
Botnets are spamming through web-mail services like gmail.com, hotmail.com, etc. by compromising email accounts

I read a post on this forum about how online accounts are compromised. The following are some of the ways:

1. Same password used to register everywhere

2. Common password

3. Phishing

4. Malware, keyloggers

5. Secret questions like "what's my name" or "my favourite color"

6. Malicious browser extensions, Firefox user scripts/plugins/extensions

These compromised accounts are mostly used by spammers/botnets to spam.

Could anyone kindly elaborate?

How do the individual bots of a botnet not get caught for using the compromised accounts to send spam mails? Gmail and Hotmail are big fishes; how do these bots evade detection?

Thanks

user10012
  • What exactly do you mean by "getting caught"? Are you talking about the botnet operators? About individual zombie systems of the botnet getting identified and blocked? Or about the email services identifying accounts which got compromised? – Philipp May 25 '16 at 11:40
  • @Philipp, I meant individual bots of the botnet, which are using the Gmail accounts to send spam. – user10012 May 25 '16 at 11:42

3 Answers

Botnets often consist of thousands of machines. The largest ones even count hundreds of thousands. When one machine gets blacklisted by a service provider for spamming, another machine from the botnet is used instead.

Also, most members of botnets are machines on private internet connections which do not have static IP addresses. That makes them very hard to blacklist for two reasons: 1. the machine can start spamming again as soon as it gets a new IP address, and 2. the service cannot keep IP blocks up for too long, because they risk hitting a legitimate user when the blacklisted IP gets reassigned.

Philipp
  • However, they are aware that some particular accounts are involved in spamming, from content analysis, because we see spam mails in the spam folder, of which 70% are right, so rather they could suspend those accounts instead of giving scope for spamming. – user10012 May 25 '16 at 12:01
  • @user10012 But that's not what you asked about. You were asking about banning *the bots*. Banning *the accounts* abused by the bots is an entirely different problem. That's why I asked you to be specific in your question. When you are not specific, you won't get the answers you want. – Philipp May 25 '16 at 12:07
  • @user10012 Please note that this is a question and answer website, not a debate forum. We only answer the questions which were asked. – Philipp May 25 '16 at 12:22

I assume @user10012 is referring to the fact that Google doesn't seem to take action against accounts sending malicious or unsolicited emails from "@gmail" accounts.

So that users can benefit from an instantaneous messaging service, Gmail doesn't screen outgoing messages unless the user has generated suspicious activity, which would require a CAPTCHA to be filled in. Also, users that have had their account compromised are expected to have used their Gmail account for some time, and Google trusts they aren't accounts created specifically for spambots or advertising motives.

EChan42
  • Well said; however, lots of spamming activity occurs from all the compromised accounts (maybe less from one account). Anyway, Google is doing a good job of filtering spam mails and keeping them for user review. – user10012 May 25 '16 at 12:12
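The outbound screening EChan42 describes, where only an account that starts behaving suspiciously is challenged rather than every message being filtered, can be modelled as a per-account sliding-window check over the provider's submission log. The block below is an added example written for this page; it is not Gmail's code or anything posted in the thread. The log line format, the thresholds, the account names, the IP addresses and the "known IP" history are all constructed for illustration.

```python
"""Per-account outbound anomaly check over constructed submission-log lines.
Added example for this page; format and thresholds are assumptions, not Gmail's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed submission-log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Constructed sending history: client IPs each account has used before today.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.5"},
    "bob@example.com": {"203.0.113.9"},
    "carol@example.com": {"203.0.113.12"},
}


class OutboundMonitor:
    """Sliding-window checks on authenticated submissions from webmail accounts."""

    def __init__(self, window=timedelta(minutes=10), max_msgs=20,
                 max_rcpts=200, new_ip_burst=5):
        self.window = window
        self.max_msgs = max_msgs          # messages per window before suspend
        self.max_rcpts = max_rcpts        # recipients per window before suspend
        self.new_ip_burst = new_ip_burst  # msgs from an unknown IP before a CAPTCHA
        self.recent = defaultdict(deque)  # acct -> deque of (ts, ip, rcpts)
        self.known_ips = {a: set(ips) for a, ips in KNOWN_IPS.items()}

    def observe(self, line):
        """Return 'allow', 'challenge' or 'suspend' for one submission."""
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.fromisoformat(m["ts"])
        acct, ip, rcpts = m["acct"], m["ip"], int(m["rcpts"])

        q = self.recent[acct]
        while q and ts - q[0][0] > self.window:  # expire events older than window
            q.popleft()
        q.append((ts, ip, rcpts))

        msgs = len(q)
        total_rcpts = sum(r for _, _, r in q)
        from_this_ip = sum(1 for _, i, _ in q if i == ip)
        ip_known = ip in self.known_ips.setdefault(acct, set())

        if msgs > self.max_msgs or total_rcpts > self.max_rcpts:
            return "suspend"      # volume no ordinary webmail user reaches
        if not ip_known and from_this_ip >= self.new_ip_burst:
            return "challenge"    # unfamiliar client plus a burst: ask for a CAPTCHA
        return "allow"

    def trust_ip(self, acct, ip):
        """Call after the user solves the challenge from that client IP."""
        self.known_ips.setdefault(acct, set()).add(ip)


# Constructed log: alice is normal, bob's account is driven from a new IP by a bot,
# carol's account is blasting large recipient lists from her usual IP.
SAMPLE_LOG = """\
2016-05-25T11:40:02 account=alice@example.com ip=203.0.113.5 rcpts=1
2016-05-25T11:43:10 account=alice@example.com ip=203.0.113.5 rcpts=2
2016-05-25T11:44:00 account=bob@example.com ip=198.51.100.77 rcpts=1
2016-05-25T11:44:05 account=bob@example.com ip=198.51.100.77 rcpts=1
2016-05-25T11:44:11 account=bob@example.com ip=198.51.100.77 rcpts=1
2016-05-25T11:44:18 account=bob@example.com ip=198.51.100.77 rcpts=1
2016-05-25T11:44:25 account=bob@example.com ip=198.51.100.77 rcpts=1
2016-05-25T11:50:00 account=carol@example.com ip=203.0.113.12 rcpts=90
2016-05-25T11:50:30 account=carol@example.com ip=203.0.113.12 rcpts=90
2016-05-25T11:51:00 account=carol@example.com ip=203.0.113.12 rcpts=90
"""


def run(log_text):
    """Feed log lines through one monitor; return [(account, verdict), ...]."""
    mon = OutboundMonitor()
    return [(LOG_RE.match(line)["acct"], mon.observe(line))
            for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for acct, verdict in run(SAMPLE_LOG):
        print(f"{verdict:9} {acct}")
```

The point of keying on the authenticated account rather than the client IP is that the bot's IP can change with every DHCP lease while the account it is abusing cannot; the "known IP" set is what lets a long-standing account keep sending normally from home while a burst from an unfamiliar client gets a CAPTCHA instead of an outright suspension.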

They haven't blocked them because the services can't block the spammer from forging their domain for malicious purposes.

Email has historically had a broken authentication system. And by broken I mean the authentication is built on rather than built into the protocol. So take note that they might not be sending these emails through the services at all and might just be sending them directly to the target's mail servers. And if the target doesn't verify using a method such as DKIM, Sender ID or SPF, then the spam will be received. This is something the sender service cannot block, since the service never actually processed their transmission.

Yes, there are instances where the actual SMTP authentication details of a user are compromised. This is what an attacker would prefer, since the sent email appears verified from the sender service.

But when it comes to the botnet, they might have a list of target addresses, gather them from the victim's machine, or generate them. And then spam those targets using randomly generated addresses and names in an attempt to get around the target service's spam detection. If you stop a botnet that uses an SMTP-authenticated sender, you shut down the botnet immediately. If the botnet is attacking without SMTP authentication, it is much more difficult to shut down, as they are looking at blocking individual machines by the hundreds, thousands, or even hundreds of thousands.

Bacon Brad
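Bacon Brad's point that a bot can bypass the webmail provider entirely and deliver straight to the target's mail server with a forged sender is exactly what SPF lets the receiving server catch: the check asks whether the connecting IP is one the sender domain has published as allowed. Below is an added example written for this page (not code from the answer or from any mail provider) of a minimal SPF evaluator. The TXT records are constructed stand-ins for the DNS lookups a real check performs, the IP addresses are documentation ranges, and only the ip4, ip6, include and all mechanisms are handled; the reject/accept mapping at the end is a policy chosen for this example.

```python
"""Minimal SPF (RFC 7208) evaluation for a receiving MTA.
Added example: records are an in-memory stand-in for DNS; a real check resolves TXT."""
import ipaddress

# Constructed TXT records. example.com is the victim's domain and delegates to the
# outbound range of a hypothetical webmail provider, mailprovider.example.
SPF_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all",
    "softdomain.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "broken.example": "v=spf1 include:missing.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def check_spf(client_ip, sender_domain, records=SPF_RECORDS, _lookups=None):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    Mechanisms a, mx, exists, ptr and the redirect/exp modifiers are not modelled.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    record = records.get(sender_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(client_ip, arg, records, _lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # an include: of a domain without a usable record
            matched = sub == "pass"
        else:
            return "permerror"  # unsupported mechanism or modifier in this example

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end with no 'all' term


def receiving_mta_decision(client_ip, mail_from):
    """What the target server can do with mail that never touched the sender's
    provider: evaluate SPF on the envelope-sender domain. Policy is this example's."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(client_ip, domain)
    action = {"pass": "accept", "none": "accept", "neutral": "accept",
              "softfail": "accept-and-mark", "fail": "reject"}.get(result, "accept-and-mark")
    return result, action


if __name__ == "__main__":
    # Constructed scenarios: a bot on a residential IP forging the victim's domain,
    # versus the same domain delivered through its provider's published range.
    for ip, sender in [("198.51.100.23", "victim@example.com"),
                       ("192.0.2.10", "victim@example.com"),
                       ("198.51.100.23", "someone@softdomain.example"),
                       ("198.51.100.23", "someone@nospf.example")]:
        print(ip, sender, receiving_mta_decision(ip, sender))
```

SPF only covers the envelope sender domain's published IPs, which is why the answer lists DKIM alongside it: a bot that does hold stolen SMTP credentials and submits through the provider will pass this check, because the provider's outbound range really is authorised, and that case has to be caught on the provider's side instead.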