| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Subject: [SPAM] Spam sent via spambots? On Mon, 1 Nov 2004, Nick FitzGerald wrote: > In another thread Hugo van der Kooij wrote: > > > Securing every machine on the internet would be a good start. 95% of all > > spam messages I have seen lately gets send from DSL or Cable IP addresses. > > These are machine which run spamware without the user knowing (s)he is > > sending out spam by the buckets untill their ISP shuts them down. > > Does anyone have sound statistics on how much spam comes from DSL/Cable > IP-space? The figures are based on several anti-spam boxes with Dutch clients. I am sure it is not significant in numbers but it might be acurate enough to hold some value. > And further, does anyone have any idea how to pick apart how much of > that is simply relaying type activity vs.dedicated spam-bot activity? > > On the first question, I've seen many estimates over the last year or > so suggesting everything from 25% (admittedly that was one of the > earliest such estimates) to 40% and 60%, and recently a few claims of > the "as much as..." variety pegging it at 75% and 80% (don't ask for > references -- this is all from memory...). > > So, has any really good, large-scale sampling of these issues been > done, perhaps by the large Email/anti-spam managed services folks?? I have only done an analyses on spam I collect directly based on host headers and reverse SMTP connections. You can almost always easily see where the fake Received: headers start. But I have not been able to put it in code to automate the process. But it seems that spamcop is doing something like that. In almost none of the cases was there a SMTP server alivei on the last real hop. Nor any other proxy I could detect easily. Sendmail logs also show a significant number of false recipients which are known to be part of worms that are by now over 6 months old. Like: Nov 1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary@...derkooij.org>, relay=[221.232.95.12], reject=550 5.7.0 <mary@...derkooij.org>... - REJECTED: KEEP YOUR VIRUS JUNK!; SEE ALSO: http://hvdkooij.xs4all.nl/email.cms Nov 1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [221.232.95.12] to MTA after rcpt Nov 1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<maria@...cent.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[221.232.95.12] If there are that many worms going around it only shows how easy it is to write your own little SMTP engine. Spammers may have deployed similar backdoors/trojans/bots/... Due to the current policy to round numbers to 0.05 Euro in shops I do not know if my 0.02 Euro will do any good. Hugo. -- I hate duplicates. Just reply to the relevant mailinglist. hvdkooij@...derkooij.org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of magicians, for they are subtle and quick to anger.
Powered by blists - more mailing lists