At 13:20 2005-02-03 -0600, Pettit, Paul wrote:
> (for instance, you can't block them using a dial-up list type DNSBL,
> because the machine passing the message to your host is an actual ISP
> mailserver, not the user's own machine).
>
> Yes, blacklists aren't particularly effective against this
> chuff.
Well not sure where your getting your info from but my maillog and the
feedback from many other mail server admins seems to refute your stand.
I *DID* *NOT* say that blacklists are ineffective. What I said is that
they're ineffective for blocking zombie-spew being relayed via legitimate
ISPs (by CUSTOMERS of those ISPs) - that'd be the "this chuff" which was
outlined in the paragraphs preceeding my DNSBL comment.
Go grab another coffee and put less milk in it this time.
As for virii worms using the ISP's mail servers for relaying, not true.
Yes, the vast majority of viruses deliver directly from the infected host
to your MX. There are tens upon tens of thousands of viruses - every last
one of them doesn't do it's thing the exact same way as all the others.
I assure you, there are viruses which relay using either the mailserver for
the infected user or the mailservers associated with the email addresses
they're forging themselves to be from - while outbound SMTP servers are not
necessarily the same as the inbound ones (for small outfits, they often
are, but larger shops generally segregate them on performance grounds), and
the latter are the only ones which have a defined standard for identifying
in DNS, since such viruses are most often extracting addresses from saved
email, they've got access to headers right there. It's all pretty trivial
to do.
I am NOT confusing a bogus hostname provided in the SMTP EHLO greeting here
either. Here's an example set of received headers from malware using an
ISP mailserver:
Received: from mwinf0809.wanadoo.fr (smtp8.wanadoo.fr [193.252.22.23])
by **DELTED** (8.12.10/8.12.10) with ESMTP id i98KiF2O003931
for <**DELETED**>; Fri, 8 Oct 2004 13:44:16 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf0809.wanadoo.fr (SMTP Server) with SMTP
id 5113C180009E; Fri, 8 Oct 2004 22:44:06 +0200 (CEST)
Received: from djxmsy (Mix-Lyon-301-4-106.w193-250.abo.wanadoo.fr
[193.250.23.106])
by mwinf0809.wanadoo.fr (SMTP Server) with SMTP
id C587318000B7; Fri, 8 Oct 2004 22:43:27 +0200 (CEST)
From: "Microsoft Program Security Department"
<vzrrmsno(_at_)bulletin(_dot_)msdn(_dot_)net>
versus an infected system using the ISP relay associated with the user's
own ISP (but differing from the forged address):
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net
[207.69.200.243])
by **DELETED** (8.12.10/8.12.10) with ESMTP id i5N2Ynh9029005
for <**DELETED**>; Tue, 22 Jun 2004 19:34:49 -0700
Received: from user-uinj168.dialup.mindspring.com ([165.121.132.200]
helo=computer)
by maynard.mail.mindspring.net with smtp (Exim 3.33 #1)
id 1BcxWP-0003MS-00; Tue, 22 Jun 2004 22:29:57 -0400
From: Robin<wtlxpik(_at_)twics(_dot_)com>
I don't track the names of all the viruses, but one virus I specifically
recall made use of ISP mailservers to relay was Klez.
I've really got better things to do with my time than to rummage through
old message headers looking for examples to prove a statement. If you want
to maintain that viruses have never used ISP mailservers to relay
themselves, instead going direct to the recipient SMTP server, that's
fine. That won't change the reality of it however.
The SMTP server in the virii does it's own DNS look up for the target
domains MX record and then does the connection it's self.
Many do exactly this (which is why refusing connections from
dialup/broadband netblocks is effective in stopping the crap that does
this). I also employ a weighted score for number of received: headers -
only one means they submitted it directly to my MX, which means it didn't
relay through their own SMTP host, and that jacks up the score.
The point here is that the concept of relaying using a legitimate ISP
really isn't novel. Unwanted mail has already been arriving via legitimate
ISPs - now more of it is likely to be spam, rather than malware.
It's actually sort of good news when you think about it: insecure
establishments will be forced to secure their hosts (and/or filter for
malware and spam before relaying messages) or possibly find themselves on
DNS blocklists, and in turn, lose customers who tire of having their
legitimate email refused because their ISP isn't processing outbound mail.
It's not ideal (ideal would be no spam and no malware to begin with), but
it should lead to some improvements, esp among the larger ISPs which are
responsible for connecting so many of the clueless to the internet.
I'd prefer to not waste the CPU cycles in allowing these onto my server.
Which is why one uses DNSBLs to block the crap at the SMTP connection. No
argument there. Re-read my original post after you've had some coffee.
I'm a huge fan of DNSBLs - anyone who's been on this list for very long
should be aware of that.
As for prosecuting, unless you have deep pockets it's a waste of time
and money. All you need to do is look at how "effective" the courts have
Which is why I quoted "laws", much as you have quoted "effective". My
point in raising that was that those messages which manage to get through
DNSBLs and are tackled by the filters end up being potential material
evidence IF a case were ever to be pursued, whereas DNSBL entries in your
maillog are circumstantial at best, since no actual spam was received. I
did not indicate that bringing a legal action would in any way be feasable.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail