ietf-asrg

RE: [Asrg] Spammer proxies using legitimate mail relays

2005-02-15 21:13:29
-----Original Message-----
From: Jonathan Morton 
[mailto:chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk] 
Sent: Tuesday, February 15, 2005 7:43 PM
To: George Ou
Cc: ASRG
Subject: Re: [Asrg] Spammer proxies using legitimate mail relays

> Thanks for the detailed response Laird.  I was well aware that once 
> malware is installed on a computer, the computer is "owned" by the 
> author of that malware.  I'm simply curious about the actual state of 
> implementation that spamware has achieved.
> 
> I don't think spamware has gone as far as emulating physical user input.
> It hasn't needed to so far, not by a long way.  Instead, it will simply
> harvest various databases on the machine (Outlook's address book, for
> example), then start opening sockets and spewing SMTP.

Not according to the theme of that Spamhaus article.  Spamware now sends
email via the user's legitimate SMTP relay, which may even have a legitimate
SPF and/or SenderID record.  This escalates the problem because the spam has
added legitimacy to bypass certain blacklists or direct outbound TCP 25
restrictions.  This forces it to the next level, where we will need to start
throttling user accounts on the number of SMTP messages they can send, using
per-hour and per-day quotas.  I'm simply curious if spamware has the ability
to steal user passwords "yet", which is somewhat trivial to a good
programmer.

> The content and immediate destination(s) of the messages spewed in this
> manner is pretty much irrelevant, although the engine appears to be able to
> do various kinds of replacements and mangling on the message to get it past
> content filters.  I imagine a lot of the content production work is still
> done offline, before a spam run.
> 
> The above is just an educated guess, however.  I don't actually have any of
> this software to hand for examination, nor do I think I want to.
> I'd much rather work on the solution than the problem.

Ah, but a solution provider must first fully understand the nature of the
threat in order to counter that threat.  Developing a solution based on a
theory is a waste of time if it can't meet real-world threats.  This has
gone way beyond just spewing SMTP with direct connections to the victim's MX
records; an additional layer of countermeasure and counter-countermeasure
has been added.  We're now in a fight against a product that was designed to
counter SPF and SenderID.  The problem (according to Spamhaus) has now been
shifted to legitimate mail relays.  Still, at least we know whose neck to
choke, and we can blacklist an entire domain that refuses to police its
users by throttling them and forcing them to clean up, or we can blacklist a
specific user account within that domain.


George
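The per-account throttling George describes above (per-hour and per-day quotas on an authenticated submission relay, so that a compromised account can be stopped or singled out rather than the whole domain) as an added example, not code from this thread or from either participant.  It replays a constructed submission log (the "user=... client=... rcpts=..." line layout and the quota values are assumptions for this example, not a real relay's format or policy) through sliding one-hour and one-day recipient windows, and reports which accounts were refused and when.

```python
"""Sliding-window outbound quotas per submission account (example, not from the thread)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for the example: recipients per rolling hour and rolling day.
HOUR_QUOTA = 50
DAY_QUOTA = 200

# Constructed sample of a submission log (not real relay output). The layout
# "<iso timestamp> user=<account> client=<ip> rcpts=<n>" is an assumption.
SAMPLE_LOG = """\
2005-02-15T20:00:00 user=bob@example.org client=198.51.100.7 rcpts=20
2005-02-15T20:00:05 user=alice@example.org client=192.0.2.10 rcpts=2
2005-02-15T20:10:00 user=bob@example.org client=198.51.100.7 rcpts=20
2005-02-15T20:20:00 user=bob@example.org client=198.51.100.7 rcpts=20
2005-02-15T20:30:00 user=alice@example.org client=192.0.2.10 rcpts=2
2005-02-15T21:05:00 user=bob@example.org client=198.51.100.7 rcpts=20
2005-02-16T01:00:00 user=carol@example.org client=203.0.113.5 rcpts=45
2005-02-16T02:30:00 user=carol@example.org client=203.0.113.5 rcpts=45
2005-02-16T04:00:00 user=carol@example.org client=203.0.113.5 rcpts=45
2005-02-16T05:30:00 user=carol@example.org client=203.0.113.5 rcpts=45
2005-02-16T07:00:00 user=carol@example.org client=203.0.113.5 rcpts=45
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, recipient count)."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return datetime.fromisoformat(ts), kv["user"], int(kv["rcpts"])


class AccountThrottle:
    """Recipient quotas over rolling windows, keyed by the authenticated account.

    Quotas count recipients, not messages, because one spam submission can carry
    many RCPT TO lines. Only accepted submissions are retained in the history.
    """

    def __init__(self, hour_quota=HOUR_QUOTA, day_quota=DAY_QUOTA):
        self.hour_quota = hour_quota
        self.day_quota = day_quota
        self._history = defaultdict(deque)  # account -> deque of (ts, rcpts)

    def check(self, ts, user, rcpts):
        """Return (allowed, reason) for a submission of `rcpts` recipients at `ts`."""
        hist = self._history[user]
        # Drop anything that has aged out of the one-day window.
        while hist and ts - hist[0][0] >= timedelta(days=1):
            hist.popleft()
        day_total = sum(n for _, n in hist)
        hour_total = sum(n for t, n in hist if ts - t < timedelta(hours=1))
        if hour_total + rcpts > self.hour_quota:
            return False, "hourly quota"
        if day_total + rcpts > self.day_quota:
            return False, "daily quota"
        hist.append((ts, rcpts))
        return True, ""


def replay(log_text, hour_quota=HOUR_QUOTA, day_quota=DAY_QUOTA):
    """Replay a log in timestamp order; return per-account counts and first refusal."""
    throttle = AccountThrottle(hour_quota, day_quota)
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0,
                                  "first_reject": None, "reason": None})
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, user, rcpts in events:
        ok, reason = throttle.check(ts, user, rcpts)
        entry = report[user]
        if ok:
            entry["accepted"] += 1
        else:
            entry["rejected"] += 1
            if entry["first_reject"] is None:
                entry["first_reject"] = ts.isoformat()
                entry["reason"] = reason
    return dict(report)


def accounts_to_suspend(report):
    """Accounts that hit a quota: candidates for a per-account block, not a domain block."""
    return sorted(user for user, r in report.items() if r["rejected"])


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for user, r in sorted(result.items()):
        print(f"{user}: accepted={r['accepted']} rejected={r['rejected']} "
              f"first_reject={r['first_reject']} reason={r['reason']}")
    print("suspend:", accounts_to_suspend(result))
```

In the constructed sample, bob's third burst trips the hourly window at 20:20 and is accepted again at 21:05 once the 20:00 submission has aged out, while carol stays under the hourly limit but exceeds the daily one on her fifth run.  Rejected submissions are deliberately not added to the history here, so a throttled account recovers on its own; a relay that wanted to escalate persistent abuse into a suspension would instead count attempts as well.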


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg