
Building A Web-Based Neighborhood Watch

At any given time, tens of millions of personal computers around the globe are infected with malicious software that criminals use to turn them into spam-relaying "zombies." But many machines could be inoculated if there was a distributed, Internet-wide system for notifying Web surfers that their machines were being used to defraud and attack others online.

That's one of the long-term visions behind a free technology launched last week by The Project Honey Pot, a community dedicated to making life more frustrating for junk e-mail purveyors and their ilk. The group's "http:BL" (the "BL" stands for black list) allows Web site owners using the popular Apache Web server to block or curb access to their sites by a visitor whose Internet address has been recorded as involved in spamming activity or in harvesting e-mail addresses.

While the goal of this approach is to prevent spammers and other online miscreants from cluttering a blog with comment spam or harvesting e-mail addresses for use in spam runs, there could be a huge ancillary benefit to this technology if widely deployed.

The http:BL specification allows Web site operators to take one of several actions when a blacklisted visitor appears. For example, they could block a specific machine from visiting the site. Another option would require a visitor to pass a simple test proving that a person, not a bot, is at the keyboard by, for example, typing in a displayed alpha-numeric sequence called a "captcha."

But Web sites that want to take a more proactive approach could send blacklisted visitors to an explanatory page. The page could inform a visitor that her machine has been observed exhibiting behavior often associated with PCs that have been infected with a computer worm, and offer suggestions on how the visitor could diagnose the infection and clean it.
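The three responses described above (block, captcha, or an explanatory cleanup page) can be driven by the result of an http:BL lookup. The following is an added example, not code from the article or from Project Honey Pot: it builds the DNS query name and decodes the 127.days.threat.type answer as I understand the http:BL API (check the API page before relying on it); the access key is a placeholder, the sample answers are constructed, and the thresholds that map a listing to an action are my own assumptions.

```python
import ipaddress
import socket

# Visitor-type bits in the last octet of an http:BL answer
# (my understanding of the Project Honey Pot API; verify against it).
SEARCH_ENGINE = 0
SUSPICIOUS = 1
HARVESTER = 2
COMMENT_SPAMMER = 4

ACCESS_KEY = "abcdefghijkl"  # placeholder, not a real http:BL key


def httpbl_query_name(access_key, visitor_ip, zone="dnsbl.httpbl.org"):
    """Build the name to look up: <key>.<octets reversed>.<zone>."""
    ip = ipaddress.IPv4Address(visitor_ip)  # http:BL covers IPv4 only
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{zone}"


def parse_httpbl_answer(answer):
    """Decode a 127.<days>.<threat>.<type> A record; None means not listed."""
    if answer is None:
        return None
    first, days, threat, vtype = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    return {"days": days, "threat": threat, "type": vtype}


def choose_action(listing, max_days=30, block_threat=50):
    """Map a listing to allow / block / captcha / explain (assumed policy)."""
    if listing is None or listing["type"] == SEARCH_ENGINE:
        return "allow"
    if listing["days"] > max_days:
        return "allow"  # stale listing: the machine may have been cleaned
    if listing["threat"] >= block_threat:
        return "block"
    if listing["type"] & (HARVESTER | COMMENT_SPAMMER):
        return "captcha"
    return "explain"  # merely suspicious: show the infection-cleanup page


def lookup(visitor_ip, access_key=ACCESS_KEY):
    """Live DNS lookup; NXDOMAIN (gaierror) means the address is not listed."""
    try:
        return socket.gethostbyname(httpbl_query_name(access_key, visitor_ip))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for sample in ("127.3.60.6", "127.1.20.4", "127.5.10.1", None):  # constructed
        print(sample, "->", choose_action(parse_httpbl_answer(sample)))
```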

A lot of the zombie problem could be cleaned up if one of the Web's busiest marketplaces would deploy this system. We can discount one of the top three Web sites - Microsoft.com - as a potential user because it runs its entire Web presence on Microsoft IIS servers, not Apache. But Google.com, Yahoo.com or state and federal Web sites could make a big impact in a short time with this approach.

Many colleges and universities already do something like this, adopting what's known as a "walled garden" approach: If a user's machine is attacking or spamming others, the offending PC is prevented from accessing the larger Internet, and the user is temporarily confined to a Web page that explains why they are being sidelined and offers step-by-step instructions for diagnosing and fixing the problem.

Security experts have long cited the need for more Internet service providers to build walled gardens to warn customers if their machines show signs of spam bot infestations or other unwelcome digital parasites. So far only a handful of larger ISPs have adopted this approach.

Security Fix placed numerous calls trying to contact different ISPs to talk with them about their experiences with the walled garden tactic, but only one - Cox Communications - appeared interested in chatting about it.

In 2005, Cox started blocking customers from reaching Web sites that it knew were serving Trojan horse programs designed to download keystroke loggers and other spyware. Around the same time, it implemented a walled garden for customers who appeared to have been infected with some type of malware that was causing problems for other customers or other ISPs.

Prior to initiating this program, Cox was taking roughly 22,000 customers offline each year for Trojan infections. By 2005, that number was down to 8,000. And in 2006, the first full year in which it had those mechanisms in place, it confined slightly more than 1,800 users out of a user base of more than 3.3 million.

"Prior to our walled garden approach, we would take customers offline and they wouldn't know why...All they would know is their modem had stopped working," said Matt Carothers, a member of Cox's security and abuse team. "With the walled garden, sure, the customer's first response is to be angry when we take them offline, but once they realize they have a program on their computer that is sending their credit card and Social Security number to some guy in Romania, they're actually pretty grateful that we took them offline."

Paul Vixie, a security expert and founder of the Internet Software Consortium, said most ISPs have resisted implementing a walled garden approach because they fear it will raise customer support costs.

"Most ISPs don't care about spam, and they can't measure the money they lose when their customers are misbehaving or when customers' machines get abused," Vixie said. "What they can measure is the cost of a telephone call from a customer. Most of these companies think it is far better for them to beef up the strength of their network so they can just carry the bad traffic along with the good."

By Brian Krebs |  April 30, 2007; 12:18 PM ET Fraud , From the Bunker , Misc.

Comments

In 2005, Cox started blocking customers from reaching Web sites that it were serving Trojan horse programs designed to download keystroke loggers and other spyware.

Typo?

Should there have been a 'knew' or similar verb between the 'it' and 'were'?

Posted by: FreewheelinFrank | April 30, 2007 12:29 PM

Yup. Thanks Frank for spotting that.

Posted by: Bk | April 30, 2007 12:42 PM

>We can discount one of the top three Web sites -
>Microsoft.com - as a potential user because it runs
>its entire Web presence on Microsoft IIS servers,
>not Apache.


Microsoft's IIS servers won't be able to use the http:BL Apache module directly, but this does not exclude them from using the http:BL API
http://www.projecthoneypot.org/httpbl_api.php

Posted by: Mark | April 30, 2007 1:07 PM

Decades ago, if you abused your postal privileges the USPS could deny you mail service.

Why can't whoever's administering the domain name server system these days (ICANN?) remove spammers' IP addresses, pass them to web hosters and ISPs, and basically kick the spammers and crooks off the Internet?

Posted by: gwgoldb | April 30, 2007 4:23 PM

Yaaaaa team !

Posted by: Anonymous | May 1, 2007 10:12 AM

Yes, but I daily get spam like the following (copied and pasted), which is not, repeat not, from our tech support people, and which contains an attachment (the "instructions") that if downloaded would wreak who knows what havoc. How to tell the real warning from the false?

-- Gerald

Dear user of library.berkeley.edu,


Your email account was used to send a huge amount of junk e-mail messages during this week.
We suspect that your computer had been infected by a recent virus and now contains a hidden proxy server.


Please follow the instructions in order to keep your computer safe.


Have a nice day,
library.berkeley.edu support team.

Posted by: Gerald | May 1, 2007 12:55 PM

@Gerald: This solution bypasses the weakness of email by moving the solution out of the email client and into the web browser. It's the same as getting a 404 page, only the page provides instructions on how to get the malware off your machine. I don't think there would be any way to spoof the ISP-driven pages.

You do bring up a good point though that the ease of email spoofing continues to be the bane of modern existence.

Posted by: Matt | May 1, 2007 4:36 PM


"Most ISPs don't care about spam, ..."

Exactly the point. The government has to make the ISPs care by creating legislation and regulating the ISPs, or by enforcing sanctions against them (i.e. put them out of business if necessary).

To the point of knowing whether a notification email is really from your ISP. If it is from your ISP, you will already be in the "walled garden" and won't be able to access the Internet, just the ISP's website informing you that your computer is infected and providing instructions on how to clean it up so that you can get back on the Internet. Really pretty simple.

Posted by: Externality | May 1, 2007 4:47 PM

©  The Washington Post Company