Hackers hit where they live

The countries of hackers originating malware-laced spam runs have been exposed by new research, which confirms they are often located thousands of miles away from the compromised systems they use to send out junk mail. A third of targeted malware attacks sent so far in March came from the United States (36.6 per cent), based …


This topic is closed for new posts.
  1. Anton Ivanov

    Is it me being thick...

    So how exactly did they manage to guess the true origin of SPAM sent by zombies? There are not that many open relays left out there to actually have true header information suitable for analysis. In the case of zombies everything in the header is faked and nothing can be trusted. So what address is there is pretty irrelevant...

    1. Anonymous Coward

      Next stage analysis

      An originator cannot fake its IP address as it would not be able to complete the handshake. Secondly, you may be able to somehow fake stage 1, but the next stage is no longer under your control so you'll have at least a grip on the route.

      In summary, it appears the bad guys transmit from China/Romania et al, and the idiots who have their systems infected are in the US. That's fun - at least you could theoretically sue them through their own legal system for collaborating. Hmm...

    2. Nexox Enigma

      Looks like they were focused on webmail accounts, which generally record the user's IP in the headers. So you get a US-based server for the webmail host, but a web-client IP from somewhere else. I suppose it could be bots from other countries connecting up to US-based webmail services, but yeah, we'll never know the actual source of anything that comes out of a botnet.

    3. Charles 9 Silver badge

      Was wondering that myself...

      How do they verify that the SENDER e-mail addresses (which can easily be faked) are genuine?

    4. Destroy All Monsters Silver badge

      Read again...

      ...they checked the X-Originating-IP Header of e-mails coming from (presumably compromised) webmail accounts hosted on (presumably uncompromised) servers.

      You could still argue that baddies used additional redirection when submitting the e-mail, so that the machine in Shaoxing submitting the e-mail is actually a zombie PC controlled from Uppsala instead of the primary source, but that may be going too far.

      1. Charles 9 Silver badge

        Not if you're covering up tracks, it isn't.

        If you plan to make an action that could conceivably be traced to you, chances are you're going to employ some means to disguise your origin so that, even if the law starts digging, they won't find the truth. They could for all you know be using an anonymizer service, an onion router, or the like. IOW, odds are not only is the sender's e-mail not likely to be legit, neither is the originating IP.

    5. copsewood

      check your Received header chain

      You need to look at a few full email headers. If your postmaster rips open your envelopes, throws these away and cuts off your letterheadings as some webmail providers do, then you'll stay ignorant until you choose to use a decent incoming mail delivery service. When you can check your full headers, the IP address delivering to the first trusted gateway in your trusted incoming chain is the one you filter/reject it on, blacklist if you want to and check blacklists for. This can all be done automatically.
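The check copsewood describes (walk the full Received chain, stop at the IP that handed the mail to the first gateway you trust, and treat everything below that as the sender's claims) is straightforward to script. The following is an added example and not code from any commenter or from the article; the message, the hostnames, the RFC 5737 addresses and the trusted-gateway list are all constructed for illustration. It also pulls out the X-Originating-IP header that Destroy All Monsters mentions, labelled as a claim rather than a fact, because that header is stamped by the webmail provider and sits below the trust boundary.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (RFC 5737 documentation addresses; no real hosts).
# Received headers read newest-first. The last one is a forged hop appended by
# the sender that pretends our own gateway relayed the mail.
SAMPLE_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
 by mailstore.example.net with ESMTP id abc123;
 Sun, 7 Mar 2010 10:00:00 +0000
Received: from smtp-out.webmail.example (smtp-out.webmail.example [198.51.100.25])
 by mx-in.example.net with ESMTPS id def456;
 Sun, 7 Mar 2010 09:59:58 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
 by smtp-out.webmail.example with HTTP;
 Sun, 7 Mar 2010 09:59:50 +0000
Received: from localhost (localhost [127.0.0.1])
 by mx-in.example.net with ESMTP id forged;
 Sun, 7 Mar 2010 09:59:40 +0000
X-Originating-IP: [203.0.113.77]
From: "Someone" <someone@webmail.example>
To: victim@example.net
Subject: constructed test message

hello
"""

# Our own inbound chain (assumed values for this example).
TRUSTED_HOSTS = {"mailstore.example.net", "mx-in.example.net"}
TRUSTED_IPS = {"192.0.2.10"}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def _first_valid_ip(text):
    """Return the first syntactically valid IPv4 found in square brackets, else None."""
    for candidate in BRACKETED_IP.findall(text):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def parse_received(value):
    """Split one Received header into (connecting_ip, receiving_host), or None."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = FROM_BY.search(flat)
    if m is None:
        return None
    return _first_valid_ip(m.group("from")), m.group("by").rstrip(";")


def first_untrusted_hop(msg, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Walk Received headers newest-first and return the IP that handed the
    message to the first trusted gateway. Stop there: every header below it
    was written by hosts we do not control and may be forged."""
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        from_ip, by_host = parsed
        if by_host in trusted_hosts and from_ip and from_ip not in trusted_ips:
            return from_ip
    return None


def claimed_origin(msg):
    """X-Originating-IP as stamped by the submitting provider: a claim, not a fact."""
    value = msg.get("X-Originating-IP")
    return _first_valid_ip(value) if value else None


def analyze(raw):
    """Summarise a raw message: hop count, the filterable IP, and the claimed origin."""
    msg = message_from_string(raw)
    return {
        "hops": len(msg.get_all("Received", [])),
        "delivering_ip": first_untrusted_hop(msg),
        "claimed_origin": claimed_origin(msg),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```

On the sample, `delivering_ip` is the webmail provider's outbound server (198.51.100.25): that is the address a blacklist lookup or reject rule should key on, since it is the only one the receiving chain observed directly. The forged bottom hop claiming to come from localhost via our own gateway is never reached, because the walk stops at the first real trust boundary. `claimed_origin` (203.0.113.77) is only as good as the provider that wrote it, which is exactly the caveat raised earlier in this thread.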

  2. Daniel B.

    How water discovered

    “Analysis of the sender’s IP address, rather than the IP address of the email server, reveals the true source of these targeted attacks.”

    No shit, Sherlock. I've known that since 1996, ever since Eudora allowed me to send email from my PC instead of directly sending it from the UNIX Workstations. That's why the headers usually stamp the originating SMTP server *and* the originating IP from which the email actually came.

    The thing is that it is mostly the zombie PC sending the e-mail, so even this source IP might end up being irrelevant. :(

  3. Anonymous Coward
    Paris Hilton

    re: Is it me being thick...


  4. Neoc

    Wait a second...

    "The average additional inbound and outbound traffic due to TLS requires an overhead of around 1KB, smaller than the average size of spam emails"

    Surely you mean "..., larger than..."?

  5. Jared Earle
    Dead Vulture

    How to be sure?

    Dead simple: Honeypots.

    If you have total control of a zombie and its supporting infrastructure, you can trace the commands coming in and the previous step in the chain.

  6. TeeCee Gold badge

    Sending mail server.

    “A large proportion of targeted attacks are sent from legitimate webmail accounts...”

    In these cases the IP address of the sending mail server is highly relevant. It tells us which webmail providers need to get off their fat, complacent arses and beef up their security to stem the tide of sewage flowing from their shite services.

    Here's an idea. If the webmail providers' spam filters can pick up spam with very high accuracy inbound as they do, why the f*** can't they run outbound mail through the things? They could provide an O/B spam folder of things wot were blocked, giving the legitimate user the option to either flag individual items[1] as not spam or, far more likely, delete the lot and change their sodding password. They wouldn't even need to run the spam filters aggressively O/B, keeping false positives to a bare minimum, as just blocking the bleedin' obvious stuff would render this route unusable to spammers.

    [1] One at a time - with authentication. We don't want anyone scripting that.

  7. steogede
    Thumb Down

    Re: How to be sure?

    >> If you have total control of a zombie and its supporting infrastructure, you can trace the commands coming in and the previous step in the chain.

    Yes but that only gives you one step back in the chain. So that only tells you that the X% of bots sending spam are downstream of bots in China/Russia/US. I don't see how they can be certain if it is the original source, or just another bot - unless they have managed to successfully follow the chain and prosecute the spammer; however, this would give misleading numbers as it is possibly easier to follow the chain in certain countries than others.
