Re: New types of Trojans coming
2005-02-03 11:13:33
At 18:16 2005-02-03 +0100, Dallman Ross did say:
> http://news.zdnet.com/2100-1009_22-5560664.html
> Precis: Spam levels expected to rise with suddenness soon, as blacklists become less effective.
Er, spammers have been using trojans for a while now already. Yes, traditionally, the user's own PC is converted into a mail server and it delivers mail directly. With some large ISPs (Earthlink comes to mind) blocking outgoing SMTP originating from user systems, this technique isn't very effective.
However, viruses have for some time used the user's own ISP mail server (or at least that of the forged address snarfed from their saved email) to deliver messages, thereby lending some apparent legitimacy to the message (for instance, you can't block them using a dial-up-list-type DNSBL, because the machine passing the message to your host is an actual ISP mail server, not the user's own machine).
Yes, blacklists aren't particularly effective against this chuff. Ironically, effective post-reception filters are still successful at eliminating virtually all the spam, but once they've brought the crap INTO my server is when I get especially pissed about it. The messages rejected during the SMTP connection have a minimal impact: they don't generate a lot of net traffic or CPU load (though gobs and gobs of them can still borderline a DoS).

Once you've forced your way into my mail host, you're providing me with further identifiable information (complete headers, URLs in the spew, etc.) which can be used to identify the spammer. Plus, for those areas which have anti-spam "laws" (such as they are), actually having the spam in hand is a crucial part of being able to prosecute them. Rejecting a billion SMTP connections based on the originating IP wouldn't prove to be concrete evidence that those POTENTIAL messages would have actually been spam.
One solution (until the miscreants decide to rummage PCs looking for login data) is for affected ISPs to start REQUIRING SMTP authentication, whereby you can send mail only if you authenticate to the server. Of course, this doesn't stop someone from relaying mail into a server for delivery INTO that server. Even with SMTP auth on the server, an Earthlink customer could connect to an Earthlink mail server and (without authenticating) send spew to OTHER Earthlink customers, unless the server were configured to recognize that the sending host is within its own user address space and not an external mail host of sorts (which wouldn't require auth, or they'd be rejecting virtually all their mail).
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.

____________________________________________________________
procmail mailing list
Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
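The two access decisions the message above turns on, modelled as an added example (this is editor-written illustration code, not anything posted to the list and not any particular MTA's configuration). The receiving-host side shows why a dial-up DNSBL catches a trojaned PC delivering directly but not the same PC relaying through its ISP's mail server, since only the connecting IP is checked. The ISP submission side compares a naive "auth only for off-site relaying" policy with the stricter rule the mail proposes: any client inside the ISP's own customer address space must authenticate before any RCPT, while external mail hosts delivering inbound mail to local users still need no credentials. All IP ranges (RFC 5737 documentation prefixes), the domain `isp.example` and the DNSBL contents are constructed for the example.

```python
"""Toy model of SMTP access policy: dial-up DNSBL on the receiving host, and
an ISP submission server with and without a "customer pool must AUTH" rule.
Added example; all addresses, domains and list contents are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed data: RFC 5737 documentation prefixes stand in for real ranges.
CUSTOMER_POOL = [ipaddress.ip_network("198.51.100.0/24")]   # hypothetical ISP dial-up/DSL pool
ISP_MAILSERVER = "203.0.113.25"                             # hypothetical ISP relay/MX address
LOCAL_DOMAINS = {"isp.example"}                             # hypothetical domain the ISP hosts
DIALUP_DNSBL = [ipaddress.ip_network("198.51.100.0/24")]    # hypothetical dial-up list contents


def listed_in_dialup_dnsbl(connecting_ip: str) -> bool:
    """Receiving-host check: is the host that opened the SMTP session on the
    dial-up list?  Only the connecting IP is consulted, never the headers, so a
    message relayed via the ISP server arrives from ISP_MAILSERVER and passes."""
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in net for net in DIALUP_DNSBL)


@dataclass
class Submission:
    client_ip: str        # host connecting to the ISP's SMTP server
    authenticated: bool   # did the client complete SMTP AUTH?
    rcpt_domain: str      # domain part of the RCPT TO address


def naive_policy(s: Submission) -> str:
    """AUTH required only to relay off-site.  Mail addressed to local users is
    accepted from anyone, so an unauthenticated trojaned customer PC can still
    spam every other customer of the ISP."""
    if s.rcpt_domain in LOCAL_DOMAINS:
        return "accept"
    return "accept" if s.authenticated else "reject: relay access denied"


def strict_policy(s: Submission) -> str:
    """Same, except a client inside the ISP's own customer pool must have
    authenticated before any RCPT is accepted.  External mail hosts (not in
    the pool) delivering inbound mail to local users are still accepted
    without AUTH, otherwise the ISP would reject nearly all inbound mail."""
    ip = ipaddress.ip_address(s.client_ip)
    if s.authenticated:
        return "accept"
    if any(ip in net for net in CUSTOMER_POOL):
        return "reject: authentication required"
    if s.rcpt_domain in LOCAL_DOMAINS:
        return "accept"
    return "reject: relay access denied"


def compare(s: Submission) -> dict:
    """Return both verdicts for a submission, for side-by-side display."""
    return {"naive": naive_policy(s), "strict": strict_policy(s)}


if __name__ == "__main__":
    trojan_pc = "198.51.100.77"                       # constructed customer IP
    # Receiving host: direct delivery from the PC vs. delivery via the ISP relay.
    print("direct from PC listed? ", listed_in_dialup_dnsbl(trojan_pc))       # True
    print("via ISP server listed?", listed_in_dialup_dnsbl(ISP_MAILSERVER))   # False
    # ISP submission server: trojan on a customer PC, no credentials, local recipient.
    print(compare(Submission(trojan_pc, False, "isp.example")))
    # External MX delivering inbound mail to a local user: accepted by both.
    print(compare(Submission("192.0.2.10", False, "isp.example")))
```

The point of `strict_policy` is the ordering of the checks: "is this client in my own customer address space?" is evaluated before "is the recipient local?", so the local-delivery exemption never applies to unauthenticated customer hosts. A real MTA expresses the same thing by listing the customer pools separately from the networks that are trusted to relay.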