Spam zombies — we need to cure the disease, not suppress the symptoms

Here’s a great presentation from Joe St Sauver, given at the recent London Action Plan meeting: Infected PCs Acting As Spam Zombies: We Need to Cure the Disease, Not Just Suppress the Symptoms

Some key points in brief:

Despite all our ongoing efforts, the spam problem continues to worsen: nine out of every ten emails are now spam, spam volume has increased by 80% over just the past few months, and users face a constantly morphing flood of malware trying to take over their computers. Bottom line: we’re losing the war on spam.

The root cause of today’s spam problems is spam zombies, with 85% of all spam being delivered via spam zombies.

The spam zombie problem grows worse every day, with over ninety-one million new spam zombies per year.

Users don’t, won’t, or can’t clean up their infected PCs; and ISPs can’t be expected to clean up their infected customers’ PCs.

Filtering port 25 and doing rate limiting is like giving cough syrup to someone with lung cancer — it may suppress some overt symptoms but it doesn’t cure the underlying disease.

Filtered and rate-limited spam zombies CAN still be used for many, many OTHER bad things, and they represent a huge problem if left to languish in a live infected state.

Joe’s take — “we’re in the middle of a worldwide cyber crisis”. I agree. He suggests a new strategy:

It is common for universities to produce and distribute a one-click clean-up-and-secure CD for use by their students and faculty. It’s now time for our governments to produce and distribute an equivalent disk for everyone to use.

I agree the existing schemes are clearly not working; this is an interesting suggestion. Read or listen to the presentation in full for more details; the PDF, PPT and video are available here.



  1. Greg Ferguson
    Posted December 28, 2006 at 18:47 | Permalink

    “It is common for universities to produce and distribute a one-click clean-up-and-secure CD for use by their students and faculty. It’s now time for our governments to produce and distribute an equivalent disk for everyone to use.”

    While it’s a great thought, it’s not doable. A university or school can easily segment a machine or kick out a student for violations. The US and most major governments don’t have that sort of control.

    Imagine the US government, or any government body, having the intelligence to cover all the OSes in use. Even if we take current Linux and Mac OS versions out of the mix because they’re relatively safe, and fix the Windows and DOS systems on the internet, variations of Windows and users’ hardware will make it fail. Add in that people won’t do it even if it’s a law, and the chances for success get even smaller.

    My skepticism only gets worse when I think about how badly our government would do just trying to understand the problem. And, even if the U.S. government got enough of their act together to produce something, that would only move the problem outside the boundaries of the U.S. since other countries wouldn’t have implemented a solution.

    I blame Microsoft for the initial problem, by building an OS and apps with more holes than Swiss cheese, and by being such an irritating company that people wanted to attack all their software. The owners of the machines also share part of the blame for not caring about the state of their machine, but a hardened OS would have helped stop the spread in the first place. Once viruses and trojans had a foothold, it was an easy step for exploitation by our current spammers.

    This needs to be a grass-roots-driven multi-front, multinational initiative. The citizens of the internet need to band together, and build walls that restrict unwanted traffic through primary routers (email and TCP/IP), through software that strips the malware from systems, and that hardens the OS with OR WITHOUT the OS vendors’ help. The governments then need to mandate laws saying the ISPs MUST scan and isolate systems that are spewing spam until the owners of those systems prove they have taken the steps to remove the malware and harden the system.

    Using the internet isn’t a right, it’s a privilege, but it needs to take more than paying a few dollars to get a feed. Just as a driver’s license is needed to operate a vehicle on the road, we need to have some sort of certification showing the people owning a computer know how to operate it in a safe and socially responsible manner. Imagine how much more dangerous our roads would be if anyone of any age could buy a car and immediately drive it without any certification.

    Fixing the problem starts at home, with people being educated on what it takes to be responsible with their computing hardware. The tools needed to fix the problem need to be free, actively supported, and easy-to-use and robust enough that grandma in Grand Rapids can do it with minimal assistance. Once that side of the equation gets resolved, then the government can step in with some laws helping ISPs and the internet bodies segment and isolate violators. Heck, I’d be willing to pay a few dollars more per month on my internet-service bill just to cover the extra overhead if it’d speed up our throughput and reduce the risks.

  2. Posted December 28, 2006 at 21:57 | Permalink

    Would you really run a government-sponsored “clean-up” CD on your machine? Yikes.

  3. David Malone
    Posted December 28, 2006 at 23:09 | Permalink

    While I agree with much of the diagnosis of the problem, the proposed solution does sound strange. I guess a clean-up CD might work, but if such a thing was easily constructable, then people would be selling it today.

    The notion of tax breaks for upgrades is really strange. I’d guess most governments have more serious problems on their minds. Even if you could convince governments to do it, I’m not sure it would improve the situation at all. When I searched for “botnet Windows XP” the first hit I got described a botnet that was about 75% Win XP, and about 50% Win XP SP 2. I would be somewhat surprised if most botnets were formed from older machines (or, if they are, that more recent machines won’t just take their place if we upgrade those machines).

    But, I’m often wrong…

  4. Posted December 29, 2006 at 16:04 | Permalink

    Dave —

    ‘I guess a clean-up CD might work, but if such a thing was easily constructable, then people would be selling it today.’

    I think the problem there is ‘sell’. If it was given away free in every corner shop or post office, and advertised heavily, I think it’d be much more widely used.

    About 80-90% of the less tech-savvy PC owners of my acquaintance no longer run virus/malware scans. They installed McAfee or Norton when they set up the PC 6 months ago, but since then, it’s expired, and they haven’t bothered buying a replacement — because they don’t see the value of it (yet), and they perceive it as a waste of money. Eventually, they’ll start wondering about frequent crashes or slowdowns, and they’ll ask me or a similarly techie pal to take a look… but in the meantime, their machine is easily zombified.

    Mind you, I’m also unconvinced about the ‘upgrade tax break’ idea, though.

  5. Posted December 29, 2006 at 16:44 | Permalink

    Y’know, I was at the LAP meeting and heard the reactions to St. Sauver’s preso.

    The Korean CERT people at that conference have been distributing such a CD but mostly to their local K12s, universities etc. [Microsoft licenses mean that you can’t stick XP SP2 and other hotfixes onto a CD and distribute them around if you’re an ISP .. different if you’re a company with an XP site license I believe]

    Nothing that stops ISPs from doing stuff like shipping DSL routers that have sensibly config’d firewalls and setup CDs that also have free AV / spyware buster etc tools.

  6. Posted January 4, 2007 at 12:19 | Permalink

    The amazing thing is that when I first started with the internet in the 1990s, there was little spam and little protection. Now there is lots of spam, and lots of protection. It seems they will always be one step ahead…

  7. Posted January 16, 2007 at 17:44 | Permalink

    Greg, I completely agree with your point on the personal responsibility of everyone when using their PC.

    If we take an even deeper look at the problem, we’ll see one more layer of the disease-symptoms pair. In this layer the disease is the lack of information about the subjects of popular spam offers, and the symptom is the spam offer itself. For example, I think a lot of people buy pills from spam offers just because they are not well informed about the side effects of such pills — this is the disease, so they’re ready to respond to the corresponding spam email, which is the symptom in this case.

    So even if you have successfully deleted all of today’s zombies from PCs, there’ll always be a lot of people who still continue responding to spam and so installing new zombies on their PCs. And even worse: new generations are growing continuously, and one of the educational system’s tasks is to explain to children what spam is.

    I think these two problems must be solved together. Then we can say there’s hope of overcoming spammers.

    So we need anti-spam campaigns explaining to people why this game is so tricky.

  8. Posted January 31, 2007 at 04:59 | Permalink

    The government is not the answer. And I’m writing this in Canada where we seem to believe that everything is the government’s responsibility!

    We certainly can’t blame the end-users since most of them can barely use the power button, let alone secure their machines.

    The problem used to be misconfigured SMTP MTAs that allow relaying. That is less of an issue now as awareness among admins has increased and RBL lists are doing a pretty good job of dealing with these servers.

    To me this seems to come down to one thing: Microsoft Windows. If Windows wasn’t Swiss cheese then we wouldn’t have compromised machines flooding the internet with SPAM. To me, the resolution to this problem lies squarely on the shoulders of Microsoft to solve. Here’s hoping that Vista helps but I’m not holding my breath.

    I was just reading a very interesting article on stopping SPAM using OS fingerprinting with PF on OpenBSD. Here’s the link:

    Clearly there is some way to go with OS fingerprinting. But it does hold some promise. If your server denies inbound connections from machines running Microsoft client OSes then we could all cut our SPAM significantly…
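    As an added illustration of the PF approach this comment refers to (example configuration written for this page, not taken from the post or the linked article): a pf.conf fragment for an OpenBSD mail exchanger that refuses inbound SMTP from hosts whose TCP SYN passively fingerprints as Windows. The interface name and MX address are assumed placeholders.

```pf
# Added example for this page (not from the post or the linked article).
# Assumed: external interface em0 and MX address 192.0.2.25 (documentation range).
ext_if = "em0"
mx_addr = "192.0.2.25"

# Passive OS fingerprinting is applied to the TCP SYN only, so match SYN packets.
# "Windows" is the fingerprint class from /etc/pf.os; narrower entries such as
# "Windows XP" are also accepted (list the known ones with: pfctl -s osfp).
# 'quick' makes this rule final so the later pass rule cannot override it;
# 'log' records each refused connection to pflog for review
# (tcpdump -n -e -ttt -r /var/log/pflog port 25).
block in log quick on $ext_if proto tcp from any os "Windows" \
    to $mx_addr port smtp flags S/SA

# Everything else may reach the MX on port 25 with normal stateful tracking.
pass in on $ext_if proto tcp from any to $mx_addr port smtp flags S/SA keep state
```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading. The caveat the comment glosses over: a legitimate mail server running on Windows matches the same "Windows" class, so this belongs on an MX as one check among several, not as the sole filter.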

  9. Posted February 2, 2007 at 18:21 | Permalink

    Are there any projects to create a global email white list?

    The idea is simple: when Alice receives a first email from Bob, she sends a confirmation to the global white list center that this email is polite (not spam).

    Until then, all emails from Bob to Alice will be blocked.

    Is this idea worth pursuing?