Perspective: Feds to fight the zombies

Remote-controlled "zombie" networks operated by bottom-feeding spammers have become a serious problem that requires more industry action, the Federal Trade Commission is expected to announce on Tuesday.

The FTC and more than 30 of its counterparts abroad are planning to contact Internet service providers and urge them to pay more attention to what their customers are doing online. Among the requests: identifying customers with suspicious e-mailing patterns, quarantining those computers and offering help in cleaning the zombie code off the hapless PCs.

To be sure, computers infected by zombie programs and used to churn out spam are a real threat to the future of e-mail. One report by security company Sophos found that compromised PCs are responsible for 40 percent of the world's spam--and that number seems to be heading up, not down.

But government pressure--even well-intentioned--on Internet providers to monitor their users raises some important questions.

Will ISPs merely count the number of outbound e-mail messages, or actually peruse the content of e-mail correspondence? E-mail eavesdropping is limited by the Electronic Communications Privacy Act in the United States, but what about other countries without such laws? If these steps don't stop zombie-bots, will the government come back with formal requirements instead of mere suggestions the next time around?

The FTC said that its advice should not be alarming. "I think our recommendations are intended to provide flexibility by ISPs to implement them to the extent they can," Markus Heyder, an FTC legal adviser, said on Friday. "We have vetted them extensively with other partners and industry members."

Heyder said the commission plans to send letters to ISPs outlining the suggested antispam steps: "This is intended to provide a range of possible measures that can be taken if appropriate."

Sarah Deutsch, Verizon Communications' associate general counsel, said spam-fighting is "not an issue we're ignoring. It's something that we're extremely conscious of." Also, Deutsch said, "the ISP can help the customer but cannot be in the business of fixing their computer remotely. There are huge liability issues involved in that. What if we gave them some advice" that may not work?

Cordoning off "port 25"
The FTC also wants Internet providers to prevent e-mail from leaving their network unless it flows through their own internal servers. That makes spam zombies easier to catch. That technique is called blocking port 25, the port number used by the venerable Simple Mail Transport Protocol.

Many companies such as Microsoft's MSN and Comcast do

Biography
Declan McCullagh is CNET News.com's chief political correspondent. He spent more than a decade in Washington, D.C., chronicling the busy intersection between technology and politics. Previously, he was the Washington bureau chief for Wired News, and a reporter for Time.com, Time magazine and HotWired. McCullagh has taught journalism at American University and been an adjunct professor at Case Western University.

More Perspectives

[Philips]

Brilliant!

Brilliant! Article never ever mentioned that this "zombie PCs" problem is - trueth to be told - in fact "zombie Windoz PCs".

I'd rather out-law connecting M$ Windows directly to Internet. IMHO, that shall bring more fruits.

[Andrew J Glina]

Yes he did

He said "PCs", and thus he meant computers running Windows. It is like when someone says "I flew all night". You could think that he meant he has wings, but logically he must have used a plane. The other option is just too unlikely. Same case here.

[declan00]

PCs = Windows PCs

Right. I certainly meant to indicate that the infected PCs were Windows PCs.

I'll be more explicit next time.

Outlaw Windows??

While having Windows computers running directly on the Internet is a known BAD idea, you cannot legally outlaw one OS in favor of another. No amount of Windows or Microsoft bashing is going to provoke the US Government to create that law, not with Microsoft's bankrolling a defense strategy.

The same thing can happen to Linux and Unix machines if their firewall iptables or ipchains is not correctly set up or turned on at all.

For it to be law, it must say that every computer connected directly to the internet must have a properly configured firewall.

[Christopher Hall]

That's about what it'd take

That's about what it'd take to give you anti-Windows nuts a decent market share. Even then you'd probably lose it after a few months, anyway.

[poster48150]

Comcast and port 25

The article's statement "Many companies such as ... Comcast do this [block port 25] already" is incorrect, or at best, misleading. Under certain circumstances, Comcast *may* block port 25 outbound connections (e.g., from home users), and the block may or may not be permanent. In general, however, they do not.

