Old 07-11-2007, 11:44 PM   #5
kurt wismer
Guest
 
Re: New .PDF malware (?)

ok, maybe i can explain this in a simpler way...

first:
a spammer has 2 choices, he can make his spam more readable so that the
people who do manage to receive it don't have to put as much work into
reading it, or he can make his spam more obfuscated so that it gets past
filters and reaches more inboxes...

while better readability is no guarantee of greater sales, less reach
*is* a guarantee of fewer sales...

second:
while pdf viewers may not be technically a standard part of the os they
are *effectively* a standard part of the os... just as flash-based ads
on the web are effective despite flash not coming pre-installed,
pdf-based spam can be effective without acrobat coming pre-installed...
when it comes to formats this popular the question of whether the reader
comes pre-installed simply does not matter...

Virus Guy wrote:
> kurt wismer wrote:

[snip]
>> and the point i'm making is that acrobat is virtually standard
>> *in spite* of not necessarily coming pre-installed...

>
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).


no, the pdf format is more open than that... pdf is used as a spam
obfuscation technique simply because it's novel enough that existing
filters didn't have any handling for it yet...

>> spammers have always had a poor penetration rate with their
>> advertisements... if the new obfuscation reduces it they'll
>> just do what they've always done - make it up on volume...

>
> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.


ummm, no... increasing volume can be as easy as building a bigger botnet...

[snip]
>>>> isp's try to stomp out the zombies on their networks
>>> These days, few if any ISP's do that.

>> in my part of the world they do...

>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,
> why can't they at least detect spam runs as they happen, and put rate
> limits on them? Why can't they detect a spam run in progress by
> looking for inordinate amounts of MX lookups being made by an infected
> customer?
>
> What exactly does a given ISP do when they learn about spam being
> emitted by one of their several-million customers? Do they call the
> customer? Send them an e-mail? Perform an on-site service call?
> Please explain what happens in your part of the world.


they cut off the customer's internet access... when the customer calls
to complain they inform the customer why their access was cut off and
tell them what they need to do to get it turned back on... the customer
may or may not be successful at removing the bot but with the internet
access cut off the zombie has been removed from the network...

someone i used to work with encountered this very situation with a large
isp known as rogers...

i understand that at least one 'solution' provider has developed
technology that would give isp's the power to let such affected
customers connect in a restricted fashion such that the only thing
they'd be able to do would be download tools the isp made available for
correcting the problem... unfortunately i can't think of the name right
now...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
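The thread above floats one concrete detection idea an ISP could use against a compromised customer: spot a spam run in progress by the burst of MX lookups the bot makes while it resolves its target domains. The following is an added example, not code from either poster or any ISP; it sketches that heuristic over a few constructed resolver log lines. The log format (ISO timestamp, client IP, query type, query name), the sample addresses and domains, and the thresholds (more than 5 MX queries to more than 5 distinct domains inside a 60 second window) are all assumptions chosen for illustration.

```python
"""Toy detector for the 'inordinate MX lookups' heuristic discussed above.

Added example, not part of the original thread.  Log format, sample lines,
client addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client-ip> <qtype> <qname>".
# 10.0.0.5 behaves like a small legitimate mail host (an occasional MX query);
# 10.0.0.9 behaves like a spam bot resolving many target domains in seconds.
SAMPLE_LOG = """\
2007-07-11T23:40:00 10.0.0.5 A www.example.com
2007-07-11T23:40:02 10.0.0.5 MX example.net
2007-07-11T23:40:03 10.0.0.9 MX mail-a.example
2007-07-11T23:40:04 10.0.0.9 MX mail-b.example
2007-07-11T23:40:05 10.0.0.9 MX mail-c.example
2007-07-11T23:40:06 10.0.0.9 MX mail-d.example
2007-07-11T23:40:07 10.0.0.9 MX mail-e.example
2007-07-11T23:40:08 10.0.0.9 MX mail-f.example
2007-07-11T23:40:09 10.0.0.9 MX mail-g.example
2007-07-11T23:40:10 10.0.0.9 MX mail-h.example
2007-07-11T23:40:30 10.0.0.5 MX example.org
2007-07-11T23:45:00 10.0.0.9 MX mail-i.example
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.lower()


def detect_mx_bursts(log_text, window_seconds=60, max_mx=5):
    """Return {client: (peak_mx_queries, peak_distinct_domains)} for every
    client that exceeded max_mx MX queries to more than max_mx distinct
    domains within any sliding window of window_seconds.

    Counting distinct domains, not just queries, keeps a host that retries
    one domain's MX record from being flagged as a spam run.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> deque of (timestamp, qname)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        if qtype != "MX":
            continue
        q = recent[client]
        q.append((ts, qname))
        # Expire entries that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {name for _, name in q}
        if len(q) > max_mx and len(distinct) > max_mx:
            prev = flagged.get(client, (0, 0))
            flagged[client] = (max(prev[0], len(q)), max(prev[1], len(distinct)))
    return flagged


if __name__ == "__main__":
    for client, (count, domains) in detect_mx_bursts(SAMPLE_LOG).items():
        print(f"{client}: {count} MX queries to {domains} domains in one window")
```

Run on the sample log, only 10.0.0.9 is reported (8 MX queries to 8 distinct domains inside one window); its lone query five minutes later falls outside the window and does not trigger again, which is the behaviour you want before the ISP takes the rate-limiting or cut-off step described in the post.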