This has been going on for about a year with Earthlink.  The spammers using this technique (AUTH hacking, or trusted IP relaying) have so far created clear patterns that I have been able to filter out with Declude, making the absence of the last hop blacklist hit a non-issue.  They can however change patterns and randomize sufficiently to make filtering much harder, and this will eventually happen.

On the other hand, providers like Earthlink should have in place anti-abuse measures that limit this to much less than 2% of traffic as they stated in that article.  It sounds like Earthlink wasn't even AUTH-ing their own SMTP traffic until recently, and may still be allowing non-AUTH'd stuff through.  Declude Hijack essentially does just this for IMail users, and some other platforms have protections (capabilities) built in.

This is a situation created by raising the bar on spammers.  While they have been underperformers to date when compared to rather unsophisticated blacklisting techniques, there are a host of techniques that they can utilize that would make blocking much harder.  As you raise the bar on them, they will morph their techniques in order to continue spamming.  Spamming by way of legitimate servers and legitimate accounts also has the effect of destabilizing the techniques that we currently use to block them.  For instance, tarpitting a legitimate server can have detrimental effects on legitimate traffic.  SpamCop also has had a nasty habit in the past of blacklisting even AOL's servers, though the incidence has diminished with time despite their refusal to address the problem.  So by making our techniques less reliable, they in effect lower the bar.  I believe that this will become not much different to what we have seen with viruses and how they have changed over time in order to adjust to the realities.  When was the last time that you saw a macro virus, for instance?  Before macros were king, it was boot sector viruses.  Broadband spam zombies will probably no longer be making direct connections after a few more years, and we'll be dealing with mostly legitimate servers that have been hacked or exploited in some way.

Port 587 AUTH-only support in mail servers and mail clients is the best protection against this.  While everyone is touting the benefits of blocking port 25, they are overlooking the harm to legitimate use that they cause by leaving no alternatives.  The faster the industry introduces 587 support, the faster that you can shut down port 25 widely, and close that gaping hole and at least cause spammers to become more creative.  There are many fewer legitimate servers out there than there are broadband-connected home PCs, so while they will morph techniques, it should reduce the volume.  Unfortunately port 587 support won't be effective until mail clients are released that either default to 587, or fail over to 587 automatically.  Manually configuring port 587 on a preferences tab isn't going to start any kind of rush to use it.  Having E-mail servers like IMail with millions of mail boxes (for the time being) sit quiet and ignore the problem isn't going to inspire anyone either.  Heck, even Ipswitch's labeling of an open relay setting as "relay for local users only" is embarrassingly dim in light of current conditions.

Matt
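One way to pick out the AUTH-hijacking pattern Matt describes from a server's send log, as an added example that is not code from this thread, from IMail or from Declude Hijack: it assumes a constructed one-line-per-message log format and flags accounts that exceed a recipient or distinct-client-IP threshold inside a sliding window.

```python
# Added illustrative code, not from the thread and not Declude Hijack's logic.
# The log format below is constructed for this example; real servers differ.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<login> ip=<client> rcpts=<n>"
SAMPLE_LOG = """\
2005-02-02T19:00:01 user=alice ip=10.0.0.5 rcpts=1
2005-02-02T19:00:40 user=alice ip=10.0.0.5 rcpts=2
2005-02-02T19:01:05 user=bob ip=192.0.2.10 rcpts=45
2005-02-02T19:01:07 user=bob ip=198.51.100.7 rcpts=50
2005-02-02T19:01:09 user=bob ip=203.0.113.22 rcpts=48
2005-02-02T19:01:11 user=bob ip=203.0.113.23 rcpts=52
2005-02-02T19:20:00 user=carol ip=10.0.0.9 rcpts=3
"""

def parse_line(line):
    """Return (timestamp, user, ip, rcpts) for one constructed log line."""
    ts, user, ip, rcpts = line.split()
    return (datetime.fromisoformat(ts), user.split("=", 1)[1],
            ip.split("=", 1)[1], int(rcpts.split("=", 1)[1]))

def find_hijacked(log_text, window=timedelta(minutes=10),
                  max_rcpts=100, max_ips=2):
    """Return {user: reason} for accounts exceeding either threshold within
    a sliding time window. A real user sends a few messages from one or two
    IPs; a stolen login driven from many zombies shows many recipients from
    many unrelated client addresses in a short time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, ip, rcpts = parse_line(line)
        events[user].append((ts, ip, rcpts))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            rcpts = sum(e[2] for e in span)
            ips = {e[1] for e in span}
            if rcpts > max_rcpts:
                flagged[user] = f"{rcpts} recipients in {window}"
                break
            if len(ips) > max_ips:
                flagged[user] = f"{len(ips)} client IPs in {window}"
                break
    return flagged
```

Thresholds are placeholders; a flagged account is a candidate for a per-user send limit or a forced password reset, not an automatic block.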

Matrosity Tech Support wrote:
I'm missing something here. If Earthlink users are suddenly sending out email from "legit" servers instead of being the typical zombie, then this negates the blacklist tests. I'm less concerned about our own users as we can check them but more concerned about blacklisting being pretty much disabled.

Bill

John Tolmachoff (Lists) wrote:

If so, then that would be one more plus for Imail + Declude. By forcing Authentication and use of Declude Hijack, this would not get through any Imail + Declude server.

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matrosity Tech Support
Sent: Wednesday, February 02, 2005 7:39 PM
To: [email protected]
Subject: Re: [IMail Forum] concerns about new zombies

I believe this means that an Earthlink user would send out the email using Earthlink's server.

John Tolmachoff (Lists) wrote:

Well, briefly reading the article, what do they mean by sending it out via the ISP's e-mail server? Does that mean doing some kind of lookup to see who the IP belongs to, or does it mean sending it via the e-mail server that the e-mail client is configured to use?
 
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:IMail_Forum-[EMAIL PROTECTED]] On Behalf Of Matrosity Tech Support
Sent: Wednesday, February 02, 2005 4:59 PM
To: [email protected]
Subject: [IMail Forum] concerns about new zombies
 
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=nefd.top
 
I know it's a long URL, but the story is a bit disconcerting. Thoughts?
 
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================