Jim

[hadaso]

Reporting spam

I report most of the spam I get using SpamCop.net reporting service. Much of it comes from Comcast/Verizon/rr/att etc. (the list is long) from IP addresses belonging to broadband subscribers (i.e., spam sent by Zombie PCs). The abuse teams of these ISPs receive the reorts. They know which customer had that IP address at the time the mail was sent (or they can know that by inspecting their logs). They can email the customers and tell them exactly what happened (and offer help to get rid of the pest if the customer needs help).

Everyone who wants to contribute to fighting spam can use a spam reporting service to report spam to the sender's ISP. spamcop.net is the service I use, and perhaps is the best spam reporting service, enabling people to report spam to the correct abuse team without needing to be experts in technicalities of email. Juast paste your email in, click a button to analyze, then click another button to send reports. That's it. (or forward your spam to a speacial reporting address).

[davearonson]

can != do

You wrote: "They can email the customers and tell them exactly what happened (and offer help to get rid of the pest if the customer needs help)."

Yes, and they CAN yank his plug, at least temporarily, and they can do all sorts of things. But DO they? In my experience, they at least (to put it charitably) take a rather long time getting around to it.

[InetUser]

Hear Hear!

SmapCop.net is one of those under reported gems on the Internet. I report my spam there. In fact, I've enabled the mail server rules for all the RBLs that it feeds. I'm down to merely a few spams every week now and loving it!

All the ISPs have to do is block the incoming spam email using these RBLs. Who is going to send you spam if they are blocked from delivering it to you? This is the real solution that can work. If the RBL listing and de-listing process were to be run professionally by the ISP help desks and the RBLs shared among the ISPs, this is a solution that can work.

Just blocking all port 25 traffic is no solution (I happen to run my own mail server on Linux, and there are a number of small at home businesses that I'm sure do so as well). Limiting the options of those who can because of those who can't or won't keep this crud off their PCs is not the solution.

[hadaso]

The future of botnets

Botnets are used now to send spam and to attack websites. But the in the future they would probably do a lot more. It seems that organized crime is preparing to take over the net. It is pretty easy to locate spam sending PCs if ISPs want to. The sent spam is pointing back at the sender's IP address. But botnets can be used in other ways: for instance, they can be used to form distributed "supercomputers", which the mafia can then use to crack encription. I can think of many more ways to abuse the available spare computational power of all the mostly idle PCs connected to the internet...
Spammers used to be stupid (rule #3). But nowadys, the russian mafia has the ability to recruit talented people and pay them to work for the mafia. Sending spam is just their beta testing phase...

[hadaso]

Monitoring without reading email

There are many ways to monitor outgoing email, with different levels of inrusion of privacy. The most intrusive way is having a human read all outgoing email (but this is not cost effective anyway). The next level is running outgoing email through a spam scanner, and manually checking only those sources that show exceptionally high "spamminess". But there are ways to watch for outgoing spam without ever having a human look at outgoing content. Scanning for outgoing content without then manually checking content is one. ISPs might then do some statistics on the outgoing traffic and alert the customer that there might be a problem, and ask if the customer would like help.
Another method (that was suggested in discussions in the fastmail.fm forum at emaildiscussions.com) is to monitor bounce rates per user. It is clear how this to do this with a server through which outgoing email is relayed. High bounce rates indicate a very high probability of a spam stream. For email sent from zombie PCs this would necessiate transparent port 25 relaying (this is the "port 25 blocking" that some ISPs do now. outgoing traffic to port 25 is captured and sent to the ISP's server, instead of the destination server, and then the ISP's server resnds the email out. This enables the ISP all kind of monitoring, and one way that is not to intrusive, is to just let everything go through, but count bounce rates (and perhaps some other statistics). When the counts suggest a higher probability of spam, additional spam tests can be employed, and then if the ststistics shows high likelyhood of a spam stream, the sender can be approached).

One important thing that ISPs should think about is how to approach users with the news that their PC might be the source of spam (or is abused in any other way). ISPs should do it in a way that doesn't intimidate the user. The user should not feel as being accused of anything. Users approached should be encouraged to cooperate with their ISPs. The athmosphere should be of users working together with the ISPs to solve a problem. People like to contribute to society. They should feel that this is what they are doing when working with their ISP to solve a problem. However, people don't understand the technicalities, and might feel that the mere fact that they are being approached about a problem might put them in some disadvantage. ISPs should think about ways to avoid this, and for educationg people about cooperating to solve network problems.

