Symantec: the Kent Hovind of security?
(mug shot of Kent Hovind courtesy of Escambia
County Sheriff's Office after his arrest)
EVERY once in a while Symantec aims its FUD pistol at some innocent element of computing which Symantec claims has a problem (and Symantec of course offers a solution to this problem). We have already explained this business strategy (using examples that misuse Free software [1, 2]), which characterises many quacks and pseudo-science. That's why we put Kent Hovind at the top, for those who still wonder.
The latest MessageLabs Intelligence Report from Symantec Hosted Services is filled with interesting and useful information regarding the current state of malware and e-mail borne threats as well as the trends over time. Of particular interest to me is the assertion in the report that "any given Linux machine is five times more likely to be sending spam than any given Windows machine."
A pretty clear case of sensationalist metrics from a company which wants to sell their hosted security solutions to Linux box admins. But one interesting thing that comes out of the story is that many of the security researchers believe that misconfigured POSTFIX and SENDMAIL installations are cloaking the actual amount of spam coming from infected Windows hosts.
“GNU/Linux drives many mail servers, so if it obeys a request from a Windows zombie, then it will deliver SPAM.”Quoting Symantec a little further from its 'report' (which assumes bogus numbers about the market share of GNU/Linux), "by calculating a ratio of spam from a given operating system compared to the market share, we can get a “spam index” which shows relative to its market share, the likelihood that a particular computer is sending spam, based on its operating system. In the current spam climate, this index shows that relative to its market share, any given Linux machine is five times more likely to be sending spam than any given Windows machine..."
Another translation was sent to us by a reader who says: "Despite a total lack of evidence and being unable to detect the source OS of spam, we conclude that Linux machines are sending more SPAM because there are less of them."
As our IRC logs will show later today (fragment posted below), there are even better explanations for that. ⬆
Join us now at the IRC channel.
| tessier__ | http://www.v3.co.uk/v3/news/2262681/botnets-exploit-linux-owners | May 10 09:29 |
|---|---|---|
| tessier__ | Someone is smoking crack. | May 10 09:29 |
| tessier__ | crap | May 10 09:31 |
| schestowitz | Windows is not used much for E-mail | May 10 09:31 |
| tessier__ | There is something fishy about that website | May 10 09:31 |
| schestowitz | Which one? | May 10 09:31 |
| schestowitz | V3? | May 10 09:31 |
| tessier__ | Not intentionally, no. But that's what the botnets are doing with Windows: sending mail | May 10 09:31 |
| tessier__ | Yeah | May 10 09:31 |
| schestowitz | VNUNEt? | May 10 09:31 |
| tessier__ | Have you heard of v3 before? | May 10 09:31 |
| tessier__ | I never have. | May 10 09:31 |
| schestowitz | Yes | May 10 09:31 |
| schestowitz | Linux relays spam | May 10 09:32 |
| schestowitz | It runs mail servers | May 10 09:32 |
| schestowitz | It does what it's supposed to do | May 10 09:32 |
| schestowitz | Which is to relay requests | May 10 09:32 |
| tessier__ | I cannot post a comment on that site. The captcha does not work. No matter what you put in there it does not accept it. | May 10 09:32 |
| tessier__ | Linux by default is not an open relay. | May 10 09:32 |
| schestowitz | I wonder what sends those requests though | May 10 09:32 |
| tessier__ | No distro ships their mail servers that way. | May 10 09:32 |
| schestowitz | It's spammers | May 10 09:32 |
| tessier__ | it will deliver the spam to you that someone injected via a Windows box though. | May 10 09:33 |
| schestowitz | They use open relays | May 10 09:33 |
| schestowitz | Running Linux because it's better | May 10 09:33 |
| tessier__ | Open relays are hard to find these days. | May 10 09:33 |
| schestowitz | They get blacklisted | May 10 09:33 |
| tessier__ | And spammers don't run open relays either. They don't want other spammers stealing their resources. | May 10 09:33 |
| schestowitz | What was that list that gather IPs of spam relays? | May 10 09:33 |
| schestowitz | many services used to look it up and in 2008 it had sustainability issues | May 10 09:33 |
| tessier__ | Whenever I have investigated IP addresses that were sending me spam it was Windows boxes. | May 10 09:33 |
