Re: [Mimedefang] Greylist-busting ratware?
On 19/04/2006, at 12:23 PM, David F. Skoll wrote:

> Anyone else seeing this? We see it quite a lot, and always from cable
> modem or DSL machines (probably cracked Windoze boxes.)

I haven't had time to do the forensics yet, but I'm definitely of the opinion that greylist ain't working so well at the moment, and suspect I'll find the same when I do get around to looking.. :-/

..S.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Greylist-busting ratware?
[EMAIL PROTECTED] wrote:

> ... in which case you can infer that they're infected, and the problem
> has gone from a technical one to a business one. Do you cut off the
> customer's access, fix their infection, send them a warning note... ?

I would think it depends on who you are... an ISP, a company network, and so on.

The univ here offers free anti-virus. I think their policy is that you go get it, install and clean your system (or bring it in for a tech to do it) and then they'll let you access the email servers again.

I could see in a business the IT department raining down on your cubicle.. (a la "Geek Squad" in not-so-chic bugs)

I could see an ISP just blocking you out until you fix it...

And in all three, maybe they just stop your port 587 submissions and make you use some form of web mail.

Lots of potentials for that one,

 -Ben

-- 
Ben Kamen - O.D.T, S.P.
Email: [EMAIL PROTECTED]
http://www.benjammin.net
RE: [Mimedefang] Greylist-busting ratware?
WBrown wrote:

> Are the credentials really stolen, or is the ratware actually using
> the credentials that belong on the zombied computer? I would bet the
> latter. User changes password without cleaning off the infection and
> goes right back to sending spam.

... in which case you can infer that they're infected, and the problem has gone from a technical one to a business one. Do you cut off the customer's access, fix their infection, send them a warning note... ?

-- 
Matthew.van.Eerde (at) hbinc.com               805.964.4554 x902
Hispanic Business Inc./HireDiversity.com       Software Engineer
RE: [Mimedefang] Greylist-busting ratware?
[EMAIL PROTECTED] wrote on 04/21/2006 02:05:52 PM:

> I see this as a good thing. You can tie the spam back to a
> particular user. They change their password, and the ratware is blocked.

Are the credentials really stolen, or is the ratware actually using the credentials that belong on the zombied computer? I would bet the latter. User changes password without cleaning off the infection and goes right back to sending spam.
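The two messages above disagree on what to act on: the account (reset the password) or the zombied client that holds the credential. An added example, not code from the list or from MIMEDefang, that works the MSA's own submission log the way a defender would: it flags an AUTH account whose recipient count or submission rate is out of line and ranks the client IPs behind it, so the infected box is identified and not just the password. The log format, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed MSA (port 587) log lines, not taken from the list: each
# submission records the SMTP AUTH user, the client IP and one recipient.
LOG = """\
2006-04-21T09:00:00 auth user=alice ip=203.0.113.5 to=bob@example.org
2006-04-21T11:30:00 auth user=alice ip=203.0.113.5 to=carol@example.org
2006-04-21T09:00:00 auth user=dave ip=198.51.100.20 to=x1@example.com
2006-04-21T09:00:02 auth user=dave ip=198.51.100.20 to=x2@example.net
2006-04-21T09:00:04 auth user=dave ip=198.51.100.20 to=x3@example.org
2006-04-21T09:00:06 auth user=dave ip=198.51.100.20 to=x4@example.com
2006-04-21T09:00:08 auth user=dave ip=192.0.2.77 to=x5@example.net
"""

LINE = re.compile(r"^(\S+) auth user=(\S+) ip=(\S+) to=(\S+)$")

def summarize(log):
    """Per AUTH user: timestamps, distinct recipients and submissions per client IP."""
    stats = defaultdict(lambda: {"times": [], "rcpts": set(), "ips": defaultdict(int)})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not submission records
        ts, user, ip, rcpt = m.groups()
        s = stats[user]
        s["times"].append(datetime.fromisoformat(ts))
        s["rcpts"].add(rcpt)
        s["ips"][ip] += 1
    return stats

def per_minute(times):
    """Submission rate over the span of the observed timestamps."""
    if len(times) < 2:
        return float(len(times))
    span = (max(times) - min(times)).total_seconds() / 60
    return len(times) / span if span > 0 else float("inf")

def abused_accounts(log, max_rcpts=20, max_per_minute=10.0):
    """Flag accounts exceeding a recipient count or submission rate and list
    their client IPs by volume: the first is the box to clean, since a
    password change alone leaves an infected client in place."""
    report = {}
    for user, s in summarize(log).items():
        if len(s["rcpts"]) > max_rcpts or per_minute(s["times"]) > max_per_minute:
            report[user] = sorted(s["ips"], key=s["ips"].get, reverse=True)
    return report
```

The thresholds are placeholders; a site would set them from its own per-account baselines.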
RE: [Mimedefang] Greylist-busting ratware?
John Rudd wrote:

> On Apr 20, 2006, at 16:34, nathan r. hruby wrote:
>> - Inbound ratware using SMTP AUTH to authenticate as a real user
>
> Hm. We haven't seen this at all yet. That's not a good sign.

I see this as a good thing. You can tie the spam back to a particular user. They change their password, and the ratware is blocked.

-- 
Matthew.van.Eerde (at) hbinc.com               805.964.4554 x902
Hispanic Business Inc./HireDiversity.com       Software Engineer
Re: [Mimedefang] Greylist-busting ratware?
--On Friday, April 21, 2006 9:30 -0400 "nathan r. hruby" <[EMAIL PROTECTED]> wrote:

>>> - Inbound ratware using SMTP AUTH to authenticate as a real user
>>
>> Hm. We haven't seen this at all yet. That's not a good sign.
>
> Yeah. We were *thrilled* to see this happening. *Thrilled* I tell you.

Would you send more detail about this? Do you think it ran a client using stored configuration in that client? If not, they had to know a username, password, and smtp server name to do it.

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] Greylist-busting ratware?
On Thu, 20 Apr 2006, John Rudd wrote:

> On Apr 20, 2006, at 16:34, nathan r. hruby wrote:
>> - ratware infected boxen on campus use campus relays which relay by IP.
>> They spew, we queue. Badness for everyone.
>
> We no longer have our student-residential IP block in our relay domain
> for this reason. They were, by far, our biggest source of this problem.

Sadly, our resnet only accounts for about 50% of these incidents. We see nailed desktops, roaming laptops of professors and visiting folk, lab machines, etc. On occasion we even see misconfigured machines that are open relays abused in this fashion :(

We have policy in the works to disable most of this and go to SMTP AUTH, but it'll be a few more months until that happens and we'll still need to make provisions for automated non-authing systems (unix machines running an MTA, web scripts, etc... all of which will be filtered through MIMEDefang, to stay on topic).

>> - Inbound ratware using SMTP AUTH to authenticate as a real user
>
> Hm. We haven't seen this at all yet. That's not a good sign.

Yeah. We were *thrilled* to see this happening. *Thrilled* I tell you.

-n
-- 
---
nathan hruby <[EMAIL PROTECTED]>
uga enterprise information technology services
core services support
---
"In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit"
Re: [Mimedefang] Greylist-busting ratware?
On Apr 20, 2006, at 16:34, nathan r. hruby wrote:

> - ratware infected boxen on campus use campus relays which relay by IP.
> They spew, we queue. Badness for everyone.

We no longer have our student-residential IP block in our relay domain for this reason. They were, by far, our biggest source of this problem.

> - Inbound ratware using SMTP AUTH to authenticate as a real user

Hm. We haven't seen this at all yet. That's not a good sign.
Re: [Mimedefang] Greylist-busting ratware?
Sorry for the delayed reply...

On Tue, 18 Apr 2006, David F. Skoll wrote:

> Hi,
>
> I think greylisting is nearing the end of its useful life. I'm noticing
> a new kind of ratware that retries every 5 minutes like clockwork,
> mutating message bodies. Our CanIt software tempfails mail until it's
> approved by a human, and this mechanism has the side-effect of
> illuminating ratware behaviour. For example:
>
> http://www.roaringpenguin.com/canit/showtrap.php?o=71.0.177.139&status=spam
>
> (Login/password = demo/demo)
>
> Anyone else seeing this? We see it quite a lot, and always from cable
> modem or DSL machines (probably cracked Windoze boxes.)

*sigh*

We don't greylist (yet) but I can confirm that in the past 6-8 months we've seen a rise of certain modes of operation:

- ratware infected boxen on campus use campus relays which relay by IP. They spew, we queue. Badness for everyone.

- Inbound ratware using SMTP AUTH to authenticate as a real user (using stolen credentials) and thus use us as MSA for their spam. (These have been exclusively phishes)

I strongly feel that the rise of these incidents is a direct response to greylisting and rate throttling.

-n
-- 
---
nathan hruby <[EMAIL PROTECTED]>
uga enterprise information technology services
core services support
---
"In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit"
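The behaviour David describes (retries every 5 minutes like clockwork, with the body mutating between attempts) is itself a signature: a real MTA resends the identical queued message and backs off between tries. An added example, not code from the list, CanIt or MIMEDefang, that turns that observation into a check over tempfail log lines. The log format, IPs, addresses and body hashes are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed tempfail log lines (not from the list or CanIt): one line per
# greylisted delivery attempt, with a hash of the message body as received.
LOG = """\
2006-04-18T22:00:00 tempfail ip=192.0.2.10 from=a@example.net to=u@example.org body=1111
2006-04-18T22:05:01 tempfail ip=192.0.2.10 from=a@example.net to=u@example.org body=2222
2006-04-18T22:10:00 tempfail ip=192.0.2.10 from=a@example.net to=u@example.org body=3333
2006-04-18T22:15:00 tempfail ip=192.0.2.10 from=a@example.net to=u@example.org body=4444
2006-04-18T22:00:30 tempfail ip=198.51.100.7 from=b@example.com to=u@example.org body=abcd
2006-04-18T22:17:12 tempfail ip=198.51.100.7 from=b@example.com to=u@example.org body=abcd
2006-04-18T22:51:40 tempfail ip=198.51.100.7 from=b@example.com to=u@example.org body=abcd
"""

LINE = re.compile(r"^(\S+) tempfail ip=(\S+) from=(\S+) to=(\S+) body=(\S+)$")

def parse(log):
    """Group attempts by the greylist tuple (client ip, sender, recipient)."""
    tuples = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a tempfail record
        ts, ip, frm, to, body = m.groups()
        tuples[(ip, frm, to)].append((datetime.fromisoformat(ts), body))
    return tuples

def clockwork(attempts, min_tries=3, max_jitter=0.1):
    """True when at least min_tries attempts arrive at near-constant intervals
    (relative spread of the gaps <= max_jitter) AND the body changes between
    them. A legitimate MTA retries the same message with growing back-off."""
    if len(attempts) < min_tries:
        return False
    attempts = sorted(attempts)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
    if mean(gaps) == 0:
        return False  # duplicate timestamps, nothing to measure
    jitter = pstdev(gaps) / mean(gaps)
    bodies = {body for _, body in attempts}
    return jitter <= max_jitter and len(bodies) > 1

def suspects(log):
    """Client IPs whose retry pattern matches the greylist-busting ratware."""
    return sorted({ip for (ip, _, _), att in parse(log).items() if clockwork(att)})
```

Real traffic needs the tuple keyed the way your greylister keys it, and a body hash that ignores headers the MTA rewrites on each attempt.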
Re: [Mimedefang] Greylist-busting ratware?
On 18 Apr 2006 at 22:23, David F. Skoll wrote:

> For example:
>
> http://www.roaringpenguin.com/canit/showtrap.php?o=71.0.177.139&status=spam
>
> (Login/password = demo/demo)
>
> Anyone else seeing this?

Yeah, I get some...it's that stock spam, right? The funny thing is that I haven't seen *any* to my mail server...it's all come in through the server at my work (usually for dns@, although some are for my work e-mail). Both have milter-greylist plus MIMEDefang, and the mimedefang-filter files are very similar, so I have no idea why I get it at one and not the other.

-- 
Jeff Rife | "Ahhh, what an awful dream! Ones and zeroes
          | everywhere...and I thought I saw a two!"
          | -- Bender, "Futurama"