3 Feb 20:20
RE: New types of Trojans coming
Pettit, Paul <ismanager <at> ccbnpts.com>
2005-02-03 19:20:39 GMT
> -----Original Message-----
> From: Sean B. Straw
>
> At 18:16 2005-02-03 +0100, Dallman Ross did say:
> >http://news.zdnet.com/2100-1009_22-5560664.html
> >
> >Precis: Spam levels expected to rise with suddenness
> >soon, as blacklists become less effective.
>
> Er, spammers have been using trojans for a while now already. Yes,
> traditionally, the user's own PC is converted into a mail server and it
> delivers mail directly. With some large ISPs (earthlink comes to mind)
> blocking outgoing SMTP originating from user systems, this technique isn't
> very effective.
>
> However, viruses have for some time used the user's own ISP mail server (or
> at least that of the forged address snarfed from their saved email) to
> deliver messages, thereby lending some apparent legitimacy to the message
> (for instance, you can't block them using a dial-up list type DNSBL,
> because the machine passing the message to your host is an actual ISP
> mailserver, not the user's own machine).
>
> Yes, blacklists aren't particularly effective against this chuff.

Well, not sure where you're getting your info from, but my maillog and the feedback from many other mail server admins seem to refute your stand. We block literally thousands of emails on a weekly basis using those same DNSBL lists. Sendmail configured to use the 'dnsbl' FEATURE with one or more lists is a highly effective method of spam stomping. These lists don't care what address there is on the inbound email, only what IP address was given by the relays (or the server itself) as to where it was coming from.

As for virii/worms using the ISP's mail servers for relaying, not true. The SMTP server in the virii does its own DNS lookup for the target domain's MX record and then does the connection itself. You might be confusing 'zombie' spam with spam sent from spam servers that have not been identified or those dynamic IP ranges that were missed. Once identified, it's rare you see mail from that IP again once they are on the list(s).

> Ironically, effective post-reception filters are still successful
> at eliminating virtually all the spam,

No more so than a good 'dnsbl' setup at the MTA level is/was. In fact it's best to do both so your bases are covered. The funny thing is that one of the most popular post-reception filters (SpamAssassin) uses DNSBL lists also, and I'm sure a few others do as well. So they too will be affected by this since they look for the same info, and it will no longer be as effective or useful as it was before.

> but once they've brought the crap INTO my server is when I get especially
> pissed about it - the messages rejected during the SMTP connection have a
> minimal impact - they don't generate a lot of net traffic or CPU load
> (though gobs and gobs of them can still borderline a DoS). once you've
> forced your way into my mail host, you're providing me with further
> identifiable information - complete headers, URLs in the spew, etc - which
> can be used to identify the spammer. Plus, for those areas which have
> anti-spam "laws" (such as they are), actually having the spam in hand is a
> crucial part of being able to prosecute them - rejecting a billion SMTP
> connections based on the originating IP wouldn't prove to be concrete
> evidence that those POTENTIAL messages would have actually been spam.

I'd prefer to not waste the CPU cycles in allowing these onto my server. MTA-level rejecting is the best method in dealing with spam. The amount of load for doing a 'REJECT' is far less than letting them in and having other filters work on each message. True that some do come through anyway, but you want to kill spam in stages and not let just one filter deal with it all. Think of it as lines of defense where each message must get through them all before it arrives at a mailbox.

As for prosecuting, unless you have deep pockets it's a waste of time and money. All you need to do is look at how "effective" the courts have been at enforcing the few monetary judgments. I think they are 1 for 2 right now. This only after a ton of money on lawyers was spent.

Sorry, but no thanks, I'll just keep nuking spam at the gate.

Paul Pettit
CTO and IS Manager
Consistent Computer Bargains Inc.

I've heard it said that the proof of lunacy is when you repeat the same steps expecting different results. I say it's proof that you're a Microsoft user.
- comment by deshi777 on experts-exchange.com
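The connection-time DNSBL check Paul describes (the MTA consults the connecting peer's IP, never the address on the message, and rejects before DATA), as an added example that is not from the thread and not sendmail's own code. It assumes a constructed lookup table standing in for the list's DNS answers, a hypothetical zone name `dnsbl.example`, and IPv4 peers only.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a DNSBL's DNS answers (not a real list, not real data):
# a listed IP resolves to an address in 127.0.0.0/8; an unlisted IP gets no answer.
FAKE_ZONE: Dict[str, str] = {
    "4.2.0.192.dnsbl.example": "127.0.0.2",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the four octets and append the list's zone: 192.0.2.4 -> 4.2.0.192.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not a plain IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for an A-record lookup, answered from the constructed zone above."""
    return FAKE_ZONE.get(name)


def is_listed(ip: str, zone: str, resolve: Resolver = fake_resolve) -> bool:
    """True only for a genuine listing answer (an address inside 127.0.0.0/8).

    A dead or expired list can start answering every query with an unrelated
    address; treating anything outside 127.0.0.0/8 as "not listed" keeps such a
    zone from rejecting all inbound mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


def connect_decision(peer_ip: str, zones: List[str], resolve: Resolver = fake_resolve) -> str:
    """Decide at SMTP connect time, before any message data is accepted.

    Only the connecting peer's address is consulted, never the sender address
    in the message, which is why a forged From: does not get around it."""
    if ipaddress.IPv4Address(peer_ip).is_loopback:
        return "220 ok"  # never query a list for local submissions
    for zone in zones:
        if is_listed(peer_ip, zone, resolve):
            return f"550 5.7.1 Connection from {peer_ip} rejected; listed in {zone}"
    return "220 ok"
```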