Bedford Ramblings
Steve Mills

Can someone help me understand botnets, spam, etc.?

Posted Tuesday, January 17, 2012, at 7:34 AM
View 4 comments
Note: The nature of the Internet makes it impractical for our staff to review every comment. Please note that those who post comments on this website may do so using a screen name, which may or may not reflect a website user's actual name. Readers should be careful not to assign comments to real people who may have names similar to screen names. Refrain from obscenity in your comments, and to keep discussions civil, don't say anything in a way your grandmother would be ashamed to read.
  • No, cause they are using multiple proxies, other botnet infected systems to do all the work.

    Best case scenario. Clean your system, get a good router, and never click a link you don't know what it is. You can even get infected by a picture you click on. That's how sophisticated they can be.

    How can you tell if a picture has Trojan or malicious software embedded? Check the physical size of the image and the data size, if they don't seem like it could be possible. It is a good possibility its infected.

    -- Posted by Evil Monkey on Tue, Jan 17, 2012, at 8:51 AM
  • Also, in many cases the computer that seems to be sending the e-mail isn't -- some of this malicious software is sophisticated enough to be able to forge the return address. So Fred Flintstone's computer might be infected, but the virus randomly chooses a return address out of Fred's address book, and all the e-mails list Barney Rubble as the "from" address, even though Barney's computer is clean as a whistle, hasn't been infected and isn't the true source of the e-mails.

    -- Posted by Jicarney on Tue, Jan 17, 2012, at 9:11 AM
  • I think you're mixing together two things here: an email address, and a (possibly infected) computer.

    You write "... say my computer is sending out garbage, how does sending a reply tell the network it is a live email address?"

    First, as far as your infected computer is concerned, the botnet already "knows" that that computer is infected and available to send spam, because the malware running on your machine "checks in" with its controller to say "Here I am! What do you want me to do?" That's what a botnet is: it's a network of machines that have been infected and have checked in with the network controller (also known as a C&C - command-and-control - host), another computer directly or indirectly run by the human manager of the botnet.

    When you reply to a piece of spam - by which I mean that you read the spam message in your email program and you click the 'Reply' button - various things can happen. Let's assume that the address in the 'From' or 'Reply-To' line of the spam actually belongs to the spammer (in most cases, addresses on spam are either fake, or belong to someone totally unrelated to the spammer). In that case, your reply goes to a mailbox set up by the spammer. The spammer can then say "Oh look, we got a message from stevemills@wherever - that must be a valid address. Let's add that to all our mailing lists and send him more spam! And then sell our lists to other spammers, so that they can send him spam too!" (the spammer actually has programs to do this automatically, but that's the idea).

    The spammer knows nothing about the state of your computer - infected, uninfected, maybe you don't even have a computer and just use a smartphone. What they do know, however, is that stevemills@wherever is someone who reads and replies to his mail. So you get more spam.

    Your second question: why can't you just send an email back to the computer that sent you the junk? Again, I think you're mixing up a computer and an email address. Remember, a computer doesn't have an email address: its owner has an email address.

    Suppose you get a piece of spam. You look at the headers of the message, and see that the spam was posted from a computer with the IP address (an IP address is sort of like a telephone number for computers). But that isn't an email address - you can't send a message back to that number and say "Hey, you're infected, fix your stuff!"

    OK, you say, but someone must own that computer. Why can't I figure out what their mail address is and let them know?

    First of all, there's nothing in the spam message to tell you what the actual mail address of the owner of the infected computer is. The address in the 'From' line might belong to the spammer. It might belong to a random stranger. It might even belong to you.

    So you have to look elsewhere to find the email address that belongs to the person who owns that computer. Suppose you recognize that belongs to a particular Internet service provider (ISP), like AT&T or Verizon. To get from that address to the email address of the owner of the computer, you'd have to persuade the ISP to give you the email address of the person who owns the computer that was using at the precise moment that you got sent some spam (IPs aren't fixed: different computers can have the same address at different times). Not only would the ISP have to be willing to tell you (and they generally won't tell anyone except law enforcement), but they'd have to know, which is not guaranteed. For example, my ISP has assigned me an email address - but I never use it. I don't even check mail there. If you want to reach me, you need to use a different address, and my ISP has no idea what that is.

    So in most cases, there's no easy way to let someone know that their computer is infected. Sure, if we could mail everyone whose computer is infected and tell them "Hey! Fix your computer!" and they did, then that would be an end to botnets. Unfortunately, in most cases there's simply no practical way to tell which email address belongs to the owner of a particular infected computer.

    -- Posted by spamnation on Tue, Jan 17, 2012, at 9:35 AM
  • Whew, a lot to think about! Thanks folks.

    The bottom line is no, there is not solution.

    Oh well.....just dreamin'.

    -- Posted by stevemills on Tue, Jan 17, 2012, at 10:36 AM
Respond to this blog

Posting a comment requires free registration: