Serge,

The references to port 587 were mainly topics from past posts and not directly what is being addressed here. It is related, though, by the fact that raising the bar on spammers by blocking port 25 encourages them to seek new ways to exploit their bots, and progressing to AUTH hacking is the obvious next step. We are definitely seeing that now in increasing numbers, and I expect it to become much more common over time. Before many ISPs blocked port 25, and before most spam blocking was worth a dime, spammers didn't need to worry much about going the extra step of hacking real E-mail accounts, but were only underachievers due to the necessity of the situation. It should go without saying that people who can control 1.5 million or more bots in a single network can be quite crafty, and much more crafty than they are being now if they really felt that it was necessary.

Because of these things, now is the time, if it is not already too late, to push hard at getting every server out there to implement some form of account hijacking protection that is on by default. Unfortunately I know of no such servers at this moment that either have such protection or have it turned on by default, though I don't doubt for a second that such protection exists for some servers. Declude's Hijack is a fine tool for an administrator wishing to protect their own server from being exploited, but it doesn't do much for the greater good, and we all face much bigger issues from spammers and virus writers that compromise others' servers.

Matt
Serge wrote:
Andrew,

I understand the need for 587 auth. We are an ISP, and we have been blocking outbound port 25 for years. Moving to port 587 auth only will be a major undertaking, until all mail clients become auto-negotiating. It was already a long undertaking to force all our clients to SMTP auth on port 25.

Anyway, I was only referring to the subject of this thread, the threat of a new type of virus, and I think we agree on this issue: port 587 is not a solution.
----- Original Message -----
Sent: Thursday, November 17, 2005 11:31 PM
Subject: RE: [Declude.JunkMail] OT: another SOBERing though
Serge, that's a misleading line of reasoning. Here's the thing:

Auth on port 587 is the right best practice for ISPs (and some corporations) so that they can properly secure their MTA against misuse by 3rd parties, including worms on their client subnets. It cuts off large swaths of current flaws: the ISP won't have any open relays, won't have whitelisted client subnets, thereby allowing the ISP to firewall outbound port 25 from their personal clients. Auth on 587 also allows the client to wander all over the Internet with their laptop and still send mail with their own mailfrom name from the expected ISP's MTA.

As you've surmised, this doesn't help if the bad guys have auth that they've stolen from one of your clients. However, this becomes the same case as if the bad guy is one of your clients, and the answers are the same; the ISP needs traffic logging and alerts, e.g. the mail volume restrictions over time that were discussed earlier today.

Is that clearer?

Andrew 8)
Not sure how using port 587 will solve this. Can't the spammers/virus writers eventually use this port? Why would that be a long term solution?
----- Original Message -----
Sent: Thursday, November 17, 2005 7:24 PM
Subject: Re: [Declude.JunkMail] OT: another SOBERing though
I think one of the issues here is that Hijack was designed to solve a
problem that existed due to omission on the part of IMail, but being a
separate app, it might not be the most optimal method, though for now
it definitely is.
Most servers on the Internet have no policies in place to restrict the
volume of E-mail through authenticated accounts. This is a gaping hole
and it is now being exploited. The best way to effectively stop such
things is to integrate that functionality into the servers themselves,
and all servers need such settings defaulted to being enabled in order
to protect the Internet from the garbage that hacked accounts can spew.
Clearly people aren't taking this seriously enough, including the often
exploited likes of HotMail/Microsoft and Yahoo. I figure that
eventually everyone will begin to take this seriously, but only after
things have become much worse. Keep in mind that most of us were
operating as open relays up until about 2000, and most of us had no
alternative. E-mail systems with their very loose or completely
lacking policy enforcement in combination with being the most often
attacked system on the Internet with the most financial gain should be
a primary focus as far as security goes.
What really gets me is that in the last couple of years, there was a
huge focus on SPF, Caller-ID and Domain Keys, but very little focus on
propagating port 587/AUTH-only support on mail servers, and seemingly
no focus in getting E-mail clients to auto-negotiate such settings.
Now we are seeing another completely predictable situation in which
spammers and virus writers are automating the hacking of E-mail
accounts, and there are virtually no protections in place. IMO, it's a
shame that the biggest players were pushing for what I consider to be almost
valueless functionality while the big names behind them were also the
ones that were being exploited the most and still are. These are also
the same fools that paid off Congress so that they 'can'-Spam.
Matt
Serge wrote:
Hijack will work, but it will be much better if it works based on the authenticated user instead of IP. Also, we need to be able to set different limits/categories for different users.

Declude, are you listening?
----- Original Message -----
Sent: Thursday, November 17, 2005 6:36 PM
Subject: RE: [Declude.JunkMail] OT: another SOBERing though
Wow! It's like 1995 - 2005 had never been. :-|

OK, I must say I never worked with Declude Hijack. Isn't this simply what we need now?

Markus
You can read about or get your own version of the password stealing app here:

Andrew 8)
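Several messages in the thread call for the same thing: volume limits on authenticated submissions (Matt, Andrew), keyed on the authenticated user rather than the client IP, with different limits per user category (Serge). The following is an added example written for this page, not Declude Hijack's code and not anything posted in the thread. The log line format, the user names, the IP addresses and the limit numbers are all constructed for the illustration; it shows why a per-IP counter misses a hijacked account whose credentials are being used from several bots at once, while a per-user sliding window catches it.

```python
"""Per-user SMTP submission volume limiter (added example; assumed log format)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed submission-log lines for a hypothetical MTA (this is NOT any real
# server's log syntax).  "alice" sends normally from one IP; "bob"'s stolen
# credentials are used by three bots on three different IPs within seconds;
# "list" is a legitimate bulk sender placed in a more generous category.
SAMPLE_LOG = """\
2005-11-17 23:31:02 submit auth=alice@example.net ip=203.0.113.5 rcpts=2
2005-11-17 23:31:40 submit auth=bob@example.net ip=198.51.100.7 rcpts=40
2005-11-17 23:31:41 submit auth=bob@example.net ip=198.51.100.8 rcpts=40
2005-11-17 23:31:42 submit auth=bob@example.net ip=198.51.100.9 rcpts=40
2005-11-17 23:32:10 submit auth=alice@example.net ip=203.0.113.5 rcpts=1
2005-11-17 23:45:00 submit auth=list@example.net ip=192.0.2.20 rcpts=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) submit auth=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Per-category policy (assumed numbers): recipients allowed per window, distinct
# source IPs allowed per window, and the window length.
POLICIES = {
    "residential": {"max_rcpts": 100, "max_ips": 2, "window": timedelta(hours=1)},
    "bulk": {"max_rcpts": 10000, "max_ips": 5, "window": timedelta(hours=1)},
}

# Per-user category assignment (assumed); anyone not listed is "residential".
USER_CATEGORY = {"list@example.net": "bulk"}


class SubmissionLimiter:
    """Sliding-window limiter keyed on the authenticated user, not the client
    IP, so a hijacked account is caught even when the bots using it are spread
    across many addresses."""

    def __init__(self, policies=POLICIES, user_category=USER_CATEGORY):
        self.policies = policies
        self.user_category = user_category
        self.history = defaultdict(deque)  # user -> deque of (ts, ip, rcpts)

    def policy_for(self, user):
        return self.policies[self.user_category.get(user, "residential")]

    def check(self, ts, user, ip, rcpts):
        """Record one submission and return (allowed, reason)."""
        pol = self.policy_for(user)
        hist = self.history[user]
        # Expire events that have fallen out of the window.
        while hist and ts - hist[0][0] > pol["window"]:
            hist.popleft()
        hist.append((ts, ip, rcpts))
        total = sum(r for _, _, r in hist)
        ips = {i for _, i, _ in hist}
        if total > pol["max_rcpts"]:
            return False, f"{user}: {total} recipients in window exceeds {pol['max_rcpts']}"
        if len(ips) > pol["max_ips"]:
            return False, f"{user}: {len(ips)} source IPs in window exceeds {pol['max_ips']}"
        return True, "ok"


def parse_line(line):
    """Parse one constructed log line; return (ts, user, ip, rcpts) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["user"], m["ip"], int(m["rcpts"])


def audit(log_text, limiter=None):
    """Replay a log through the limiter and return the alert strings raised."""
    limiter = limiter or SubmissionLimiter()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        allowed, reason = limiter.check(*parsed)
        if not allowed:
            alerts.append(reason)
    return alerts


def per_ip_totals(log_text):
    """What a per-IP counter sees: each of bob's bots stays under the limit."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            _, _, ip, rcpts = parsed
            totals[ip] += rcpts
    return dict(totals)


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print("ALERT", alert)
    print("per-IP view:", per_ip_totals(SAMPLE_LOG))
```

Run stand-alone, it raises one alert for bob's third submission (120 recipients inside the hour against a residential limit of 100) while every individual bot IP shows only 40 recipients, which is the point Serge raises about keying on the authenticated user. A production version would hook the same check into the submission path to defer or reject rather than only log, and would persist the per-user window across server restarts.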