Re: New types of Trojans coming

At 21:56 2005-02-03 +0100, Dallman Ross wrote:

>But, look: if a worm or zombie spam now gets sent by the virtual
>server coded into the Trojan/zombie/worm program itself, it's one
>thing.  The mail typically arrives at the recipient's server with
>a fake server name and very few Received headers.

_typically_ (i.e. MOST malware) yes.  There's a small number that relay 
through legit ISP SMTP hosts (and no, not your own inbound servers).  Not 
forged EHLO either.  It isn't a new technique there, and since spammers 
have been shifting towards virus/trojan applications to take over computers 
for bandwidth, address lists, and obfuscating the true source of the spam, 
this "new" twist with spam should come as no surprise since it's already 
been employed with viruses.

>the ISP's usual channels, then the heuristic for identifying it
>gets a bit tougher.  That's what caught my interest.

The heuristic to catch the message via header-only criteria would be very 
difficult indeed.  IIRC, SA spots forged Outbreak headers - that may be 
something to check for with spam relaying.

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.
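As an added illustration of the point made in this exchange (not code from the list or from SpamAssassin), the script below applies the kind of header-only heuristic the reply says is hard to get right: it parses the `Received:` trail of a message, counts parseable hops, and flags a hop whose HELO/EHLO name disagrees with the reverse DNS name the receiving MTA recorded. Both sample messages, the hostnames and addresses in them, and the `min_hops` threshold are constructed for this example. The first sample is delivered straight from a compromised host with a forged HELO and a single hop; the second takes the route discussed in the thread, through the ISP's own outbound SMTP host with an honest HELO, and the heuristic stays silent on it.

```python
"""Header-only spam heuristic (added example; constructed samples).

Flags the direct-to-MX pattern (forged HELO, very few Received hops) and
shows why mail relayed through a legitimate ISP outbound host slips past.
"""
import re
from email import message_from_string
from email.message import Message

# Matches the usual "from <helo> (<rdns> [<ip>])" clause written by the
# receiving MTA. rDNS may be empty, e.g. "from host ([192.0.2.1])".
_RECV_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]",
    re.IGNORECASE,
)

# Constructed sample 1: bot sends directly to the recipient's MX, announcing
# a HELO name that does not match the rDNS of the dial-up address it uses.
BOT_DIRECT = """Received: from mx.bigmail.example (dsl-1-2-3-4.isp.example [192.0.2.45])
\tby mx.recipient.example with ESMTP id abc123;
\tThu, 3 Feb 2005 21:56:00 +0100
From: sender@bigmail.example
To: victim@recipient.example
Subject: hi

body
"""

# Constructed sample 2: same bot relays through the ISP's outbound SMTP host,
# so the hop the recipient sees looks exactly like legitimate customer mail.
ISP_RELAY = """Received: from smtp-out3.isp.example (smtp-out3.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tThu, 3 Feb 2005 21:57:00 +0100
Received: from dsl-1-2-3-4.isp.example (dsl-1-2-3-4.isp.example [192.0.2.45])
\tby smtp-out3.isp.example with ESMTP id ghi789;
\tThu, 3 Feb 2005 21:56:30 +0100
From: sender@isp.example
To: victim@recipient.example
Subject: hi

body
"""


def parse_received(msg: Message) -> list[dict]:
    """Return one dict per Received header that carries a parseable hop."""
    hops = []
    for hdr in msg.get_all("Received", []):
        unfolded = " ".join(hdr.split())  # collapse folded continuation lines
        m = _RECV_RE.search(unfolded)
        if m:
            hops.append({
                "helo": m.group("helo").lower(),
                "rdns": m.group("rdns").lower(),
                "ip": m.group("ip"),
            })
    return hops


def helo_matches_rdns(helo: str, rdns: str) -> bool:
    """True when the HELO name equals the rDNS name or shares its parent domain."""
    if helo == rdns:
        return True
    parent = rdns.split(".", 1)[-1]
    return helo.endswith("." + parent)


def score_headers(raw: str, min_hops: int = 2) -> dict:
    """Apply the two header-only checks and return hop count plus reasons."""
    hops = parse_received(message_from_string(raw))
    reasons = []
    if len(hops) < min_hops:
        reasons.append(f"only {len(hops)} parseable Received hop(s)")
    for hop in hops:
        # Skip hops where the MTA recorded no rDNS name at all.
        if hop["rdns"] and not helo_matches_rdns(hop["helo"], hop["rdns"]):
            reasons.append(
                f"HELO {hop['helo']} != rDNS {hop['rdns']} ({hop['ip']})"
            )
    return {"hops": len(hops), "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("direct", BOT_DIRECT), ("isp-relay", ISP_RELAY)):
        print(label, score_headers(sample))
```

Running it prints two reasons for the direct sample and none for the relayed one: once the mail has passed through the ISP's legitimate outbound host, nothing in the headers alone separates it from the ISP's ordinary customer traffic, which is why content scoring and rate limiting at the ISP's submission host carry the load in that case.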