At 11:38 PM -0500 8/13/07, billc imposed structure on a stream of
electrons, yielding:
> At 9:17 PM -0500 8/13/07, Lewis Butler wrote:
>> On Aug 13, 2007, at 9:03 AM, Charles Mangin wrote:
>>> Since I took over hosting, all of these dictionary-style spams
>>> have been going nowhere, being rejected out of hand with "<<< 550
>>> Unrouteable address". I know I can't do anything more than ignore
>>> them and hope they will move on to some other target but...
>>> sheesh. Six months? With nothing to show for it? You'd think
>>> there'd be some sort of list purging in all that time.
>> Well, you can do something about it: you can blacklist IP addresses
>> that send too many bad messages, where "too many" is a number you
>> choose.
> I wish that were true. Recently the dictionary attacks are coming
> from completely unrelated IPs - you can sit there and watch the logs
> roll by and know that it's a dictionary attack, but none of the IPs
> match any other. It's obviously a botnet or an IP spoofing scheme.
OUCH! You've pushed one of my buttons there....
IP spoofing for SMTP or any other chatting protocol over TCP is
effectively impossible in the wild. The legends about IP spoofing
date to the early 90's and are grounded in very narrow facts. The
Mitnick attack only worked against rsh and rexec on machines using
the traditional (perfectly predictable) BSD initial sequence number
selection pattern. Those protocols (and in particular the BSD
implementations of the time) could be made to do harm with commands
carried in single packets, so a spoofer did not have the problem of
having to guess about the target system's response to make the attack
work. On the modern net, ISN prediction is always a low-yield game
and maintaining the charade past the first packet is extremely hard
for a protocol like SMTP where every server responds a little
differently. There are complex multi-box attack modes that have been
theorized for IP spoofing of TCP-based traffic, and special cases
like BGP where low-yield probabilistic approaches can be made to
work, but there is a commonality to those: they attack very specific
high-value targets that have very valuable trust of particular IPs.
There is no known way to just pick any random IP to spoof for TCP
traffic and change it on a whim, and anyone who had such a capability
would almost certainly not be wasting it on a low-return trick like
spamming that has such high visibility.
In short: you can forget about IP spoofing as an explanation for
anything based on TCP and involving a shotgun approach. Botnets of
tens of thousands of cracked Windows machines are available for rent
and provide a far more useful tool than spoofing for most such
purposes.
> Blacklists likely won't help much there.
Actually, they can. The Spamhaus Zen list (particularly the CBL and
PBL components) does a pretty good job keeping up with compromised
machines and the Spamcop BL has become a far better tool for such
machines than it used to be, Ironport having apparently decided to
turn it into a serious operational tool rather than a way for
anti-spam activists to annoy big dumb ISPs. (As a professional mail
admin who is also an anti-spam activist, I have some mixed feelings
about that...)
I've also found that for small sites (anyone running SIMS today has
to qualify) it is likely to be very helpful to handle your own local
blacklist in a way that would be unsuitable for most public lists.
For example, most small sites in the US could forbid all of 80-92.*,
210-211.*, and 122-125.* and never lose any legitimate mail.
--
Bill Cole
[EMAIL PROTECTED]
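The argument above about initial sequence numbers can be made concrete with a small model. The following is an added example, not code from this thread or from any of its participants: a toy TCP listener that either hands out sequential ISNs (the old BSD behaviour the message refers to; the per-connection step of 64000 is an assumed constant) or unpredictable ones, and a "blind" sender that never receives the SYN-ACK for a forged source address and so has to predict the ISN to finish the handshake. The addresses are constructed from documentation ranges. The model stops at the handshake; as the message notes, an SMTP session then needs every server reply to be read, which a blind sender also cannot do.

```python
import random
import secrets

ISN_SPACE = 2 ** 32

# Per-connection ISN step assumed for the "predictable" generator; the exact
# constant of the old BSD stacks does not matter for the demonstration.
BSD_STYLE_STEP = 64000

# Constructed addresses from the documentation ranges (RFC 5737).
ATTACKER_IP, FORGED_IP = "198.51.100.7", "203.0.113.9"


class SequentialIsn:
    """Old-style generator: each new connection gets the previous ISN plus a
    fixed step, so anyone who has seen one ISN can compute the next one."""

    def __init__(self, step=BSD_STYLE_STEP):
        self.current = random.randrange(ISN_SPACE)
        self.step = step

    def __call__(self):
        self.current = (self.current + self.step) % ISN_SPACE
        return self.current


class RandomIsn:
    """Modern-style generator: an ISN that is unpredictable to an outsider."""

    def __call__(self):
        return secrets.randbelow(ISN_SPACE)


class Server:
    """Minimal model of a TCP listener's handshake state."""

    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.half_open = {}       # (src_ip, src_port) -> our ISN, awaiting the ACK
        self.established = set()

    def recv_syn(self, src_ip, src_port):
        isn = self.isn_gen()
        self.half_open[(src_ip, src_port)] = isn
        return isn  # carried in the SYN-ACK, which is routed to src_ip only

    def recv_ack(self, src_ip, src_port, ack_num):
        expected = self.half_open.get((src_ip, src_port))
        if expected is None or ack_num != (expected + 1) % ISN_SPACE:
            return False  # wrong ACK number: the handshake never completes
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def predict_next_sequential(seen_isn):
    """What an outsider can compute after observing one ISN from a sequential stack."""
    return (seen_isn + BSD_STYLE_STEP) % ISN_SPACE


def predict_blind_random(seen_isn):
    """Against a random generator the earlier ISN carries no information."""
    return secrets.randbelow(ISN_SPACE)


def blind_spoof_attempt(server, predictor):
    """One blind attempt: learn an ISN over a normal connection, then try to
    complete a handshake for a forged source without seeing its SYN-ACK."""
    probe_isn = server.recv_syn(ATTACKER_IP, 40000)
    server.recv_ack(ATTACKER_IP, 40000, (probe_isn + 1) % ISN_SPACE)
    server.recv_syn(FORGED_IP, 40001)   # the real ISN is sent to FORGED_IP, not to us
    guess = predictor(probe_isn)
    return server.recv_ack(FORGED_IP, 40001, (guess + 1) % ISN_SPACE)


def spoof_success_rate(make_isn_gen, predictor, trials=200):
    """Fraction of blind attempts that end in an established connection."""
    hits = sum(blind_spoof_attempt(Server(make_isn_gen()), predictor)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("sequential ISN:", spoof_success_rate(SequentialIsn, predict_next_sequential))
    print("random ISN:    ", spoof_success_rate(RandomIsn, predict_blind_random))
```

With sequential ISNs every blind attempt succeeds; with unpredictable ISNs the chance per attempt is one in 2^32, which is the "low-yield game" the message describes and the reason ISN randomization is the standard mitigation.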
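The three defences discussed in the thread (a per-sender rejection threshold, a DNSBL such as Spamhaus Zen, and a local first-octet blacklist like the 80-92, 210-211 and 122-125 ranges mentioned above) fit together in a short policy check. The following is an added example, not code from this list or from SIMS: the log format is constructed to resemble the "<<< 550 Unrouteable address" rejections quoted upthread, the threshold is a number the operator chooses, and the DNSBL part only builds the reversed-octet query name (a live lookup needs DNS, so it is kept in a separate function that is not exercised offline).

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample log lines (not real SIMS output); the layout is assumed.
SAMPLE_LOG = """\
08/13/07 21:02:11 [203.0.113.45] RCPT TO:<aaron@example.net> <<< 550 Unrouteable address
08/13/07 21:02:12 [203.0.113.45] RCPT TO:<abby@example.net> <<< 550 Unrouteable address
08/13/07 21:02:12 [203.0.113.45] RCPT TO:<abel@example.net> <<< 550 Unrouteable address
08/13/07 21:02:13 [203.0.113.45] RCPT TO:<ada@example.net> <<< 550 Unrouteable address
08/13/07 21:02:13 [203.0.113.45] RCPT TO:<adam@example.net> <<< 550 Unrouteable address
08/13/07 21:05:40 [198.51.100.8] RCPT TO:<bob@example.net> <<< 250 OK
08/13/07 21:05:41 [198.51.100.8] RCPT TO:<nobody@example.net> <<< 550 Unrouteable address
08/13/07 21:07:02 [85.1.2.3] RCPT TO:<alice@example.net> <<< 550 Unrouteable address
08/13/07 21:07:03 [85.1.2.3] RCPT TO:<alicia@example.net> <<< 550 Unrouteable address
"""

REJECT_RE = re.compile(r"^\S+ \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\] .*<<< 550 Unrouteable address")


def count_rejections(log_text):
    """Number of 'Unrouteable address' rejections per connecting IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def over_threshold(counts, limit):
    """IPs that have earned at least `limit` rejections ("too many" is the operator's choice)."""
    return {ip for ip, n in counts.items() if n >= limit}


def _first_octet_range(lo, hi):
    # Expand "lo-hi.*" into the minimal list of CIDR networks covering it.
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(f"{lo}.0.0.0"), ipaddress.ip_address(f"{hi}.255.255.255")))


# The first-octet ranges suggested in the message for a small US site.
LOCAL_BLOCK_RANGES = (_first_octet_range(80, 92)
                      + _first_octet_range(210, 211)
                      + _first_octet_range(122, 125))


def in_local_blocklist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_BLOCK_RANGES)


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookups reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_lookup(ip, zone="zen.spamhaus.org"):
    """Live query (needs network). Returns the answer address if listed, None if
    not listed (NXDOMAIN) or on resolver error; the answer's last octet tells
    which component list matched, per the list operator's documentation."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def classify(ip, rejection_counts, limit):
    """Policy decision for a connecting IP, cheapest local checks first."""
    if in_local_blocklist(ip):
        return "reject: local range policy"
    if rejection_counts.get(ip, 0) >= limit:
        return "reject: too many bad recipients"
    return "accept"


if __name__ == "__main__":
    counts = count_rejections(SAMPLE_LOG)
    for ip in counts:
        print(ip, counts[ip], classify(ip, counts, limit=3), dnsbl_query_name(ip))
```

On the sample log the per-IP threshold catches the single host that probed five addresses, while the host with two rejections is stopped only by the local range policy. That is the point made upthread: when a botnet spreads a dictionary run across many unrelated IPs, each one stays under any per-sender threshold, so a threshold alone is not enough and the DNSBL or range policy has to carry the load.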