[landlines]

Blocking Port 25 is not the answer

We had to "fire" Earthlink as our broadband host because of their constant monkeying around with Port 25: sometimes blocked, sometimes not, but never reliable one way or the other.

We have our own mail server, run by a third party web host provider 1200 miles away, and we need to access it. When we complained to Earthlink that we could not send any email, they responded by (1) wasting at least a couple of hours of our time making us go through the same useless procedures in an attempt to "fix" the problem (they always assumed we were at fault), and then (2) providing a special address to allow Port 25 communication to go through ...which worked for only 24 hours or so. Then the process would repeat.

Our needs were very simple: we need to receive a lot of incoming email (97% of it is SPAM, but our Eudora filters catch 96% of it automatically) in order to reliably get our legitimate business messages. We send very few messages remotely via our mail server (10 in a day would be a lot), but we MUST have the capability to do so.

Blind or bureucratic monkeying around and interfering with the operation of standard ports is "throwing the baby out with the bathwater!" A much better way to respond to the threat is with the same technology which gave us the highly effective Bayesian filters: applying these techniques at the ISP and network node level should, in time, allow nearly-automatic zombie identification and notification.

And with some creative effort, it should be possible to design automation to trace at least multiple-use (that is, those which can be ordered into various actions remotely, as opposed to those which have pre-programmed orders at the time of infection) zombie nets back to their source very effectively.

In the near term, simply avoiding use of programs which automatically execute anything which comes to them via the Internet (for example, Microsoft products with Active X and other indiscriminate scripting holes) would nearly eliminate the problem. Blocking these or replacing the applications with this type of flaw would be much more effective than crippling the Internet.

[Jim1900]

Port 25 should be blocked

As a practical matter, I doubt ISP's can implement Baysian filtering for everyone. My ISP blocks outbound port 25 (as well as inbound port 80 and various other ports) for dynamic IP address accounts. But for only $10 a month more, you can get a static IP address that also removes all the port blocks. That would be the better way to go.

Re: Blocking Port 25 is not the answer

[i]We have our own mail server, run by a third party web host provider 1200 miles away, and we need to access it. [/i]

That's actually a no-brainer. The third party should be willing to work with you by opening up say, port 2525, to receive your outgoing emails. Then let Earthlink do what it will with port 25 - it won't bother you any.

[RavingEniac]

Get better email & browser software

3-4 years ago the volume of spam seemed to rise substantially and I complained to my ISP, tried complaints to originating ISPs based on info in the headers, and nothing seemed to help. My ISP started running Spam Assassin and blocked some good email. BUT GOOD NEWS ARRIVED. The Mozilla email program got Bayesian spam filtering implemented, and since perhaps version 1.6, it's been removing most of my spam with almost no false positives. Someone said the Eudora filter does the same. Mozilla doesn't do the risky automatic things MSIE does, including opening executable attachments. So Mozilla and its derivatives are far less likely to become zombified.

Besides fewer vulnerabilities, Mozilla has less market share and is a less inviting target. One of the principles of ecology is that a monoculture is more susceptible to epidemics than a diverse culture of many species, or in this case many different email and browser programs. It's self-defeating to try to attain a monopoly, Bill.

Just don't restrict me...

I am happy with attacking spam at the source, but restricting innocent users by blindly banning port 25 or invading privacy by reading and rerouting the mail is not the answer. I want the spam stopped, but I don't want to be punished for something I am not doing wrong. Yes, broadband users are usually incompetent and fall victim easily, especially Comcast and Verizon users who have fast connections and their parent companies are too big to really handle abuse on their networks. I think the answer is in user side blocking and scanning, that way the user can say what emails they do and do not want.

Re: Just don't restrict me...

[i] I want the spam stopped, but I don't want to be punished for something I am not doing wrong.[/i]

Classic NIMBY syndrome. The sources of the spam, at least from the point of view of the recipient, are on the ISP's networks. The best way to stop a lot of spam is to block outgoing port 25 and make customers route mail through the providers' SMTP servers.

[cturkin]

And what about geting rid of the Bots?

Why are we allowing all of these Bots to persist?

Surely 1) Anti-spyware products should be used by everybody just like anti-virus products are (Microsoft, please finish the anti-spyware beta and distribute to all Windows users). 2) People should realise that not patching thier PC's (it really is easy and automatic, so there is no excuse not to) and not taking reasonable precautions is anti-social behaviour.

