February 2, 2005
More compliant spammers
CNET reports that spam zombies have started to send mail through ISP mail servers rather than sending it directly. Many ISPs block direct outgoing port 25 connections, so this ought to circumvent that kind of block. I'm no expert on how spammers operate, but I'm actually kind of surprised to hear that zombies haven't always done this.
Posted by ekr at February 2, 2005 7:07 PM
Comments
That's spammers for you ;)
Consider it -- there are no records in DNS indicating that a given IP address is the outbound SMTP relay for another given IP. It's not as simple as looking up an MX.
A spammer doesn't have full control over the zombie -- typically they just have control of it as a proxy ("connect to this address:port", "relay this data", "close the connection").
Posted by: Justin Mason at February 2, 2005 7:21 PM
Can't the spammers just look in the registry or whatever to see what Outlook uses?
Posted by: EKR at February 2, 2005 7:27 PM
They aren't doing it yet -- but the Swen virus did, IIRC, and I'm expecting it to start happening with compromised machines soon...
It'll take a new version of the trojan/proxy software that the worms are installing; and getting that written and deployed across enough machines takes a lot of work, as far as I can tell. I've heard no signs of it showing up yet.
Posted by: Justin Mason at February 2, 2005 10:46 PM
Actually, this is a good thing, but I doubt that much spam will be sent this way. When spam sent by your customers is clogging their mail servers, it's much harder for the ISPs to look the other way.
Most ISPs have deployed the technology that enables them to detect outgoing direct-to-MX spam these days, but they deliberately choose not to act upon this data because they would lose too much money.
Posted by: Florian Weimer at February 3, 2005 6:47 AM