David wrote:
I'm on the DSBL admin mailing list (trying to help out people having
trouble de-listing their servers from the DSBL.org open relay/proxy
listing system) and I can tell you that SMTP AUTH abuse is already in
widespread use by spammers. The most common technique is just to
brute-force guess passwords, as described at:
http://www.spamhaus.org/rokso/search.lasso?evidencefile=2669
Just out of curiosity, how did they know spammers were really using
SMTP AUTH? It looks like the spammers have found a vulnerability in
MS Exchange that allows relaying even when SMTP AUTH has failed,
but nothing indicates that they have really found a working
username/password by inspecting the user's computer.
The article lists the 276 username / password combinations tried. They must
have had logging turned on on a server hit by the spammer's password cracker
so they could see this.
On the other hand,
brute-force dictionary attacks have little chance of success in
real life and are easily detectable.
You'd be surprised how many systems have weak passwords. In particular, the
astonishing number of Exchange servers that will relay if you authenticate
with user "administrator" and NO PASSWORD. The DSBL test suite now includes
this combination in its relay tester.
As for a virus not being able to get SMTP AUTH passwords, you must be
forgetting about the very widespread virus "Swen", which popped up a
window and got the victim to type in their password for their POP
account. See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
True, but as far as I know this is the only effective way to get the
username/password from the user.
Depends on the mail client being used by the victim. Some hide the
username/password in the registry better than others.
Regards, Paul.
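The thread turns on two points: the password-guessing only became visible because a server had logging turned on, and a dictionary attack against SMTP AUTH is easy to spot once you look. As an added example that is not part of this thread, the Python below runs that detection over constructed mail-server log lines. The line format (Postfix-style "SASL ... authentication failed" warnings with a trailing sasl_username field), the sample IPs, and the thresholds are all assumptions for illustration; adapt the regexes to whatever your MTA (Exchange, sendmail, Postfix) actually logs. It flags a client that either fails too many times in a short window or cycles through many distinct usernames, which is the signature of the username list described in the Spamhaus evidence file, while leaving a single user who mistyped a password alone.

```python
"""Detect SMTP AUTH dictionary attacks in mail-server logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed Postfix/SASL-style format, not real data).
# 198.51.100.23 walks a username list within seconds; 203.0.113.8 is one user
# who mistypes a password twice; 192.0.2.77 fails twice, hours apart.
SAMPLE_LOG = """\
Jan 14 03:12:01 mx1 postfix/smtpd[2211]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=administrator
Jan 14 03:12:02 mx1 postfix/smtpd[2211]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=admin
Jan 14 03:12:03 mx1 postfix/smtpd[2211]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=postmaster
Jan 14 03:12:04 mx1 postfix/smtpd[2211]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=test
Jan 14 03:12:05 mx1 postfix/smtpd[2211]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=sales
Jan 14 03:12:06 mx1 postfix/smtpd[2211]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure, sasl_username=info
Jan 14 08:40:12 mx1 postfix/smtpd[2390]: warning: dsl-8.example.net[203.0.113.8]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Jan 14 08:40:30 mx1 postfix/smtpd[2390]: warning: dsl-8.example.net[203.0.113.8]: SASL LOGIN authentication failed: authentication failure, sasl_username=alice
Jan 14 09:01:00 mx1 postfix/smtpd[2401]: connect from dsl-8.example.net[203.0.113.8]
Jan 14 11:15:44 mx1 postfix/smtpd[2502]: warning: unknown[192.0.2.77]: SASL PLAIN authentication failed: authentication failure, sasl_username=bob
Jan 14 16:22:09 mx1 postfix/smtpd[2610]: warning: unknown[192.0.2.77]: SASL PLAIN authentication failed: authentication failure, sasl_username=bob
"""

# Matches the syslog timestamp and the client IP of an AUTH failure line.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9.]+)\]: SASL \w+ authentication failed"
)
# The username the client tried, when the MTA logs it (assumed field name).
USER_RE = re.compile(r"sasl_username=(\S+)")


def parse_failures(log_text):
    """Return (timestamp, client_ip, username_or_None) for each AUTH failure."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # connects, deliveries, etc. are not failures
        # Syslog timestamps carry no year; year 1900 is fine for time deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        um = USER_RE.search(line)
        events.append((ts, m.group("ip"), um.group(1) if um else None))
    return events


def detect_dictionary_attacks(events, window=timedelta(minutes=10),
                              max_failures=5, max_users=3):
    """Flag client IPs whose failure pattern looks like password guessing.

    A client is flagged when it produces `max_failures` or more failures inside
    any `window`-long span (brute force), or tries `max_users` or more distinct
    usernames overall (dictionary walk).  Thresholds are illustrative.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events, key=lambda e: e[0]):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        # Sliding window over the time-ordered attempts: peak failures per window.
        peak, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = {u for _, u in attempts if u}

        reasons = []
        if peak >= max_failures:
            reasons.append(f"{peak} failures within {int(window.total_seconds())}s")
        if len(users) >= max_users:
            reasons.append(f"{len(users)} distinct usernames tried")
        if reasons:
            flagged[ip] = {"failures": len(attempts),
                           "usernames": sorted(users), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for ip, report in detect_dictionary_attacks(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {report['failures']} failures; {'; '.join(report['reasons'])}")
        print(f"  usernames: {', '.join(report['usernames'])}")
```

Run as-is it reports only 198.51.100.23, on both counts; the two legitimate-looking hosts stay quiet because a real user repeats the same username and fails a few times, not dozens. On a busy server the username set is the more reliable signal, since a well-paced attacker can stay under any rate threshold you pick.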