At 5:00 AM +0200 11/27/04, Gadi Evron wrote:
>> As everyone probably knows, there is a pretty large outbreak going
>> on right now. According to our mail filters at
>> http://aves.f-prot.com,
>> 10.56% of all filtered E-mail contains W32/Sober.J@mm. In
>> addition, there is a significant number of bounces as well.
>> We've reached 1.5 GB an hour of this s**t since Tuesday. Only our AV
>> calls it Sober.I@mm.
> I agree, bounces are the very evil of the net itself.
No, they are not. They are a critically important part of the
robustness of email. Broad acceptance of the idea that bounces are
evil will be the last nail in the coffin of email.
Systems which generate bounces as a result of determining that
particular messages are untrustworthy are evil. Software which
determines that mail is spam (or viral, which is logically a subset
of spam) and then goes on to trust that mail enough to generate a
bounce message is designed by people who are either evil or stupid
enough to be indistinguishable from evil.
> Where I'd have to disagree is here:
>> * Doing SPF checking will block the vast majority of the worms, but it
>> will not help with the bounces or the filter alerts.
> It may block the vast majority of current worms, but I doubt it
> would stop the tide for long.
> VX-ers will find other ways of abusing infected victims.. they might
> even send out email using the user's own email account and/or email
> client.
Uh, have you heard of Swen???
Viruses are already using the victim machine's mailer configuration
to send mail. They have been doing so for a year and more.
The problem is deep design flaws in Microsoft's mailers and operating system.
The problem is Microsoft.
> As long as there are huge drone armies out there, and their likes -
> I don't see how spam solutions today would really work as people
> hope. They will help reduce the numbers by a 0 or two though (if
> widely implemented in a reasonable period of time). I may actually
> get hundreds instead of thousands of spam messages a day.
I reject about 10,000 port 25 connection attempts every day from
various parts of the net that I believe to house no valid
correspondents and to house an inordinate number of zombies and
machines owned 'legitimately' by slimeballs like Alan Ralsky, Scott
Richter, Verisign, DoubleClick, and other untrustworthy, deceptive,
spamming entities. The domains behind that router house less than a
dozen distinct mail receivers.
I reject a few thousand spam attempts daily in SMTP based on the IP
address of the connecting system. Most of that is done by rejecting
machines which have been seen by others to be spam and worm zombies
(Spamhaus XBL) or which are in networks I've seen machines trying to
deliver in zombie-like ways.
95%+ of the mail delivered here is not spam. 99%+ of the attempts to
send mail here are spam, much via zombie armies. Killing the zombie
armies would let me move some router blocking back to SMTP and reduce
some SMTP blocking. Global SPF adoption would kill off today's zombie
armies, but with Swen out there as an example, that would be a brief
respite.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
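The two mechanisms argued over in this thread, SPF checking of the envelope sender and rejecting known zombie hosts (Spamhaus XBL) at SMTP time, are shown below in a small policy routine. This is an added example, not code from the thread or from any of the posters; the SPF records, the DNSBL zone name `xbl.example.invalid`, its listing data and the `127.0.0.4` return value are all constructed stand-ins for real DNS lookups. The point it illustrates is Bill's: the decision is made while the sending MTA is still connected and answered with a 5xx, so no bounce is ever generated for mail the receiver has already judged untrustworthy.

```python
"""Connection-time SMTP policy: XBL-style DNSBL check plus SPF evaluation.

Added example. All DNS data here is constructed; a real deployment would
resolve the DNSBL name and the domain's TXT record instead.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed SPF TXT records, keyed by envelope-sender domain.
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.10 ~all",
}

# Constructed DNSBL zone. Real XBL-style lists are queried by reversing the
# client's IPv4 octets and appending the zone; a listed host answers with
# an address in 127.0.0.0/8 whose last octet encodes the listing reason.
DNSBL_ZONE = "xbl.example.invalid"
DNSBL_DATA: Dict[str, str] = {"4.113.0.203." + DNSBL_ZONE: "127.0.0.4"}


def dnsbl_query(name: str) -> Optional[str]:
    """Stand-in for an A-record lookup against the DNSBL zone."""
    return DNSBL_DATA.get(name)


def dnsbl_listed(client_ip: str, zone: str = DNSBL_ZONE) -> Optional[str]:
    """Return the listing code if client_ip is in the zone, else None."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:          # this toy zone only carries IPv4 entries
        return None
    name = ".".join(reversed(client_ip.split("."))) + "." + zone
    return dnsbl_query(name)


def spf_check(client_ip: str, domain: str,
              records: Dict[str, str] = SPF_RECORDS) -> str:
    """Evaluate ip4/ip6/all terms of an SPF record for client_ip.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Mechanisms such as a, mx and include are not modelled here.
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"                          # default qualifier is pass
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifiers[qual]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
    return "neutral"                        # nothing matched, no "all" term


def smtp_policy(client_ip: str, mail_from: str) -> Tuple[int, str]:
    """Decide the reply to MAIL FROM while the sender is still connected.

    Rejections are 5xx replies: the sending MTA owns any resulting DSN,
    so we never accept-then-bounce mail we have already judged bad.
    """
    hit = dnsbl_listed(client_ip)
    if hit:
        return 554, f"5.7.1 {client_ip} listed in {DNSBL_ZONE} ({hit})"
    domain = mail_from.rpartition("@")[2].lower()
    result = spf_check(client_ip, domain)
    if result == "fail":
        return 550, f"5.7.1 SPF fail: {client_ip} not permitted for {domain}"
    return 250, f"2.1.0 OK (SPF {result})"


if __name__ == "__main__":
    for ip, sender in [("203.0.113.4", "a@example.com"),
                       ("203.0.113.50", "a@example.com"),
                       ("203.0.113.50", "a@example.net"),
                       ("192.0.2.7", "a@example.com")]:
        print(ip, sender, smtp_policy(ip, sender))
```

Softfail (`~all`) is deliberately accepted here rather than rejected; a site that wants to be stricter can treat it like fail, but a permanent reject on softfail is the kind of policy choice the thread warns will only buy a brief respite once worms send through the victim's own configured mailer, which SPF then passes.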
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg