Re: spam warning from zd net
Kenneth Porter wrote:

> There can't be, because the password must be recovered to submit to the
> remote authentication system. Paul Russell suggests on the MIMEDefang list
> that the ratware could simply pop up a password dialog. Many users will
> just enter their credentials, not understanding why they got a random
> authentication request.

I vaguely remember there being a virus that already did this, but I can't remember which one. Make it look like a MUA dialog and people will fill it in. Heck, Thunderbird randomly pops up dialogs demanding my news server password from time to time, for reasons I can't fathom.
RE: spam warning from zd net
--On Thursday, February 03, 2005 1:43 PM -0500 Rob McEwen <[EMAIL PROTECTED]> wrote:

> Even though that may be correct in theory, isn't there one-way encryption
> involved for these passwords? (you know, the kind which can't be retrieved
> by anyone, only reset). But even if that is not the case, regular strong
> encryption ought to be enough.

There can't be, because the password must be recovered to submit to the remote authentication system. Paul Russell suggests on the MIMEDefang list that the ratware could simply pop up a password dialog. Many users will just enter their credentials, not understanding why they got a random authentication request.
RE: spam warning from zd net
Kenneth Porter said:

> If you know how the password is stored, you don't even need to launch
> Outlook to actually connect to the ISP server. The same vulnerability would
> also work with Thunderbird; you'd just need to know how to extract the
> saved password from the Mozilla profile.

Even though that may be correct in theory, isn't there one-way encryption involved for these passwords? (You know, the kind which can't be retrieved by anyone, only reset.) But even if that is not the case, regular strong encryption ought to be enough.

Also, is there a virus, worm, or other exploit in existence which has been able to do this?

Rob McEwen
RE: spam warning from zd net
--On Wednesday, February 02, 2005 9:38 PM -0500 Rob McEwen <[EMAIL PROTECTED]> wrote:

> I couldn't tell from the article... but are SMTP Servers which REQUIRE
> password authentication for sending immune from this particular type of
> spam? Or does the system somehow route the spam through a person's outlook,
> making use of the saved password for the default mail account?

If you know how the password is stored, you don't even need to launch Outlook to actually connect to the ISP server. The same vulnerability would also work with Thunderbird; you'd just need to know how to extract the saved password from the Mozilla profile.
Re: spam warning from zd net
At 02:49 AM 2/3/2005, Jeff Chan wrote:

> > The only problem I see with the tactic is the ISP itself is likely to deal
> > with the infected users pretty quickly, instead of dragging their feet,
> > since the spam will now be bogging down their servers, instead of bypassing
> > them.
>
> And the answer is: scan outbound mail using SURBLs.

Or, as I was discussing in another thread ("Negative score on spams"): disable ALL_TRUSTED and scan outbound email as well as inbound. Use grep to check your logs for outbound spam and fix the infected machines on a proactive basis instead of waiting for a spam report to come in.

Note: Jim Maul and I sorted out our differences in that thread off-list. His objection was to treating scanning outbound mail as a sole fix for having spammers in your network. If you couple it with some proactive checking for outbound spam and actually cut off the source, we both agree this is a good thing...
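The "grep your logs for outbound spam" step above amounts to grouping outbound scan results by the account that submitted the mail and flagging the accounts whose spam count looks like an infected machine rather than an occasional false positive. The script below is an added illustration of that check, not something from this thread or from the SpamAssassin project; the log line format, the IP addresses and the user names are all constructed for the example, so map the regex to the fields your own MTA and content filter actually log. The URIBL_*_SURBL rule names are the SURBL rules shipped with SpamAssassin 3.0.

```python
import re
from collections import defaultdict

# Constructed outbound-scan log lines (one per message the MTA handed to the
# content filter). The format is invented for this example; adapt LINE_RE to
# whatever your MTA and spamd/MIMEDefang setup really writes.
SAMPLE_LOG = """\
2005-02-03T10:15:01 outbound client=203.0.113.77 auth=jdoe result=Y score=14.2 rules=URIBL_SC_SURBL,HTML_MESSAGE
2005-02-03T10:15:09 outbound client=203.0.113.77 auth=jdoe result=Y score=11.8 rules=URIBL_WS_SURBL,MIME_HTML_ONLY
2005-02-03T10:15:31 outbound client=198.51.100.40 auth=asmith result=N score=0.4 rules=HTML_MESSAGE
2005-02-03T10:16:02 outbound client=203.0.113.77 auth=jdoe result=Y score=9.9 rules=URIBL_SC_SURBL
2005-02-03T10:16:44 outbound client=203.0.113.77 auth=jdoe result=Y score=12.5 rules=URIBL_AB_SURBL,HTML_MESSAGE
2005-02-03T10:17:10 outbound client=198.51.100.40 auth=asmith result=Y score=5.3 rules=HTML_MESSAGE,MIME_HTML_ONLY
2005-02-03T10:18:22 outbound client=198.51.100.41 auth=bwong result=N score=-1.2 rules=BAYES_00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) outbound client=(?P<client>\S+) auth=(?P<auth>\S+) "
    r"result=(?P<result>[YN]) score=(?P<score>-?[\d.]+) rules=(?P<rules>\S*)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["score"] = float(rec["score"])
            rec["rules"] = rec["rules"].split(",") if rec["rules"] else []
            yield rec


def suspect_senders(text, min_spam=3):
    """Group outbound scan results by authenticated sender and return the
    accounts with at least `min_spam` messages tagged as spam, together with
    the client IPs they submitted from and whether any SURBL rule fired.
    A single spam hit is often a false positive; a run of them from one
    account is the signature of an infected customer machine."""
    per_user = defaultdict(lambda: {"total": 0, "spam": 0, "clients": set(), "surbl": False})
    for rec in parse_log(text):
        entry = per_user[rec["auth"]]
        entry["total"] += 1
        if rec["result"] == "Y":
            entry["spam"] += 1
        entry["clients"].add(rec["client"])
        if any(r.startswith("URIBL_") for r in rec["rules"]):
            entry["surbl"] = True
    return {
        user: {"spam": e["spam"], "total": e["total"],
               "clients": sorted(e["clients"]), "surbl": e["surbl"]}
        for user, e in per_user.items() if e["spam"] >= min_spam
    }


if __name__ == "__main__":
    for user, info in suspect_senders(SAMPLE_LOG).items():
        flag = " (SURBL hit)" if info["surbl"] else ""
        print(f"{user}: {info['spam']}/{info['total']} spam from {', '.join(info['clients'])}{flag}")
```

Run against a real log, the output is the list of accounts (and the dial-up addresses they connected from) to cut off and clean up, which is the proactive step the message above argues for rather than waiting for a complaint. With the sample data only jdoe is reported; asmith's single hit stays below the threshold.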
RE: spam warning from zd net
One area where this might cause additional problems (even for those who successfully block ALL these spams) is tarpitting settings.

Basically, many servers will place the IP address of the sending server into a tarpit if that server just got finished attempting to send X number of viruses or spams within Y number of minutes or seconds. Before, if that IP address was a dynamic dial-up IP address, it didn't really matter if it was tarpitted. However, if that IP address is a major ISP's mailserver, this alone could cause other mail to get blocked.

Basically, the main purpose of tarpitting is to minimize DoS-like attacks. (Even if a DoS attack wasn't the original intention of the malicious sender... it still can slow down a server to have to process 10,000 spams in one day from one single source.)

I think that a happy medium might be to continue tarpitting, but lower the time it takes for the IP to be removed from the tarpitting list. This way, the server is protected from short intense bursts, but doesn't keep the IP listed long enough to do too much collateral damage.

Any comments? Suggestions?

Rob McEwen
PowerView Systems
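The trade-off Rob describes (X bad messages in Y seconds lists an IP; a shorter listing lifetime limits the damage to a shared ISP mailserver) is easy to quantify with a small simulation. The code below is an added example, not from this thread or from any particular MTA; the threshold, window, timestamps and the IP address are constructed, and the traffic pattern (a ten-message spam burst from one infected customer followed by an hour of ordinary mail through the same ISP relay) is a stand-in for what the message above worries about.

```python
from collections import defaultdict, deque


class Tarpit:
    """Sliding-window tarpit: list an IP once it sends `threshold` bad messages
    within `window` seconds, and drop it from the list `listing_ttl` seconds
    after it was listed. Timestamps are plain seconds for simplicity."""

    def __init__(self, threshold, window, listing_ttl):
        self.threshold = threshold
        self.window = window
        self.listing_ttl = listing_ttl
        self.hits = defaultdict(deque)   # ip -> timestamps of recent bad messages
        self.listed_until = {}           # ip -> time at which the listing expires

    def is_listed(self, ip, now):
        expires = self.listed_until.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.listed_until[ip]     # listing aged out
            return False
        return True

    def record(self, ip, now, is_bad):
        """Return True if the message is accepted, False if the IP is tarpitted."""
        if self.is_listed(ip, now):
            return False
        if is_bad:
            q = self.hits[ip]
            q.append(now)
            while q and now - q[0] > self.window:
                q.popleft()                # forget hits older than the window
            if len(q) >= self.threshold:
                self.listed_until[ip] = now + self.listing_ttl
                q.clear()
        return True


def collateral_damage(listing_ttl, threshold=10, window=60):
    """Replay a constructed traffic mix from one shared ISP mailserver
    (198.51.100.25 is a documentation address): 10 spams in the first 10
    seconds, then one legitimate message every 30 seconds for the rest of the
    hour. Return how many legitimate messages were refused."""
    tp = Tarpit(threshold=threshold, window=window, listing_ttl=listing_ttl)
    relay = "198.51.100.25"
    refused = 0
    for t in range(10):                  # the burst from the infected customer
        tp.record(relay, t, True)
    for t in range(30, 3600, 30):        # everyone else's mail via the same relay
        if not tp.record(relay, t, False):
            refused += 1
    return refused


if __name__ == "__main__":
    for ttl in (3600, 900, 300, 60):
        print(f"listing ttl {ttl:5d}s -> {collateral_damage(ttl):3d} legitimate messages refused")
```

With the burst-detection threshold left alone, only the listing lifetime changes: a one-hour listing refuses every one of the 119 legitimate messages that follow the burst, while a five-minute listing refuses ten. The burst itself is still absorbed either way, which is the "happy medium" the message proposes. Note that the simulation treats the relay as a single source; a real ISP relay will be carrying mail from many customers at once, so the refused count scales with its volume.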
Re: spam warning from zd net
On Wednesday, February 2, 2005, 6:20:50 PM, Matt Kettler wrote:

> At 09:11 PM 2/2/2005, Shane Mullins wrote:
> > Here is a link from ZDNet warning of a spam increase. I can't wait to see
> > SA smat it down.
>
> Hmm.. so zombies are going to start using the legit mailserver instead of
> acting as a direct delivery... Hmm.. Well, we should see the DUL RBL hits
> drop off pretty fast. Won't affect SURBL hits though.
>
> The only problem I see with the tactic is the ISP itself is likely to deal
> with the infected users pretty quickly, instead of dragging their feet,
> since the spam will now be bogging down their servers, instead of bypassing
> them.

And the answer is: scan outbound mail using SURBLs.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: spam warning from zd net
Sounds like the PCs will act like an SMTP server. But they were very vague.

Shane

----- Original Message -----
From: "Rob McEwen" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, February 02, 2005 9:38 PM
Subject: RE: spam warning from zd net

I couldn't tell from the article... but are SMTP Servers which REQUIRE password authentication for sending immune from this particular type of spam? Or does the system somehow route the spam through a person's outlook, making use of the saved password for the default mail account?

(Too bad the article wasn't more technically specific)

Rob McEwen

-----Original Message-----
From: Shane Mullins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 9:11 PM
To: users@spamassassin.apache.org
Subject: spam warning from zd net

Here is a link from ZDNet warning of a spam increase. I can't wait to see SA smat it down.

http://news.zdnet.com/2100-1009_22-5560664.html?tag=nl.e589

Shane
Re: spam warning from zd net
Rob McEwen writes:

> I couldn't tell from the article... but are SMTP Servers which REQUIRE
> password authentication for sending immune from this particular type of
> spam? Or does the system somehow route the spam through a person's outlook,
> making use of the saved password for the default mail account?
>
> (Too bad the article wasn't more technically specific)

http://spamkings.oreilly.com/archives/2005/02/proxy_lock_emai.html gives more details. So far, the spam malware doesn't do it. Note that the Swen virus, however, did -- it just wasn't a generic spam proxy.

--j.

> Rob McEwen
>
> -----Original Message-----
> From: Shane Mullins [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 02, 2005 9:11 PM
> To: users@spamassassin.apache.org
> Subject: spam warning from zd net
>
> Here is a link from ZDNet warning of a spam increase. I can't wait to see
> SA smat it down.
>
> http://news.zdnet.com/2100-1009_22-5560664.html?tag=nl.e589
>
> Shane
RE: spam warning from zd net
I couldn't tell from the article... but are SMTP Servers which REQUIRE password authentication for sending immune from this particular type of spam? Or does the system somehow route the spam through a person's outlook, making use of the saved password for the default mail account?

(Too bad the article wasn't more technically specific)

Rob McEwen

-----Original Message-----
From: Shane Mullins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 9:11 PM
To: users@spamassassin.apache.org
Subject: spam warning from zd net

Here is a link from ZDNet warning of a spam increase. I can't wait to see SA smat it down.

http://news.zdnet.com/2100-1009_22-5560664.html?tag=nl.e589

Shane
Re: spam warning from zd net
On Wed, 02 Feb 2005 21:20:50 -0500, Matt Kettler <[EMAIL PROTECTED]> wrote:

> Hmm.. so zombies are going to start using the legit mailserver instead of
> acting as a direct delivery... Hmm.. Well, we should see the DUL RBL hits
> drop off pretty fast. Won't affect SURBL hits though.

Or see legit mailservers being added to the RBL lists...

> The only problem I see with the tactic is the ISP itself is likely to deal
> with the infected users pretty quickly, instead of dragging their feet,
> since the spam will now be bogging down their servers, instead of bypassing
> them.

I think this is a good thing, though. The article doesn't mention if the zombies will "authenticate" with the server or not. We're moving towards an SMTP-AUTH *only* setup where there is no ability to relay without giving up your credentials.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: spam warning from zd net
Matt Kettler writes:

> At 09:11 PM 2/2/2005, Shane Mullins wrote:
> > Here is a link from ZDNet warning of a spam increase. I can't wait to
> > see SA smat it down.
>
> Hmm.. so zombies are going to start using the legit mailserver instead
> of acting as a direct delivery... Hmm.. Well, we should see the DUL RBL
> hits drop off pretty fast. Won't affect SURBL hits though.

All blocklists looking at the last-untrusted host in the Received headers will have a problem: XBL, SORBS, NJABL. That host will be the ISP's mailserver. Perhaps it's time to re-enable DNSBL lookups further into the Received headers, as we used to do in pre-3.0.0 versions...

> The only problem I see with the tactic is the ISP itself is likely to deal
> with the infected users pretty quickly, instead of dragging their feet,
> since the spam will now be bogging down their servers, instead of bypassing
> them.

Yep! That's the good news. Kind of.

--j.
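The "last-untrusted host" problem Justin raises is a question of which relay in the Received chain the DNSBL lookup is applied to. The code below is an added illustration of that trust walk, not SpamAssassin's own implementation and not from this thread: it walks constructed Received headers newest-first, skips relays inside the configured trusted networks, and returns either the first untrusted relay (the 3.0.0 behaviour the message describes) or every untrusted relay (the "further into the Received headers" behaviour). The host names and addresses are documentation-range values constructed for the example.

```python
import ipaddress
import re

# Constructed Received headers, newest hop first as in a real message: an
# infected customer PC on a dynamic address handed the mail to its ISP's
# mailserver, which delivered it to our MX.
SAMPLE_RECEIVED = [
    "from mail.isp.example (mail.isp.example [198.51.100.25]) "
    "by mx.ours.example with ESMTP id abc123 for <user@ours.example>",
    "from zombie-pc (dsl-203-0-113-77.isp.example [203.0.113.77]) "
    "by mail.isp.example with ESMTP id def456",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(header):
    """Pull the bracketed IP literal of the relay out of one Received header."""
    m = IP_RE.search(header)
    return ipaddress.ip_address(m.group(1)) if m else None


def untrusted_relays(received_headers, trusted_networks):
    """All relay IPs outside the trusted networks, newest-first.
    Looking up every one of these is the 'further into the headers' approach."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    found = []
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is not None and not any(ip in net for net in nets):
            found.append(str(ip))
    return found


def first_untrusted_relay(received_headers, trusted_networks):
    """Only the newest untrusted relay: the single host a last-untrusted-hop
    lookup would query."""
    hops = untrusted_relays(received_headers, trusted_networks)
    return hops[0] if hops else None


if __name__ == "__main__":
    ours = ["192.0.2.0/24"]                        # our own MX network only
    ours_plus_isp = ours + ["198.51.100.0/24"]     # also trust the ISP relay
    print("last untrusted, ISP not trusted :", first_untrusted_relay(SAMPLE_RECEIVED, ours))
    print("last untrusted, ISP trusted     :", first_untrusted_relay(SAMPLE_RECEIVED, ours_plus_isp))
    print("all untrusted, ISP not trusted  :", untrusted_relays(SAMPLE_RECEIVED, ours))
```

With only our own network trusted, the last untrusted hop is 198.51.100.25, the ISP's mailserver, which is exactly the host a DUL-style list will never match and the host that ends up collecting listings if the spam volume is high enough. Adding the ISP relay to the trusted networks moves the lookup one hop deeper to the dynamic address 203.0.113.77; looking at every untrusted hop reaches it without trusting anyone. The caveat is that Received headers beyond the first untrusted relay are written by hosts you do not control and can be forged, so deeper lookups trade some accuracy for coverage.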
Re: spam warning from zd net
At 09:11 PM 2/2/2005, Shane Mullins wrote:

> Here is a link from ZDNet warning of a spam increase. I can't wait to see
> SA smat it down.

Hmm.. so zombies are going to start using the legit mailserver instead of acting as a direct delivery... Hmm.. Well, we should see the DUL RBL hits drop off pretty fast. Won't affect SURBL hits though.

The only problem I see with the tactic is the ISP itself is likely to deal with the infected users pretty quickly, instead of dragging their feet, since the spam will now be bogging down their servers, instead of bypassing them.