What I can’t understand is the spam that is complete gibberish…maybe a halfway recognizable title, but no message, or just gibberish in the body of the message. What is this supposed to accomplish? With no link, no way to contact the person to get my penis pills, how can anyone profit?
Are they just hoping that I’ll REPLY to the message? And they have a script that harvests any email addresses that reply? Does anyone actually reply? I can understand someone clicking a link on an impulse, but sending the penis pill email address a reply? And sometimes there is no SENT field, no link, no phone number, no address, no product. How can I get my penis pills then? Is this just some idiot who doesn’t know what he’s doing trying out brand new spam-ware and screwing it up?
Or should the UN try, when it can’t even authorize a war without tripping over its own feet?
The US only owns a small piece of this pie, and a large amount of both spam and viruses are coming out of Asia. Out of countries that don’t, won’t, or can’t stop it, and would greatly resent US hegemony over this matter in any case. Even if the actual authors are in the US, which is looking highly doubtful given the number of Asians that have actually been caught, it’s pretty easy to fake your address and make it look like you’re operating far offshore.
n3rd: The only fatal flaw in the design of antiviral software is that it tries to fix fundamental flaws in the OS it’s running on.
No, this is not correct. It is not necessarily an operating system bug/vulnerability that allows for the spread of viruses. Granted, there has been a recent spate of viruses that do use vulnerabilities (e.g. blaster/nachi), but many do not. All these email viruses that require you to open and run the attachment cannot be blamed on the OS; how is the OS supposed to know that it’s actually a virus you wish to run, and not a program? There is no way for the OS to determine that the email was malicious in the first place.
As a side note, anyone running a personal firewall (blocking the correct ports) would not have been infected by blaster/nachi, even if they had not patched their PCs.
Which fundamental flaws do anti-virus packages try to fix in the OS? I’d think that personal firewalls would be doing that job instead (closing off ports/protocols that aren’t needed, thereby reducing the risk of vulnerabilities being exploited, which is best practice anyway).
Also, are you arguing that there is no window period between the time of a virus being released and the time the AV software can detect/clean it?
I was skeptical of this, like others in this thread. So I did a little searching and found this on the Tech TV website:
That I could believe. There are a lot of reasons that the Nigerian scam is more likely to draw you in than most spam, starting with the use of meaningful words and sentences.
Heh. From the link that scr4 posted, regarding a “penis-enlargement” product being hawked:
*Other customers included the head of a credit-repair firm, a chiropractor, a veterinarian, a landscaper and several people from the military. Numerous women also were evidently among Amazing Internet’s customers.*
The head of a credit-repair firm: Har! That aside, I have to wonder what the women were going to do with the pills. I assume some of them were to become gag gifts (although at $50 a bottle, that’s an expensive gag), but are the others planning on giving them to their husbands or crushing them up and slipping them into hubby’s drinks?
RR
My theory (not a conspiracy) is that the people who are benefitting most from spam are … the spammers.
There are thousands (I hesitate to say millions, but who knows) of small businesses who fall for the “Special Offer, mail 5 billion people for only $500”. The spammer takes their money, spams (or not, he’s usually a criminal, after all), they may get a few leads, and that’s it. The spammer doesn’t care, the next 10 clients have already signed up.
Besides, where’s the Symantec or McAfee of anti-spam? Sure, it’s a market, but are you saying someone is responsible for a significant proportion of the billions of spam messages in order to sell software?
Anyway, the fundamental flaw is the lack of file permissions and, therefore, the ability of random programs to alter arbitrary files, even if those files are essential system files.
In Unix, and Unix-like OSes, there is a rather elegant-but-powerful system of permissions established that effectively prohibits userland programs from stomping on anything essential. Only root can run programs that can modify arbitrary files, and most people are smart enough not to run as root most of the time.
In Windows and MacOS Classic, no such system of permissions exists. Read-only permissions are advisory at best, meaning that any program can modify any file at any time. That is the main flaw antivirus programs are trying to paper over, and as we all know it isn’t working.
Windows NT and 2K/2K3/XP all support NTFS file permissions. Windows 2000+ also has file system protection, which will not allow you to overwrite important system files.
The problem with Windows is that any process can run under the ‘system’ context, often giving more access privileges than needed. Windows 2003 has removed this limitation, and every process must run under a user account.
File permissions will not, however, stop certain types of viruses. If I email in my own custom trojan to a (*nix or Windows) user, and they run it, I can still erase their boot sector or reflash their BIOS, circumventing the OS file security. In addition, many of the files on the system could still be potentially deleted, rendering the system almost unusable. (The logged in user is bound to have at least some access permissions, if not, they won’t be able to do much work on the box anyway.) I could also write my virus executable to an arbitrary directory that has available permissions, and schedule a cron job to start it at each boot.
The fact that very few viruses for *nix exist simply means that *nix is a less targeted platform than Windows, not that it’s virus-proof. I have come across several Linux boxes which have been infected with worms that spread across the network using an unpatched vulnerability, and the boxes weren’t logged in as root. How can this be?
It is estimated that 90% of the world’s spam comes from as little as 200 spammers. See spamhaus for more information. If spamming was really profitable, why this disparity? Surely there would be millions of spammers trying to make a profit?
In addition, as I pointed out earlier, spam emails are very poorly formatted, for no reason whatsoever. Surely making spam look a bit better will result in more hits? It’s going to take hours or days to send out the spam shot, why not spend 5 minutes extra to make the email look better? The answer is simple: they don’t expect you to buy the products!
n3rd: Going to the BIOS or the boot sector is a flaw in hardware design, not OS design. Even having a BIOS is a dumb move from a security point of view, as a matter of fact, especially since the BIOS has been obsolete for over a decade now.
