Meng Weng Wong on the losing battle against spam

Meng is one of the great thinkers in this area. Here’s a recent update from him on the state of play.

Bots (zombied machines) are, in fact, predominant; they are
responsible for the majority of spam sent today, and the infection
rate is estimated as being as high as 1 in 3 Windows machines.

The bad-guy industry is mature.  Zombie networks can be rented by the
CPU-hour.

The field is so mature, in fact, that different criminal gangs play
“capture the flag”, battling it out to re-own machines that were
already owned by somebody else.

Distributed computing has officially arrived 🙂

Spammers today have access to more computational power, and at a
lower price point, than Lawrence Livermore, Sandia, and TJ Watson put
together.  This is a provocative statement.  I’ll substantiate it
below, with the caveat that the necessarily rough estimates do
introduce substantial error.

http://www.nytimes.com/2007/01/07/technology/07net.html?ex=1325826000&en=cd1e2d4c0cd20448&ei=5090

http://www.spamdailynews.com/publish/Organized_crime_offers_rent-a-zombie_deals.asp

Scotland Yard says zombie networks are available for approximately
$100/hr for 10,000 machines.  At approximately 2 gigaflops per PC,
$100 buys you one hour on a 20 Tflop/s zombie network (unclustered,
of course, so you’re not going to be modeling fusion reactions or
protein folding, but we’re going to pick a yardstick, we might as
well use gigaflops.)

If the typical zombie farmer makes 500,000 machines available for
rent, a total of 1,000 teraflop/s is available for $5,000 per hour.

http://www.networkworld.com/weblogs/layer8/012079.html

By comparison, LLNL’s Blue Gene/L runs at 280 Tflop/s, Sandia’s Red
Storm runs at 101.4, and TJ Watson’s box runs at 91.2.  For $10,000,
you can rent a 180 gflops slice of Blue Gene for a week, for 108
million gigaflops.  Or you can rent 1,000,000 zombie gigaflops for
two hours, for a total of 7.2 billion gigaflops.

http://www.itjungle.com/tlb/tlb031505-story03.html
http://www.top500.org/lists/2006/11

If you believe these figures, and are willing to compare apple-
gigaflops with orange-teraflops, the fastest supercomputer in the
world costs 66 times as much as a zombie network, and offers one-
third the raw computing power.  Of course, the flops aren’t
equivalent because the architectures and applications are completely
different.

And, of course, any economist will tell you that stolen goods cost
less.  IBM owns its facilities; zombie networks 0wn theirs.

But I’d like to think this disproves the original assertion that
“bots are not predominant.”

> Rather than have to defend my very normal need to do this against
> idiots, let’s just vote them off the island.

ISPs that do not block 25 are themselves being voted off the island
by a growing population of receivers in the email community.  There
is a small but growing industry which aims at filtering *outbound*
mail, and at quarantining and remediating infected home users.  All
of these costs are, of course, generally borne by ISPs, but are
hidden from and largely unappreciated by the consumer.

In 2007, email breaks down roughly like this:

If you’re a home consumer, you’re expected to relay mail through your
ISP’s servers.  You can reach them on port 25.

If you want to relay mail through some other server, say, your
corporate server at work, you can submit on port 587, which remains
unblocked.  That server will require a username and password, so it’s
not an open relay.  RFC2476 goes into more detail.

If you want to send mail directly to a receiver’s MX, you can’t: port
25 is blocked.  This is the recommendation of http://www.maawg.org/
and several other industry organizations.  It is, as you say, based
on the unfortunate logic that “most X are Y and most Y are X, and
since we can’t pinpoint X well enough, we approximate using Y.”

At present, if you really want port 25 unblocked, you have to sign up
for business-class DSL, often called “static”.

This usually costs more.

Now that port 25 is unblocked, you are assumed to run your own MTA
software, and to have your own MTA administrator.

If any of your machines get compromised, and emit spam, you will
eventually appear on one of the numerous DNSBLs out there.  When that
happens receivers may reject your mail, or file it to the spam folder.

It is unfortunate that the end-to-end Internet is only available to
“business-class” users.  If we want to get port 25 unblocked, all we
have to do is (a) secure Windows, so that home users can keep them
uninfected without doing any extra work, and (b) solve spam.
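The DNSBL mechanism Meng refers to above (a compromised machine ends up listed, and receivers then reject or spam-folder its mail) works by a reversed-octet DNS lookup. The following is an added illustration, not code from the original post; the zone name `dnsbl.example` and the listing table are constructed placeholders so it runs offline, and the `resolve` parameter is injected for the same reason.

```python
import ipaddress
import socket

# Assumed zone name: a placeholder, not any real DNSBL operator's zone.
DNSBL_ZONE = "dnsbl.example"

# Constructed sample listing, standing in for live DNS so the code runs offline.
SAMPLE_LISTINGS = {"10.2.0.192.dnsbl.example": "127.0.0.2"}

def sample_resolve(name):
    """Offline stand-in for socket.gethostbyname backed by SAMPLE_LISTINGS."""
    if name in SAMPLE_LISTINGS:
        return SAMPLE_LISTINGS[name]
    raise socket.gaierror(-2, "Name or service not known")  # NXDOMAIN

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: the IPv4 octets reversed, under the zone.
    192.0.2.10 -> 10.2.0.192.dnsbl.example"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone

def dnsbl_lookup(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Return the listing answer (an address in 127.0.0.0/8) or None."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN means not listed
    # A genuine listing answers inside 127.0.0.0/8; anything else indicates a
    # broken zone or a wildcarding resolver and must not trigger a rejection.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None

def smtp_connection_policy(client_ip, reject_on_listing=True, **kw):
    """What a receiving MTA does with an SMTP client: 'accept', 'reject' or 'tag'."""
    if dnsbl_lookup(client_ip, **kw) is None:
        return "accept"
    return "reject" if reject_on_listing else "tag"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, smtp_connection_policy(ip, resolve=sample_resolve))
```

Real receivers typically chain several zones and weight them; the 127.0.0.0/8 sanity check matters because a zone that has been shut down and wildcarded would otherwise list every client.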
