spf-discuss

Re: Re: "extreme SPF" scenario for ISPs: AOL

2004-02-03 15:35:08
On Tue, Feb 03, 2004 at 04:26:40PM -0600, Seth Goodman wrote:
| > [David Brodbeck]
| > Ironically, Comcast *already* blocks port 25, but only incoming.  They
| > don't want their customers running their own mail servers.
| 
| That is amazing.  Most of these hijacked boxes don't get their instructions
| via port 25, so it has no effect on the current epidemic of compromised home
| systems.

Check out what the spammers are doing at AOL.

From a guy who works there:
| We have essentially implemented port25 redirection on all of our
| outbound dial-up/dynamic IP space. But to my amazement, we are still
| getting reports of lots of connections from this space from people on
| this list. Thanks to some investigation from AlanB(_at_)digistar, I now have
| a better understanding of what is really happening. Here goes:
|
| 1. Spamster connects to a mail server he wishes to spam, for example,
| mta1.example.com.
| 2. Spamster forges his IP packets (software or router forgery) to say
| that the spamster's IP address is one of AOL's dynamic addresses, for
| example, ACBF28D5.ipt.aol.com [172.191.40.213].
| 3. mta1.example.com sends synack and other packets to
| ACBF28D5.ipt.aol.com [172.191.40.213] as that is what is contained in
| the inbound packets from the spamster.
| 4. These "return packets" go to the ACBF28D5.ipt.aol.com [172.191.40.213]
| address which is running a trojaned proxy-bot which is wired to proxy
| these packets back to the spamster's machine (perhaps directly or
| perhaps through other proxies). This completes the "connection".

So spammers are setting up an IP routing triangle just to spam.

Isn't that incredible?

Still, SPF would work in that situation.  If nobody vouches for the
dialup IP address, we're golden.

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/