Compliant spammers (II)

There's been a lot of traffic on NANOG about CNET's report about spammers sending to port 25 on the ISP mail server (start here). The consensus seems to be that this is old stuff and CNET just noticed:
From: Suresh Ramasubramanian
Date: Thu Feb 03 07:13:18 2005

On Thu, 3 Feb 2005 11:42:55 +0000, Michael.Dillon@radianz.com wrote:
> http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
> that botnets are now routing their mail traffic through the local
> ISP's mail servers rather than trying their own port 25
> connections.

Now?  We (and AOL, and some other large networks) have been seeing
this thing go on for over a year.

> Do you let your customers send an unlimited number of
> emails per day? Per hour? Per minute? If so, then why?

Doing that - especially now when this article has hit the popular
press and there's going to be lots more people doing the same thing -
is going to be the equivalent of hanging out a "block my email" sign.

One additional thing that I think wasn't mentioned in the article -
Make sure your MXs (inbound servers) are separate from your outbound
machines, and that the MX servers don't relay email for your dynamic IP
netblock. Some other trojans do stuff like getting the ppp domain name
/ rDNS name of the assigned IP etc and then "nslookup -q=mx
domain.com", then set itself up so that all its payloads get delivered
out of the domain's MX servers.

This kind of stuff is just really hard to stop.
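
As an added example (not part of the original post or the NANOG message), the sketch below audits mail logs for the two conditions the message raises: an inbound MX relaying outward for the dynamic IP netblock, and customers pushing high volumes through the outbound server. The log format, host names, address pool, domains and threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Everything below is constructed for illustration: the address pool, domains,
# host roles, log format and threshold are assumptions, not real ISP data.
DYNAMIC_POOL = ipaddress.ip_network("198.51.100.0/24")   # dial-up/DSL customers
LOCAL_DOMAINS = {"isp.example"}                          # domains the MX accepts
HOST_ROLE = {"mx1": "inbound", "smtp1": "outbound"}
HOURLY_LIMIT = 3                                         # kept low for the sample

SAMPLE_LOG = """\
2005-02-03T07:00:01 mx1 client=198.51.100.23 to=<x@elsewhere.example> status=sent
2005-02-03T07:00:05 mx1 client=198.51.100.23 to=<bob@isp.example> status=sent
2005-02-03T07:01:10 mx1 client=203.0.113.9 to=<bob@isp.example> status=sent
2005-02-03T07:02:00 mx1 client=198.51.100.40 to=<y@elsewhere.example> status=rejected
2005-02-03T07:10:00 smtp1 client=198.51.100.77 to=<a@elsewhere.example> status=sent
2005-02-03T07:10:01 smtp1 client=198.51.100.77 to=<b@elsewhere.example> status=sent
2005-02-03T07:10:02 smtp1 client=198.51.100.77 to=<c@elsewhere.example> status=sent
2005-02-03T07:10:03 smtp1 client=198.51.100.77 to=<d@elsewhere.example> status=sent
2005-02-03T07:30:00 smtp1 client=198.51.100.12 to=<e@elsewhere.example> status=sent
"""

def parse(line):
    """Split one constructed log line into a record with typed fields."""
    ts, host, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=ts, host=host, client=ipaddress.ip_address(rec["client"]))
    rec["rcpt_domain"] = rec["to"].strip("<>").rsplit("@", 1)[-1].lower()
    return rec

def audit(log_text):
    """Return (relays through the MX, senders over the hourly limit)."""
    mx_relays, per_hour = [], Counter()
    for line in filter(str.strip, log_text.splitlines()):
        r = parse(line)
        if r["client"] not in DYNAMIC_POOL or r["status"] != "sent":
            continue
        role = HOST_ROLE.get(r["host"])
        # An inbound MX should only accept mail for local domains; a dynamic-pool
        # client getting mail out to another domain means the MX is relaying.
        if role == "inbound" and r["rcpt_domain"] not in LOCAL_DOMAINS:
            mx_relays.append((r["host"], str(r["client"]), r["rcpt_domain"]))
        elif role == "outbound":
            per_hour[(str(r["client"]), r["ts"][:13])] += 1   # bucket by hour
    over_limit = {k: n for k, n in per_hour.items() if n > HOURLY_LIMIT}
    return mx_relays, over_limit

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The rejected line for 198.51.100.40 is the behaviour a correctly configured MX should show; only the accepted external delivery is reported.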

4 Comments

Old trick it may be, but it's about to become a LOT more prevalent; as Brian McWilliams reports at http://spamkings.oreilly.com/archives/2005/02/proxy_lock_emai.html , Send-Safe (the biggest spamware tool) has just added support for it.

(I didn't post this on NANOG, because it's off-charter there btw. Unfortunately, NANOG isn't a great place to pick up reliable spam-related info as a result.)

Thanks. Can you suggest a good mailing list for spam info?

Goodman & Rounthwaite had a good paper in EC on mechanisms for stopping outgoing spam on the ISP side, focusing on the incentives of the spammers. (They focus especially on email service providers that provide free e-mail.)

They show that limiting messages on a time basis is unlikely to work: spammers usually get to send about 1000 messages before their account is terminated as spam, so this just makes them get there more slowly or set up accounts in parallel rather than in series. Their solution is to provide a cost (computational challenges or HIPs) for the first, say, 100 messages, and then never again. This works about as well as imposing the cost forever because spammers (but not legitimate users) get caught after 1000 messages.

It's a bit off-topic, but pretty interesting.

Paper here: http://research.microsoft.com/~joshuago/outgoingspam-final-submit.pdf

The good antispam mailing lists I know of are Spam-L: http://www.claws-and-paws.com/spam-l/spam-l.html#subscribe and spam-research: https://linuxbox.org/cgi-bin/mailman/listinfo/spam .

The latter seems quite useful, I've just come across it recently, but the members are clueful and volume low. Spam-L has a few vocal members, so a pinch of salt may be necessary; but there's clueful people there too.

The ASRG list and IETF lists are to be avoided; they're a wingnut-magnet.