All of your cracks against *nix systems are known and would be ineffective against a well-maintained system. They assume that certain directories and the crontab are world-writable, when in fact they would not be. Something as simple as a chroot jail would, in fact, contain nearly any worm, trojan, or virus you want to send at me. Is it even possible to make a chroot jail under XP?
About the fixes in Windows 2003: Why, then, is Windows XP so vulnerable to the Blaster worm? How come Code Red was able to do so much damage on relatively recent (XP-using) Windows boxes? Did Microsoft make the fixes in 2003 and then not in XP?
And, finally, about Linux and other Unix systems not being targeted: Linux and the Unices between them own most of the server and router markets. NT was edged out into a marginal position years ago. Since those machines (the high-end Internet computers) are so valuable to any attempt at creating and spreading a worm, how is it that they are not targeted more often?
A US consumer organization did a study of spam a while ago (reported in PC Magazine/ExtremeTech??), which found that more than half of all the spam they checked by responding to the message resulted in no reply from the supposed retailer.
This led them to conclude that the majority of these messages were sent solely to generate updated lists of valid e-mail addresses for sale to other spammers. This sounds a lot like “taking in each other’s laundry” economically, so there has to be a fair amount of income coming from the retailer side for the “real” messages to be viable.
The fixes were in 2003, not XP. But they didn’t help, because it was a vulnerability in an OS service.
In terms of Viruses, *nix is less targeted. There are hundreds of times as many viruses for Windows/DOS as there are for *nix. In terms of HACK attempts and successes, Linux is the most compromised operating system: see here. I find your other claims regarding server market share (and *nix owning most of the router market) quite dubious. You need to qualify this - is this web server market share you are referring to? Does this include every university student’s Linux server that he fiddles with? Who would want to target such a system? I’d be more interested to see on which operating systems the world’s top 10000 companies’ e-commerce sites run. According to this site, overall server shipments for Windows is running at 55%. This is not a marginal position.
You are correct in saying that a properly maintained Linux system is difficult to break into, but the same can be said for a Windows system. I don’t have any AV software installed on my system. I haven’t had for the past 7 years. I patch my system regularly (which on Windows is far easier than any other OS), and do not open any suspicious looking emails. As a precaution, I do a McAfee (DOS version) virus scan once a week, just to make sure. My PC is also behind a firewall (personal if I’m at home, or corporate at work).
Any operating system will have vulnerabilities, which will be able to be exploited. But if you keep them behind a firewall and patch them regularly, as well as not download/run suspicious programs, you should be safe. Locking down Linux (or any OS) 100% is not a simple task. I’d suggest that most Linux users do not have the know-how to do this. In my opinion, the best practices above are a better approach to keeping one’s PC (or server) clean and secure, as they are much easier to implement.
Unfortunately, there is no limit to user stupidity, so PCs will always become infected.
I don’t think that follows. No one said spam was really profitable; from what I’ve read, the millionaire spammers are practically nonexistent. Looks to me like an extremely high-volume, very low-profit racket that takes some technical knowledge to pull off. To generalize broadly, smarter criminals ran Enron, dumber criminals sell drugs.
That’s my point. The spammers themselves don’t necessarily care about the hit rate, they’ve already sold their services to whoever’s actually offering the product. I know you’re arguing that they could just take the money and run, and I’m more than half-convinced that’s what they’re doing in many cases, but you’d have to have some base-line ‘credibility’ I would imagine.
They’re also advertising their own credit card scamming porno sites, MLM sites and the like.
The poorly formatted mails are most likely to evade and/or poison filters. In any case, the kind of guy who’d buy herbal viagra or equine erotica based on spam isn’t going to care that there’s a string of nonsensical characters in the subject line.
I just don’t buy the conspiracy (your AV theory isn’t helping).
People have been studying this problem for years and have yet to find a single, simple solution to the problem. How would someone implement an effective catch-all solution and seriously profit off of it? Is MS really that evil and secretly pushing for their own proprietary mail protocol?
Besides, could you imagine the fallout if a single entity was discovered to be behind 90% of spam? The CEO would be gunned down in the street.
n3rd: Cracks against Linux seem more prevalent because the Linux world has no reason (coughMARKETINGcough) to keep them secret. No Linux vendor will sue you if you make their flaws known (coughDMCAcough). Bugtraq is an Open-Source invention, not a Microsoft one. That tells you something.
As for the shipping with Microsoft OSes pre-installed: Look at the deals Dell and such have signed with MS. If they sell machine 1 with an MS OS on it, they must sell all machines with MS OSes on them. MS will become extremely annoyed if they do otherwise, especially if they sell Linux.
About MS OSes being easier to patch: Uh, sorry, wrong. If you can’t see the source code, how are you going to patch it meaningfully? Do you actually trust the binary-only patches MS ships? I suppose you don’t have any choice, but the security-conscious among us do.
I’m not saying Linux is the most secure thing around. VMS might well be, or AIX, or something else of that ilk. But try to run VMS (as opposed to its bastard offspring, Windows NT) on modern hardware and then find support for it, all without paying an arm and a leg. (I’m aware of OpenVMS, but I don’t consider it fully mature.) But I am saying that MS has had to keep backwards-compatibility all the way back to MS-DOS, which is not meaningfully securable in any sense of the term, and that has put fatal flaws in their system design.