RE: [Asrg] [IP] do-not-email list canned
>>>>I'm curious to know how a zombie machine will have a legitimate SPF,
>>>>CallerID, or Domain Key. Are you suggesting each worm/virus infected zombie
>>>>will somehow register its own legitimate domain and authoritative DNS server?
No. Clearly they could use the mail authorization (and maybe even the mail
client) of the host computer they've infected.
>>I've thought this over and the only possibility is that worms will start to
>>crack the cached SMTP AUTH credentials on the system and send through the ISP
>>account. This is possible although not easy.
It would be relatively trivial, for example, to drop their mail into the
outgoing mailbox of Outlook or Outlook Express, or most other mail client
programs.
The (authenticated) E-mail address of the host computer's user is generally
readily available either in the registry, or in the To: address of lots of
E-mail usually to be found lying around on the system that's been infected.
> Whatever ISPs are left that don't require SMTP AUTH will need to, but that's
> common sense.
Again, that's not a big problem. SMTP authorization information is generally
readily available on the system that's been infected, and that means it can be
sent to anywhere (including other infected machines hosted by the same ISP).
Comcast has what, six million subscribers? AOL has more, and swbell.net
probably does too. And those users will be able to send via ANY E-mail server
approved for use from the swbell.net domain (making Wong's SPF nearly worthless,
for example).
>>Two points about this scenario: all the zombied mail will come from the actual
>>address of the user with the infected system, so they and their ISP will find
>>out about it very fast.
Sure, and they'll respond with the same glacial speed that they respond to
complaints about spamming, shilling, and phishing today. That's not terribly
comforting, but in any case spammers are used to having their zombies discovered
and disabled in a matter of hours or days. They just recruit more.
> Also, authentication will wipe out the existing endemic population of
> mass-mailer worms.
So we see a new generation. We used to see boot sector viruses, too. Time
marches on.
Virus authors could reconfigure their zombies LITERALLY overnight to start using
"real" authenticated E-mail addresses of victims. It doesn't do us very much
lasting good to spend two or three years developing a fix for a hole if spammers
have a workaround for our "new security" within a matter of hours. And that's
about how hard it would be for spammers to work around the ideas I've been
seeing discussed.
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blog.ziffdavis.com/seltzer
>larryseltzer at ziffdavis.com
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
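The SPF point made in this message (a zombie relaying through its ISP's authorized outgoing server passes the check exactly as the legitimate user would, while the ISP's own submission logs are where the hijacked account shows up) as an added illustration, not part of the original thread: a toy SPF evaluator over a constructed record and a constructed submission log. The domain names, IP addresses and account names are invented.

```python
import ipaddress
from collections import Counter

# Constructed SPF record for a hypothetical ISP domain (not real DNS data).
SPF_RECORDS = {"isp.example": "v=spf1 ip4:203.0.113.0/24 -all"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Toy SPF check: evaluates only ip4 and all mechanisms against the IP
    of the MTA that connected to us, which is all SPF ever looks at."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # include:, a:, mx: etc. are not implemented in this toy
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"

# Constructed submission log as the ISP's authenticated outgoing server sees it:
# (authenticated account, recipient). "carol" stands in for an infected host.
SUBMISSION_LOG = [("alice", "friend@example.net"), ("alice", "boss@example.org"),
                  ("bob", "mom@example.com")]
SUBMISSION_LOG += [("carol", f"victim{i}@example.net") for i in range(6)]

def flag_burst_accounts(log, limit):
    """Accounts whose authenticated submissions exceed the limit; this is
    the signal an ISP can act on, since SPF at the receiver cannot see it."""
    counts = Counter(account for account, _ in log)
    return sorted(acct for acct, n in counts.items() if n > limit)

if __name__ == "__main__":
    # The zombie at 198.51.100.7 delivering directly is rejected by SPF...
    print(check_spf("isp.example", "198.51.100.7"))   # fail
    # ...but the same mail relayed via the ISP's server passes like any user's.
    print(check_spf("isp.example", "203.0.113.25"))   # pass
    print(flag_burst_accounts(SUBMISSION_LOG, 3))      # ['carol']
```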
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg