RE: New types of Trojans coming

At 13:20 2005-02-03 -0600, Pettit, Paul wrote:
> > (for instance, you can't block them using a dial-up list type DNSBL,
> > because the machine passing the message to your host is an actual ISP
> > mailserver, not the user's own machine).
> >
> > Yes, blacklists aren't particularly effective against this
> > chuff.
>
>Well not sure where you're getting your info from but my maillog and the
>feedback from many other mail server admins seems to refute your stand.

I *DID* *NOT* say that blacklists are ineffective.  What I said is that 
they're ineffective for blocking zombie-spew being relayed via legitimate 
ISPs (by CUSTOMERS of those ISPs) - that'd be the "this chuff" which was 
outlined in the paragraphs preceding my DNSBL comment.

Go grab another coffee and put less milk in it this time.

>As for virii worms using the ISP's mail servers for relaying, not true.

Yes, the vast majority of viruses deliver directly from the infected host 
to your MX.  There are tens upon tens of thousands of viruses - every last 
one of them doesn't do its thing the exact same way as all the others.

I assure you, there are viruses which relay using either the mailserver for 
the infected user or the mailservers associated with the email addresses 
they're forging themselves to be from - while outbound SMTP servers are not 
necessarily the same as the inbound ones (for small outfits, they often 
are, but larger shops generally segregate them on performance grounds), and 
the latter are the only ones which have a defined standard for identifying 
in DNS, since such viruses are most often extracting addresses from saved 
email, they've got access to headers right there.  It's all pretty trivial 
to do.

I am NOT confusing a bogus hostname provided in the SMTP EHLO greeting here 
either.  Here's an example set of received headers from malware using an 
ISP mailserver:

Received: from mwinf0809.wanadoo.fr (smtp8.wanadoo.fr [193.252.22.23])
         by **DELTED** (8.12.10/8.12.10) with ESMTP id i98KiF2O003931
         for <**DELETED**>; Fri, 8 Oct 2004 13:44:16 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
         by mwinf0809.wanadoo.fr (SMTP Server) with SMTP
         id 5113C180009E; Fri,  8 Oct 2004 22:44:06 +0200 (CEST)
Received: from djxmsy (Mix-Lyon-301-4-106.w193-250.abo.wanadoo.fr 
[193.250.23.106])
         by mwinf0809.wanadoo.fr (SMTP Server) with SMTP
         id C587318000B7; Fri,  8 Oct 2004 22:43:27 +0200 (CEST)
From: "Microsoft Program Security Department" <vzrrmsno <at> bulletin.msdn.net>

versus an infected system using the ISP relay associated with the user's 
own ISP (but differing from the forged address):

Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net 
[207.69.200.243])
         by **DELETED** (8.12.10/8.12.10) with ESMTP id i5N2Ynh9029005
         for <**DELETED**>; Tue, 22 Jun 2004 19:34:49 -0700
Received: from user-uinj168.dialup.mindspring.com ([165.121.132.200] 
helo=computer)
         by maynard.mail.mindspring.net with smtp (Exim 3.33 #1)
         id 1BcxWP-0003MS-00; Tue, 22 Jun 2004 22:29:57 -0400
From: Robin<wtlxpik <at> twics.com>

I don't track the names of all the viruses, but one virus I specifically 
recall made use of ISP mailservers to relay was Klez.

I've really got better things to do with my time than to rummage through 
old message headers looking for examples to prove a statement.  If you want 
to maintain that viruses have never used ISP mailservers to relay 
themselves, instead going direct to the recipient SMTP server, that's 
fine.  That won't change the reality of it however.

>The SMTP server in the virii does its own DNS look up for the target
>domain's MX record and then does the connection itself.

Many do exactly this (which is why refusing connections from 
dialup/broadband netblocks is effective in stopping the crap that does 
this).  I also employ a weighted score for number of received: headers - 
only one means they submitted it directly to my MX, which means it didn't 
relay through their own SMTP host, and that jacks up the score.

The point here is that the concept of relaying using a legitimate ISP 
really isn't novel.  Unwanted mail has already been arriving via legitimate 
ISPs - now more of it is likely to be spam, rather than malware.

It's actually sort of good news when you think about it: insecure 
establishments will be forced to secure their hosts (and/or filter for 
malware and spam before relaying messages) or possibly find themselves on 
DNS blocklists, and in turn, lose customers who tire of having their 
legitimate email refused because their ISP isn't processing outbound mail.

It's not ideal (ideal would be no spam and no malware to begin with), but 
it should lead to some improvements, esp among the larger ISPs which are 
responsible for connecting so many of the clueless to the internet.

>I'd prefer to not waste the CPU cycles in allowing these onto my server.

Which is why one uses DNSBLs to block the crap at the SMTP connection.  No 
argument there.  Re-read my original post after you've had some coffee.

I'm a huge fan of DNSBLs - anyone who's been on this list for very long 
should be aware of that.

>As for prosecuting, unless you have deep pockets it's a waste of time
>and money. All you need to do is look at how "effective" the courts have

Which is why I quoted "laws", much as you have quoted "effective".  My 
point in raising that was that those messages which manage to get through 
DNSBLs and are tackled by the filters end up being potential material 
evidence IF a case were ever to be pursued, whereas DNSBL entries in your 
maillog are circumstantial at best, since no actual spam was received.  I 
did not indicate that bringing a legal action would in any way be feasible.

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.
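Added example, not code from the message or from the procmail project: a small Python check modelled on the Received-header counting described above, run over header sets adapted from the message (the recipient-side names, the `example.invalid` placeholders and the scoring weight are constructed/assumed, not the author's).

```python
import re

# Constructed sample input, adapted from the first header set quoted in the
# message above (recipient side replaced with placeholder names).
RELAYED = """\
Received: from mwinf0809.wanadoo.fr (smtp8.wanadoo.fr [193.252.22.23])
         by mx.example.invalid (8.12.10/8.12.10) with ESMTP id i98KiF2O003931
         for <user@example.invalid>; Fri, 8 Oct 2004 13:44:16 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
         by mwinf0809.wanadoo.fr (SMTP Server) with SMTP
         id 5113C180009E; Fri,  8 Oct 2004 22:44:06 +0200 (CEST)
Received: from djxmsy (Mix-Lyon-301-4-106.w193-250.abo.wanadoo.fr [193.250.23.106])
         by mwinf0809.wanadoo.fr (SMTP Server) with SMTP
         id C587318000B7; Fri,  8 Oct 2004 22:43:27 +0200 (CEST)
"""
# Constructed one-hop sample: the infected host connected straight to our MX.
DIRECT = """\
Received: from computer (user-uinj168.dialup.mindspring.com [165.121.132.200])
         by mx.example.invalid (8.12.10/8.12.10) with ESMTP id i5N2Ynh9029005
         for <user@example.invalid>; Tue, 22 Jun 2004 19:34:49 -0700
"""

FROM_RE = re.compile(r"^Received:\s*from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)

def received_hops(raw):
    """Unfold RFC 2822 continuation lines, then return the Received: headers
    top-down: index 0 is the hop nearest us, the last one is the origin."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [l for l in unfolded.splitlines() if l.lower().startswith("received:")]

def originating_hop(raw):
    """HELO name and bracketed IP of the earliest hop (what a dial-up DNSBL
    would be consulted about), or None when no usable Received: header exists."""
    hops = received_hops(raw)
    m = FROM_RE.match(hops[-1]) if hops else None
    return (m.group(1), m.group(2)) if m else None

def hop_score(raw, direct_weight=3):
    """Weighted score in the spirit of the author's rule: a single Received:
    header means the sender hit our MX directly instead of relaying through its
    own ISP's outbound host. The weight 3 is an assumed value, not the author's."""
    hops = received_hops(raw)
    if len(hops) == 1:
        return direct_weight, ["one Received: header (direct submission to MX)"]
    return 0, []
```

The relayed sample scores 0 under this rule even though its origin is a dial-up host, which is exactly the gap the message describes: the connecting peer is the ISP's mailserver, so only a check on the earliest hop (not the connecting IP) can see it.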
