Home / Blogs

Raspberries! Botnet Spam Just Got a Whole Lot More Dangerous

Neil Schwartzman

Many have heard of botnets, but for those that aren't certain what they are: Botnets are armies of hacked zombie computers that have malware on them, and send spam email at the command of operators anywhere in the world. They can also be told to deploy denial of service attacks, by all hitting the homepage of a given company, or attacking the DNS server or a service or country. There are a lot of ways to become infected; through malicious emails, on 'driveby infection' websites and even through search results. Once a machine is infected it continues to operate normally, but surreptitiously does malicious things behind the owner's back.

As messaging champions we are most concerned about their email activity, and that is actually pretty easy to deal with:

Blocklist services like Spamhaus' PBL (policy blocklist) allow ISPs and mailbox providers to determine what IP addresses should never-ever send email. So, for example, my ISP Comcast will announce to the world which IPs they own are dynamic, assigned to residential end users and should never send any email. My machine should never send email itself, rather, it should be using Comcast's outbound facing servers, or Gmail, or something of that sort. If email is seen coming directly from my IP address they then know something is wrong and they can safely ignore the mail.

ISPs and other receiving domains then leverage services like SURBL's domain blocklist into play, checking messages that make it past the first few layers of protection, looking at content within the message for bad domains.

So if I email from a legitimate source but include a link to criminalbank.com — SURBL will stop it from ever making it to someone's inbox. This offers recipients and mailbox providers several levels of security and methods of dealing with botnets. One is focused on identifying non-legitimate sources of mail traffic, and the other verifies the content of a message for links to malicious.

The botnet operators have begun using an old trick, which is to hack into a website (usually running a badly configured version of WordPress software) and then using a URL to a page they create in the body of spam emails, which redirects to their criminal domain; they purloin the good reputation of a small site to their own ends.

SURBL and the other domain blocklists like the DBL and URIBL have a heck of a time catching these spams, since the URLs appear to be legitimate, which means more spam in the inbox for you and me.

This past week or so, the botnet has been sending out hundreds of millions of spam with these compromised-redirect domains (they can be bought on the criminal black-market for pennies) and promoting a scam weight-loss program involving The Raspberry Ketone Diet, and using a stolen clip from the Dr. Oz Show to lend some legitimacy to their wares.

I've personally seen at least 250 different Raspberry-related domains registered recently, all of them related to this spam blast. This is the continuation of a multi-platform spam campaign that started in February — spammers, probably the same ones, were also abusing social media and skewing search results earlier this year. This is truly a second-hand spam attack.

Unfortunately there isn't much the normal user can do to protect themselves from becoming 'botted' apart from updating their software and operating system daily, and even then, with the proliferation of 'zero-day' exploits, it is always a game of catch-up. People who are running WordPress can lock down their software, that would help a lot. And, of course, never buy anything spam tries to sell you.

All of this talk of food makes me want to go eat some toast, with raspberry jam, of course!

Originally published at Message Bus – reposted with permission.

By Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE
Follow CircleID on
Related topics: Cyberattack, Cybercrime, Malware, Spam
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign