Politech mailing list archives

FC: Anti-spam tip for Windows users: Turn off built-in messaging


From: Declan McCullagh <declan () well com>
Date: Tue, 26 Nov 2002 08:53:10 -0500

Previous Politech message:
http://www.politechbot.com/p-04194.html

---

Date: Tue, 26 Nov 2002 08:24:38 -0500
To: declan () well com
From: Jon Zittrain <zittrain () cyber law harvard edu>
Subject: Re: FC: Spam king lives large off others' email troubles

The "stealth technology" exploits the fact that many default Windows setups have a form of popup messaging enabled, completely apart from traditional instant messaging clients -- see <http://www.jmu.edu/computing/security/info/winmsg.shtml>.

---

Date: Tue, 26 Nov 2002 14:41:53 +0100
From: Tomas Fjetland <tomas () fjetland com>
To: declan () well com
Subject: Re: FC: Spam king lives large off others' email troubles

Declan,

You most likely already know, but what the article probably describes and that Thomas Leavitt describes as "laughable", is probably the new wave of advertising using the Windows Messaging service. It does depend on machines that are on the internet but not properly secured, but everyone knows that's not uncommon. All such a spam system needs to do is check if the normal netbios ports respond, and if they do, chances are the machine will receive and display such an ad.
http://www.ciac.org/ciac/techbull/CIACTech03-001.shtml

Makers of AdSubtract ad-blocking software, Intermute, have already released a blocking tool, but using a good firewall would probably be the better option. http://www.messagesubtract.com/help.html

(I'm not affiliated with Intermute beyond being a satisfied customer of AdSubtract)

Regards,
Tomas Fjetland

---

Date: Tue, 26 Nov 2002 08:20:01 -0500
To: declan () well com
From: "James M. Ray" <jray () omnipay net>
Subject: Re: FC: Spam king lives large off others' email troubles
Cc: <thomasleavitt () hotmail com>

>[This is really somewhat vile. --Declan]
...
>... the last bit about the "stealth spam" technology is pretty laughable; I
>find it hard to understand how a "tech" reporter could be ignorant enough of
>basic Internet architecture to swallow the idea that somehow, a spammer
>could shove stuff onto your computer (short of a massive OS security flaw,
>etc.).
>
>... more likely, he's talking about some kind of rather prosaic adware...

I may be wrong, but I think he's hinting about expanding into AIM-spam
there. :( I won't welcome the first spam instant message I get, but even
though my AIM id is widely known, I haven't gotten one...yet...
JMR

--
"e-gold is to money what email is to letters."  -- JP May
--
Regards, James M. Ray  <jray () omnipay net> PGP = 0xAE141134
http://www.e-gold.com/e-gold.asp?cid=101574

---

Date: Tue, 26 Nov 2002 07:44:48 -0500
From: Rich Kulawiec <rsk () firemountain net>
To: Thomas Leavitt <thomasleavitt () hotmail com>
Cc: Declan McCullagh <declan () well com>
Subject: Re: FC: Spam king lives large off others' email troubles

> ... the last bit about the "stealth spam" technology is pretty laughable; I
> find it hard to understand how a "tech" reporter could be ignorant enough of
> basic Internet architecture to swallow the idea that somehow, a spammer
> could shove stuff onto your computer (short of a massive OS security flaw,
> etc.).
>
> ... more likely, he's talking about some kind of rather prosaic adware...

Actually, some of the ratware out there is surprisingly sophisticated.
Spammers have moved on from simple header forgery and open SMTP relay
hijacking to widespread, coordinated use of thousands of open proxies,
with traffic spread across them and using "hashbusters" in the text
to mitigate the accuracy of some anti-spam software.  They use all kinds
of other tricks as well: HTTP references to hosts are often expressed
as IP addresses or in hex; HTML markup is obfuscated to make it
difficult to do string comparisons, e.g.

        <a href="http://www.<!-- blah -->sp<!-- blah-->amsite.com"></a>

and similar things; they're frequently switching domain names; at least
one that I know of constructed a VPN between two different ISPs and
was tunneling traffic in an attempt to evade detection.  And so on.

Now granted, the overwhelming majority of spammers aren't capable of
crafting these kinds of tools and may even struggle to just use them.
But there are clearly at least a few very sharp brains at work out
there and the tools they're creating are clearly designed to (1) maximize
throughput (2) maximize actual delivery rate (3) minimize chances of
detection (4) minimize compute/network load on the spammer's own systems.
Combine this with the limited technical resources at some ISPs and the
willingness of others to allow spammers on their networks and it's a
major problem.

---Rsk
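As an added illustration of why the tricks Rich lists defeat naive string matching, and what a filter has to do before comparing: the following example code is not part of the original thread. It strips HTML comments out of hrefs and canonicalises hex and decimal IP hosts to dotted-quad form; the sample markup and blocklist entries are constructed, and the private address 192.168.0.1 stands in for a real host.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed samples of the obfuscations described in the message above.
SAMPLES = [
    '<a href="http://www.<!-- blah -->sp<!-- blah-->amsite.com"></a>',  # comment-split name
    '<a href="http://0xC0A80001/offer">click</a>',   # hex form of 192.168.0.1
    '<a href="http://3232235521/offer">click</a>',   # decimal form of the same host
]

# Constructed blocklist: entries are stored in canonical form only.
BLOCKLIST = {"www.spamsite.com", "192.168.0.1"}

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def strip_comments(html: str) -> str:
    """Remove HTML comments so a name split by <!-- --> reads as one token."""
    return COMMENT_RE.sub("", html)


def canonical_host(host: str) -> str:
    """Map hex, decimal and dotted IPv4 hosts to dotted-quad; lower-case names."""
    h = host.lower().rstrip(".")
    try:
        if re.fullmatch(r"0x[0-9a-f]+", h):
            return str(ipaddress.IPv4Address(int(h, 16)))
        if re.fullmatch(r"[0-9]+", h):
            return str(ipaddress.IPv4Address(int(h, 10)))
        return str(ipaddress.IPv4Address(h))
    except ValueError:            # not an IPv4 literal: keep the hostname as-is
        return h


def extract_hosts(html: str) -> list:
    """Return the canonical host of every href in the (comment-stripped) markup."""
    hosts = []
    for url in HREF_RE.findall(strip_comments(html)):
        name = urlsplit(url).hostname
        if name:
            hosts.append(canonical_host(name))
    return hosts


def matches_blocklist(html: str, blocklist=BLOCKLIST) -> bool:
    """Compare on canonical hosts, not on the raw markup string."""
    return any(h in blocklist for h in extract_hosts(html))
```

A raw substring test such as `"spamsite.com" in SAMPLES[0]` is false for every one of these samples, while `matches_blocklist` is true for all three.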

---

Date: Tue, 26 Nov 2002 10:56:10 +0000
From: Matt Collins <matt () clues com>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Spam king lives large off others' email troubles

On Mon, Nov 25, 2002 at 11:18:18PM -0500, Declan McCullagh wrote:
> [This is really somewhat vile. --Declan]
>

Laughable as Thomas may find it or not, the massive OS security
flaw in question is windows messenger service, affecting at least
w2k and XP, and the cause of many many unfirewalled windows users
receiving random popup messages on their systems advertising
porn, etc.

Thomas presumably finds the idea laughable, because he can't imagine
any vendor providing the ability for random 3rd parties on a distant
network to connect and pop up requestors on your box, stealing focus
from whatever you may be doing. Microsoft, gloriously, have provided
this ability, to the extent that many associates who have an application
that crashes if focus is stolen from it regularly, well, crash, until
they disable this 'feature'.

Some discussion here:
http://www.mircscripts.org/viewImage.php?cid=5099&v=b

Matt

n.b. this is the OS's messaging service, not the instant message
client similar to ICQ.

---

From: "Thomas Leavitt" <thomasleavitt () hotmail com>
To: "Ed Allen Smith" <easmith () beatrice rutgers edu>
Cc: "Declan McCullagh" <declan () well com>, <andrew () b40 org>
Subject: Re: FC: Spam king lives large off others' email troubles
Date: Tue, 26 Nov 2002 00:39:23 -0800

Stunning... once again, Microsoft has shown that it is incapable of
designing an operating system which can both function normally, and be
secure, in a networked environment.

Boy am I glad that I'm sitting behind a NAT device (one of four or five
computers sharing my 56k connection). I feel a hell of a lot more secure
knowing my systems are sitting on the open Internet. All I can say is, if I
were a firewall/anti-virus software company or a NAT device manufacturer,
I'd be revving up the marketing machine... because once this stuff becomes
freely available, it will be impossible to run NT/2000/XP without something
of the sort - my guess is that it will take less than 10 pop ups in a single
hour to piss people off badly enough to do something. Whether that involves
lynching Ralsky, Gates, or something more moderate is unknown. :)

Regards,
Thomas Leavitt

---

From: Ed Allen Smith <easmith () beatrice rutgers edu>
Date: Tue, 26 Nov 2002 03:05:18 -0500
To: thomasleavitt () hotmail com
Cc: declan () well com

In message <5.1.1.6.0.20021125181352.02ab9c40 () mail well com> (on 25 November
2002 23:18:18 -0500), declan () well com (Declan McCullagh) wrote:
>[This is really somewhat vile. --Declan]

Yes. Hopefully, someone will do the same Oakland County real estate record
search that this reporter did and make Ralsky's address available to the
public again. Given his lack of concern for the privacy of anyone else, I
see no reason why he should have any.

---

Date: Mon, 25 Nov 2002 23:30:13 +0000 (UTC)
From: Bill Nash <billn () billn net>
To: Declan McCullagh <declan () well com>
cc: politech () politechbot com
Subject: Re: FC: Spam king lives large off others' email troubles

On Mon, 25 Nov 2002, Declan McCullagh wrote:

> [This is really somewhat vile. --Declan]
>
> ---
>
> From: "Thomas Leavitt" <thomasleavitt () hotmail com>
> To: "Declan McCullagh" <declan () well com>
> Subject: Fw: More on the Spam Kings
> Date: Mon, 25 Nov 2002 14:43:16 -0800
>
> ... more likely, he's talking about some kind of rather prosaic adware...
>

        Or how about something as simple as a return receipt? This
functionality is bred into most e-mail software. Most people either don't
know, don't care, or can't be bothered to learn. Sad but true, I miss the
DOS days when you had to have a clue to operate a PC. The legacy Bill
Gates is a species of idiot.

- billn




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
Recent CNET News.com articles: http://news.search.com/search?q=declan
-------------------------------------------------------------------------