By Mat Nisbet, Malware Data Analyst, Symantec Hosted Services
In the April MessageLabs Intelligence Report we looked at the operating systems that were being used to send spam mails. To do this, we used a passive fingerprinting (PF) technique that looks at the network packets that are received when a remote machine attempts to make a connection, and used this to identify several characteristics of the remote machine, including the operating system it is using. After finding that the amount of spam originating from Linux was disproportionate to the number of Linux machines in the world, we decided to have a closer look at the spam and see if there is anything that differentiates it when compared to spam in general.
The first thing we noticed is that there is far less botnet spam from Linux than there is in general spam. In the seven day period examined, 87% of the spam was identified as coming from a botnet. For Linux, only 36% of spam was sent by botnets.
Unclassified Botnets refers to spam that we know comes from a botnet, but we have not yet identified which one.
Another difference in spam from Linux is the larger share written in Portuguese (6%), compared with only 0.2% of spam from all sources.
As for the type of spam that comes from Linux, it is mostly the same as any other type of spam. Most of it is the usual pharmaceutical spam, like the examples below, which all lead to a “Canadian Pharmacy” website.
There are also examples of phishing, like the one below. This example is aimed at customers of a well known international bank and asks users to follow the link to verify their information. At the time of writing, the linked site was unavailable, but typically this kind of email would link to a fake login page designed to look like the genuine login page of the bank being impersonated.
This last screenshot is from one of the Portuguese spam emails. It is similar in style to a lot of other spam we see advertising pharmaceuticals, replica watches/bags, or other products. It is an image showing special offers that, when clicked, takes the user to a website offering the same.
On investigating the originating IPs of a random selection of spam from Linux, I found that in most cases it came from a machine running an open source mail transfer agent (MTA) such as Postfix or Sendmail that had been left open. This suggests that one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open source software to keep down costs, have not realized that leaving port 25 open to the internet also leaves them open to abuse. It is possible that some botnets may have the ability to search for machines that have left port 25 open so that they can send their spam through that instead of (or as well as) directly from the bot machine.
Another contributor to Linux spam results from phishing. We are aware of one incident of a company that uses a free webmail server running on Linux that suffered a phishing attack. A number of their users were fooled and responded with their user details, and further accounts were broken into by a brute force dictionary attack. The attack perpetrators then used these hijacked accounts for high volumes of automated spamming until the breach was noticed and rectified.
The conclusion is that although the Linux family of operating systems is not currently targeted by large botnets, it is still open to abuse. One problem is that some ISPs force all their users’ mail to go through their ‘smarthosts’, which are often run on Linux systems. This means that a lot of botnet traffic which we would normally identify as something else, instead appears to be coming from Linux.
Another problem comes not from malware, but from a lack of knowledge and awareness of the people using Linux for their mail servers. Anyone who wants to take advantage of the fact that Linux, and most of its software, is free, needs to be aware of how to correctly set it up so that it is secure. Make sure that the systems are correctly set up to restrict relaying on port 25 to authorized users only (for example, clients attached to the local network, or connecting through a VPN).
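As an added illustration of the open-relay mistake described above (not taken from the original article), here are two Postfix main.cf fragments: the permissive one that turns a server into the kind of open relay found on many of these Linux senders, and the hardened one that only relays for the local network and authenticated users. It assumes Postfix 2.10 or later; the network range and hostnames are constructed placeholders.

```ini
# Added example, not from the original article. Assumes Postfix 2.10+.
# Network ranges and hostnames below are constructed placeholders.

# --- WEAK: anyone who can reach port 25 may relay mail through this host ---
# Treating the whole Internet as "mynetworks" makes this an open relay.
inet_interfaces = all
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks

# --- HARDENED: relay only for the local network and authenticated users ---
inet_interfaces = all
# Only loopback and the office LAN (constructed 192.0.2.0/24) are trusted.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
# Relay policy: trusted networks and SASL-authenticated clients may relay;
# everyone else may only deliver to domains this server is responsible for
# (reject_unauth_destination is the rule that actually closes the relay).
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Roaming users authenticate over TLS instead of being trusted by address.
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
```

After editing main.cf, `postconf -n` shows the non-default settings in effect and `postfix reload` applies them; the value of `mynetworks` and the presence of `reject_unauth_destination` are the two things to check on any Linux MTA exposed on port 25.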
Also important is to make sure your users are properly educated on the use of the system. Make sure they know exactly what the procedures are for password changes, and what to do if there are problems with their account. If they know this, they will be able to spot a false email asking for their details and will not give away access to their account.