[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040304182724.4282639FC@mprdmxin.myway.com>
From: orangganjil at myway.com (orangganjil)
Subject: Backdoor not recognized by Kaspersky
One thing that I have not seen discussed in this thread is tarpitting spammers. This has been discussed before on BugTraq:
http://www.securityfocus.com/archive/119/292053/2004-03-01/2004-03-07/1
In addition, there is a neat tool for doing this in conjunction with an MTA, called Spam Cannibal:
http://www.spamcannibal.org
I run a spam tarpit using an e-mail address that should never receive legitimate communications. The MX record for that e-mail address points to a tarpited IP with 25/TCP open. When remote mail servers (or zombied DSL/Cable users) connect to that tarpit their connection is held and their IP is logged. I have a Perl script that parses the logs and e-mails me a diff of the top 50 offenders. Those folks end up being blocked by my firewall from accessing SMTP on my mail server. If they are a home user, they can still access my web pages, etc. This goes a long way to decreasing the spam I receive, and in addition, my tarpit holds or slows their connection - making it less likely they will move on to the next spam recipient.
Test have been done verifying that, in most cases, spam software freezes, hangs, or crashes when tarpitted - forcing manual intervention. There are potential ways around this without breaking TCP (if you ignore window size changes you are breaking TCP), but all of the work-arounds require manual intervention or slow down the rate of spam and consume bandwidth. All of these, even if the software doesn't crash or hang, increase the cost of spamming. Making spam unprofitable is the only way to combat it, IMHO.
Thanks.
_______________________________________________
No banners. No pop-ups. No kidding.
Introducing My Way - http://www.myway.com
Powered by blists - more mailing lists