[Assp-test] DKIM spam

2014-03-14 Thread Colin Waring
Hi there,
I was wondering if anyone else was seeing an increase in spam messages that
come with a valid DKIM signature? It has gotten to the point where I have
had to set DoDKIM to disabled because so much rubbish is coming through and
I can't think of many circumstances where DKIM is actually used extensively.
All the best,

Colin Waring.

--
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] DKIM spam

2014-03-14 Thread Grayhat
:: On Fri, 14 Mar 2014 13:51:37 -
:: 
:: "Colin Waring"  wrote:

> I was wondering if anyone else was seeing an increase in spam
> messages that come with a valid DKIM signature? It has gotten to the
> point where I have had to set DoDKIM to disabled because so much
> rubbish is coming through and I can't think of many circumstances
> where DKIM is actually used extensively.

I don't think it's a DKIM issue (or an SPF one or whatever); see, the
number of bots trying to brute-force credentials (either over SMTP or
POP3/IMAP) has risen dramatically (and I'm not counting the malware which
steals them from victims' machines), and once those credentials are
upped to some botnet controller, the bots will just start pumping a
lot of junk through a server using the stolen credentials, and DKIM or
SPF won't be able to do much; bottom line, be sure to check for bounces
and keep an eye on your servers. As for bounces: if someone here is
running on win and using the IIS SMTP as the outbound mail router, it
may (will!) be a good idea to configure it to also send a copy of NDR
emails to some mailbox you manage (say ndr...@example.com) so that
you'll be able to see the bounces and take action (ok, this is a raw
and straight approach but as a first step it's better than nothing).



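Grayhat's advice above amounts to watching your own submission servers for accounts that have been hijacked and turned into spam relays. The script below is an added example written for this thread; it is not ASSP code, not something either poster wrote, and it does not read ASSP's or IIS's real log format. It assumes a constructed one-line-per-message submission log (`submit user=... from=... to=... client=...`) and flags authenticated accounts whose message count, spread of recipient domains, or number of distinct client addresses exceeds a baseline. The sample log is generated inline so the example runs offline.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not ASSP's or IIS SMTP's own):
#   <ISO timestamp> submit user=<login> from=<addr> to=<addr> client=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) submit user=(?P<user>\S+) from=(?P<sender>\S+) "
    r"to=(?P<rcpt>\S+) client=(?P<client>\S+)$"
)


def build_sample_log():
    """Constructed sample: one well-behaved account ('alice') and one that
    behaves like a stolen credential being used by a botnet ('dave')."""
    lines = []
    for i in range(3):
        lines.append(
            f"2014-03-14T13:4{i}:00Z submit user=alice from=alice@example.com "
            f"to=bob@example.org client=198.51.100.7"
        )
    for i in range(30):
        # Many messages, many recipient domains, several source addresses.
        lines.append(
            f"2014-03-14T13:5{i % 10}:{i:02d}Z submit user=dave from=dave@example.com "
            f"to=user{i}@dom{i % 15}.example client=203.0.113.{i % 4 + 1}"
        )
    return lines


def parse_log(lines):
    """Return one dict per parseable line; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def account_activity(events):
    """Aggregate per authenticated login: message count, distinct recipient
    domains and distinct submitting client addresses."""
    stats = defaultdict(lambda: {"messages": 0, "rcpt_domains": set(), "clients": set()})
    for ev in events:
        s = stats[ev["user"]]
        s["messages"] += 1
        s["rcpt_domains"].add(ev["rcpt"].rsplit("@", 1)[-1].lower())
        s["clients"].add(ev["client"])
    return stats


def flag_accounts(stats, max_messages=20, max_domains=10, max_clients=2):
    """Return {login: [reasons]} for accounts exceeding any baseline.
    The thresholds are illustrative; tune them to your own traffic."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["messages"] > max_messages:
            reasons.append(f"{s['messages']} messages (limit {max_messages})")
        if len(s["rcpt_domains"]) > max_domains:
            reasons.append(f"{len(s['rcpt_domains'])} recipient domains (limit {max_domains})")
        if len(s["clients"]) > max_clients:
            reasons.append(f"{len(s['clients'])} client addresses (limit {max_clients})")
        if reasons:
            flagged[user] = reasons
    return flagged


def analyse(lines, **limits):
    """Convenience wrapper: log lines in, flagged accounts out."""
    return flag_accounts(account_activity(parse_log(lines)), **limits)


if __name__ == "__main__":
    for user, reasons in analyse(build_sample_log()).items():
        print(f"{user}: " + "; ".join(reasons))
```

Run against a real log you would feed `analyse()` lines from the submission service and a window of, say, the last hour, and pair the result with the NDR copies Grayhat suggests: an account that trips these limits and also generates a burst of bounces is a strong candidate for an immediate password reset.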


Re: [Assp-test] DKIM spam

2014-03-14 Thread Colin Waring
Thanks for the reply, it is however somewhat off the mark. 

These messages don't come from authenticated sources or even trusted sources
- they are simply remote mail servers that have a valid DKIM record thus
causing them to score below the threshold.

To me, it looks like a smart spammer/botnet that is using throwaway domains
with DKIM records set up. The problem is that anyone can set up DKIM, though
up until now spammers haven't bothered going to the extra effort of doing
so. If spammers are now deploying DKIM for their messages then DKIM can no
longer be relied on as an indicator of spam/ham.

This is why I asked if anyone else was seeing the same increase in DKIM
signed spam.

All the best,
Colin Waring.



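Colin's second message makes the key point: a valid DKIM signature only proves that the holder of the signing domain's key signed the message, and anyone can publish a DKIM key for a throwaway domain. The example below is added for this thread and is not ASSP's scoring logic or anything either poster wrote. It shows how a filter can keep DKIM useful without treating every pass as ham: it extracts the `d=` tag from the `DKIM-Signature` header, checks that it is aligned with the `From` domain, and grants ham credit only when the aligned signing domain is on a list of domains the operator has chosen to trust. The domain names, header values and score weights are constructed for illustration; the alignment rule is a simplified version of the relaxed alignment used by DMARC.

```python
import re
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.

    Folding whitespace is stripped first. The b= and bh= values are base64
    and may contain '=' padding, so only the first '=' in each tag splits it.
    """
    tags = {}
    for part in re.sub(r"\s+", "", header_value).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.lower()] = value
    return tags


def from_domain(from_header):
    """Domain of the RFC 5322 From address, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_aligned(signing_domain, header_domain):
    """Simplified relaxed alignment: the domains are equal or one is a
    subdomain of the other (assumption for this example, not ASSP's rule)."""
    s, h = signing_domain.lower(), header_domain.lower()
    return bool(s) and bool(h) and (s == h or h.endswith("." + s) or s.endswith("." + h))


def dkim_score(verified, dkim_signature, from_header, trusted_domains, credit=-2.0):
    """Return (score_delta, reason) for a message.

    verified        -- result of cryptographic DKIM verification (done elsewhere)
    dkim_signature  -- raw DKIM-Signature header value, or None
    trusted_domains -- set of signing domains the operator chooses to credit
    A negative delta lowers the spam score (credit); 0.0 is neutral.
    """
    if not verified or not dkim_signature:
        return 0.0, "no valid DKIM signature"
    d = parse_dkim_tags(dkim_signature).get("d", "").lower()
    if not d:
        return 0.0, "signature lacks d= tag"
    hd = from_domain(from_header)
    if not is_aligned(d, hd):
        # A third-party signature says nothing about the visible sender.
        return 0.0, f"signed by {d} but From is {hd}: no credit"
    if d not in trusted_domains:
        # Exactly Colin's case: anyone can set up DKIM on a fresh domain.
        return 0.0, f"aligned signature from unknown domain {d}: neutral"
    return credit, f"aligned signature from trusted domain {d}"


# Constructed headers for illustration; the signature values are not real.
TRUSTED = {"mail.example"}
SIG_TRUSTED = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example; s=sel1;\r\n"
               " h=from:to:subject; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZ25hdHVyZQ==")
SIG_THROWAWAY = ("v=1; a=rsa-sha256; d=throwaway.example; s=x; "
                 "h=from:to:subject; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZ25hdHVyZQ==")


def demo():
    """Score three constructed messages; returns the list of deltas."""
    cases = [
        (True, SIG_TRUSTED, "Alice <alice@mail.example>"),        # trusted, aligned
        (True, SIG_THROWAWAY, "Deals <deals@throwaway.example>"),  # aligned, unknown
        (True, SIG_THROWAWAY, "Alice <alice@mail.example>"),      # unaligned
        (False, SIG_TRUSTED, "Alice <alice@mail.example>"),       # failed verification
    ]
    results = []
    for verified, sig, frm in cases:
        delta, reason = dkim_score(verified, sig, frm, TRUSTED)
        print(f"{delta:+.1f}  {reason}")
        results.append(delta)
    return results


if __name__ == "__main__":
    demo()
```

With this shape of rule, disabling DKIM entirely (as Colin had to do with DoDKIM) becomes unnecessary: a pass from a fresh, unknown domain is simply ignored, while a pass from a domain you have chosen to trust still earns credit, and a signature that does not match the From domain earns nothing either way.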