[IP] "Rumplestiltskin worm" on the loose?

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] "Rumplestiltskin worm" on the loose?
From: David Farber <dave@xxxxxxxxxx>
Date: Sat, 7 May 2005 07:25:21 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <6.2.1.2.2.20050506215551.074e7950@localhost>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Brett Glass <brett@xxxxxxxxxx>
Date: May 7, 2005 12:15:03 AM EDT
To: Farber Dave <dave@xxxxxxxxxx>, Ip ip <ip@xxxxxxxxxxxxxx>
Subject: "Rumplestiltskin worm" on the loose?


Dave:

This week, I have begun to see evidence -- in the form of "bounced" e-mails and errormessages in our servers' log files -- that "zombie" machines whichare infected bymalware (either worms or spyware) are launching aggressive"Rumplestiltskin attacks"

against mail servers throughout the Internet.

What is a "Rumplestiltskin attack?" As described in a paper I wroteseveral years ago(where I coined the term for lack of a better existing one), it is ane-mail addressharvesting attack in which a machine attempts to send e-mail messagesto randomlyguessed addresses at a domain. It might try common first names -- forexample,"john@xxxxxxxxxx", "joe@xxxxxxxxxx," and "mike@xxxxxxxxxx" -- andthen proceed tocommon last names and combinations of names and initials. (In somecases, we'veseen some very unusual guesses that appear to have been extractedfrom lists of

AOL screen names.)

If mail for a guessed address is accepted, the "zombie" machinerecords the addressand sends it back to its "master" -- a controlling machine which addsit to a

database of addresses which will become targest for spam.

Because the address guessing process is expensive (both in terms ofcomputing time andin terms of bandwidth), the best way to achieve results is via arogue form ofdistributed computing, in which large numbers of "zombies" (machinesco-opted via

malware) are pressed to the task.

On our servers, these attacks and other traffic from spammers are nowconsumingapproximately ten times more resources than all of our legitimatemail combined.

Because the "zombies" are generally not mail servers, the mosteffective way tomitigate these attacks -- though it might offend the sensibilities ofthe"Orthodox End-to-Endians" -- is for ISPs and enterprised to blockoutgoing port 25traffic from client computers that are not designated as, or intendedto be, mailservers. These computers should send outgoing mail only through adesignated mail

server, which in turn monitors them for excessive outgoing traffic.

ISPs' firewalls should monitor and log attempts to send such traffic,so that

infected machines can be spotted and cleansed of their infections.

As I've mentioned above, there will be some people who arephilosophically opposedto the notion of restricting Internet traffic so as to limit abuse.Alas, suchidealism is inappropriate for the real world, where spam is nowconsuming so manyresources that it threatens not only to choke off not only legitimatee-mail but

to consume the lion's share of ISPs' bandwidth.

--Brett Glass



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Tech: A 'hostile environment' for US natives????
Next by Date: [IP] bonded servitude raw deal more on Tech: A 'hostile environment' for US natives????
Previous by thread: [IP] bonded servitude raw deal more on Tech: A 'hostile environment' for US natives????
Next by thread: [IP] bonded servitude raw deal more on Tech: A 'hostile environment' for US natives????
Index(es):
- Date
- Thread