Why I Hate Windows

Posted on Monday 6 February 2006

<Caution, major rant ahead>
I try to stay off the OS soapbox, but I’m just fed up enough to rant today. I don’t have any hard evidence that what I’m about to discuss is actually caused by Windows, but I know just as sure as I’m pounding the keyboard that it ain’t a Mac problem, nor is it a Linux problem. What’s the rant? It’s the explosion in spam attempts made against my mail server since late last year. More specifically, it’s the zombied personal computers that host the attacks and the inherently insecure piece-of-dung operating system that lets them be launched.

First, here’s a minor annoyance. The goofball who owns the computer at 67.52.164.163, apparently on the end of a cable modem in Palm Springs, needs to wake up. See, his computer logged on to my mail server 59 times between midnight and 2:30 PM today. In the 72 hours which ended this morning at 12:01 AM that fool’s machine made 208 fraudulent attempts to log in to my server. I finally got tired of the jerk not paying attention and banned the IP in my firewall. But that’s minor.

In the same 72-hour period my server blocked 3203 attempts to deliver spam, or probes to find out whether it can be used to send or relay spam. Now I’m sure that some ISPs would look at that rate – an attempt every 80 seconds or so – and laugh it off. But for my little mail server, which hosts fewer than 20 mail accounts, it’s a staggering number.

Here’s how the 3203 attempts break down: (None of these actually got through.)

  • 1 attempt to log in as a known user. Idiot.
  • 38 connections from machines that announced, in their SMTP HELO greeting, a domain which does not exist.
  • 157 scans of port 25 to see whether my server is a mail server, and thus a target for spammers. I haven’t bothered to go back and check how many of those scans originated on machines which later attempted to deliver spam. My assumption is that sooner or later all scans of port 25 come from spam suspects. I wonder if building a filter to automatically block connections from a machine which port scans my server would have any effect?
  • 199 messages were sent to “spam trap” addresses I’ve set up. If a message addressed to one of these addresses hits my server, my server accepts it then dumps it in a bit bucket rather than in a mailbox.
  • 264 connections from machines with misconfigured host names, a sure sign of a poorly written spam engine running on a Windows zombie.
  • 335 connections from machines pretending to be my server, i.e. announcing my own host name in their HELO greeting, including the 59 from the chowderhead mentioned above. A favorite trick of spammers is to pose as the server itself and then send email to the users on that server, as if it were local mail.
  • 414 messages were blocked by my own keyword filters.
  • And a whopping 1795 messages were blocked by so-called DNS blacklist (DNSBL) filters. These filters take the IP address of the connecting machine, reverse its octets and look the result up as a DNS name under a blacklist zone run by a service such as Spamhaus, which in effect is a worldwide database of known spamming machines. If the lookup returns an answer, the address is listed and the filter refuses the connection.
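To make the rejection categories above concrete, here is a small connection and message policy in Python that implements the same checks: HELO forged as the receiving host, HELO domain that does not resolve, DNSBL lookup by reversed IP, spam-trap discard and a keyword filter. This is an added example, not the author’s actual mail-server configuration; the local hostname, trap addresses and keywords are assumed, and the DNS lookup is injectable so the code runs offline against a constructed fake resolver.

```python
import ipaddress
import socket

# Assumed local configuration (not the author's real values).
MY_HOSTNAME = "icebox.example.org"           # our own FQDN
SPAM_TRAPS = {"trap1@example.org", "sales-old@example.org"}
KEYWORDS = ("cheap rolex", "v1agra")         # crude body keyword filter
DNSBL_ZONE = "zen.spamhaus.org"              # Spamhaus zone, as in the post's log


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets of an IPv4 address and append the list zone.

    12.211.88.118 -> 118.88.211.12.zen.spamhaus.org
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def resolves(name, resolve=socket.gethostbyname):
    """True if the name has an A record; for a DNSBL name that means 'listed'."""
    try:
        resolve(name)
        return True
    except OSError:          # socket.gaierror is an OSError subclass
        return False


def check_connection(ip, helo, resolve=socket.gethostbyname):
    """Return a rejection reason at connect/HELO time, or None to continue."""
    h = helo.strip().lower()
    # A client greeting us with our own name (bare or fully qualified) is forging.
    if h in (MY_HOSTNAME, MY_HOSTNAME.split(".")[0]):
        return "helo-forged-as-self"
    # DNSBL check on the connecting address.
    if resolves(dnsbl_query_name(ip), resolve):
        return "dnsbl-listed"
    # HELO must be a fully qualified name that actually exists in DNS.
    if "." not in h or not resolves(h, resolve):
        return "helo-domain-nonexistent"
    return None


def check_message(rcpt, body):
    """Per-message checks after DATA: trap addresses and keyword filter."""
    if rcpt.strip().lower() in SPAM_TRAPS:
        return "spamtrap-discard"        # accepted, then dropped, never delivered
    low = body.lower()
    if any(kw in low for kw in KEYWORDS):
        return "keyword-filter"
    return None


if __name__ == "__main__":
    # Constructed offline resolver: only these two names "exist".
    def fake_resolve(name):
        if name in ("mail.legit.example.com", "118.88.211.12.zen.spamhaus.org"):
            return "127.0.0.2"
        raise OSError("NXDOMAIN")

    for ip, helo in [("12.211.88.118", "ajieybe.ovqos5o.verizon.net"),
                     ("203.0.113.5", "ICEBOX"),
                     ("203.0.113.5", "nonexistent.invalid"),
                     ("203.0.113.5", "mail.legit.example.com")]:
        print(ip, helo, "->", check_connection(ip, helo, fake_resolve))
```

The order matters in practice: the self-HELO test costs nothing, the DNSBL lookup is one query per connection, and the HELO-resolves test is the one most likely to be slow or flaky, so it goes last. A real MTA would also cache DNSBL answers per the zone's TTL rather than re-querying for every connection from a bursting zombie.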

As far as I can count, 32 spam messages actually did get through the gauntlet.

Don’t get me wrong, the constant pounding at my electronic mail box is having no noticeable effect on my server’s performance, but it’s annoying as hell, and I’ve just had it up to here. I can imagine, however, that network providers – especially broadband providers like the cable companies – are getting pretty tired of watching their bandwidth get chewed up by this stinking deluge. For example, consider this series of log entries from earlier today (slightly edited for space):

2:21:09 PM spamhaus blocked connection from flocculate@chalky.com at ICEBOX.bzc1.org (12.211.88.118)
2:21:09 PM spamhaus blocked connection from russ@realtyagent.com at ICEBOX (12.211.88.118)
2:21:10 PM spamhaus blocked connection from mildew46@buttonpushers.com at ICEBOX (12.211.88.118)
2:21:10 PM spamhaus blocked connection from motorcycle64@darkcorner.com at ajieybe.ovqos5o.verizon.net (12.211.88.118)
2:21:11 PM spamhaus blocked connection from lexicographer34@akkadian.com at ICEBOX (12.211.88.118)
2:21:11 PM spamhaus blocked connection from marketplace32@boster.com at 486fxi7.55tir6.ameritech.net (12.211.88.118)
2:21:11 PM spamhaus blocked connection from membrane32@blowitup.com at ICEBOX.our2u4.org (12.211.88.118)
2:21:12 PM spamhaus blocked connection from gullible75@bellybuster.com at ICEBOX (12.211.88.118)
2:21:12 PM spamhaus blocked connection from misanthrope34@chasing.com at ICEBOX (12.211.88.118)
2:21:13 PM spamhaus blocked connection from wally@nycmail.com at 62ineqi.kein7tza.aol.com (12.211.88.118)

Let me give you a quick translation: in the space of 4 seconds a machine at IP address 12.211.88.118 (which is apparently located just across the Ohio River from Cincinnati) connected to my server 10 times. It pretended to be 6 different machines and purported to be delivering mail from 10 different users. How many times each hour is 12.211.88.118 sending out these bursts? How long has this machine been infected? Why hasn’t the user noticed that something’s wrong? Why hasn’t his or her ISP shut down the connection yet? How many spam messages does this machine actually deliver?
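As an added example (not the author’s tooling), here is a burst detector for the log format quoted above. It groups rejected connections by source IP and flags an address that makes many connections inside a short window under several different HELO names, which is the signature of a single zombie cycling through forged identities; it then emits one firewall rule per flagged address, which is one answer to the “block them automatically” question raised in the port-scan item earlier. The thresholds, the assumed log date (the lines carry none) and the two lines from a second, non-offending IP are constructed; the other ten lines are the ones quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "spamhaus blocked connection" lines quoted in the post.
LOG_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) spamhaus blocked connection from "
    r"(?P<sender>\S+) at (?P<helo>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\)$"
)
ASSUMED_DATE = "2006-02-06"   # the log lines carry no date; the post's date is assumed

# Sample input: the ten lines quoted in the post, plus two constructed lines
# from a second IP (198.51.100.7) that should NOT be flagged.
SAMPLE_LOG = """\
2:21:09 PM spamhaus blocked connection from flocculate@chalky.com at ICEBOX.bzc1.org (12.211.88.118)
2:21:09 PM spamhaus blocked connection from russ@realtyagent.com at ICEBOX (12.211.88.118)
2:21:10 PM spamhaus blocked connection from mildew46@buttonpushers.com at ICEBOX (12.211.88.118)
2:21:10 PM spamhaus blocked connection from motorcycle64@darkcorner.com at ajieybe.ovqos5o.verizon.net (12.211.88.118)
2:21:11 PM spamhaus blocked connection from lexicographer34@akkadian.com at ICEBOX (12.211.88.118)
2:21:11 PM spamhaus blocked connection from marketplace32@boster.com at 486fxi7.55tir6.ameritech.net (12.211.88.118)
2:21:11 PM spamhaus blocked connection from membrane32@blowitup.com at ICEBOX.our2u4.org (12.211.88.118)
2:21:12 PM spamhaus blocked connection from gullible75@bellybuster.com at ICEBOX (12.211.88.118)
2:21:12 PM spamhaus blocked connection from misanthrope34@chasing.com at ICEBOX (12.211.88.118)
2:21:13 PM spamhaus blocked connection from wally@nycmail.com at 62ineqi.kein7tza.aol.com (12.211.88.118)
2:25:00 PM spamhaus blocked connection from a@example.net at mx.example.net (198.51.100.7)
2:25:30 PM spamhaus blocked connection from b@example.net at mx.example.net (198.51.100.7)
"""


def parse_log(text):
    """Return a list of (timestamp, ip, helo, sender) for every matching line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # unrelated log line, skip it
        ts = datetime.strptime(ASSUMED_DATE + " " + m["time"], "%Y-%m-%d %I:%M:%S %p")
        events.append((ts, m["ip"], m["helo"], m["sender"]))
    return events


def find_bursts(events, window_s=60, min_conns=5, min_helos=3):
    """Per source IP, find the densest window_s-second window of connections and
    flag the IP when that window holds >= min_conns connections announced
    under >= min_helos distinct HELO names."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best, j = None, 0
        for i in range(len(evs)):          # sliding window [j, i]
            while (evs[i][0] - evs[j][0]).total_seconds() > window_s:
                j += 1
            chunk = evs[j:i + 1]
            if best is None or len(chunk) > len(best):
                best = chunk
        helos = {e[2] for e in best}
        if len(best) >= min_conns and len(helos) >= min_helos:
            flagged[ip] = {
                "connections": len(best),
                "helos": len(helos),
                "senders": len({e[3] for e in best}),
                "span_s": (best[-1][0] - best[0][0]).total_seconds(),
            }
    return flagged


def firewall_rules(flagged):
    """One iptables DROP rule per flagged source, limited to port 25."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bursts(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(ip, info)
    print("\n".join(firewall_rules(hits)))
```

Requiring several distinct HELO names, not just a high connection count, is what keeps a legitimate but busy relay (one consistent hostname, many messages) from being banned by mistake; the rule is scoped to port 25 so a false positive costs the remote host mail delivery, not all connectivity.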

This is not at all atypical. But it is beyond pathetic, and all completely preventable. The problem, at its heart, is simple. Microsoft Windows allows programs to be installed and run without intervention/approval of the machine’s administrator. Users open attachments to messages and bang, their machine is infected with a virus. True, some of those viruses destroy data. Some harvest email addresses from address books and email programs, then send the addresses to the spammers. Others set up a nifty little stealth mail server on the unwitting host, then take instructions from the spammer via remote control. These are the real ‘zombie’ machines.

It’s not practical to stop it all at once, but it can be done. First, I’d think the ISPs would make it known to Microsoft that their OS is costing the ISPs money. Second, those same ISPs need to get serious about the problem themselves. They should pay more attention to abuse complaints and shut down service as soon as a zombied machine, or a ‘real’ live spammer, is discovered. Nothing will get the attention of the Average Frustrated Internet User faster than having his service yanked. Third, I’d think that Microsoft, for all their well-known arrogance, would finally get off their backsides and take steps to fix the problem. They would argue that they have taken steps, but the reality is that they’ve been band-aids against shotgun wounds – less than cosmetic. Fourth, users need to wise up and a) stop opening email from strangers and b) install and run anti-virus software. In the longer term, perhaps they’ll stop buying cheap crap that makes the problem worse.

</rant>