It shouldn't be so hard to eliminate most of these Bots with just a little more education to the masses.

Better solution

Spam zombies often run by organized crime syndicates. This means that while these proposals may cut down on the current systems of operating such systems, they do not as a whole really address the problem. The only way I can see this problem resolved is by a two pronged approach of international treaties and aggressive law enforcement. In this way, if someone's system is compromised by a zombie, it is reasonable to allow law enforcement to try to track down this person and prosecute him or her.

[Michael Grogan]

Go to the real source..

If most of these ot nets are controlled by foriegn servers,shouldn't it be possible for ISP's to simply block all incoming traffic from those servers? If they want to send us malicious junk, let's close the door : )

Closing the door of international emails

It is already technically feasable for email administrators to deny emails originating from email addresses in any country.

However, as most emails from spammers are fake email addresses ANYWAY, this won't stop them from still sending them. Then you've got a potential denial of service issue as the email server, full of bounce messages can't connect to the originating server to pass them along.

If they simply change the email address to a .us account, then it passes through and gets accepted and still is delivered to you.

Then, what do you do if they do close the door, and your company or you yourself have contacts in those countries? The email server will deny those emails from them that are legitimate, and cause you greif as a user and a company. Many companies now offshore their workload during the night time to India, China, Thailand, and other countries in that area. Without that communication, 24 hour business would come to a halt fast.

If you are a small company or home user, that would be a good idea, but not something AOL or Earthlink, or any other major ISP can do without a lot of backlash from its corporate users.

Whitelists/blacklists would probably be a better idea.

Email regulations and some facts.

Lets face a few facts:
1: It is incredibly too easy to create new email addresses on the internet with Google, Hotmail, Yahoo, and your own email servers at home.

2: It is also very easy for others to spoof your email addresses as they spam the world.

3: When spammers get caught on one ISP, all that is required is for them to jump to another ISP and continue under a new alias.

These three things make spamming, phishing, and everything else too easy and profitable for people in these types of organizations.

Now here is where things can get out of hand. How do we combat these problems and yet still remain free of governmental regulations?

We do not need Big Brother to get involved if technology leaders can implement a system to keep known spammers at bay (off the Internet permenantly) and allow everyone else their peice.

My vision how this could be accomplished would be something similar to an international database of PKI keys tied to a standard registration number. To get a new email address from Yahoo, for example, you enter the registration number and some key personal information like a PIN, which then pulls down from the database everything else about you. It also automatically creates a PKI certification for your new address, and all emails generated through yahoo will be PKI signed automagicially.

Likewise, if you host your own email server at home/place of business, it would consist of similar things. Each person would provide their registration number to the administrator, who would then create the account on their behalf. The administrator would have to provide his creditials as an email server admin to add the new user.

What this presents is a massive organization to match users with their emails. Anything not PKI signed is most likely spam from illegitimate sources. But this doesn't prevent spammers from just faking their names and applying for new registration numbers and then, in turn, new email addresses. To go further, you've then have to turn to something completely impossible to fake. DNA? Retinal Scans? Nothing exists that can do that. Everything can be faked or falsified. Even if you turn to one of these things, you're forcing internet users to run down to their local registration office to submit to some sort of biological retrevial system to be stored in an international database.

Fact number 4: Email is always going to be insecure without governmental regulations, and with governmental regulations, privacy WILL be lost. As an additional consequence, those who want to commit the crime will find a way around the regulations and may still get away with it.

[Catgic]

Cordoning off "Port 25"&Blah, blah, blah

Im a plank-owner Freewebizen who believes in, and wanders the vast e-wasteland preaching, the Free-Web 4All, Web-Freedom 4All Gospel. Somehow the phrase Cordoning Off doesnt evoke an image of enhanced Web-Freedom.

Bring in the FTC assisted by DOJs freedom & liberty lovin lawyer clowns. Thats?!? a Web-Freedom enhancing PAT (PAT I & II, is it?) solution?!?

