Re: New types of Trojans coming

At 17:25 2005-02-03 -0500, Robert Arnold wrote:

>This solution of smtp authentication assumes that creating accounts with
>the given provider is secure against fraudulent signups. If fraudulent

That's a matter between the ISP and their customer base.  The point of 
using SMTP Auth is that only customers have access to your 
mailserver.  Sure, the login can be compromised - but it tracks directly to 
a customer, and can be independently disabled.

I wish ISPs would adopt a "we're going to charge your credit card if you 
send spam" policy.  Right there on your signup.

>account signups can be easily scripted/automated,

Uh, I'm not talking about Yahoo, Hotmail, and other freemail 
providers.  I'm talking about real ISPs, providing dialup lines, 
etc.  There needs to be more accountability.  Heck, if ISPs maintained a 
list of deadbeat customers, tracking names associated with credit cards 
(and, say, the verifiable billing addresses associated with same), there 
could be an ISP blacklist to keep problematic users from signing up for 
accounts with ISPs which want to stick to reputable users.

>25).  What's more, this allows the possibility (and already practiced)
>spamming vector of:
>
>          A) Spammer signs up fraudulent account

Solution: ISP requires use of credit card or electronic cheque for 
signup.  Sure, they can use stolen materials -- but that handily turns 
their offence from some vague and hardly prosecutable "spam" thing into a 
very real credit card fraud and/or identity theft matter, where the 
authorities may take more of a direct interest in prosecuting someone.

>          B) Spammer then spews from numerous zombie hosts through
>             provider's ASMTP rotor using fraudulent login,

... which could be disabled at will by the ISP once they realize there's a 
spam situation.  This beats the turd out of relaying for everything that 
has a From: at the domain (regardless of who is ACTUALLY sending 
it).  Further, since SMTP AUTH is generally database driven, it wouldn't be 
too much of a chore to manipulate that database based on criteria as I 
mention below...

>        'random zombie host' -> 'provider's ASMTP server' -> Internet

Some hosting services "throttle" mail.  Now, this technique could be 
morphed into one which limits the number of remote IP addresses which can 
be used by a single account in some time span.  An excess of messages 
and/or varying IPs triggers an account lock.  Likewise, an excess of NDNs 
could trigger an account lock.

As already indicated, this is running far afield of procmail at this point.

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.
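The per-account lock sketched in the message above (too many distinct client IPs, too many messages, or too many bounces within a time span), as an added example that is not from the original post and not procmail code; the log line format, thresholds and account names are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not any real MTA's):
# "<ISO timestamp> <account> <client IP> <event>", event is SEND or NDN.
SAMPLE_LOG = """\
2005-02-03T17:30:00 alice 203.0.113.5 SEND
2005-02-03T17:32:00 bob 198.51.100.7 SEND
2005-02-03T17:32:10 bob 198.51.100.8 SEND
2005-02-03T17:32:20 bob 198.51.100.9 SEND
2005-02-03T17:32:30 bob 192.0.2.44 SEND
2005-02-03T17:33:00 carol 203.0.113.9 SEND
2005-02-03T17:33:05 carol 203.0.113.9 NDN
2005-02-03T17:33:10 carol 203.0.113.9 NDN
2005-02-03T17:33:15 carol 203.0.113.9 NDN
"""

WINDOW = timedelta(minutes=10)   # time span the counts are evaluated over
MAX_IPS = 3          # distinct client IPs allowed per account in WINDOW
MAX_MESSAGES = 100   # messages allowed per account in WINDOW
MAX_NDNS = 2         # bounces (NDNs) allowed per account in WINDOW

def parse(log):
    """Yield (timestamp, account, ip, event) tuples from the log text."""
    for line in log.splitlines():
        ts, account, ip, event = line.split()
        yield datetime.fromisoformat(ts), account, ip, event

def accounts_to_lock(log, window=WINDOW):
    """Return {account: reason} for accounts that exceed a threshold within
    any sliding window of length `window`; older events are dropped first."""
    history = defaultdict(list)   # account -> [(ts, ip, event), ...]
    locked = {}
    for ts, account, ip, event in parse(log):
        recent = [e for e in history[account] if ts - e[0] <= window]
        recent.append((ts, ip, event))
        history[account] = recent
        if account in locked:
            continue
        ips = {e[1] for e in recent if e[2] == "SEND"}
        sends = sum(1 for e in recent if e[2] == "SEND")
        ndns = sum(1 for e in recent if e[2] == "NDN")
        if len(ips) > MAX_IPS:
            locked[account] = f"{len(ips)} client IPs in {window}"
        elif sends > MAX_MESSAGES:
            locked[account] = f"{sends} messages in {window}"
        elif ndns > MAX_NDNS:
            locked[account] = f"{ndns} bounces in {window}"
    return locked
```

On the sample log, `accounts_to_lock(SAMPLE_LOG)` locks bob for sending from four client IPs within ten minutes and carol for three bounces, while alice is untouched.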