
Re: [Asrg] seeking comments on new RMX article

2003-05-06 11:24:59
On Tue, 6 May 2003 13:02:47 -0400 Eric D Williams <eric(_at_)infobro(_dot_)com> wrote:
> On Tuesday, May 06, 2003 12:30 PM, J C Lawrence [SMTP:claw(_at_)kanga(_dot_)nu] wrote:
>> On Tue, 6 May 2003 11:42:47 -0400 Damian Gerow <damian(_at_)sentex(_dot_)net> wrote:

>>> So all that really happens is that things like open relays and open
>>> proxies become less and less valuable, and anonymous remailers
>>> become infinitely more popular.  However, they are no more
>>> /valuable/ than they are right now -- they provide the same service,
>>> they do the same thing.

>> We currently have compromised Windows systems being used as spam
>> origination points.  Are we next going to see such zombie systems
>> used as anonymous remailers?  Or are they more likely to use the
>> compromised system to extract appropriate mailing credentials to tack
>> onto spam (creds which for instance satisfy RMX etc)?

> How would such an attack work?  Although you present an interesting
> issue re: security and 'zombie' eMail, how would RMX break (if that is
> your implication) in the proposed scenario?  What credentials other
> than domain name and IP address would satisfy an RMX query if stolen?
> In any event the 'zombie' (or maybe zonebie is better :) would be a
> security concern first and a spam origination concern second IMHO.

The trivial approach:

  BoxA is compromised.

  The zombie code sucks in a spamming engine (SE).

  The SE determines the mail configuration of BoxA in terms of
  appropriate SMTP envelope etc from the registry.

  BoxA spams away using the stolen credentials from its registry.

Notes:

  Yeah, it's illegal.  So is a significant percentage of the spam I
  receive.  Additionally, chasing law breaking spammers across
  international borders is not a fun game.

  This is a bad scenario, not just for RMX, but on almost all scores.
  Most automated authentication or credential schemes can be broken if
  subjected to localhost compromise.  In essence it's a replay attack
  using the same source node.  It's not clear to me that it is possible
  to defend against this case in any reasonable fashion, with or without
  RMX.

  RMX suffers in this scenario as perfectly legitimate mail cannot be
  distinguished from spam.  This pain is not exclusive to RMX, it's just
  a side effect.

  It makes the ISP a target and gives some, very marginal and slight,
  encouragement for ISPs to __attempt__ to police their users' systems
  and pro-actively search out and shut down compromised systems.  This
  will not be welcomed by ISPs or the ISP's users.  Prediction: One big
  finger pointing whining profit margin eating tar baby morass.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw(_at_)kanga(_dot_)nu               He lived as a devil, eh?           
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
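The two points J C Lawrence makes above, that a sender-IP authorisation check such as RMX passes whatever BoxA sends once BoxA is compromised, and that the only remaining lever is the ISP spotting the compromised host itself, can be shown side by side in a small simulation. This is an added example, not code from the ASRG thread or from any RMX implementation; the RMX record contents, the log format and the volume threshold are all constructed assumptions.

```python
"""Simulate an RMX-style sender-IP check plus an ISP-side outbound
anomaly heuristic.  Added example with constructed data; the simplified
RMX record format and the thresholds are assumptions, not from the thread."""
import ipaddress
from collections import defaultdict

# Assumed, simplified RMX data: sending domain -> networks allowed to
# originate mail for it (constructed sample, not real DNS records).
RMX_RECORDS = {
    "example.net": ["192.0.2.0/24"],       # ISP customer space incl. BoxA
    "example.org": ["198.51.100.10/32"],
}

def rmx_check(mail_from_domain, client_ip):
    """True if client_ip is authorised by the domain's RMX record.
    A domain with no record is treated as not authorised."""
    ip = ipaddress.ip_address(client_ip)
    nets = RMX_RECORDS.get(mail_from_domain, [])
    return any(ip in ipaddress.ip_network(n) for n in nets)

# Constructed outbound-relay log: "timestamp client_ip sender rcpt_count".
# 192.0.2.44 plays BoxA: same domain and address as before compromise,
# so every one of its messages passes rmx_check.
SAMPLE_LOG = """\
2003-05-06T11:00:01 192.0.2.17 alice@example.net 1
2003-05-06T11:05:12 192.0.2.17 alice@example.net 2
2003-05-06T11:06:40 192.0.2.44 bob@example.net 1
2003-05-06T11:07:03 192.0.2.44 bob@example.net 1
2003-05-06T11:07:05 192.0.2.44 bob@example.net 500
2003-05-06T11:07:08 192.0.2.44 bob@example.net 500
2003-05-06T11:07:11 192.0.2.44 bob@example.net 500
"""

def flag_outbound_anomalies(log_text, max_rcpts_per_host=100, min_msgs=3):
    """Summarise outbound mail per client host and return the hosts whose
    total recipient count exceeds an assumed ISP threshold.  The RMX pass
    count is kept to show it does not separate the zombie from its peers."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "rmx_pass": 0})
    for line in log_text.splitlines():
        _, ip, sender, rcpts = line.split()
        s = stats[ip]
        s["msgs"] += 1
        s["rcpts"] += int(rcpts)
        s["rmx_pass"] += int(rmx_check(sender.split("@")[1], ip))
    return {ip: s for ip, s in stats.items()
            if s["msgs"] >= min_msgs and s["rcpts"] > max_rcpts_per_host}
```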
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg