Darin,
I would pretty much skip over #1 except for some obvious things like
not allowing the username to be the password, and having a minimum
length of 4 or more characters. I think that hackers of this type can
get the passwords pretty much no matter how hard they are to unencode
in brute force fashion (which is what strong passwords are designed
for). Companies like IMail need to also stop using default passwords
because they represent a significant vulnerability.
As far as #2 goes, this is definitely what needs to be done. Just like
port 587 support is now becoming common among mail servers, abuse
detection (volume monitoring) will also likely become common within the
next two to three years. For the time being though, even services like
Yahoo and Hotmail which are commonly abused, lack sufficient mechanisms
to detect hacked and abused accounts. Once you limit the number of
messages that a single account can send to less than 1,000 a day, they
are next to useless for a spammer due to the volume that they require.
Even if you aren't worried about your AUTH being hacked there is plenty
of reason for concern among ISPs since it is not that uncommon for a
customer to just assume that they can bulk mail from your server.
Matt
Darin Cox wrote:
So the upshot of this is we need to:
1. Figure out a way to enforce strong passwords for mail users, and
2. Monitor traffic for individual user accounts on an intra-day basis, perhaps even have a means of detecting sharp increases in traffic from a particular account and alerting an admin to investigate. We do review a daily report the following morning of traffic by domain, but don't have anything in place to monitor by account, or to alert on an intra-day basis.
Something to look into...
Darin.
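The per-account volume monitoring Matt and Darin describe (a hard daily ceiling near 1,000 messages plus an alert on a sharp intra-day rise), as an added Python example that is not from this thread or from any product mentioned in it. The log line format, the thresholds and the three sample accounts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

DAILY_CAP = 1000      # per-account recipients per day; the thread's suggested ceiling
SPIKE_FACTOR = 5      # hourly volume this many times the earlier hours' average
MIN_SPIKE = 50        # ignore "spikes" below this many recipients in the hour

def parse_line(line):
    """Parse one constructed log line: '<date> <time> AUTH user=<acct> rcpts=<n>'."""
    stamp, rest = line.split(" AUTH ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return when, fields["user"], int(fields["rcpts"])

def hourly_volume(lines):
    """Recipient count per authenticated account per hour of the day."""
    vol = defaultdict(lambda: defaultdict(int))
    for line in lines:
        when, user, rcpts = parse_line(line)
        vol[user][when.hour] += rcpts
    return vol

def find_abuse(lines):
    """Return (account, reason, detail) alerts for cap breaches and sharp rises."""
    alerts = []
    for user, hours in hourly_volume(lines).items():
        total = sum(hours.values())
        if total >= DAILY_CAP:
            alerts.append((user, "daily-cap", total))
        seen = []  # counts of the hours already processed, used as the baseline
        for hour in sorted(hours):
            count = hours[hour]
            if seen:
                baseline = max(sum(seen) / len(seen), 1)
                if count >= MIN_SPIKE and count >= SPIKE_FACTOR * baseline:
                    alerts.append((user, "spike", hour))
            seen.append(count)
    return alerts

def sample_log():
    """Constructed sample: alice is steady, bob bursts at 13:00, carol passes the cap."""
    lines = []
    for hour in range(8, 18):
        lines += [f"2005-11-16 {hour:02d}:{m:02d}:00 AUTH user=alice@example.com rcpts=3" for m in range(0, 40, 10)]
        lines += [f"2005-11-16 {hour:02d}:{m:02d}:00 AUTH user=carol@example.com rcpts=25" for m in range(0, 60, 12)]
    lines += [f"2005-11-16 {hour:02d}:05:00 AUTH user=bob@example.com rcpts=10" for hour in range(8, 13)]
    lines += [f"2005-11-16 13:{m:02d}:00 AUTH user=bob@example.com rcpts=40" for m in range(0, 50, 5)]
    return lines
```

Running `find_abuse(sample_log())` flags carol for the daily cap (1,250 recipients) and bob for the 13:00 spike, while alice's steady low volume raises nothing.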
----- Original Message -----
Sent: Wednesday, November 16, 2005 6:18 PM
Subject: Re: [Declude.JunkMail] OT: another SOBERing thought
Hmm, who would have thunk?
Subject: Re: [Declude.JunkMail] SPF Success
Date 12/24/2004 9:24 AM
http://www.mail-archive.com/declude.junkmail@declude.com/msg22584.html
IMO, the best way to stop forging is to stop zombie spammers. The way
to do this is FIRST implement port 587 as AUTH-only, and then widely
block port 25. This means that mail clients would exclusively use AUTH
on private networks and connect to their mail server on port 587 where
only AUTHed connections would be allowed. Then only servers would
share non-AUTH E-mail on port 25. The only reason why blocking port 25
is not very common currently is because it is severely limiting to
customers and would cause support issues for the ISP. If you first did
the migration to port 587 AUTH-only connections, which would take
several years to accomplish in good order, ISPs could move forward
with port 25 blocking and cause many fewer issues as far as support and
their clients were concerned.
Basically what I am saying is that forging isn't the issue, it's spam
zombies, and to go after it as a forging issue is to miss the point.
The big caveat here is that spammers will turn to hacking AUTH in much
larger numbers, and E-mail server software should also widely implement
a 'hijack' detection mechanism in order to help stem the abuse. I have
already noted much more hacking going on, first with Earthlink's
properties, and now with Prodigy as well. I have little faith that
these things will happen in the proper order or with the expedience
necessary unfortunately, especially because of what I consider to be a
distraction focused on forging coming from the likes of SPF, Microsoft
and Yahoo. I feel that the big players are missing the point, and they
are the ones that heavily influence E-mail client and server software
which is where the changes first need to be implemented.
Subject: Re: [Declude.JunkMail] Question on SPF Setup. Was under You **May** etc **May** etc
Date 6/30/2004 12:33 PM
http://www.mail-archive.com/declude.junkmail@declude.com/msg19684.html
What I do think would work much better in the near term would be for
every mail server to support and require SMTP AUTH through port 587 as
proposed, and then have every ISP out there block port 25 which would
be used exclusively for non-AUTH'ed E-mail between systems. That would
cut the zombie problem down dramatically without interrupting service,
but this will probably take 5 years or more to widely implement. I
think this would have a much larger effect than SPF in terms of
blocking forging E-mail, the majority of which comes from PCs attached
to these residential ISPs presently. AUTH hacking, or even server
hacking however will become much more predominant when the bar is
raised in this manner, but there should be many fewer machines to track.
While this is certainly a bit of me patting myself on my back, it is
also a reminder to all that the worst is yet to come and for the most
part people are totally unprepared for this sort of thing. So what's
next? Maybe Geocities spam sent through hacked Yahoo accounts??? Oh
wait, that's already happening.
Matt
Colbeck, Andrew wrote:
So, we've seen the recent SOBER variants use their own SMTP engine to
propagate as well as a predefined list of usernames and passwords at
ISPs to send themselves.
We've also seen that keeping viruses and spam out of our mailboxes is
easier when we can identify the sender as a zombie, and that it is
harder when the junk is coming from a valid ISP and/or user at an ISP.
http://www.viruslist.com/en/weblog?done=vlpolls_resp155596558
Well, Kaspersky is reporting that the latest SOBER is also stealing (at
least) Outlook usernames and passwords from infectees.
Therefore, we can reasonably expect more junk coming from AUTH'ed
senders.
Andrew.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.