213.239.219.153:1863
209.250.234.164:6798
216.12.205.178:5555
72.36.171.250:5051
88.198.36.87:5050
88.84.144.181:9050
88.84.148.49:1122
194.116.209.105:5555
200.251.187.2:4212
193.138.222.11:9999
66.252.31.210:9501
88.84.152.230:7766
134.197.89.1:8782
80.97.51.143:7777
211.115.112.76:6270
89.163.182.20:3921
66.252.31.210:9501
66.109.25.116:11640
208.53.143.101:2329
tcteam.ath.cx:2006
dv.tetovalive.de:9501
gt.albashow.de:8350
xp.i-am-leet.com:8202
suzi-love.ath.cx:2006
h3x.tetovalive.de:5051
207.81.157.91:8822

I totally agree about putting responsibility for this kind of activity in the hands of ISPs and network providers. I wonder what it would take to make that happen. Network ownership can be so fuzzy and people don’t like to take responsibility for parts of the network outside their direct control. Meanwhile the spammers are working under the “bits don’t stop at the border” model.

And as you discovered, trying to work on this directly with customers just doesn’t scale – the profit of a single customer in a year is eaten up by 30 minutes of phone support. Assuming the user even cares to begin with.

Mark – interesting technique on the Thunderbird content filtering, though it would seem to mark quite a few false positives (and the comments say as much).

Lars, that Usenet rant was a good read, thanks.

That this is offered as a service so that Heise users can check their systems for unpatched holes failed to register with the security people in charge.

“Seems to” is it. [See link]

> I worry that someday email will only be feasible with whitelisting,

Given the prevalence of Internet Explorer (BTW, still not adequately secured by default in version 7), today the Web is only feasible with whitelisting.

> It’s becoming increasingly popular for admins to block entire nations, either at the apache or at the firewall level. I’ve been tempted to do the same myself, but haven’t. Yet.

If all you ever see is spam, hacking attempts, or other malicious traffic from a given IP range associated with a country, oh well . . .

Daniel wrote:
> The only real way to shut down these botnets is for a Malicious Virus to be released.

“Great minds,” and so forth . . .

> even if the Payload is something malign like Demolishing the network stack, but leaving User Data intact, it would still be highly Illegal

“You may as well be hanged for a sheep as for a lamb” is one of the reasons why IMO no-one not having a money-profit-making interest will write such a beast.

-Jim

Half the infected machines are not even getting current security patches. The flip side of that is a frightening stat too, but the reality is that the unpatched, unmaintained older systems are at least half of the problem.

I’m inclined to think that we’re looking to the wrong places for solutions and police. Microsoft can’t help us. They’ve only just begun to make serious efforts to track and eradicate trojans. The ISPs, backbone networks and routers are probably where we need to be looking to choke the large botnets.

As one person I know commented, one of the largest cable networks doesn’t do an effective job of addressing the infections coming from their network.

I tend to think that one problem is the networks don’t want to assume liability by attempting to solve the problem and then being seen as responsible for failing to prevent infections.

The other problem is that the service providers seem to be lacking the competency and technical understanding to even attempt to control this. And the few who are able to study this kind of thing are like scientists observing and trying to interpolate a big picture from the little bits they can actually see.

I think the ISPs need to accept more responsibility and accountability for letting they customers get hijacked, and that perhaps aggressive filtering is needed to help plug the holes.

I spent much of the last half decade doing ISP support and watched the virus infections and trojans grow. I spent countless hours walking college students and little old ladies through scanning systems, and even arguing with IT students to try to convince them they were infected.

Eventually I just started aggressively plugging the abused ports on our routers. This had minimal impact on quality of service and left a lot of infected computers inside our network but helped prevent new infections spreading and complaints from upstream providers.

I’s a different and much more complex world now, and the sophistication clearly comes from people who are making enough money at this that they can afford to hire and attract the kind of talented programmers to exploit anything. These guys probably make more than the naive children in Redmond trying to plug the dyke with a finger.

So lets look to the folks who built the networks and infrastructure for ways to detect and isolate this kind of crap. Throw some money at Cisco and get the networks more active in caring about the abuse. Figure out how to isolate the bots at a network level, spam at the servers and clients, and eduction users and support staff better. The solution is as complicated and elusive as the source of the problem, but clearly what everyone is doing now is not working.

Of course, even if the Payload is something malign like Demolishing the network stack, but leaving User Data intact, it would still be highly Illegal and in America, the distributer would be charged with Terrorism, since they are restricting the trade of Capitalist Businesses (Spammers) on a Public (Socialist) network.