I hate bottom-feeding e-Spammers and their Internet of the Living Dead, Zombies and Bots as much or more then the next techno-geek guy or gal, but not at the expense of imposing more intrusive TSA style packet ping & pong port info-gatekeeper e-security/clerks on server-network cyber-hoses. COUNT ME OUT, WEBIZEN. I have more than enough government ?HELP? in my life, liberty and pursuit of happiness life every time I fly domestically or internationally, and as I dutifully collect and process all my personal financial forms to make my annual Webizen donation to the Grand Old Republic every April 15th.

Yes sir/maam, I still launch my own e-packets, pack my own bags and have no agricultural or meat products in my possession. What?!? I have to take off my shoes to surf the Web???

Follow the TECHNO-[IL]LOGIC here, Web-Fans. Government network engineer-bureaucrats recommend boarding up, roping off and shutting down Port 25 to solve the I-Net Zombie & Bot network intercommunications problems. Lets see& CUTTING COMM PORTS & LINKS WILL IMPROVE COMMUNICATIONS THROUGHPUT AND SHORTEN NETWORK RESPONSE TIMES THEREBY INCREASING WEB-FREEDOM.

My personal oaken p-Pod computer displays ERROR 666: IT NO COMPUTUM. How about yours? JP B-)

[Gayle-Edwards]

OH NO... ZOMBIES...

The ZOMBIE THREAT... The MAFIA... and *****-ENLARGEMENT, ...OH MY.

OK, lets face some facts. If the government really wanted to stop "spammers" the best approach would be to hit companies that use SPAM, ...PERIOD (yeah sure, some spammers reside outside the U.S. But, the people -utilizing- SPAM the most, do not). However, the government obviously doesnt want to do that. Why..?

Look at JUNK-FAXES. Thanks to the current U.S. administration, my FAX-machine now receives more JUNK-FAXES (and wastes more of MY MONEY and MY TIME) than my legitimate business-correspondences (it used to be ILLEGAL for businesses to employ this FAX-SPAM, but not anymore).

Nor, does the government seem to want to hold "Microsoft" responsible for selling a dangerously-flawed product (even though, that company IS primarily responsible for creating this situation, in the first place). And, by the way, infecting someones computer with "zombie" software is already A FEDERAL-OFFENSE.

Furthermore, (and this is important) there just isnt enough credible-evidence of these much talked-about, but seldom seen, "Zombie-networks" to support the DRACONIAN-MEASURES being proposed (blocking generic-ports, locking-down ALL PCs, restricting applications, holding private-citizens responsible, ...for being nothing more than CRIME-VICTIMS themselves, etc.).

So, what are the REAL reasons for all of this "Zombie, SPAM" hokum? Mostly it seems, to me, to be a way to set-up the conditions to IMPOSE so-called "TRUSTED COMPUTING", and widespread Internet-use monitoring, ...all in the name of "protecting citizens".

You know, ...the network-switches used by most ISPs already have the built-in capability to completely-block "non-trusted" (I.E. non-Microsoft) PCs (so, you might as well say goodbye to Open-source, Linux, or any non-Microsoft licensed PC). In fact, this "security-feature" was implemented at Microsofts, "TCPA" urgings, some time ago (quite a coincidence, huh..?).

And yes, this could easily be used to REQUIRE any specific piece of hardware, or software, demanded by those controlling the "specifications" (I know from years of personal-experience just how bureaucracies can manipulate such "specifications" to achieve any goal that they desire). So, the power to control, is simply built-into such LAWS.

Frankly, I would recommend being concerned whenever large government-agencies, and Big-business interests, start down any scare-mongering propaganda-campaign (which is, very much, what this appears to be).

[Catgic]

Correctomundo, Mary

I enjoyed the read and am pleased to see theres a X-X type out there in cyber-space who sees both the forest and the trees, and is techno-savvy about how bureaucracies can manipulate such specifications to achieve any goal that they desire.

Though e-Zombies are real, they are being used by large government agency bureaucrats in league with Big-Biz Billy Ware interests as spinning Red Wheels to distract and cajole the cyber-masses into thinking they NEED PROTECTION from Uncle $ammy Buck$ and his cyber-slogging Big Brethren & Sistren.

As you said, &infecting someones computer with zombie software is already A FEDERAL-OFFENSE. The government needs to start enforcing the law, not start disconnecting, restricting and blocking ports, locking down PCs, restricting apps and surveilling network traffic links and system gateways without probable cause and a valid subpoena.

