spf-discuss

Re: first spf-enabled spam

2004-04-14 00:27:25
On Tue, 2004-04-13 at 20:31, David wrote:
> > No way to
> > avoid that unless the ISP requires SMTP AUTH (which is rare),
>
> Rare? Well, here in Spain what is rare is that any ISP does not use
> SMTP AUTH.
>
> > and even then,
> > a clever hacker could probably obtain the hacked person's login info
> > somehow...
>
> I think it's not possible for a virus to get the username/password
> from the hacked computer.

I'd have to disagree here.

I'm on the DSBL admin mailing list (trying to help out people having
trouble de-listing their servers from the DSBL.org open relay/proxy
listing system) and I can tell you that SMTP AUTH abuse is already in
widespread use by spammers. The most common technique is just to
brute-force guess passwords, as described at:

http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669

There's also been at least one case where a Yahoo! user had an open
relay that itself was configured to use SMTP AUTH as a client to
Yahoo!'s outgoing mail server, resulting in the listing of Yahoo!'s
server as a multihop open relay:

http://dsbl.org/message?13954231

As for a virus not being able to get SMTP AUTH passwords, you must be
forgetting about the very widespread virus "Swen", which popped up a
window and got the victim to type in their password for their POP
account. See:

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

This technique could easily be used to grab SMTP AUTH passwords too.

Cheers, Paul.
-- 
Paul Howarth <paul@city-fan.org>
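A defender's view of the password-guessing pattern Paul describes, as an added example that is not part of the original thread: a small detector over constructed Postfix/SASL-style log lines that flags an account whose SMTP AUTH login succeeded from a client IP that had just produced a burst of SASL failures. The log format, the thresholds and the function name are assumptions, not anything from the list archive.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a Postfix/Cyrus-SASL-like syslog format; not real server logs.
SAMPLE_LOG = """\
Apr 14 00:10:01 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
Apr 14 00:10:02 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
Apr 14 00:10:04 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
Apr 14 00:10:05 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
Apr 14 00:10:07 mx postfix/smtpd[1201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
Apr 14 00:10:09 mx postfix/smtpd[1201]: 7F3A2B1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Apr 14 00:12:30 mx postfix/smtpd[1207]: warning: dsl-1.example.net[203.0.113.9]: SASL LOGIN authentication failed
Apr 14 00:12:40 mx postfix/smtpd[1207]: 7F3A2C4: client=dsl-1.example.net[203.0.113.9], sasl_method=LOGIN, sasl_username=alice
"""

TS_FMT = "%b %d %H:%M:%S"  # syslog timestamp without a year; only relative times matter here
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ \S+: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
OK_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ \S+: \w+: client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)")


def find_auth_abuse(log_text, threshold=5, window_s=60):
    """Return (client_ip, username) pairs for each successful SASL login that
    was preceded, from the same client IP, by at least `threshold` failed
    attempts inside the previous `window_s` seconds (a guessed password)."""
    failures = defaultdict(deque)  # client ip -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            q = failures[m["ip"]]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:  # expire old failures
                q.popleft()
            continue
        m = OK_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            q = failures[m["ip"]]
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                hits.append((m["ip"], m["user"]))
    return hits
```

A hit is the signal to lock or re-credential the account rather than merely rate-limit the IP, since the password is now known to whoever guessed it.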

