most of which I assume to be compromised, but I didn't look into this) for sending spam are better at sending spam.
One obvious difference between a botnet compromised windows desktop and a botnet compromised unix webserver would seem to be that the webserver probably has a perfectly functional MTA, meaning that it'd be less likely to have some of the obvious giveaways (protocol and headers) that the mail from compromised desktops often has.
Also, better connectivity and thus speed, and thus an IP can get more out before it is blacklisted by say the Spamhaus CBL. Also, many of these IPs have heretofore reasonable reputations at Senderscore/Senderbase and receivers, I'd imagine.

It'd be interesting to track those rep scores before and after.
Martijn Grooten
2013-06-20 17:07:45 UTC
Post by Steve Atkins
One obvious difference between a botnet compromised windows desktop
and a botnet compromised unix webserver would seem to be that the
webserver probably has a perfectly functional MTA, meaning that it'd be less
likely to have some of the obvious giveaways (protocol and headers) that the
mail from compromised desktops often has.
Yes - though I've been told that most of the scripts used to send botnet spam aren't very different than what's used on Windows boxes. At least they don't seem to use the local MTA.

Martijn.

Chris Lewis
2013-06-20 20:22:22 UTC
Post by Martijn Grooten
Post by Steve Atkins
One obvious difference between a botnet compromised windows desktop
and a botnet compromised unix webserver would seem to be that the
webserver probably has a perfectly functional MTA, meaning that it'd be less
likely to have some of the obvious giveaways (protocol and headers) that the
mail from compromised desktops often has.
Yes - though I've been told that most of the scripts used to send botnet spam aren't very different than what's used on Windows boxes. At least they don't seem to use the local MTA.
Right. All of the ones I've seen are written in PHP or Perl, and do
direct-to-MX.

The operators of these machines tend to be at least somewhat more
technically astute than the canonical "grandma on DSL", and real MTA logs
are too much of a dead giveaway as to the presence and ultimate
eradication of the malware.

Alessandro Vesely
2013-06-21 14:53:37 UTC
Post by Chris Lewis
Post by Martijn Grooten
Yes - though I've been told that most of the scripts used to send
botnet spam aren't very different than what's used on Windows boxes.
At least they don't seem to use the local MTA.
Right. All of the ones I've seen are written in PHP or Perl, and do
direct-to-MX.
The operators of these machines tend to be at least somewhat more
technically astute than the canonical "grandma on DSL", and real MTA
logs are too much of a dead giveaway as to the presence and ultimate
eradication of the malware.
OTOH, while firewalls on Windows boxes tend to maintain lists of what
processes are authorized to do outbound connections, on *nix servers the
concept is different. But Linux iptables has an xt_owner module that
matches on a uid range, so, beside blocking outbound port 25 on
non-MTAs, one could block attempts to send mail by wrong user-ids on
MTAs. Undoubtedly a sign of barbarization...
Chris Lewis
2013-06-22 02:36:26 UTC
Post by Alessandro Vesely
OTOH, while firewalls on Windows boxes tend to maintain lists of what
processes are authorized to do outbound connections, on *nix servers the
concept is different. But Linux iptables has an xt_owner module that
matches on a uid range, so, beside blocking outbound port 25 on
non-MTAs, one could block attempts to send mail by wrong user-ids on
MTAs.
That works well. It's one of the first things we advise, and there are
several packages that do just this.

HOWEVER, it's hard to do on some boxes, and complex CMS software can
sometimes clobber such configurations, and SOMETIMES they insist on
letting httpd or apache or nobody send email because some of their
clients have stupid SMTP scripts.

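As an added example (not code posted by anyone in this thread), the script below implements the xt_owner setup Alessandro describes together with the accommodation Chris mentions: only the MTA's uid may open connections to remote mail ports, any uid may still hand mail to the local MTA, and everything else that tries direct-to-MX is logged with its uid and rejected. It also summarises the resulting kernel log lines, since on a box where the mailer deliberately avoids the local MTA those log lines are the signal the MTA logs would otherwise have given. The chain name OUTBOUND_SMTP, the uid values, the 127.0.0.1 relay address and the sample log lines are my assumptions, not something from the thread.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): lock outbound SMTP
# on a *nix web host to the MTA's own uid with iptables' owner match
# (xt_owner), keep local submission working for web-app uids, and report
# what gets blocked. Assumptions (mine, not from the thread): a dedicated
# chain OUTBOUND_SMTP, the MTA's numeric uid passed as an argument, the
# local MTA listening on 127.0.0.1. Set IPTABLES=echo to preview the rules
# without root.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="OUTBOUND_SMTP"
MAIL_PORTS="25,465,587"

# install_smtp_owner_rules MTA_UID [LOCAL_MTA_IP]
install_smtp_owner_rules() {
    mta_uid="$1"
    local_mta="${2:-127.0.0.1}"

    # Create the chain, or flush it if it already exists (idempotent rerun).
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"

    # 1. The real MTA may talk to any remote MX.
    "$IPTABLES" -A "$CHAIN" -m owner --uid-owner "$mta_uid" -j ACCEPT
    # 2. Any uid may submit to the local MTA, so a CMS calling mail() or
    #    the sendmail binary keeps working without going direct-to-MX.
    "$IPTABLES" -A "$CHAIN" -d "$local_mta" -j ACCEPT
    # 3. Everything else: log the offending uid (rate-limited), then reject.
    "$IPTABLES" -A "$CHAIN" -m limit --limit 10/min -j LOG \
        --log-prefix "SMTP-OWNER-DENY: " --log-uid
    "$IPTABLES" -A "$CHAIN" -j REJECT --reject-with tcp-reset

    # Hook locally generated TCP to the mail ports into the chain. The owner
    # match only sees locally generated packets, so OUTPUT is the place for
    # it; delete-then-insert keeps reruns from stacking duplicate hooks.
    "$IPTABLES" -D OUTPUT -p tcp -m multiport --dports "$MAIL_PORTS" \
        -j "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -I OUTPUT -p tcp -m multiport --dports "$MAIL_PORTS" \
        -j "$CHAIN"
}

# report_denied_smtp < kernel.log
# Summarise LOG hits from the rule above as "UID DST COUNT", most frequent
# first. On a compromised host this surfaces the uid the mailer runs as
# (typically the web server's) and the MXes it is hammering.
report_denied_smtp() {
    grep 'SMTP-OWNER-DENY:' | awk '
        {
            uid = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^UID=/) uid = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (uid != "" && dst != "") count[uid " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1n
}

# Constructed sample kernel log lines (not real captures), in the format
# the LOG target emits when --log-uid is set; uid 33 is www-data on Debian.
sample_kernel_log() {
    cat <<'EOF'
Jun 20 20:22:01 web1 kernel: SMTP-OWNER-DENY: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Jun 20 20:22:02 web1 kernel: SMTP-OWNER-DENY: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41235 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Jun 20 20:22:03 web1 kernel: SMTP-OWNER-DENY: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41236 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Jun 20 20:22:04 web1 kernel: unrelated message
EOF
}
```

To preview the rule set, run `IPTABLES=echo install_smtp_owner_rules "$(id -u postfix)"` (substitute your MTA's account); run it as root without the override to apply, and persist it with whatever your distribution uses for iptables-save. The rule order matters: the uid accept comes first so the MTA is never rate-limited by the LOG rule, and the 127.0.0.1 accept is what lets web-app uids keep submitting mail locally, where the MTA's own logs and queue then record it. As Chris notes, a CMS or control panel that rewrites firewall configuration can still undo this, so the report function is worth running from cron either way.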