Spam to Get Worse Before January, Then the Zombies Die!
October 8th, 2006

In the last week I have noticed a greater amount of spam getting past the spam filters. I predict that it will only dramatically increase before January. According to this IronPort study, 80% of spam is coming from zombie computers. The zombies have been quietly infected with a virus so they can be used by a remote server to send out spam emails. And cleverly enough, each zombie may only send out a small number of messages so it goes undetected by the user and their ISP. It works because there are literally thousands of these infected zombies out there.
This sad state has been brought on by the fact that easily infected computers sit idle on constantly connected broadband connections. Any number of exploits could have compromised these computers. Typically these infected computers are running a variation of Windows, which dominates the home desktop market and has been plagued by viruses and spyware these last few years. But there is hope that this major source of zombies will soon disappear.
In January Microsoft will release Vista and will likely also release Internet Explorer 7. Both of these new revisions have put a great deal of focus on the virus and spam problems. In reaction to these releases, I believe spammers will increase the number of sent messages prior to January to maximize their earnings while they still can. I see a couple of tangible reasons this large population of zombies will shrink or even completely disappear.
The sure reason is that a freshly installed operating system will not be infected with these viruses. Secondly, these new releases will not be infected as easily as the previous versions. We can only hope they do sustain a reasonable level of protection. The same IronPort study shows that spam has grown dramatically over the past few years, using constantly changing tactics to overcome the spam filters, which have also adapted to new techniques. And while this email epidemic has continued, the industry seems powerless to stop it.
Attempts to curb spam include the Sender Policy Framework (SPF) and Domain Keys, which have been complemented by Real-time Blackhole Lists (RBL). The SPF technique uses TXT records which are added to domain records to identify which addresses are supposed to send and receive email messages. When applied universally, this could curb the effect of zombie servers. If a zombie sends a message, it will not have a TXT record referencing it and it can be treated as a potentially unwanted message. By marking the "good" servers, the RBLs are more effective because all that is left are servers which cannot change IP addresses so quickly.
The Domain Keys approach is to include a header with each email which provides a cryptographic key which uses a public key lookup to verify the sender matches what the header is claiming. Both Yahoo! and Google are supporting the Domain Keys effort and have done so for the past 2 years. But somehow spam continues.
This leads back to the great computer upgrade of January 2007. Could it really happen? It is doubtful that a significant number will upgrade in the first month. Most of the computers which have been infected are already older computers which are not even upgraded to Windows XP. In fact, according to a report from Netcraft, many of these computers are government computers. Another major source of infected computers may be large corporations which may not upgrade to a newer operating system for quite a while after Vista is released.
Alternatively, Internet Explorer 7 will be made available for Windows XP when it is released. This browser upgrade may be released at the same time as Vista. It will most certainly be the default web browser for Vista. It is just not clear that Windows XP users will get their hands on it right away. But once they do, one of the major entry points for viruses, spyware and general malware will be tightened up significantly as it comes with anti-phishing support. However, an upgrade to IE7 does nothing to help previously infected computers. It would be best for those who do install IE7 to first run a full virus scan of their computers or even re-install WinXP altogether and start fresh.
It would be much better if it was easy to determine if your computer is infected. Just because you have scanned for viruses with the latest updates and did not find anything does not mean your computer is not infected. The only sure way to prevent your computer from acting as a zombie is to take it offline when you are not using it. Doing so may actually save you 15% on your electric bill. You can automatically have your computer go to sleep when it is not in use. You can do so with the Power Options in the Control Panel. Simply set the Power scheme for Home/Office which will put it in standby mode after 20 minutes of inactivity and to hibernate after 3 hours. If enough people did it, that could make a dent in the zombie effect.
Ultimately, I think we need to hold a "kill the zombies" day. On that day everyone will run either a full virus scan (use ClamWin AV for free), re-install their copy of Windows, or even switch to MacOS X. We will see if we can make a dent in the level of spam being sent. That could be a top New Year resolution... kill all zombies on January 15th. Mark your calendar!

December 11th, 2006 at 11:51 pm
[...] It seems spam is getting worse. Perhaps the spammers really are getting more and more desperate now that their window of opportunity is closing. After all, Vista will soon be out for the general public and more and more people are choosing Macs. I have a copy of Vista installed into a Virtual PC and the Least Privilege User Mode did not really get in my way too much so I may not disable it as some may do. If most people keep it in place it will definitely help stop those sneaky exploits which turn broadband connected Windows computers into spam sending zombies. Add these contributing factors together and you can almost see a future without malware. But before that happens, we still need to change the way email works. [...]