
Re: [Asrg] Email Postage (was Re: FeedBack loops)

2008-11-17 18:40:20

On November 17, 2008 at 17:49 rsk(_at_)gsp(_dot_)org (Rich Kulawiec) wrote:
> On Mon, Nov 17, 2008 at 03:57:33PM -0500, Barry Shein wrote:
> > Ya know, if confirmation from ISPs' message queueing systems could just
> > ripple back to the end-user a message like:
> >
> >       Message Accepted.
> >
> >       You have sent 9,731 messages today.
> >
> >       If that seems wrong your computer may
> >       be infected, please click here: [HELLLPPP!]
>
> Were this done -- say, with a standard bit of code that could be
> attached to sendmail and postfix and exim and the like -- then I
> think it's fairly likely that the same attackers who control all
> those zombied systems and use them to send spam might take the time
> to craft the code to throw those messages away.  Or perhaps to divert
> them to their own C&C networks in order to help them keep better
> track of how their spam-sending nodes are doing.
>
> A zombied system is enemy territory: nothing it does can be trusted,
> nor can it be trusted to do anything it's told to do.

Then I guess there's no hope. It's possible the response above was
generated by a zombied computer and not Rich Kulawiec.

But it does support one good principle of system administration which
is you really need to know what your system does normally in order to
recognize when it's acting abnormally.

You personally may have a really clear notion of how many messages
your machine should be sending normally per day or whatever, but a lot
of people probably have never really thought about it.

Now, as you suggest, we may run into some sort of Heisenberg
uncertainty principle where we can't trust any measurement.

But at least when one is shut off because their machine was sending
over 1,000 messages a day (a not crazy policy) they maybe won't sit
there drooling on your shoes wondering if that's too much or too
little.

Awareness of what's normal is useful.

And any large discrepancy between what the above box reports and what
the ISP claims (perhaps it's printed on your bill?) would indeed be
cause for further alarm (but it only says...hmm.)

But, yeah, I've dealt with rootkits.

Anyhow, WHAT'S THE HARM?

I mean what's your standard here, that there cannot exist a single
case in the universe where this information might be unreliable?

My suggestion is only that if a problem is volume (from zombied
end-user computers) perhaps it would be sensible to try to tell them
what their volume is, normally and otherwise.

-- 
        -Barry Shein

The World              | bzs(_at_)TheWorld(_dot_)com           | 
http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
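The two ideas in the exchange above (an ISP telling a user how many messages their machine sent today, and a "know what normal looks like" baseline so a 1,000-a-day cutoff is not a surprise) can be implemented on the relay side, where the counting cannot be tampered with by the compromised endpoint Rich describes. The following is an added, constructed example and not code from the ASRG list, from Barry Shein, or from any MTA: it parses Postfix-style qmgr log lines (the hostname, queue-id layout and sample traffic are assumptions), sums envelope recipients per sender per day, and flags a sender either for crossing the hard daily ceiling from the thread or for jumping well above their own recent history. Note that a sender with no history only trips the hard limit, since days with zero traffic never appear in the log.

```python
"""Server-side outbound volume baseline check (constructed example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Matches the 'from=<...>, size=..., nrcpt=...' line qmgr writes when a message
# enters the active queue.  Hostname and queue-id layout are assumptions.
LOG_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} [ \d]\d) \d\d:\d\d:\d\d \S+ postfix/qmgr\[\d+\]: "
    r"[0-9A-F]+: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

HARD_DAILY_LIMIT = 1000  # the "over 1,000 messages a day" policy from the thread
SIGMA = 3.0              # deviations above a sender's own mean that count as abnormal
MIN_ABS_JUMP = 50        # floor so a 2/day sender is not flagged for sending 8


def parse_daily_counts(log_text):
    """Return {sender: {day: recipients}} from qmgr 'from=' lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m["sender"]][m["day"]] += int(m["nrcpt"])
    return counts


def assess_sender(daily, today):
    """Compare today's volume against the hard limit and the sender's history.

    Days with no traffic do not appear in the log, so a brand-new sender has
    no baseline at all; the hard limit is the only check that applies then.
    """
    today_n = daily.get(today, 0)
    history = [n for d, n in daily.items() if d != today]
    verdict = {
        "today": today_n,
        "baseline_days": len(history),
        "baseline_mean": None,
        "over_hard_limit": today_n > HARD_DAILY_LIMIT,
        "anomalous": False,
    }
    if len(history) >= 3:  # need a few days before a baseline means anything
        mu = mean(history)
        threshold = max(mu + SIGMA * pstdev(history), mu + MIN_ABS_JUMP)
        verdict["baseline_mean"] = mu
        verdict["anomalous"] = today_n > threshold
    return verdict


def daily_report(log_text, today):
    """Assess every sender seen in the log for the given day."""
    counts = parse_daily_counts(log_text)
    return {s: assess_sender(d, today) for s, d in counts.items()}


def user_notice(verdict):
    """The end-user message proposed in the thread, built from relay-side data."""
    text = f"Message accepted. You have sent {verdict['today']} messages today."
    if verdict["over_hard_limit"] or verdict["anomalous"]:
        text += " If that seems wrong your computer may be infected; contact support."
    return text


def constructed_log():
    """Constructed sample, NOT real traffic: one week of history plus 'today'
    (Nov 17).  alice normally sends 3-5/day and sends 80 today; bob is steady;
    carol has never sent before and sends 120 messages x 10 recipients today."""
    days = ["Nov 10", "Nov 11", "Nov 12", "Nov 13",
            "Nov 14", "Nov 15", "Nov 16", "Nov 17"]
    profile = {  # sender: (messages per day, recipients per message)
        "alice@example.net": ([3, 5, 4, 3, 5, 4, 3, 80], 1),
        "bob@example.net": ([2, 1, 2, 2, 1, 2, 2, 2], 1),
        "carol@example.net": ([0, 0, 0, 0, 0, 0, 0, 120], 10),
    }
    lines, qid = [], 0
    for sender, (volumes, nrcpt) in profile.items():
        for day, n in zip(days, volumes):
            for _ in range(n):
                qid += 1
                lines.append(f"{day} 09:{qid % 60:02d}:00 mx postfix/qmgr[1212]: "
                             f"{qid:06X}: from=<{sender}>, size=1400, "
                             f"nrcpt={nrcpt} (queue active)")
    return "\n".join(lines)


if __name__ == "__main__":
    for sender, v in daily_report(constructed_log(), "Nov 17").items():
        print(sender, v, "->", user_notice(v))
```

In the constructed data alice is well under the 1,000 ceiling but far above her own baseline, bob is quiet, and carol trips the hard limit with no history at all; those are the two different signals the thread is talking about, and both are computed from the relay's own logs rather than from anything the end-user machine reports about itself.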
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg