Wednesday, January 10, 2007
But I use an antivirus!
I got a fake Bank of America message yesterday, sent from a compromised MS-Windoze computer on Surewest DSL. Left a message on the owner's Web site and he called me.
He was pretty angry, but it wasn't at me in particular. He's trying to run email service for three hundred customers on that computer, using some commercial mail-server-in-a-box product. He'd already fielded four trouble calls on it that day, and that was a typical day. It's keeping him from running his web design business. He didn't know it was spamming. Surewest hadn't called him, of course, despite my report to their RFC2142 abuse address.
The email server wasn't coping with the spam load, and it was just "falling over." He's not using a DNSBL, but trying to filter the raw stream. Sorry, buddy, a 3 GHz P4 can't keep up with that any more. You have to block some fraction of it first.
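The point above is that a DNSBL check happens at connection time, before any message body is read or scanned, so it is cheap enough to discard the bulk of the flood. Below is an added example (not code from the post or from any mail product it mentions) of the lookup a mail server performs: the connecting address has its octets reversed under a DNSBL zone, and the A record returned encodes why it is listed. The zone name `zen.spamhaus.org` and its return codes are assumed here as a well-known instance; the post names no particular list. The resolver is pluggable so the constructed cases run offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Assumption, not from the post: the DNSBL consulted is Spamhaus ZEN.
DNSBL_ZONE = "zen.spamhaus.org"

# Return codes Spamhaus documents for the ZEN zone (127.0.0.x).
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "CSS: low-reputation / snowshoe sender",
    "127.0.0.4": "XBL: exploited host or bot (CBL data)",
    "127.0.0.9": "SBL DROP: hijacked netblock",
    "127.0.0.10": "PBL: ISP says this range should not send direct mail",
    "127.0.0.11": "PBL: Spamhaus-maintained dynamic range",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet DNSBL name, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> List[str]:
    """Real A-record lookup; raises socket.gaierror on NXDOMAIN (= not listed)."""
    return socket.gethostbyname_ex(name)[2]


def check_connecting_ip(ip: str, resolver: Resolver = live_resolver) -> Dict:
    """Decide whether to reject a connecting client at SMTP time.

    Fail open on resolver trouble: an unreachable or misbehaving DNSBL must
    not turn into a self-inflicted mail outage.
    """
    result = {"ip": ip, "query": dnsbl_query_name(ip), "listed": False,
              "reasons": [], "error": None}
    try:
        answers = resolver(result["query"])
    except (socket.gaierror, socket.herror):
        return result  # NXDOMAIN: not on the list
    except OSError as exc:
        result["error"] = f"resolver failure: {exc}"
        return result
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus signals "query refused" (open resolver, quota) this way.
            result["error"] = f"DNSBL refused query ({a}); not blocking"
            return result
        if not a.startswith("127."):
            # Anything outside 127/8 means DNS is being rewritten or hijacked.
            result["error"] = f"unexpected answer {a}; not blocking"
            return result
        result["listed"] = True
        result["reasons"].append(ZEN_CODES.get(a, f"listed, unknown code {a}"))
    return result


def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in: names absent from the table behave like NXDOMAIN."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise socket.gaierror(8, "NXDOMAIN (constructed)")
        return table[name]
    return resolve


def demo() -> Dict[str, Dict]:
    """Run three constructed cases: a bot-listed host, a clean host, a refused query."""
    table = {
        dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],        # constructed: XBL hit
        dnsbl_query_name("198.51.100.7"): ["127.255.255.254"],  # constructed: refusal
    }
    resolver = fake_resolver(table)
    return {ip: check_connecting_ip(ip, resolver)
            for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.7")}


if __name__ == "__main__":
    for ip, r in demo().items():
        verdict = "REJECT" if r["listed"] else "accept"
        print(f"{ip:15} {verdict:7} {r['reasons'] or r['error'] or 'not listed'}")
```

The cases worth noticing are the two non-hits: an NXDOMAIN answer is the normal "not listed" result, while a `127.255.255.x` answer or any address outside `127/8` means the list did not actually answer the question, and a server that treats those as hits will start bouncing legitimate mail the moment its DNS misbehaves.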
He was absolutely sure he couldn't possibly have a spam bot or an intruder. Because he spends $hundreds/year on antivirus software (and the one he uses has a better reputation than Symantec or McAfee), checkups by Web sites, and specialized software that's supposed to monitor his outbound traffic for spam content. Evidently these measures don't work so well.
He was absolutely sure the spammers were "spoofing his IP address." That's so hard to do that even though the big spam gangs know how to do it, they don't bother. An explanation of why that's true would have gone high over his head so I didn't try.
It took a while but I got him to look in his server's outbound queue, and there were hundreds of Bank of America and Amazon phishes waiting to go out. Not all receivers are ready on the first try. He was puzzled. You're only looking at the leftovers, buddy; most of it's been sent. That was what it took to convince him something was happening on his machine that he didn't know about. The spambot was generating phish messages and letting his commercial email software queue them and send them. Phishers seem to like doing it that way: exploiting a legitimate server doesn't get you blocked so much.
I explained that no antivirus can defend you from the zero-day threat, that is, an attack so new your antivirus doesn't detect it yet. It was the first time he'd heard of that.
We talked about possible solutions but he wasn't confident he could do any of them without disrupting his business. He'd been considering outsourcing the email operation and I think this convinced him. Spammers drove a small businessman out of the field, after nearly ruining his business and his life. Now there are fewer choices of email providers for the rest of us. Tell that to some bozo who thinks spam doesn't hurt anybody and you should "just hit delete."