The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Friday, November 07, 2008

Researchers Hijack Storm Worm to Track Profits

Always good for information on the spam economy, Brian Krebs of the Washington Post has just published a truly fascinating article: Researchers Hijack Storm Worm to Track Profits.

Bottom line: a one-in-twelve-million conversion rate of spam to sales seems to be enough to keep the spam economy going.

The article covers a project by researchers at UC San Diego and UC Berkeley, who managed to infiltrate the Storm Worm bot network and take over a small portion of it.

They then redirected some of the spam payloads to fake websites which had been set up to mimic the actual websites advertised in the spam. Would-be customers would go to the fake web sites and try to order their penis pills and become another statistic for the researchers. (At which point the sale fails to go through — the researchers were fishing for statistics, not credit card info.)

All told, 350 million spams over 26 days resulted in 28 sales, for a total of just over $2700. Researchers estimate that they took over just 1.5% of the Storm Worm network, meaning that the network sends about — let's see, carry the one — just under 900 million spam emails per day, with a revenue of just about $7000 per day.

That's it. There's your math. $7000/day pays for something like 20% of the total spam load we all endure, day after day. And the vast majority of it going to penis pills that don't even work.

One more piece of math: The worm propagates as a virus mailed from victim to victim. Researchers discovered that a whopping one in ten people will click on the link and download the virus.


So what does this mean in terms of fighting spam?

Well, first of all, educating people about spam, or getting them to sign the Boulder Pledge to not buy anything advertised via spam, is hopeless. You'll never convince everybody. If the spammers only have to reach one person in twelve million spams, then educating 99% of the people, or 99.99% of the people, or even 99.9999% of the people just isn't enough.

In other words, Just Hit Delete won't work.

Technological means? So far, no good. We build better filters, spammers add more entropy to their message text to bypass them. I'm sitting behind at least three good filters at home, and I'm flooded with the stuff.

Legal means? Not very effective so far, mainly thanks to CAN-SPAM, which protects spammers from almost all legal remedies. Only state governments and the very largest ISPs have been able to take legal actions against spammers, and the spammers generally make themselves judgement-proof well before it comes to that.

The Federal government can theoretically put a spammer in jail, but I'm unaware of any such cases except when other crimes such as wire fraud are involved, in which case CAN-SPAM violations are added on the side.


Other questions about this research present themselves. Such as, if the researchers could take over a small portion of Storm Worm, why can't they take all of it over and shut it down?

Can Storm Worm be repurposed for good? Maybe launch a popup on the user's screen when it's installed, saying "hey dumbass what did you think you were doing when you clicked on that link?" or "are you really so stupid that you believed a Nigerian prince wanted your help laundering a vast fortune out of the country?" Sheesh.

I've always dreamed that someone would write a virus that takes over the victim's system and installs all the necessary security updates. Or maybe upgrade them to Linux. It would be a public service.

Here's a thought: credit card companies should run fake sites like this, and use it as a way to educate consumers who get caught in the net — or maybe just take their credit cards away and do us all a favor.

More seriously, I would have liked to see some effort by the researchers to track the worm to its source, but I think it's likely that they tried without success. It's believed that the bulk of this spam originates from Russia, where there is little or no hope of getting any real information on the spammers. Given that restriction, I think the researchers were forced to be satisfied with the information they were able to collect.

The academic paper is available from Berkeley's International Computer Science Institute (pdf).


Update: This morning, the BBC had a good article on the report. In it, they made one very good point: the conversion rate is so low, and the profit margin so slim, that this suggests some avenues of attack on the spammers.

As for myself, I'm not convinced. My first thought was that the old idea of charging postage for email might be worth pursuing. At a conversion rate of less than $1 per hundred thousand emails, an e-postage rate of 1/100 of a penny per email would pose no burden on ordinary consumers, but break the economic back of spam. However, I quickly dismissed this idea upon realizing that since the majority of spam is sent by 'bots, it's the consumers who will be paying the postage, and not the spammers. Further, the postage would be so cheap that most victims wouldn't be charged enough money to motivate them to do something about the problem, and certainly not enough to make law enforcement — who don't even get out of bed for anything less than grand theft — take any notice.

Is there any other way to pass the economic burden spam — any economic burden at all? — to spammers? If there is, word of it has yet to reach my ears.

3 Comments:

Anonymous Anonymous said...

DDOS attack?????

6:55 PM  
Blogger Unknown said...

Just Block it. Filters are a joke. The key is contextual filtering. Get an email server that does the following:

- Checks SPF ( implement this on your domain ) to block spoofing
- Require valid domain MX records
- Check dns PTR's
- Use GreyListing ( spammers will only send once. If you tell them "try again later" they just drop the message. A real mail host doesn't. )
- Use Tarpitting ( progressive response delays for each spam attempt ) to proactively slow down their infrastrusture. Remember they rely on speed and volume.
- Check the SpamHaus Zen list. Deny any flagged messages.
- Check the SURBL. This is the only time your mail server should actually parse an email besides looking for viruses.

That all will block ~98% of Spam. Filters are for the birds. For our average client moving to our mail server, the above methods will take the boss of the company from ~500 Spams a day to ~12. And forget big expensive paid services ( PSMTP, Symantec, etc. ). hMailServer is a free program, runs on Windows, and does all of that out of the box. There are a number of *nix based server softwares where all of the above is easy to implement.

And the key here is: if it fails, BOUNCE THE MESSAGE! Filters like Symantec's, PSMTP, Gmail/Yahoo/MSN are problematic because they accept the mail before filtering it. More storage, you have to go in an actually empty your trash, etc. etc. If it's Spam, your email provider does themselves and you no favors by filtering after acceptance. The <.1% of people who can't pass the above checks will get the bounce, seek the cause, tell their mail admin to fix their setup, and go on about their business.

imho, if 90% of domains on the Internet could implement the above, Spammers would go out of business.

3:17 PM  
Blogger Unknown said...

It is a very nice and good post. Keep up the good work.

3:38 AM  

Post a Comment

<< Home