On Sat, 13 Nov 2004, Peter P. Benac wrote:

> You could stand over their shoulders?
>
> I really doubt that any real spammer will use a cybercafé to send spam.
> These idiots use software that generate messages and send them thru any open
> relay they can find.  Just because the reply to address says hotmail.com or
> yahoo.com doesn't necessarily mean the message originated at Yahoo or
> Hotmail.

No, Cigan is right. A substantial number of the "419" scammer spams
come from criminals noodling away in cybercafes. (My hat's off to you,
Cigan, for being concerned about this problem.) This has become the
"cottage industry" of the criminal world.
There was a story in the Register (or some net-news site) about a
scammer being caught in the UK because his victim in the US had a
friend living in that UK city who was able to 'stake out' the cybercafe
and catch the crook in the act. ;)

This is a technically tough problem to solve. Your network does not
'see' any SMTP traffic, the traffic is just HTTP get/post operations,
so nothing for spamassassin to easily filter.

You would need to do something like set up a transparent HTTP proxy
(such as squid) so all web traffic (incoming and outgoing) would pass
thru it. Then you would need to configure it with a custom filter that
would look for 'POST' operations going to specific destinations (Yahoo,
hotmail, etc) and then hand the data to a custom local program that
would synthesize an SMTP-like message to pass to your spamassassin.
(not a trivial task but do-able).
However if the crooks were smart enough to encrypt their traffic
(use 'https://' rather than 'http://') the proxy would only see the
encrypted traffic and not be able to "look inside" it to see what the
actual message was. You could block traffic to the https port (443)
to prevent that but that would be a disservice to your customers who
wanted to do on-line shopping. ;(

Keyboard loggers would be the hi-tech equivalent of looking over their
shoulders, but would not stop the act, just enable later apprehension.
(not to mention the considerable work of grubbing thru the keylogger
data to find the possible crook).

Good luck in this effort.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

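The proxy-side filter sketched in the message above, as an added example that is not from the original thread: it takes one captured HTTP POST (a constructed sample), checks that it is a plaintext form submission to a watched webmail host, and synthesizes an RFC 822-style message that could be piped into spamassassin. The watched host list and the compose-form field names are assumptions.

```python
from email.message import EmailMessage
from email.utils import formatdate
from urllib.parse import parse_qs

# Assumed (hypothetical): webmail hosts whose compose POSTs the proxy hands over.
WATCHED_HOSTS = {"mail.yahoo.com", "www.hotmail.com"}
# Assumed (hypothetical): compose-form field names mapped to mail headers.
FIELD_MAP = {"to": "To", "subject": "Subject"}

# Constructed sample of a captured compose POST (not real traffic).
SAMPLE_POST = (
    b"POST /compose/send HTTP/1.1\r\n"
    b"Host: mail.yahoo.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 84\r\n"
    b"\r\n"
    b"to=victim%40example.com&subject=URGENT+BUSINESS+PROPOSAL"
    b"&body=Dear+Sir%2C+I+need+your+help"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def synthesize_message(raw: bytes, client_ip: str):
    """Return RFC 822 text for spamassassin, or None if this is not a webmail compose POST."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or headers.get("host", "").lower() not in WATCHED_HOSTS:
        return None
    # Only plaintext HTTP is inspectable; an https:// compose never reaches here.
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    msg = EmailMessage()
    msg["From"] = f"webmail-user@{headers['host']}"  # synthetic sender
    for form_key, header in FIELD_MAP.items():
        if form_key in fields:
            msg[header] = fields[form_key]
    msg["Date"] = formatdate(localtime=False)
    msg["X-Cafe-Client"] = client_ip      # which cafe machine sent the POST
    msg["X-Webmail-Path"] = path
    msg.set_content(fields.get("body", ""))
    return msg.as_string()
```

The returned text is what a `spamassassin -e` style check or `spamc` would consume; a non-None result for a GET, or for a host outside `WATCHED_HOSTS`, would mean the filter is mis-scoped.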