On Thu, 3 Feb 2005 11:42:55 +, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the local
ISP's mail servers rather than trying their own
Hi!
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the local
ISP's mail servers rather than trying their own port 25
connections.
Now? We (and AOL, and some other large networks) have
On Thu, 3 Feb 2005, Suresh Ramasubramanian wrote:
On Thu, 3 Feb 2005 11:42:55 +, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the
On Thu, Feb 03, 2005 at 11:42:55AM +, [EMAIL PROTECTED] wrote:
CNET reports
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the local
ISP's mail servers rather than trying their
UUQwest?
http://www.reuters.com/financeNewsArticle.jhtml?type=bondsNewsstoryID=75273
08
--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV Operations Infrastructure
[EMAIL
On Feb 3, 2005, at 9:30 AM, [EMAIL PROTECTED] wrote:
One additional thing that I think wasn't mentioned in the article -
Make sure your MXs (inbound servers) are separate from your outbound
machines, and that the MX servers don't relay email for your dynamic IP
netblock. Some other trojans do stuff
Do you let your customers send an unlimited number of
emails per day? Per hour? Per minute? If so, then why?
Doing that - especially now when this article has hit the popular
press and there's going to be lots more people doing the same thing -
is going to be equivalent of hanging out a
[EMAIL PROTECTED] wrote:
CNET reports
http://news.com.com/Zombie+trick+expected+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=cd.top
that botnets are now routing their mail traffic through the local
ISP's mail servers rather than trying their own port 25
connections.
Both on ASRG and here
[EMAIL PROTECTED] wrote:
On Thu, 3 Feb 2005, Suresh Ramasubramanian wrote:
snip
Easier said than done, especially if you're a small ISP that's been doing
POP before SMTP and changing this requires that every customer's settings
be changed.
drac http://mail.cc.umanitoba.ca/drac/
supports
Hi!
Now, once 100K zombies can send *only* 1000 spam messages a day instead of
10K or even 500K, it makes a difference, but it is no solution.
I am happy to see people are starting to move this way, and I personally
believe that although this is happening (just go and hear what Carl from AOL
If a pro cannot clean it out safely, then I cannot imagine our typical
home user would be able to... and with some luck he installs a firewall
and antivirus next time, after reinstalling his system for the 4th or
5th time.
You may want to check out some AT (Anti-Trojan) software such as The
Hi!
If a pro cannot clean it out safely, then I cannot imagine our typical
home user would be able to... and with some luck he installs a firewall and
antivirus next time, after reinstalling his system for the 4th or 5th time.
You may want to check out some AT (Anti-Trojan) software such as The
You will never be sure you have picked up all, only the known ones. For
a compromised system, unless running tripwire or something, reinstall!
You can never be sure, that's why it's a backdoor/Trojan horse.
It's a nice start, but it also tells people I am safe, and they don't know
Yes, it is. AV
Now, once 100K zombies can send *only* 1000 spam messages a day instead
of 10K or even 500K, it makes a difference, but it is no solution.
I'd like to see rate limits set much
lower than that. Perhaps one message per day
to begin with. After the message is sent,
send the customer a reminder
This is no POC, we have seen this happen many many times. Perhaps some
Wrong, and I will tell you why in a second.
drone networks are a little 'behind' but in general, they are perfectly
able to do this. Even with some static lists for some large ISPs
mailservers they can perfectly initiate it
- Original Message -
From: Gadi Evron [EMAIL PROTECTED]
Allow me to elaborate; and forget about this article, why limit ourselves?
Once big ISPs started blocking port 25/outbound for dynamic ranges, and it finally began hitting the news, we once again caused
the spammers to undergo
I know that I'm in the middle of trying to figure this out with the mail
server software that is used where I work but if limits are going to be put
into place per email box of say 1,000 messages per day and a total daily sending
limit of say 200 megabytes, I feel there also needs to be methods
Hello
I am a bit concerned that blocking any port at all preventing abuse of
the affected service will make the abusers go through other services
instead. Port 139/445 is already blocked by several ISPs due to
excessive abuse or I believe they call it 'a security measurement'. Even
port 23
On Thu, 03 Feb 2005 16:07:10 +0100, Raymond Dijkxhoorn said:
The only thing I don't see is a way to remove these bots!
Not everyone knows how to even look at their machines for signs of these
bots. Heck, I know most of my guys here don't even know how these bots
work.
For a compromised
On Thu, 03 Feb 2005 17:54:28 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
Still, please tell me, how is not blocking un-used or un-necessary ports
a bad thing? It is a defensive measure much like you'd add barricades
before an attack.
Agreed. And depending on your service, there are different
On Thu, 3 Feb 2005, Raymond Dijkxhoorn wrote:
One additional thing that I think wasn't mentioned in the article -
Make sure your MXs (inbound servers) are separate from your outbound
machines, and that the MX servers don't relay email for your dynamic IP
netblock. Some other trojans do
On Thu, 03 Feb 2005 12:16:41 EST, Jason Frisvold said:
Agreed. And depending on your service, there are different ports
worth blocking. For residential users, I can't see a reason to not
block something like Netbios. And blocking port 25 effectively
prevents zombies from spamming.
