...and all that SPAM - Evolution of Spam Bots in 2009

Published: 2009-01-16
Last Updated: 2009-01-16 08:32:29 UTC
by G. N. White (Version: 1)
1 comment(s)

Argh!  It's a brand new day, and another brand new batch of Spam to delete from the inbox.  For those of you who may have a passing curiosity about where all this unsolicited stuff originates, I have found that the current state of affairs is probably best described through the work of Joe Stewart - Director of Malware Research at SecureWorks.

In his latest Threat Analyses document, "Spam Botnets to Watch in 2009", as well as a previous document from 2008, "Top Spam Botnets Exposed", Mr. Stewart goes into detail about the various bot-based Spam generation clusters that exist on the Internet, and how they can be categorized based on their behaviour - including the "types" of Spam each cluster tends to yield.

To combat this phenomenon, a number of ISPs (including the ISP I purchase my services from) have implemented outbound TCP Port 25 (SMTP) blocking - forcing the customer to use only the SMTP servers associated with the ISP.  It was rather alarming to read in Mr. Stewart's latest document about a category of malware known as "Gheg" or "Tofsee" that has the capability to "...route spam through the victim's ISP's mailserver" - effectively circumventing the whole TCP Port 25 blocking technique above!

I had asked around for any evidence that such a "smarter" Spam Bot actually exists, and was provided the following section of a packet capture by the "honeynor.no" group:

47 45 54 20 2F 73 70 6D 2F 73 5F 61 6C 69 76 65   GET /spm/s_alive
2E 70 68 70 3F 69 64 3D 31 32 33 34 35 36 37 38   .php?id=12345678
39 30 30 30 26 74 69 63 6B 3D 31 32 33 34 35 36   9000&tick=123456
37 38 39 26 76 65 72 3D 31 32 33 26 73 6D 74 70   789&ver=123&smtp
3D 62 61 64 20 48 54 54 50 2F 31 2E 30 0A 55 73   =bad HTTP/1.0.Us
65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E   e; MSIE 6.0; Win
64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 56 53 32   dows NT 5.1; VS2


Note the smtp=bad parameter, which indicates that the bot has detected TCP Port 25 blocking at the infected host, and that an alternate means (such as relaying through the ISP's own mail server) would be required for the Spam Bot to function.
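As an added illustration (this is not part of the diary or of the honeynor.no capture), here is a small Python parser that decodes the hex dump above, pulls the query parameters out of the bot's check-in request, and flags the smtp=bad report so a defender could alert on it from a packet capture or proxy log. The function names, the "bare LF" check and the clean comparison request are my own assumptions about what is worth checking; the hex bytes are exactly the ones shown in the diary.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hex dump exactly as reproduced in the diary (the capture is cut off after "VS2").
DIARY_HEX_DUMP = """
47 45 54 20 2F 73 70 6D 2F 73 5F 61 6C 69 76 65
2E 70 68 70 3F 69 64 3D 31 32 33 34 35 36 37 38
39 30 30 30 26 74 69 63 6B 3D 31 32 33 34 35 36
37 38 39 26 76 65 72 3D 31 32 33 26 73 6D 74 70
3D 62 61 64 20 48 54 54 50 2F 31 2E 30 0A 55 73
65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C
61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C
65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E
64 6F 77 73 20 4E 54 20 35 2E 31 3B 20 56 53 32
"""

# Constructed comparison request from an ordinary browser (not from the diary).
CLEAN_REQUEST = b"GET /index.html?page=2 HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n"

REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/(1\.[01])$")


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_beacon(raw: bytes) -> Optional[dict]:
    """Parse the request line and headers of a (possibly truncated) HTTP request.

    Returns None when the first line is not an HTTP request line.
    """
    text = raw.decode("latin-1")
    lines = re.split(r"\r?\n", text)
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    method, target, version = match.groups()
    parts = urlsplit(target)
    # parse_qs returns lists; keep only the first value of each parameter.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "version": version,
        "path": parts.path,
        "params": params,
        "headers": headers,
        # RFC-conformant clients terminate lines with CRLF; the capture uses a bare LF.
        "bare_lf": "\n" in text and "\r\n" not in text,
    }


def assess_beacon(beacon: dict) -> dict:
    """Derive defender-relevant findings from a parsed request.

    The smtp parameter is the indicator the diary calls out: a bot reporting
    smtp=bad has found outbound TCP port 25 blocked and may next try to relay
    through the ISP's mail server instead.
    """
    params = beacon["params"]
    findings = []
    if beacon["bare_lf"]:
        findings.append("request line terminated by bare LF rather than CRLF")
    if beacon["path"].endswith("s_alive.php"):
        findings.append("check-in path matches the s_alive.php beacon seen in the capture")
    if "smtp" in params:
        findings.append(f"bot reports SMTP reachability: smtp={params['smtp']}")
    return {
        "port25_blocked_reported": params.get("smtp") == "bad",
        "findings": findings,
    }


if __name__ == "__main__":
    for raw in (hex_dump_to_bytes(DIARY_HEX_DUMP), CLEAN_REQUEST):
        beacon = parse_beacon(raw)
        print(beacon["path"], beacon["params"], assess_beacon(beacon))
```

Running the script prints the decoded path and parameters of the diary's capture (id, tick, ver and smtp=bad) alongside the clean request, which produces no findings. The assessment logic looks only at what is visible in the request itself, so the same functions can be fed lines from a web proxy log if the hex dump is replaced by the logged request line.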


Another interesting section in Mr. Stewart's latest document is entitled "McColo Takedown".  Again, a quick canvass of other folks combined with some searching led me to this amazing graph from the SpamCop.net website that clearly shows the significant reduction in Spam that resulted from this mid-November 2008 event:

http://www.spamcop.net/spamgraph.shtml?spamyear


I would strongly encourage you to read both of Mr. Stewart's Threat Analyses reports.  Links to these reports are here:

http://www.secureworks.com/research/threats/botnets2009/

http://www.secureworks.com/research/threats/topbotnets/


G.N. White

Handler On Duty (and now a clean inbox to boot)


Keywords: spam

Comments

On the plus side, if the spam is now routed through the ISP's servers, this gives the ISP a chance to filter it, or at very least rate-limit it.