| tessier__ | There are lots of DNSBLs | May 10 09:34 |
| tessier__ | And they operate quite successfully | May 10 09:34 |
| tessier__ | SORBS is one of the big ones these days | May 10 09:34 |
| schestowitz | I can't recall the one I think about. Articles about it were widespread 2 years ago. | May 10 09:34 |
| *schestowitz creates http://techrights.org/wiki/index.php/Facebook | May 10 09:35 | |
| Techrights | Title: Facebook - Techrights .::. Size~: 12.91 KB | May 10 09:35 |
| tessier__ | There have been quite a few | May 10 09:35 |
| -BNtwitter/#boycottnovell-[popey] Mark proposes that 10.10 is released on Sunday 10th October 2010. Where 101010 = 42 = Meaning of Life / Universe / Everything! | May 10 09:37 | |
| -BNtwitter/#boycottnovell-[nsisodiya] need a student volunteer for modifying C++ book #schoolos | May 10 09:40 | |
| *benJIman has quit (Ping timeout: 252 seconds) | May 10 09:42 | |
| -BNtwitter/#boycottnovell-[popey] There will be no public ISO of #Ubuntu Light with Unity, but will be tailored specifically for OEMs. | May 10 09:49 | |
| -BNtwitter/#boycottnovell-[davidgerard] From @cracked - 5 Insane File Sharing Panics from Before the Internet - http://tinyurl.com/2ubthnw | May 10 09:53 | |
| Techrights | Title: 5 Insane File Sharing Panics from Before the Internet | Cracked.com .::. Size~: 81.74 KB | May 10 09:53 |
| -BNtwitter/#boycottnovell-[satipera] Liberal Democrat negotiations with Labour look likely if Brown goes quickly. | May 10 09:55 | |
| *narendra (~79f5e1b0@gateway/web/freenode/x-xaqdkqksysommyyc) has joined #boycottnovell | May 10 10:08 | |
| narendra | where I can upload secrect document anonymousy ? | May 10 10:08 |
| narendra | wikileaks is not working i think !! | May 10 10:08 |
| tessier__ | http://Ãâ¦ÃËÃâù.ÃËòçñé-çÃâçêõçÃâçê.Ãâ¦ÃµÃ±/Default.aspx | May 10 10:16 |
| tessier__ | Awesome. | May 10 10:16 |
| *benJIman (~benji@benjiweber.co.uk) has joined #boycottnovell | May 10 10:17 | |
| MinceR | i'm not so enthusiastic about it. | May 10 10:17 |
| *benJIman has quit (Client Quit) | May 10 10:17 | |
| tessier__ | Why not? | May 10 10:17 |
| *benJIman (~benji@benjiweber.co.uk) has joined #boycottnovell | May 10 10:17 | |
| MinceR | because it allows even more domains that are difficult to type, read and compare | May 10 10:18 |
| MinceR | IDN already lets you create identical-looking but distinct domains that can confuse users trying to check whether a certificate really applies to a supposedly secure connection. | May 10 10:18 |
| MinceR | domain names used to be easy to handle (as such names should be) | May 10 10:19 |
| MinceR | 7bit US-ASCII should have been enough. | May 10 10:19 |
| tessier__ | SSL CA was broken from the beginning anyway. This doesn't make things any worse. | May 10 10:21 |
| tessier__ | Everyone just clicks ok regardless. | May 10 10:21 |
| tessier__ | Although I am curious to know how you would work that sort of thing into a bind zone file. | May 10 10:21 |
| MinceR | no, not everyone. | May 10 10:26 |
Comments
your_friend
2010-05-12 04:03:40
There is not true in any sense. It is difficult to see how Phil Muncaster, the article's author, could have taken this out of context and there is no forgiving Muncaster's lack of critical thinking. If more than 90% of all spam comes from Windows, virtually all spam comes from Windows. Alternate interpretations have been debunked above, but the original statement was even dumber than its following missinterpretation by Muncaster.
There are many good explanations mentioned above for what Symantic saw when they looked at, "the passive fingerprinting signatures of spam email traffic for the first time in this month's report, in order to learn the type of operating system running on the infected spam-sending machines." The most obvious are that GNU/Linux is efficient and well placed in networks. Windows' poor network stack and zombie load mean that any Windows machine will only be able to do about 10% of a comparable GNU/Linux box. The later explanation, that most of the traffic comes because GNU/Linux is acting as a relay is even more damning for Windows - this means that GNU/Linux is just doing its job on networks where the administrators have made the mistake of using Windows on the desktop. The conclusion, backed by reasonable estimates of Windows infection rates and the fact that default GNU/Linux setting that preclude the bogus "open relay" explanation, is that all spam comes from Windows.