ietf-asrg

[Asrg] zombies && spam

2005-02-03 09:02:27
Much of what I had to say about this was posted to NANOG; here it is.

        Gadi.


Michael(_dot_)Dillon(_at_)radianz(_dot_)com wrote:

CNET reports
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the local
ISP's mail servers rather than trying their own port 25
connections.


Both on ASRG and here on NANOG, many of us said this many times, and most
of the time people called me crazy:

1. Block port 25 for dynamic ranges; that will kill the current strain
of worms.
2. It won't solve spam, and neither will SPF or anything else of the
sort, as when you have 100K zombies, you don't need to act as a server; you
can use the real credentials of the user, and even if limited to 1000
messages, that times 100K drones is...

The issue is numbers, and how to reduce them, not stop the tide.

Currently there is a discussion of this on Spam-Research [1], quite
interesting.

    Gadi.

1 - Spam-Research archives:
https://linuxbox.org/cgi-bin/mailman/listinfo/spam


----------


Did you actually read the article? This was about drones sending out
via their ISP's mail server. Blocking outbound 25 doesn't help a bit here. In
general, sure, good idea, and also start using submission, for example. But
in this context it's silly.


No, it is relevant or I wouldn't have mentioned it.

Allow me to elaborate; and forget about this article, why limit ourselves?

Once big ISPs started blocking port 25 outbound for dynamic ranges, and
it finally began hitting the news, we once again caused the spammers to
undergo evolution.

In this particular case, they figured they'd have to find better ways to
send spam out, because eventually, they will be out of working toys.

Using the user's own mail server, whether by... erm... just utilizing it
if that is possible, sniffing the SMTP credentials or stealing them from
a file/registry, maybe even using Outlook to send, is all that's about to
happen.

Heck, I don't see how SMTP AUTH would help, either. They have local
access to the machine.

Now, once 100K zombies can send *only* 1000 spam messages a day instead
of 10K or even 500K, it makes a difference, but it is no solution.

I am happy to see people are starting to move this way, and I personally
believe that although this is happening (just go and hear what Carl from
AOL says on Spam-R that they have been seeing since 2003), this is all a
POC. We have not yet begun seeing the action.

Should I once again be stoned, or will others see it my way now that the
tide is starting to turn?

    Gadi.


----------


If a pro cannot clean it out safely, then I cannot imagine our
typical home user would be able to... and with some luck he installs a
firewall and antivirus next time, after reinstalling his system for the
4th or 5th time.


You may want to check out some AT (Anti-Trojan) software such as The
Cleaner and BOclean.

    Gadi.

----------
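The thread's point is that once zombies submit through the ISP's own mail server with the user's real credentials, all the ISP can do is cap and flag each account, which reduces the numbers rather than stopping the tide. The script below is an added illustration of that, not code from the list or from any ISP: it simulates a per-account daily recipient cap (the "1000 messages" figure from the thread) and one stolen-credential heuristic (the same login submitting from several unrelated client networks within minutes). The log format, the sample lines, the 1000-recipient cap and the two-network threshold are all constructed assumptions for the example.

```python
"""Per-account outbound caps for an ISP submission server (added example).

The log format below is made up for this example; real MTAs log submission
authentication and recipient counts differently.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

DAILY_RCPT_CAP = 1000   # assumed: recipients per account per day
MAX_CLIENT_NETS = 2     # assumed: distinct client /24s per account per day
                        # before we treat the credentials as stolen

# Constructed sample log, one day of submissions:
# <ISO timestamp> user=<SASL login> client=<IP> rcpts=<recipient count>
# bob's login is used from three unrelated networks within twelve seconds,
# which is the zombie pattern; carol simply blows through the daily cap.
SAMPLE_LOG = """\
2005-02-03T08:01:10 user=alice@example.net client=203.0.113.10 rcpts=1
2005-02-03T08:05:42 user=alice@example.net client=203.0.113.10 rcpts=3
2005-02-03T09:00:00 user=bob@example.net client=198.51.100.7 rcpts=300
2005-02-03T09:00:05 user=bob@example.net client=192.0.2.44 rcpts=300
2005-02-03T09:00:09 user=bob@example.net client=203.0.113.99 rcpts=300
2005-02-03T09:00:12 user=bob@example.net client=198.51.100.9 rcpts=300
2005-02-03T09:30:00 user=carol@example.net client=203.0.113.20 rcpts=900
2005-02-03T09:31:00 user=carol@example.net client=203.0.113.20 rcpts=200
"""


@dataclass
class AccountState:
    accepted_rcpts: int = 0
    rejected_rcpts: int = 0
    client_nets: set = field(default_factory=set)
    flagged: str = ""   # "" while healthy, otherwise the reason we shut it


def parse_log(text):
    """Parse the constructed format into (user, client_ip, rcpts) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        records.append((fields["user"],
                        ipaddress.ip_address(fields["client"]),
                        int(fields["rcpts"])))
    return records


def apply_policy(records, cap=DAILY_RCPT_CAP, max_nets=MAX_CLIENT_NETS):
    """Decide accept/reject per message, in log order, for one day.

    A message is rejected whole if the account is already flagged, if it
    would be the (max_nets + 1)th distinct client /24 for that login, or if
    it would push the account's recipient total over the daily cap.
    """
    accounts = defaultdict(AccountState)
    for user, ip, rcpts in records:
        st = accounts[user]
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if st.flagged:
            st.rejected_rcpts += rcpts
            continue
        if len(st.client_nets | {net}) > max_nets:
            st.flagged = "ip_spread"      # one login, too many networks
            st.rejected_rcpts += rcpts
            continue
        if st.accepted_rcpts + rcpts > cap:
            st.flagged = "daily_cap"      # cap reached for the day
            st.rejected_rcpts += rcpts
            continue
        st.client_nets.add(net)
        st.accepted_rcpts += rcpts
    return dict(accounts)


def summarize(accounts):
    """Return (recipients attempted, recipients accepted, flagged logins)."""
    attempted = sum(a.accepted_rcpts + a.rejected_rcpts for a in accounts.values())
    accepted = sum(a.accepted_rcpts for a in accounts.values())
    flagged = sorted(u for u, a in accounts.items() if a.flagged)
    return attempted, accepted, flagged


if __name__ == "__main__":
    report = apply_policy(parse_log(SAMPLE_LOG))
    for user, st in sorted(report.items()):
        print(f"{user}: accepted={st.accepted_rcpts} rejected={st.rejected_rcpts}"
              f" nets={len(st.client_nets)} flagged={st.flagged or '-'}")
    print("attempted/accepted/flagged:", summarize(report))
```

Run on the sample, the policy cuts bob off at 600 recipients and carol at 900, yet 1504 of the 2304 attempted recipients still get through the ISP's own server. That is exactly the thread's argument: multiply the per-account residue by 100K drones and a cap is a reduction, not a solution. The cap and the network-spread threshold are only starting points; an ISP would tune them to its own users and would also key on the submission rate per minute, which this example does not track.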



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg

