Botnets: Hi-tech crime in the UK
- 8 March 2012
- From the section Technology
Criminals in charge of botnets are always trying to extend their reach over more and more machines.
They do this because the number of machines they control fluctuates moment by moment as some are disinfected, turned off or taken over by rivals.
But there are some machines they can depend on for a long time. They sit on the same IP addresses and keep on spewing spam for years and years.
Dave Rand, founder and overseer of the Mail Abuse Prevention System (MAPS), knows which UK IP addresses have been sending spam the longest.
Anyone who thinks they get a lot of spam should talk to him about the scale of the problem as he has built his career around junk mail.
Every day, between 100 and 200 million junk mail messages find their way to the network Mr Rand runs.
He gets so many because he has run his domain for a long time and has been active in anti-spam circles for almost the same amount of time.
He has become the authority on spam origins, and MAPS publishes lists of the biggest spewers of junk messages to help ISPs and others block the messages at source.
Mr Rand set up MAPS to tackle the big spam problem he had back in 1995.
"I was getting the ridiculous quantity of 1-2 spam messages per day," he said. "I found that completely intolerable. I started to record those and out of that came MAPS."
The data he holds reveals that there are some IP addresses in the UK that have been sending out junk mail for years and years. Mr Rand provided a few to the BBC for this investigation.
Some of the IP addresses the BBC looked into were overseen by business ISPs and hosting companies, or were for small businesses that ran their own IT.
Many of the addresses he supplied started sending spam in 2004 and, bar the occasional hiatus, have kept sending a steady stream of junk ever since.
Some have sent so much spam that the IP address they use is blocked, so any mail received from it is deleted. One IP address that has sent hundreds of thousands of junk messages is on 14 separate block lists.
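Block lists of the kind MAPS publishes are usually consumed as DNS-based block lists (DNSBLs): a mail server reverses the octets of the sending address, appends the list's zone and does an ordinary DNS lookup. The Python below is an added illustration of that check, written for this page rather than taken from the BBC or from MAPS. The zone names are two widely used public lists plus a placeholder (the article does not say which 14 lists it found), and the resolver is injected so the code runs offline against a constructed stub.

```python
"""Check an IPv4 address against DNS-based block lists (DNSBLs).

Added example for this article, not code from the BBC or from MAPS.
A DNSBL is queried by reversing the address's octets and appending the
list's zone; an A record in 127.0.0.0/8 means "listed", while NXDOMAIN
means "not listed". The resolver is injected so the logic runs offline
against a constructed stub.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Two widely used public lists plus a placeholder zone; substitute the lists
# you actually rely on. (The article does not name the 14 lists it found.)
DNSBL_ZONES: List[str] = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.example.net"]

Resolver = Callable[[str], Optional[str]]  # query name -> A record, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 checked against zone Z becomes the DNS name 4.3.2.1.Z."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listing_response(answer: Optional[str]) -> bool:
    """Treat only 127.0.0.0/8 answers as listings.

    Spamhaus uses 127.255.255.0/24 for query errors (for example queries sent
    through a public resolver), so those are excluded rather than reported as
    a listing. Anything outside 127/8 is treated as "not listed".
    """
    if answer is None:
        return False
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        return False
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        return False
    return a in ipaddress.IPv4Network("127.0.0.0/8")


def live_resolver(name: str) -> Optional[str]:
    """Real lookup; NXDOMAIN (and other failures) come back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str] = DNSBL_ZONES,
             resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the address."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if is_listing_response(answer):
            hits[zone] = str(answer)
    return hits


# Constructed stub: pretends 1.2.3.4 is on two of the three lists and that a
# query for 5.6.7.8 came back as a Spamhaus-style error code, not a listing.
STUB_TABLE = {
    "4.3.2.1.zen.spamhaus.org": "127.0.0.4",
    "4.3.2.1.dnsbl.example.net": "127.0.0.2",
    "8.7.6.5.zen.spamhaus.org": "127.255.255.254",  # error, not a listing
}


def stub_resolver(name: str) -> Optional[str]:
    return STUB_TABLE.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8"):
        hits = check_ip(ip, resolve=stub_resolver)
        print(f"{ip}: listed on {len(hits)} of {len(DNSBL_ZONES)} zones {hits}")
```

To check a real address, call check_ip with the default live_resolver; note that many lists refuse or rate-limit queries that arrive via large public resolvers, which is why the error-code range is excluded rather than counted as a hit.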
Analysis of the machines using publicly available tools reveals that many are poorly configured Windows machines sitting on a badly administered network.
Many are servers running software that has not been regularly updated. Some run software, such as the SquirrelMail webmail package, that is well known for having security holes spammers can exploit.
Cybercriminals scan the net looking for the version numbers of the programs a server is running, seeking out vulnerable versions.
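The scanning described above is, at bottom, string matching on the version numbers that servers volunteer in their banners. The Python below is an added illustration written for this page, not code from the BBC or from any real scanner: it pulls product and version strings out of constructed sample banners and flags any that fall below a baseline. The EXPECTED table is a placeholder standing in for "the release you believe you have deployed", not vulnerability data, and a defender can run the same parse over their own hosts to see what they are advertising.

```python
"""Pull product/version strings out of server banners and compare them.

Added example for this article, not code from the BBC or from any scanner.
Attackers do this across the whole net against lists of vulnerable releases;
a defender can run the same parse over their own hosts' banners to see what
is being advertised. The banners and the EXPECTED table are constructed for
the example and are not advisory data.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# "Postfix 2.3.3", "Apache/2.2.3", "PHP/5.1.6": a product name, a slash or
# space, then a dotted version number (at least two components).
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)[/ ]v?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Version:
    """'2.2.3' -> (2, 2, 3); tuples compare component-wise, so (2, 2, 3) < (2, 2, 22)."""
    return tuple(int(part) for part in text.split("."))


def extract_products(banner: str) -> List[Tuple[str, Version]]:
    """Every (product, version) pair advertised in one banner line."""
    return [(m.group(1), parse_version(m.group(2))) for m in VERSION_RE.finditer(banner)]


# Hypothetical baseline: the release you believe is deployed for each product.
# An older version in a banner means an unpatched host (or a stale banner string).
EXPECTED: Dict[str, Version] = {
    "Apache": (2, 2, 22),
    "PHP": (5, 3, 10),
    "Postfix": (2, 8, 0),
    "SquirrelMail": (1, 4, 22),
}


def flag_stale(banner: str,
               expected: Dict[str, Version] = EXPECTED) -> List[Tuple[str, Version, Version]]:
    """(product, advertised, expected) for each product older than the baseline."""
    stale = []
    for product, version in extract_products(banner):
        baseline = expected.get(product)
        if baseline is not None and version < baseline:
            stale.append((product, version, baseline))
    return stale


# Constructed banners, as a scanner (or an admin auditing their own hosts) would collect them.
SAMPLE_BANNERS = [
    "220 mail.example.co.uk ESMTP Postfix 2.3.3",
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6",
    "Server: Apache/2.2.22",
    "220 mx.example.net ESMTP",  # version withheld: nothing for a scanner to match on
]


def audit(banners: List[str],
          expected: Dict[str, Version] = EXPECTED) -> Dict[str, List[Tuple[str, Version, Version]]]:
    """Map each banner to its stale products; banners with nothing stale map to []."""
    return {b: flag_stale(b, expected) for b in banners}


if __name__ == "__main__":
    for banner, stale in audit(SAMPLE_BANNERS).items():
        print(banner)
        for product, got, want in stale:
            print(f"  {product}: advertises {'.'.join(map(str, got))}, "
                  f"expected {'.'.join(map(str, want))}")
```

The last sample banner shows the cheap defensive counterpart: a server that withholds its version string gives a version-matching scanner nothing to work with, though it does nothing to fix an actually vulnerable install.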
Some of the machines the BBC investigated send out spam for fake drugs such as Viagra. Others are used as so-called dictionary attackers, in which login services are bombarded with lists of common words in a bid to guess passwords.
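A dictionary attack of this kind leaves a distinctive trail in the target's authentication logs: many failures, across many usernames, from one address in a short time. The Python below is an added illustration written for this page, not code from the BBC, MAPS or LeaseWeb. It runs that detection over constructed syslog-style lines covering both SSH logins and SMTP AUTH attempts on a mail server; the year (which syslog omits) and the thresholds are assumptions to tune for your own hosts.

```python
"""Flag dictionary (password-guessing) attacks in authentication logs.

Added example for this article, not code from the BBC, MAPS or LeaseWeb.
It reads syslog-style failed-login lines and flags any source address that
clocks up many failures across many distinct usernames inside a sliding time
window. The log lines below are constructed for the example; the year (syslog
omits it) and the thresholds are assumptions to tune for your own hosts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# OpenSSH: "Failed password for [invalid user ]USER from IP port N ssh2"
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Postfix SMTP AUTH: "warning: HOST[IP]: SASL LOGIN authentication failed: ..."
# (no username is logged by default, so these count as failures from an unknown user)
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)

ASSUMED_YEAR = 2012  # syslog timestamps carry no year


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
           max_failures: int = 20, min_users: int = 5) -> Dict[str, dict]:
    """Return {ip: summary} for every source that exceeds both thresholds.

    Lines must be in time order per source. Failures older than `window`
    relative to the newest failure from that source are dropped, so a slow
    attacker staying under `max_failures` per window is deliberately missed
    (lower the thresholds or widen the window to catch it).
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for line in lines:
        m = SSH_RE.match(line) or SASL_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        user = m.groupdict().get("user") or "?"   # "?" = username not logged
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:               # expire failures outside the window
            q.popleft()
        users = {u for _, u in q if u != "?"}
        if len(q) >= max_failures and len(users) >= min_users:
            flagged[ip] = {"failures": len(q), "users": sorted(users),
                           "first": q[0][0], "last": ts}
    return flagged


def make_sample_log() -> List[str]:
    """Constructed log: one host working through a word list over SSH and SMTP AUTH,
    one user who mistypes a password three times, and an unrelated success line."""
    def stamp(t: datetime) -> str:
        return f"{t:%b} {t.day:>2} {t:%H:%M:%S}"   # syslog pads the day with a space

    words = ["admin", "root", "test", "oracle", "postgres", "guest", "info", "sales"]
    t0 = datetime(ASSUMED_YEAR, 3, 8, 10, 0, 0)
    lines = []
    for i in range(24):
        t = t0 + timedelta(seconds=7 * i)
        lines.append(f"{stamp(t)} mail01 sshd[4410]: Failed password for invalid user "
                     f"{words[i % len(words)]} from 203.0.113.7 port {40000 + i} ssh2")
    for i in range(2):
        t = t0 + timedelta(minutes=4, seconds=3 * i)
        lines.append(f"{stamp(t)} mail01 postfix/smtpd[5120]: warning: unknown[203.0.113.7]: "
                     f"SASL LOGIN authentication failed: UGFzc3dvcmQ6")
    for i in range(3):
        t = t0 + timedelta(minutes=2 * i)
        lines.append(f"{stamp(t)} mail01 sshd[4412]: Failed password for alice "
                     f"from 198.51.100.4 port 51000 ssh2")
    lines.append(f"{stamp(t0 + timedelta(minutes=7))} mail01 sshd[4415]: Accepted password "
                 f"for alice from 198.51.100.4 port 51001 ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in detect(make_sample_log()).items():
        print(f"{ip}: {info['failures']} failures, {len(info['users'])} usernames "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

Requiring both a failure count and a spread of usernames is what separates a word list being run against a host from a legitimate user mistyping one password, which is why alice's three failures are not reported.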
Machines sitting on a couple of the addresses were being used to send out destructive viruses or malicious programs that tried to enrol more machines into a botnet.
Alex De Joode, chief security officer at hosting firm LeaseWeb, said it was not surprising that such machines could sit churning out spam for years.
"Most hosting companies do not know exactly what traffic enters and leaves their network," he said. "If no-one on the internet complains about it, there's no reason for you to investigate that server."
A business ISP could be controlling tens of thousands of IP addresses, he said, and would simply not have time to investigate all the complaints that come in about them.
He said the fractured nature of the net meant that tracing where spam was coming from and doing something about it could be tricky - and could soak up resources a small firm could use more productively.
"If you are a small ISP and have only a few employees, then your main worry is tracking customers not abuse handling," he said. "And if it's a business ISP the server may not be under their control."
Mr Rand said the problem had become so big because the cost equation was heavily tilted in favour of spammers.
"The ISPs will never save money stopping spam," he said. "The cost to the spammer of sending junk is zero, so no matter what response rates they get, anything greater than zero is a win."
Many ISPs might claim that spam was becoming a solved problem as far less of it made it through to email inboxes, but that did not mean it was not a problem, said Mr De Joode.
"It's not just emails filling your inbox," he said. "It's the route into the world of cybercrime."
Spam is a way for criminals to start generating cash, it allows them to recruit money mules and often relies on hijacked PCs that can be plundered for personal information.
Mr Rand said he was generally not in favour of governments getting involved in industry issues, but the spam problem was so big and so persistent that it might be time for them to intervene.
Government involvement or threats to hold ISPs accountable if they did not do more to tackle spam might spur a big change, he said.
"Maybe it's legislation we need, maybe it's threats of legislation," he said. "We need help."