lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0411010711570.4421@gandalf.hugo.vanderkooij.org>
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Subject: [SPAM] Spam sent via spambots?

On Mon, 1 Nov 2004, Nick FitzGerald wrote:

> In another thread Hugo van der Kooij wrote:
>
> > Securing every machine on the internet would be a good start. 95% of all
> > spam messages I have seen lately get sent from DSL or Cable IP addresses.
> > These are machines which run spamware without the user knowing (s)he is
> > sending out spam by the buckets until their ISP shuts them down.
>
> Does anyone have sound statistics on how much spam comes from DSL/Cable
> IP-space?

The figures are based on several anti-spam boxes with Dutch clients. I am
sure it is not significant in numbers but it might be accurate enough to
hold some value.

> And further, does anyone have any idea how to pick apart how much of
> that is simply relaying type activity vs. dedicated spam-bot activity?
>
> On the first question, I've seen many estimates over the last year or
> so suggesting everything from 25% (admittedly that was one of the
> earliest such estimates) to 40% and 60%, and recently a few claims of
> the "as much as..." variety pegging it at 75% and 80% (don't ask for
> references -- this is all from memory...).
>
> So, has any really good, large-scale sampling of these issues been
> done, perhaps by the large Email/anti-spam managed services folks??

I have only done an analysis on spam I collect directly based on host
headers and reverse SMTP connections. You can almost always easily see
where the fake Received: headers start. But I have not been able to put it
in code to automate the process. But it seems that spamcop is doing
something like that.

In almost none of the cases was there an SMTP server alive on the last
real hop. Nor any other proxy I could detect easily.

Sendmail logs also show a significant number of false recipients which
are known to be part of worms that are by now over 6 months old. Like:

Nov  1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary@...derkooij.org>, relay=[221.232.95.12], reject=550 5.7.0 <mary@...derkooij.org>... - REJECTED: KEEP YOUR VIRUS JUNK!; SEE ALSO: http://hvdkooij.xs4all.nl/email.cms
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [221.232.95.12] to MTA after rcpt
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<maria@...cent.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[221.232.95.12]

If there are that many worms going around it only shows how easy it is to
write your own little SMTP engine. Spammers may have deployed similar
backdoors/trojans/bots/...

Due to the current policy to round numbers to 0.05 Euro in shops I do not
know if my 0.02 Euro will do any good.

Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij@...derkooij.org		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.
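The Received: header walk the message describes (start at the top with the headers stamped by an MTA you run, find the last hop you can vouch for, and treat everything beneath it as unverified, with any header that claims to be written by your own host below that boundary being forged), as an added example in Python. This is not code from the original post or from Hugo's setup; the message, the host names `mx.example.org`, `mail.example.net`, `relay.bigmail.example` and the IP addresses are constructed from documentation ranges, and the trusted-host set is an assumption you would replace with your own MTAs.

```python
"""Walk a message's Received: chain from the top (our own MTA) downwards,
find the last hop we actually saw, and flag headers below it that claim to
have been written by one of our hosts (which is impossible, hence forged).
Sample message and host names are constructed for the example."""
import email
import re
from dataclasses import dataclass
from typing import Optional

# "from <helo> (<reverse-dns> [ip]) by <mta>" is the shape sendmail/Postfix write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumption: the MTAs we operate (names and addresses); only headers they
# stamp can be believed, and anything they record about the client is what
# our own kernel saw on the TCP connection.
TRUSTED_HOSTS = {"mx.example.org", "mail.example.net", "192.0.2.10"}

# Constructed message: two genuine hops through our hosts, then two headers
# the spambot itself wrote to make the mail look like it came via a big provider.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org (8.13.1/8.13.1) with ESMTP id iA16G3QU017575
    for <user@example.org>; Mon, 1 Nov 2004 07:16:06 +0100
Received: from [198.51.100.23] (cable-198-51-100-23.isp.example [198.51.100.23])
    by mail.example.net (8.13.1/8.13.1) with ESMTP id iA16G2ab017501
    for <user@example.org>; Mon, 1 Nov 2004 07:16:05 +0100
Received: from relay.bigmail.example (relay.bigmail.example [203.0.113.5])
    by mx.example.org (Postfix) with ESMTP id 8F2A1
    for <user@example.org>; Mon, 1 Nov 2004 06:58:00 +0100
Received: from mailhub.bigmail.example (mailhub.bigmail.example [203.0.113.9])
    by relay.bigmail.example with SMTP; Mon, 1 Nov 2004 06:57:00 +0100
From: maria@bigmail.example
To: user@example.org
Subject: constructed sample

body
"""


@dataclass
class Hop:
    helo: str           # name the client announced; attacker controlled
    ip: Optional[str]   # client address as recorded by the receiving MTA
    by: str             # MTA that claims to have written this header
    raw: str


def parse_received(value: str) -> Optional[Hop]:
    """Unfold one Received: header and pull out from/ip/by; None if unparseable."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = IPV4_RE.search(f"{m.group('helo')} {m.group('comment') or ''}")
    return Hop(m.group("helo").strip("[]"), ip.group(1) if ip else None,
               m.group("by").lower(), flat)


def analyse_chain(raw_message: str, trusted: set) -> dict:
    """Return the last real hop's IP, how many headers are verifiable, and which
    of the unverified ones are outright forgeries."""
    hops = [parse_received(v)
            for v in email.message_from_string(raw_message).get_all("Received", [])]
    last_real_hop = None
    boundary = 0                      # index of the first header we cannot vouch for
    for i, hop in enumerate(hops):
        if hop is None or hop.by not in trusted:
            break                     # not stamped by us: stop trusting here
        boundary = i + 1
        if hop.ip in trusted or hop.helo.lower() in trusted:
            continue                  # internal relay between our own hosts
        last_real_hop = hop.ip        # our MTA saw this client connect
        break
    forged = [h.raw for h in hops[boundary:] if h is not None and h.by in trusted]
    return {"last_real_hop": last_real_hop, "trusted_hops": boundary,
            "unverified_hops": len(hops) - boundary, "forged": forged}


if __name__ == "__main__":
    print(analyse_chain(SAMPLE_MESSAGE, TRUSTED_HOSTS))
```

The trusted set has to list every MTA you operate, including secondary MXes, or the walk stops one hop early and reports an internal relay as the origin; everything below the boundary, the HELO names included, is data the sender typed in and should only be used as evidence of forgery, never as an origin.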


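The sendmail log triage the message describes (check_rcpt rejects for recipients that never existed on the host but circulate in worm address dictionaries, with the client dropping the connection right after the reject instead of continuing like a real MTA), as an added example that aggregates such lines per connecting IP. This is not code from the original post; the log lines, the bait recipient list and the IPs are constructed, and the bot heuristic is an assumption you would tune to your own traffic.

```python
"""Pull check_rcpt rejects and 'lost input channel' events out of sendmail
syslog lines, aggregate them per connecting IP, and flag clients that behave
like a worm's or spambot's home-grown SMTP engine. Log lines are constructed."""
import re
from collections import defaultdict

REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>.+?), reject=(?P<code>\d{3} \d\.\d\.\d)")
LOST_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): lost input channel from (?P<relay>\S+) "
    r"to MTA after rcpt")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumption: addresses that never existed here but turn up in worm address
# lists; a site would build this from its own reject history.
BAIT_RECIPIENTS = {"mary@example.org", "john@example.org"}

# Constructed sample: one infected cable client hitting two bait addresses and
# hanging up after the reject, and one real MTA getting a normal user-unknown.
SAMPLE_LOG = """\
Nov  1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary@example.org>, relay=[198.51.100.12], reject=550 5.7.0 <mary@example.org>... - REJECTED: KEEP YOUR VIRUS JUNK!
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [198.51.100.12] to MTA after rcpt
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<maria@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[198.51.100.12]
Nov  1 07:20:11 gandalf sendmail[17602]: iA16KBxx017602: ruleset=check_rcpt, arg1=<john@example.org>, relay=[198.51.100.12], reject=550 5.7.0 <john@example.org>... - REJECTED: KEEP YOUR VIRUS JUNK!
Nov  1 07:21:30 gandalf sendmail[17610]: iA16LUyy017610: ruleset=check_rcpt, arg1=<alice@example.org>, relay=mail.partner.example [192.0.2.7], reject=550 5.1.1 <alice@example.org>... User unknown
""".strip().splitlines()


def relay_ip(relay: str) -> str:
    """sendmail writes 'relay=[ip]' or 'relay=name [ip]'; key on the IP."""
    m = IPV4_RE.search(relay)
    return m.group(1) if m else relay


def summarise(log_lines) -> dict:
    """Per connecting IP: reject count, bait hits, connections dropped after RCPT."""
    stats = defaultdict(lambda: {"rejects": 0, "bait_hits": 0,
                                 "dropped_after_rcpt": 0, "recipients": set()})
    qid_to_ip = {}   # queue id -> IP, so later lines for the session join up
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m:
            ip = relay_ip(m.group("relay"))
            qid_to_ip[m.group("qid")] = ip
            rcpt = m.group("rcpt").lower()
            s = stats[ip]
            s["rejects"] += 1
            s["recipients"].add(rcpt)
            if rcpt in BAIT_RECIPIENTS:
                s["bait_hits"] += 1
            continue
        m = LOST_RE.search(line)
        if m:
            ip = qid_to_ip.get(m.group("qid"), relay_ip(m.group("relay")))
            stats[ip]["dropped_after_rcpt"] += 1
    return dict(stats)


def likely_bots(stats: dict) -> list:
    """A client that asks for bait addresses and hangs up the moment it is
    rejected, or keeps coming back with more bait, is a worm/bot engine rather
    than a misconfigured MTA (heuristic, assumed threshold)."""
    return sorted(ip for ip, s in stats.items()
                  if s["bait_hits"] > 0
                  and (s["dropped_after_rcpt"] > 0 or s["bait_hits"] >= 2))


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for ip, s in summary.items():
        print(ip, {k: v for k, v in s.items() if k != "recipients"})
    print("likely bots:", likely_bots(summary))
```

Joining on the queue id matters because the "lost input channel" line does not repeat the recipient; without it you cannot tell a bot that slammed the door after a bait reject from a legitimate MTA whose connection happened to time out.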