
SPAM: .:YOUR PET GOAT HAS WON THE LOTTERY!!!!!:.

Whoa!  I don't even have a pet goat (no matter what Leah may say).......  Every one of us who uses electronic mail has had to deal with spam at some level.  Why does it persist?

My name is Jason Brown and I will be alternating with Leah to bring another opinion to the world of email and electronic communications.  Stepping out of the office here in Big Sky Country, it is easy to get lost in the world and want to forget all about that growing spam folder eating up disk space and taking valuable CPU and RAM from starving MTA and related processes.  Let's dig in a little and talk about why we even have to deal with it (at least in my opinion).

I see two distinct major kinds of people in the spamming industry.  I know there are others out there, but I'll stick to just two.

  1. People who allow others to use their bandwidth to send SPAM. 

    These folks are all too eager to accept the large amount of money that is available from people that want to actually send SPAM.  There is no question for this group that providing this service is a good thing.  Not only for their own pocketbook, but they actually feel they are providing a quality service.  I had an opportunity to speak with Brian Coppola last spring and within the first 60 seconds of our conversation, he had introduced himself as a "spam king" and wanted to clarify that he was indeed the Brian I had probably heard about.

    How do you begin to do battle with this sort of attitude and thinking?  Taking people's birthdays away went out in the fourth grade, so that is probably not the answer.  Fortunately there have been stricter laws and legislation passed to make the penalty for this behavior much steeper.  This will not stop it.  There is a fundamental change that needs to take place here and it is a much larger problem than junk email.  I continue to give humanity the benefit of the doubt, we'll see where it gets me.

  2. People who take other people's bandwidth to send SPAM

    This is where I wanted to focus tonight though.  This is a problem we can actually do something about.  I was fortunate enough to hear professor Anthony Joseph lecture earlier this year and he made a number of very, very good points.  Things I had seen over and over again and had not related to the SPAM industry.  These mostly had to do with passwords.  I know, I know.....  everyone reading this article has implemented strong passwords on the systems they are responsible for.  Right, I said I give humanity the benefit of the doubt, people are another story.  I have spent far too many hours cleaning up messes that could have all been avoided by a password that wasn't "changeme" or "password".

    Script Kiddie [skript] ['ki-dE]

    n. (Hacker Lingo) One who relies on pre-made exploit programs and files ("scripts") to conduct his hacking, and refuses to bother to learn how they work.

    These people are not after the data on your server, they are after the server itself.  This is not an act of attaining bragging rights, this is collecting as much bandwidth as possible in as short a time as possible to use at a later date and time to make money.  If I am a company that is looking to send out mass quantities of SPAM, this is who I am going to seek out.  I can pay pennies per message and have them broadcast from thousands of machines (which, I may add, are legit mail systems, thus not blacklisted... yet) across the globe.  I can get my message out quickly and for about half the price of my actual PR firm.

    Setting strong passwords isn't difficult.  It isn't as convenient (I use this term with great caution) as setting it to "corn", but it isn't difficult.  I wish it was funny and I pulled those as examples from my imagination. Not the case, this is an actual administrator or super user level password I have seen in use.  If you can look it up in a dictionary, it shouldn't be used as a password.  If you ignore the built-in password checking utility of your system, please reconsider.  I wish it was as simple as saying "Oh well, you get what you have coming to you".  It isn't, you have taken upon yourself a responsibility, take some pride in this.
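The dictionary rule above can be enforced when a password is set. The sketch below is an added example, not code from the article; it goes slightly beyond the article by also catching decorated dictionary words (padding, character swaps, reversal), and the wordlist, substitution table and minimum length are assumptions.

```python
import re

# Constructed sample wordlist (assumption). A real audit would load the system
# dictionary plus a list of vendor default passwords.
WORDLIST = {"corn", "password", "changeme", "admin", "goat", "lottery"}

# Assumed substitution table: undo common character swaps before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def candidates(password):
    """Return the normalized forms of a password to look up in the dictionary."""
    lowered = password.lower()
    # Drop digits and symbols padded onto either end ("corn2007", "!corn!").
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    forms |= {form[::-1] for form in forms}  # reversed words are still words
    forms.discard("")
    return forms


def check_password(password, wordlist=WORDLIST, min_length=MIN_LENGTH):
    """Return the reasons to reject a password; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    hits = sorted(candidates(password) & set(wordlist))
    if hits:
        reasons.append("derived from dictionary word: " + hits[0])
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the article's examples, decorated variants, a random string.
    for pw in ["corn", "changeme", "P@ssw0rd!2007", "nroC!", "vK9#tLq2mZx8Rw"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The check only matches the whole password against the list, so it complements the system's own password checking utility rather than replacing it.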

There are plenty of places online to get information about strong passwords, what to do and what not to do.  I would recommend starting where the skiddies are going to start:

  • insecure.org  -- Fyodor knows what is up and his site is full of tools, tips, tricks and links to help.

  • packetstormsecurity.nl  --  this is one place where you can find information about the latest and greatest vulnerabilities out there.  They have an RSS feed.

  • Google  --  if it isn't here, you are most likely not dealing with a script kiddie.  I'm not sure whose bad side you are on, but good luck.


This all falls somewhere between rocket science and common sense.  We all know how important it is to have strong passwords, especially for admin level users.  This is a simple matter of being on the court or in the stands.  Come down out of the stands and start playing ball, it is your system.

Professor Joseph relayed a story about an admin password being posted on a sticky note on the monitor.  This was in a nuclear power plant.  The rationale being that in the event of an emergency (e.g. nuclear meltdown) the last thing they want is to be trying to track down an admin for the system at 2am to get a password to shut something down before disaster.  A good portion of us don't work in nuclear power plants and we don't have armed guards outside our facilities protecting the physical perimeter of our data centers.  We have systems connected directly to the internet and are only trying to keep the lines of communications open for our end users.

Most all of us answer to someone, take pride in your work and in doing so expect your peers to do the same.  Implement the password schemes you know to be right and stand up for yourself.  It isn't difficult to find information online to back up your decision if you feel you need to do so (if you are having issues finding info to do this, please let me know and I'll help you find it).

 Thanks for listening,

 jason

Comments
I never said you had goats. I only repeated what you previously told me, about the sheep that you keep in your own home.
# Posted By Leah Kubik | 7/9/07 12:54 AM
Pay no attention to the baked yard in the oven.......
# Posted By Jason Brown | 7/15/07 1:50 AM
 
 
