Re: spam warning from zd net
At 09:11 PM 2/2/2005, Shane Mullins wrote:
> Here is a link from ZDNet warning of a spam increase. I can't wait to see SA smack it down.

Hmm.. so zombies are going to start using the legit mailserver instead of acting as a direct delivery... Hmm.. Well, we should see the DUL RBL hits drop off pretty fast. Won't affect SURBL hits though.

The only problem I see with the tactic is the ISP itself is likely to deal with the infected users pretty quickly, instead of dragging their feet, since the spam will now be bogging down their servers, instead of bypassing them.
Re: spam warning from zd net
Matt Kettler writes:
> At 09:11 PM 2/2/2005, Shane Mullins wrote:
>> Here is a link from ZDNet warning of a spam increase. I can't wait to see SA smack it down.
>
> Hmm.. so zombies are going to start using the legit mailserver instead of acting as a direct delivery... Hmm.. Well, we should see the DUL RBL hits drop off pretty fast. Won't affect SURBL hits though.

All blocklists looking at the last-untrusted host in the Received headers will have a problem: XBL, SORBS, NJABL. That host will be the ISP's mailserver. Perhaps it's time to re-enable DNSBL lookups further into the Received headers, as we used to do in pre-3.0.0 versions...

> The only problem I see with the tactic is the ISP itself is likely to deal with the infected users pretty quickly, instead of dragging their feet, since the spam will now be bogging down their servers, instead of bypassing them.

Yep! That's the good news. Kind of.

- --j.
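The point about the "last untrusted host" is easiest to see on concrete Received headers. The following is an added example, not code from the thread or from SpamAssassin itself: it walks the Received chain newest hop first, skips hops that came from our own trusted networks (the role `trusted_networks` plays in SpamAssassin), and checks the remaining hops against a stand-in blocklist. All addresses, hostnames and the blocklist contents are constructed; 192.0.2.0/24 plays our own network, 203.0.113.25 the ISP's outbound relay, and 198.51.100.77 an infected dial-up host. The `depth` parameter shows what changes when lookups go one hop deeper than the last untrusted relay.

```python
import ipaddress
import re

# Constructed sample headers (not from the original thread), newest hop first,
# as they appear in a delivered message.
DIRECT_DELIVERY = [
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by imap.example.net with ESMTP; Thu, 3 Feb 2005 02:49:00 -0800",
    "Received: from dsl-198-51-100-77.isp.example (dsl-198-51-100-77.isp.example [198.51.100.77]) by mx.example.net with SMTP; Thu, 3 Feb 2005 02:48:58 -0800",
]
VIA_ISP_RELAY = [
    "Received: from mx.example.net (mx.example.net [192.0.2.10]) by imap.example.net with ESMTP; Thu, 3 Feb 2005 02:49:00 -0800",
    "Received: from smtp.isp.example (smtp.isp.example [203.0.113.25]) by mx.example.net with ESMTP; Thu, 3 Feb 2005 02:48:58 -0800",
    "Received: from dsl-198-51-100-77.isp.example (dsl-198-51-100-77.isp.example [198.51.100.77]) by smtp.isp.example with SMTP; Thu, 3 Feb 2005 02:48:30 -0800",
]

# Our own hosts: Received headers added by these are trusted, so the hop
# they record is skipped when looking for the first external relay.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed stand-in for a dial-up / compromised-host DNSBL (DUL, XBL style).
SAMPLE_DNSBL = {"198.51.100.77"}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """Return the connecting IP recorded in each Received: header, newest first."""
    ips = []
    for header in headers:
        match = _IP_RE.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def untrusted_path(headers, trusted=TRUSTED_NETWORKS):
    """Drop leading hops that came from our trusted networks; the first
    remaining IP is the 'last untrusted' relay most DNSBL checks look at."""
    ips = received_ips(headers)
    while ips and any(ipaddress.ip_address(ips[0]) in net for net in trusted):
        ips.pop(0)
    return ips


def dnsbl_query_name(ip, zone):
    """Reversed-octet query name in the form DNS blocklists expect."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_hits(headers, depth=1, blocklist=SAMPLE_DNSBL):
    """Check up to `depth` untrusted hops against the (constructed) blocklist.
    No DNS is done here; a real check would resolve dnsbl_query_name()."""
    return [ip for ip in untrusted_path(headers)[:depth] if ip in blocklist]


if __name__ == "__main__":
    print("direct:   ", untrusted_path(DIRECT_DELIVERY), dnsbl_hits(DIRECT_DELIVERY))
    print("via relay:", untrusted_path(VIA_ISP_RELAY), dnsbl_hits(VIA_ISP_RELAY))
    print("via relay, depth 2:", dnsbl_hits(VIA_ISP_RELAY, depth=2))
    print(dnsbl_query_name("198.51.100.77", "dnsbl.example"))
```

With direct delivery the zombie's address is the last untrusted hop and the lookup hits; once the zombie submits through the ISP relay, the last untrusted hop is the relay (never listed) and only a depth-2 lookup reaches the zombie. The caveat is the one the thread hints at: a deeper lookup also reaches legitimate customers of that ISP who sit on dynamic addresses and submit mail through the same relay, which is exactly the traffic a DUL-type list is meant to stay away from, so deeper lookups trade false negatives for false positives.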
Re: spam warning from zd net
At 02:49 AM 2/3/2005, Jeff Chan wrote:
> The only problem I see with the tactic is the ISP itself is likely to deal with the infected users pretty quickly, instead of dragging their feet, since the spam will now be bogging down their servers, instead of bypassing them.

And the answer is: scan outbound mail using SURBLs. Or, as I was discussing in another thread ("Negative score on spams"), disable ALL_TRUSTED and scan outbound email as well as inbound. Use grep to check your logs for outbound spam and fix the infected machines on a proactive basis instead of waiting for a spam report to come in.

Note: Jim Maul and I sorted out our differences in that thread off-list. His objection was to treating scanning of outbound mail as the sole fix for having spammers in your network. If you couple it with some proactive checking for outbound spam and actually cut off the source, we both agree this is a good thing...
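The "grep your logs for outbound spam" step can be made a little more systematic than a raw grep, because a spamd verdict line does not carry the submitting client's address; it has to be joined to the MTA's own log through the message-id. This is an added example, not code from the thread or from SpamAssassin: the log excerpt is constructed and only mimics Postfix `smtpd`/`cleanup` lines and spamd `result:` lines, and 198.51.100.77 plays an infected customer host. The join key (queue id, then message-id) and the threshold are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample log (not from the original thread). Lines mimic Postfix
# smtpd/cleanup logging and spamd "result:" lines for outbound submissions
# scanned on the ISP's own relay; 198.51.100.77 plays an infected host.
LOG = """\
Feb  3 02:40:01 mta postfix/smtpd[2011]: 3F1A2: client=dsl-198-51-100-77.isp.example[198.51.100.77]
Feb  3 02:40:01 mta postfix/cleanup[2012]: 3F1A2: message-id=<a1@dsl-198-51-100-77.isp.example>
Feb  3 02:40:02 mta spamd[1900]: spamd: result: Y 14 - URIBL_SBL,BAYES_99 scantime=0.3,size=2048,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40001,mid=<a1@dsl-198-51-100-77.isp.example>,autolearn=no
Feb  3 02:40:05 mta postfix/smtpd[2011]: 3F1B7: client=dsl-198-51-100-77.isp.example[198.51.100.77]
Feb  3 02:40:05 mta postfix/cleanup[2012]: 3F1B7: message-id=<a2@dsl-198-51-100-77.isp.example>
Feb  3 02:40:06 mta spamd[1900]: spamd: result: Y 11 - URIBL_WS_SURBL,BAYES_95 scantime=0.3,size=1990,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40002,mid=<a2@dsl-198-51-100-77.isp.example>,autolearn=no
Feb  3 02:40:09 mta postfix/smtpd[2011]: 3F1C9: client=dsl-198-51-100-77.isp.example[198.51.100.77]
Feb  3 02:40:09 mta postfix/cleanup[2012]: 3F1C9: message-id=<a3@dsl-198-51-100-77.isp.example>
Feb  3 02:40:10 mta spamd[1900]: spamd: result: Y 17 - URIBL_SBL,BAYES_99,HTML_MESSAGE scantime=0.4,size=2100,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40003,mid=<a3@dsl-198-51-100-77.isp.example>,autolearn=no
Feb  3 02:41:00 mta postfix/smtpd[2011]: 3F2D0: client=dsl-198-51-100-90.isp.example[198.51.100.90]
Feb  3 02:41:00 mta postfix/cleanup[2012]: 3F2D0: message-id=<b1@home.example>
Feb  3 02:41:01 mta spamd[1900]: spamd: result: N 1 - HTML_MESSAGE scantime=0.2,size=900,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40004,mid=<b1@home.example>,autolearn=no
Feb  3 02:41:30 mta postfix/smtpd[2011]: 3F2E4: client=dsl-198-51-100-90.isp.example[198.51.100.90]
Feb  3 02:41:30 mta postfix/cleanup[2012]: 3F2E4: message-id=<b2@home.example>
Feb  3 02:41:31 mta spamd[1900]: spamd: result: Y 9 - URIBL_SBL,BAYES_80 scantime=0.2,size=1500,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40005,mid=<b2@home.example>,autolearn=no
Feb  3 02:42:00 mta postfix/smtpd[2011]: 3F3F1: client=dsl-198-51-100-5.isp.example[198.51.100.5]
Feb  3 02:42:00 mta postfix/cleanup[2012]: 3F3F1: message-id=<c1@office.example>
Feb  3 02:42:01 mta spamd[1900]: spamd: result: N -2 - BAYES_00 scantime=0.2,size=700,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=40006,mid=<c1@office.example>,autolearn=ham
"""

# smtpd records which client submitted each queue id; cleanup records the
# message-id for that queue id; spamd's verdict carries only the message-id.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[(\d+\.\d+\.\d+\.\d+)\]")
MID_RE = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=(<[^>]+>)")
VERDICT_RE = re.compile(r"spamd: result: ([YN]) (-?\d+) - .*?mid=(<[^>]+>)")


def spam_by_client(log_text):
    """Join submissions to verdicts via queue id and message-id, then count
    spam verdicts (result: Y) per submitting client IP."""
    client_of_queue = {}
    queue_of_mid = {}
    verdicts = {}  # message-id -> (is_spam, score)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of_queue[m.group(1)] = m.group(2)
            continue
        m = MID_RE.search(line)
        if m:
            queue_of_mid[m.group(2)] = m.group(1)
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group(3)] = (m.group(1) == "Y", int(m.group(2)))
    counts = Counter()
    for mid, (is_spam, _score) in verdicts.items():
        client = client_of_queue.get(queue_of_mid.get(mid))
        if client and is_spam:
            counts[client] += 1
    return counts


def suspect_clients(log_text, threshold=3):
    """Client IPs with at least `threshold` outbound spam verdicts, worst first."""
    return [ip for ip, n in spam_by_client(log_text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in spam_by_client(LOG).most_common():
        print(f"{ip:16} {n} outbound spam verdict(s)")
    print("cut off / contact:", suspect_clients(LOG))
```

A single spam verdict from a normal customer (198.51.100.90 here) is noise; a run of them from one client in a few minutes is what the thread means by finding the infected machine before the complaints arrive, which is why the report ranks by count and applies a threshold rather than listing every hit. The configuration side of the thread's suggestion, letting outbound mail be scored at all, is a SpamAssassin matter (disabling ALL_TRUSTED, for instance with `score ALL_TRUSTED 0`) and is not part of this script.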
RE: spam warning from zd net
--On Wednesday, February 02, 2005 9:38 PM -0500 Rob McEwen [EMAIL PROTECTED] wrote:
> I couldn't tell from the article... but are SMTP Servers which REQUIRE password authentication for sending immune from this particular type of spam? Or does the system somehow route the spam through a person's Outlook, making use of the saved password for the default mail account?

If you know how the password is stored, you don't even need to launch Outlook to actually connect to the ISP server. The same vulnerability would also work with Thunderbird; you'd just need to know how to extract the saved password from the Mozilla profile.
RE: spam warning from zd net
Kenneth Porter said:
> If you know how the password is stored, you don't even need to launch Outlook to actually connect to the ISP server. The same vulnerability would also work with Thunderbird; you'd just need to know how to extract the saved password from the Mozilla profile.

Even though that may be correct in theory, isn't there one-way encryption involved for these passwords? (You know, the kind which can't be retrieved by anyone, only reset.) But even if that is not the case, regular strong encryption ought to be enough. Also, is there a virus, worm, or other exploit in existence which has been able to do this?

Rob McEwen
RE: spam warning from zd net
--On Thursday, February 03, 2005 1:43 PM -0500 Rob McEwen [EMAIL PROTECTED] wrote:
> Even though that may be correct in theory, isn't there one-way encryption involved for these passwords? (You know, the kind which can't be retrieved by anyone, only reset.) But even if that is not the case, regular strong encryption ought to be enough.

There can't be, because the password must be recovered to submit to the remote authentication system.

Paul Russell suggests on the MIMEDefang list that the ratware could simply pop up a password dialog. Many users will just enter their credentials, not understanding why they got a random authentication request.