At 21:56 2005-02-03 +0100, Dallman Ross wrote:
> But, look: if a worm or zombie spam now gets sent by the virtual
> server coded into the Trojan/zombie/worm program itself, it's one
> thing. The mail typically arrives at the recipient's server with
> a fake server name and very few Received headers.
_typically_ (i.e. MOST malware) yes. There's a small number that relay
through legit ISP SMTP hosts (and no, not your own inbound servers). Not
forged EHLO either. It isn't a new technique there, and since spammers
have been shifting towards virus/trojan applications to take over computers
for bandwidth, address lists, and obfuscating the true source of the spam,
this "new" twist with spam should come as no surprise since it's already
been employed with viruses.
> the ISP's usual channels, then the heuristic for identifying it
> gets a bit tougher. That's what caught my interest.
The heuristic to catch the message via header-only criteria would be very
difficult indeed. IIRC, SA spots forged Outbreak headers - that may be
something to check for with spam relaying.
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
procmail mailing list Procmail homepage: http://www.procmail.org/
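The header-only heuristic the thread is weighing, as an added example that is not code from the thread or from procmail: it counts Received hops and compares the delivering host's HELO name against the reverse DNS recorded by the receiving MTA. Both sample messages, host names and addresses are constructed; the direct-to-MX zombie scores on both counts, while the same machine relaying through its ISP's outbound server looks clean, which is exactly why the relayed case is harder to spot from headers alone.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a zombie delivering straight to the recipient's MX with
# a forged HELO name and a single Received hop.
DIRECT_ZOMBIE = """\
Received: from mail.example-bank.com (dsl-10-0-0-7.isp.example [10.0.0.7])
\tby mx.recipient.example (Postfix) with SMTP id 1
Subject: hi
From: a@example-bank.com
To: b@recipient.example

body
"""
# Constructed sample: the same zombie handing the mail to its ISP's outbound
# relay, which then delivers to the recipient's MX with a consistent name.
VIA_ISP_RELAY = """\
Received: from smtp-out.isp.example (smtp-out.isp.example [192.0.2.25])
\tby mx.recipient.example (Postfix) with ESMTP id 2
Received: from dsl-10-0-0-7.isp.example ([10.0.0.7])
\tby smtp-out.isp.example with ESMTP id 3
Subject: hi
From: a@example-bank.com
To: b@recipient.example

body
"""

# "from HELO (rDNS [ip])" is the shape Postfix and Sendmail write into
# Received lines; the rDNS part is absent when the reverse lookup failed.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\]\)")

def hop_facts(msg: Message) -> list:
    """Return (helo, rdns) for each Received hop, outermost (newest) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))   # unfold the header first
        if m:
            hops.append((m.group("helo"), m.group("rdns") or ""))
    return hops

def zombie_score(raw: str) -> int:
    """Crude header-only heuristic: few hops plus a HELO that does not match
    the reverse DNS seen by our own MX. Only the outermost hop is trusted,
    since every earlier Received line could have been written by the sender."""
    hops = hop_facts(message_from_string(raw))
    score = 0
    if len(hops) <= 1:
        score += 1      # arrived direct-to-MX, no relay chain at all
    if hops and hops[0][0].lower() != hops[0][1].lower():
        score += 1      # claimed HELO name disagrees with reverse DNS
    return score
```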