On Thu, Feb 03, 2005 at 05:29:15PM +0200, Gadi Evron wrote:
You will never be sure you have picked up all, only the known ones. For
a compromised system, unless running tripwire or something, reinstall!
You can never be sure, that's why it's a backdoor/Trojan horse.
It's a nice start,
On 02/03/05, [EMAIL PROTECTED] wrote:
Is there any info on how this zombie is spread? ie, email worms, direct
port attacks, etc. If the former, there's hope of nipping it in the bud
with anti-virus filtering.
Yeah, that's been working really well for us so far. /sarcasm
--
J.D.
on Thu, Feb 03, 2005 at 04:07:10PM +0100, Raymond Dijkxhoorn wrote:
The only thing I don't see is a way to remove these bots!
Not everyone knows how to even look at their machines for signs of these
bots. Heck, I know most of my guys here don't even know how these bots
work.
For a
GE Date: Thu, 03 Feb 2005 17:14:40 +0200
GE From: Gadi Evron
GE heck, I don't see how SMTP auth would help, either. They have local
GE access to the machine.
User joe6pack is pumping out 100k messages/day. That can't possibly be
valid; let's disable his -- and only his -- SMTP access. He
GE Date: Thu, 03 Feb 2005 17:54:28 +0200
GE From: Gadi Evron
GE They now evolved, and are using user-credentials and ISP-servers. This
GE evolution means that their capabilities are severely decreased, at least
GE potentially.
This means that it's 1998 again. Direct-to-MX spam was an evolution
: I'd like to see rate limits set much lower than that. Perhaps one
: message per day to begin with. After the message is sent, send the
: customer a reminder about the limit and tell them how to get to a web
: page to increase the limit. The web page would only accept an
: incremental increase.
On Thu, 03 Feb 2005 12:26:55 -0500, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
On Thu, 03 Feb 2005 12:16:41 EST, Jason Frisvold said:
Agreed. And depending on your service, there are different ports
worth blocking. For residential users, I can't see a reason to not
block something like
On Thu, Feb 03, 2005 at 12:26:55PM -0500, [EMAIL PROTECTED] wrote:
On Thu, 03 Feb 2005 12:16:41 EST, Jason Frisvold said:
Agreed. And depending on your service, there are different ports
worth blocking. For residential users, I can't see a reason to not
block something like Netbios.
--On Thursday, February 03, 2005 11:42 + [EMAIL PROTECTED]
wrote:
Do you let your customers send an unlimited number of
emails per day? Per hour? Per minute? If so, then why?
Because there are *NO* packages available that offer limiting. Free or
commercial.
Nils Ketelsen wrote:
Only thing that puzzles me is, why it took spammers so long to go in
this direction.
It didn't. It took the media long to notice.
Pete
- Original Message -
From: Jason Frisvold [EMAIL PROTECTED]
On Thu, 03 Feb 2005 17:54:28 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
Still, please tell me, how is not blocking un-used or un-necessary ports
a bad thing? It is a defensive measure much like you'd add barricades
before an
Nils Ketelsen wrote:
Only thing that puzzles me is, why it took spammers so long to go in
this direction.
Nils
I am still confused why people think this is new behavior. The sky is
not falling (regardless of how many stories CNET publishes claiming it
is), nor should this really be relevant to
On Thu, 3 Feb 2005, Jason Frisvold wrote:
prevents zombies from spamming. Unfortunately, it also blocks
legitimate users from being able to use SMTP AUTH on a remote server..
There's a *reason* why RFC2476 specifies port 587
I assume you're referring to the ability to block port
Michael Loftis wrote:
Because there are *NO* packages available that offer limiting. Free or
commercial.
Strange. Our mail servers have had this ability for over a year. The
hard part is getting tens of thousands of legacy ISP customers to switch
to SMTP auth without drowning the support
Once upon a time, Robert Blayzor [EMAIL PROTECTED] said:
Michael Loftis wrote:
Because there are *NO* packages available that offer limiting. Free or
commercial.
Strange. Our mail servers have had this ability for over a year. The
hard part is getting tens of thousands of legacy ISP
Chris Adams wrote:
What does that have to do with SMTP rate limiting?
A lot since the original question was:
Do you let your customers send an unlimited number of
emails per day? Per hour? Per minute? If so, then why?
and an answer was:
Because there are *NO* packages available that offer
How come it is always about controlling the symptoms and not the
illness? The vast majority of these
spam drones are compromised WINDOWS machines. If the operating system
and dominant email applications so easily allow the users' machines to
be taken over by a third party, then there is
Miller, Mark wrote:
How come it is always about controlling the symptoms and not the
illness?
The illness is the user. That is uncontrollable.
On 02/03/05, Miller, Mark [EMAIL PROTECTED] wrote:
How come it is always about controlling the symptoms and not the
illness? The vast majority of these
spam drones are compromised WINDOWS machines. If the operating system
and dominant email applications so easily allow the users'
Michael Loftis [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
Do you let your customers send an unlimited number of emails per
day? Per hour? Per minute? If so, then why?
Because there are *NO* packages available that offer limiting. Free
or commercial.
My exim.conf calls you a liar.
--
On Thu, Feb 03, 2005 at 09:21:19PM +0200, Petri Helenius wrote:
Nils Ketelsen wrote:
Only thing that puzzles me is, why it took spammers so long to go in
this direction.
It didn't. It took the media long to notice.
Pete's correct. And there's another reason: spammers have long
since
Creating an invincible mail client, still only addresses the symptom, and
not the disease. I would contend that any attempts made to harden a mail
client, will, (and have always been..), be countered with a new exploit, a
new method of exploiting the system.
The only way to really control spam,
We've been doing this on postfix for some time now.
Michael Loftis wrote:
--On Thursday, February 03, 2005 11:42 + [EMAIL PROTECTED]
wrote:
Do you let your customers send an unlimited number of
emails per day? Per hour? Per minute? If so, then why?
Because there are *NO* packages available
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
J.D. Falk
Sent: Thursday, February 03, 2005 4:35 PM
To: nanog@merit.edu
Subject: Re: Time to check the rate limits on your mail servers
On 02/03/05, Miller, Mark [EMAIL PROTECTED] wrote:
On 02/03/05, Hannigan, Martin [EMAIL PROTECTED] wrote:
Upgrading and/or replacing the OS for every Windows user on the
planet is an educational issue. Keeping the network viable
while you figure out how to do that is an operational issue.
..or a cost issue. Most of these
Peter Corlett [EMAIL PROTECTED] wrote:
[...]
My exim.conf calls you a liar.
Since I've had a few private emails about my rude and abrupt comment
(although not complaining about it, which is encouraging :), I'd
better explain further, just in case there were people who are curious
but not
How come it is always about controlling the symptoms and not the
illness?
The illness is the user. That is uncontrollable.
A product that doesn't work as advertised has much to do with it as well.
Adi
How about using SMTP AUTH and verifying the envelope MAIL FROM to match
the actual user authenticating? This will make SPAM traceable and
hopefully ultimately users aware that their PC is sending junk.
Adi
On Thu, 3 Feb 2005, Adi Linden wrote:
How about using SMTP AUTH and verifying the envelope MAIL FROM to match
the actual user authenticating?
that doesn't work if you have more than one email address.
This will make SPAM traceable and
hopefully ultimately users aware that their PC is sending junk.
How about using SMTP AUTH and verifying the envelope MAIL FROM to match
the actual user authenticating?
that doesn't work if you have more than one email address.
Wouldn't address resolution take care of that if properly
configured? Some implementations allow you to specify what
email
JJ Date: Thu, 3 Feb 2005 15:41:34 -0800 (PST)
JJ From: Joel Jaeggli
JJ How about using SMTP AUTH and verifying the envelope MAIL FROM to match
JJ the actual user authenticating?
JJ
JJ that doesn't work if you have more than one email address.
The words overreaching and fallacious come to
On Thu, 2005-02-03 at 14:55 -0800, J.D. Falk wrote:
On 02/03/05, Hannigan, Martin [EMAIL PROTECTED] wrote:
..or a cost issue. Most of these users are people who have
decided not to spend the $40 to defend their machine at home.
So you educate them as to why it would be a good idea to
On Thu, 3 Feb 2005 09:30:58 -0500 (EST), [EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:
I just implemented a patch to tcpserver which allows me to limit the
number of simultaneous SMTP connections from any one IP, but have not yet
looked into daily/hourly limits. I know Comcast has started
How about using SMTP AUTH and verifying the envelope MAIL FROM to match
the actual user authenticating? This will make SPAM traceable and
hopefully ultimately users aware that their PC is sending junk.
Ouch .. Then spammers may start using a From: matching the SMTP auth
user, and
How about using SMTP AUTH and verifying the envelope MAIL FROM to match
the actual user authenticating?
that doesn't work if you have more than one email address.
You should know all your users' email addresses. It shouldn't be too
difficult to match the 'mail from' address with the user
* [EMAIL PROTECTED] (Adi Linden) [Fri 04 Feb 2005, 03:17 CET]:
You should know all your users' email addresses.
You have got to be kidding.
-- Niels.
--
The idle mind is the devil's playground
JF Date: Thu, 3 Feb 2005 20:37:29 -0500
JF From: Jason Frisvold
JF Ouch .. Then spammers may start using a From: matching the SMTP auth
JF user, and effectively joe-jobbing the user.. Ick..
Exactly. The user then loses mail sending ability, but other services
remain functional.
Eddy
--