Re: Botnets exploit Linux owners' ignorance

Updated: May 2, 2011

After Flaming retort, I have another rebuttal. Another piece of scaremongering, with overhyped drama and sensationalism, wrapped in tech lingo to make the crowds shudder with fear and reverence. While the general rule says don't feed the trolls, and I'm merely bringing attention to an article that does not merit any, I think it's important to show the other side of the spectrum.

Today, I want to talk to you about a short article called Botnets exploit Linux owners' ignorance, which presents a grim picture of botnets actively engaging in cyber warfare against Linux [sic] and its owners. Naturally, there's always the not so subtle hint that the solution is in your pocket. Let's digest the original report, see what it says and what it means, and how this relates to the average computer user.

Botnets can't do anything

Botnets are not a living entity. They are just a bunch of computers, controlled remotely. If anything, it's the botnets' owners who do or do not exploit their remote assets. Second, the word Linux is misleading here. Third, the word owners is misleading as well. Linux is a diverse pool of systems and kernels, often with little common operability. For instance, you will have a hard time running a kernel 2.4 RPM-based package on a 2.6 Debian-based machine.

Owners implies personal ownership, so the home user might be under the impression that we're talking home boxes here. But the article is in fact all about mail servers, none of which are normally in use at home. Now, let's go through the more interesting bits in the article.

Disassembling the fear

First line of this report thingie:

Symantec warns that port 25 could be the problem.

Oh, really! Symantec says. Oh noes! First, Symantec is a security company. They make money by selling security products. They can't be trusted for an opinion on security.

Port 25 could be a problem? The first use of tech lingo - port 25 - is designed to make simple people humble. How can a port be a problem? It's just a logical end to a network connection. If anything, a misconfigured service using the port and listening on it for incoming traffic might be a problem.

Now, there's no rule that says what service uses port 25. Normally, it's SMTP, which is mail, in layman's terms. But you can configure your Linux box to use any which port and then register the service under /etc/services. Second bit:

A lack of knowledge and awareness about how to use Linux mail servers could be contributing to the disproportionately large number of Linux machines being exploited to send spam, according to new Symantec Hosted Services research.

Emphasis on could be - in that regard anything could be contributing to anything. Now, there's a piece of research, which may or may not be accurate, claiming that Linux machines send disproportionately large numbers of spam.

Let's begin with the fact that 90% of all mail is spam. People generate 90% junk no matter what they do. But that's not so important. What is important is that Linux mail servers seem to serve a higher throughput of spam than Windows machines.

Note: Image adapted from Wikipedia, licensed under CC BY-SA 3.0.

Well, to make this claim valid, we need to take into account the actual percentage of Linux mail servers in comparison to Windows. In the commercial space, Linux outnumbers Windows by two to one, so yes, they ought to create more spam, at least twice as much. Furthermore, Linux mail servers are more EFFICIENT than Windows and have a much higher uptime, fewer reboots or downtime for patching, better overall performance, so YES, they produce more output in a given time unit. You see! Linux is better than Windows as a server box - so expect better results.

Some fancy PDF reads that Linux sends five times more spam. Okay. So? How does that relate to anything? Statistics 101. Damn. Normalization of factors is the first thing that has to be done to make this report relevant.

For example - none of these has been taken into account - the number of CPU cores or threads available to the mail server, the memory size, the quantity of mail service providers hosted on a particular server.

If you have a Windows box with 4GB RAM, four cores and 90% uptime, it will generate far fewer mails than a Linux box with 64GB RAM, 24 cores and 99.63% uptime. What if the Windows box serves seven low-volume websites, whereas the Linux box provides mail services for 53 high-traffic sites? What if the Windows average load is 13.4% CPU, whereas the Linux box churns happily at 60% utilization all the time? How do these figures translate into actual spam volume?

Lastly, Linux is more reliable - and a better choice for infrastructure servers, which is why customers will prefer to run a Linux mail server, with its better built-in security, over a Windows alternative. Hell, there was a time when Microsoft Hotmail was hosted on Linux boxes, because Windows NT couldn't cope.

Now, take a million boxes and things become more complex. The third interesting bit:

On investigating the originating IPs of a random selection of spam from Linux, I found that in most cases it came from a machine running an open-source mail transfer agent, such as Postfix or SendMail, that had been left open, he said.

Well, this is Major Obvious here. What kind of mail services are Linux boxes supposed to run? Furthermore, the ports have to be left open, otherwise there's no point in being a mail server, now is there? In other words, SendMail - spelled Sendmail, correctly - with port 25 open as opposed to Sendmail with port 25 closed. That's LULZ material, right there.

And what exactly is a random selection? Did you check the entropy of your random number generator? Did you use the emissions of a radioactive source for that? Or did you randomly use your eyes to scan the list and choose what seemed to be pretty numbers? Here's the hot part:

This suggests that one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open-source software to keep costs down, have not realised that leaving port 25 open to the internet also leaves them open to abuse.

Companies have implemented their OWN mail servers and are using OPEN-SOURCE software to keep costs down - and have not realized that leaving port 25 open leaves them open to abuse. So they ought to PAY money to some company so they can misconfigure their mail? What's wrong with open-source? And what does open-source have to do with costs? Here's my usual response to that - make sure you listen to Pink Floyd, Money:

But the paradox is that companies have chosen whatever software to run mail servers and that they don't realize they leave port 25 open, when this is exactly what these boxes are designed to do. Mail = port 25. Otherwise, it's not a server. Paradox, right there.
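To make the point concrete: an added example, not code from the original article or from any real MTA, that models the one decision separating a mail server from a spam source. In both versions below port 25 is open and mail for the local domains is accepted from anyone, because that is what a mail server is for. What differs is what the server does with a recipient in some other domain. I assume "left open to abuse" means an open relay, that is, a server that relays to any destination for any client; the domains, networks and addresses are constructed for illustration.

```python
"""Relay-policy model for an internet-facing SMTP server (added example).

open_relay_policy        -- the misconfiguration: relays for anyone, anywhere.
restricted_relay_policy  -- accepts inbound mail for our own domains from
                            anyone, relays outbound only for trusted networks
                            or authenticated clients, rejects the rest.
audit                    -- runs a policy over sample traffic and reports the
                            recipients an untrusted stranger could relay to.
All names, domains and addresses are constructed, not taken from the article.
"""
import ipaddress
from dataclasses import dataclass

# Constructed configuration: domains this server accepts mail for, and the
# internal networks allowed to send mail out through it.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Session:
    client_ip: str          # peer address of the SMTP connection
    authenticated: bool     # True if the client passed SMTP AUTH


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an addr-spec like user@host."""
    if address.count("@") != 1:
        raise ValueError(f"malformed recipient: {address!r}")
    return address.rsplit("@", 1)[1].lower()


def is_trusted(session: Session) -> bool:
    """A client is trusted if it authenticated or comes from an internal net."""
    if session.authenticated:
        return True
    ip = ipaddress.ip_address(session.client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def open_relay_policy(session: Session, rcpt: str) -> bool:
    """Relay for everyone, to everywhere. Port 25 is not the defect; this is."""
    domain_of(rcpt)  # still reject syntactically broken recipients
    return True


def restricted_relay_policy(session: Session, rcpt: str) -> bool:
    """Inbound mail for our domains from anyone; outbound relay only for
    trusted clients; everything else rejected at RCPT TO."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return True
    return is_trusted(session)


def audit(policy, traffic):
    """Return the foreign-domain recipients that an untrusted, unauthenticated
    client would be allowed to relay to under `policy`. Any entry in the
    result means the server is usable as a spam source."""
    leaks = []
    for session, rcpt in traffic:
        foreign = domain_of(rcpt) not in LOCAL_DOMAINS
        if foreign and not is_trusted(session) and policy(session, rcpt):
            leaks.append(rcpt)
    return leaks


# Constructed traffic: an inbound delivery, an outbound relay from the LAN,
# an authenticated roaming user, and a stranger pushing mail to a third party.
SAMPLE = [
    (Session("203.0.113.7", False), "alice@example.com"),
    (Session("192.168.1.20", False), "bob@example.net"),
    (Session("198.51.100.9", True), "carol@example.org"),
    (Session("203.0.113.7", False), "victim@example.org"),
]

if __name__ == "__main__":
    print("open relay leaks:      ", audit(open_relay_policy, SAMPLE))
    print("restricted relay leaks:", audit(restricted_relay_policy, SAMPLE))
```

Both policies keep port 25 listening and both deliver the inbound message for example.com; only the open one lets the unauthenticated stranger at 203.0.113.7 relay to example.org. That is the actual misconfiguration behind "left open to abuse", and it is a property of the relay restrictions, not of the port or of the software being open source.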

Why would anyone want to pay some inferior third-party consultant company to get their stuff in place, when they can do it properly on their own, with superior results? In the worst case, pay money to Red Hat or Novell for support, and they'll fix it for you. BTW, Sendmail is THE MOST common and used Mail Transfer Agent in the world!

Finally, there's a bit about having properly configured systems in place, but that's not interesting. However, one more bit that does draw attention is the fact that Symantec mixed desktop share with corporate share, to create the marketable 5x spam volume effect in the report. This could have been done intentionally, but it's even worse if it wasn't. I guess that's it for this time.

Conclusion

My warmest recommendation is simply not to read any security report that reads a company name at the top or the bottom. Sponsored security is like asking a prostitute if you are a good lay.

Second, if you ever read an article that is supposed to make you scared, vulnerable, hesitant, doubting, or mistrustful, rest assured it's a work of careful marketing designed to milk your shekels from your proverbial teat. Such pieces of journalism and propaganda are not worth your time.

The only pieces of work you ought to read are those that give POSITIVE and DETAILED advice on how things ought to be. There's spam, ok. What next? How do you make sure there's no spam? That's the whole of it. Actual advice on making things better, solving the root cause of the problem. It has nothing to do with brand names.

Linux could be more likely to have more spam, because Linux rules the corporate infrastructure market, it's more reliable, it has better performance and uptime, and people choose it over proprietary solutions, because of the costs, quality, expertise, and service. Even if Linux has more spam, it has nothing to do with the home users or their software setup, including, or rather, excluding security programs. Finally, statistics can be molested more effectively than a Mongol horde invading a little village in the foothills of Ural. Lean back, relax, and don't let anyone trick your mind with nonsense.

P.S. The homepage teaser was also adapted from the Spam image, same terms apply. The image of two soldiers fixing a satellite dish is in the public domain.

Cheers.