Id rather deal with the e-Zombies sans government HELP using new-emerging cyber-technology thats coming down the ways, rather then agree to become a government monitored and controlled Web-Zombie myself. JP B-)

[RavingEniac]

Mary, you may be right

It's an old trick in certain political circles to cause a problem for which the proposed solution is an extension of govt control which those political circles wanted in the first place. Seems like a most notable use of it was the Hitler-era fire in the Reichstag, or something like that. Boss Hogg probably did the same trick in a hundred episodes of the Dukes of Hazzard. Some think the Bush administration may be inclined to do this sort of thing, and from what I saw, the spam explosion started in 2001 or later.

There were one or two high-profile spam busts a year or two ago, but no recent news and no sign of a sudden drop in spam indicating that any major spammer was taken out, though the federal law to do so remains on the books.

The internet is supposed to operate according to open nonproprietary standards, and that's the way it should remain.

Procedure for identifying and fixing Zombie Computers?

I consider myself to be mildly computer savvy (have the firewall and anti-virus software) and am trying to learn more about how to fix Zombie Computers - because I think mine has become one. I have a neighbor who is an emergency room doctor with the same problem and this is one patient he has no clue how to work on. I'd like to help him and me. Any suggestions? I have been surfing the internet for many hours now looking for a solution.
Thanks!

[Raife]

What leads you to this conclusion..?

First, what are the symptoms that lead you to believe that your computer is a "zombie".

Normally, a correctly configured "firewall" will prevent such activity. And, most updated antivirus-software will detect many "trojans".

Try any "malware-detector". There are several free programs (do a Google-search. Many people try "AD-Aware". A good program, but it does not really address "Zombies"). You can also get a free "malware" detector for "XP" at "microsoft.com". Most of these programs will link to a method to remove such software.

Also, for detection, try a "packet-sniffer" such as "ethereal" at "www.ethereal.com" (this will record all traffic into, and out-of, your computer).

You can try "rolling-back" the OS to an earlier date. But, this usually does not work (because the most aggressive "zombies" function as viruses and change core-executables).

If this fails... do a clean install (FORMAT the hard-drive after backing up everything that is important). Re-install the OS. Install all patches as soon as the OS is loaded (and SP2 if you are running "XP"). ONLY install Programs that are safe (shrink-wrapped, or, from recognized sources and companies. No Instant-messengers, password-rememberers, Porn-accessers, P2P-clients, etc...).

Get a safer "Web-browser" (not "IE", if you can avoid it... Try "Firefox", "Opera") And, DO NOT click ANYWHERE in ANY POP-UP (close such pop-ups with the "window-close-X" in the upper right-hand corner not the "Cancel" button inside the pop-up window). Shut off "Windows messenger Service" (its dangerous and you probably do not need it).

Also, get a safer (safer than "outlook") Email-reader ("Thunderbird" from "Mozilla" for example).

If you are braver, switch off of "Microsoft-Windows" (I am assuming here. So, let me know if I am wrong).

Hope this helps...

ISP's Are Responsible

As a network administrator with an aggressive anti-spam defense, which includes blocking most of the world on the firewall, I can tell you that a majority of the UCE hits are coming from hijacked systems. ISP's like SBC and Comcast give clients a router and no warning telling them that their IP address will be scanned daily for open ports and hijacked immediately if an opening is found. They don't urge (or require)them to use a Firewall and up-to-date Anti-virus programs. "Here is you high-speed connection--pay us now and enjoy the ride." It is like selling cars to people who don't know how to drive! The ISP still owns the IP address and must take some responsibilty for protecting the client! After all, my computer would not exist on the Internet if it did not have an IP address given to me by my ISP. The computer is compeletly safe from hacking if it is not seen on the Internet! And what about the websites referenced in these SPAM emails? Surely they are hosted by an ISP and if they were removed from the Internet because of these links, it wouldn't take too long for them to stop supporting the hackers. Money makes the world go around and we need to start at the source. If a company is banned from selling products on the Web because they advertise via UCE, I believe you will see a significant drop in the amount of unwanted commercial email. It may not happen immediately, because there will always be countries where these businesses can hide; but ISP's could block access to their network from those countries or networks that harbor the backers of UCE. We have more power than we realize; we are just too afraid to use it because it comes with a price tag!