
RE: [Asrg] [IP] do-not-email list canned



>>It would be relatively trivial, for example, to drop their mail into the outgoing
>>mailbox of Outlook or Outlook Express, or most other mail client programs.
>>The (authenticated) E-mail address of the host computer's user is generally readily
>>available either in the registry, or in the To: address of lots of E-mail usually to be
>>found laying around on the system that's been infected.

It's harder than you think. With Outlook there is no outbox folder to drop into and I
think it's harder than that with Outlook Express too. And every version of these
programs for several years (since Melissa basically) has blocked outside programmatic
manipulation of the mail client without explicit user consent. Or perhaps I'm wrong and
if it's so trivial you can provide a proof of concept.

>>> Whatever ISPs are left that don't require SMTP AUTH will need to, but that's
>>> common sense.
>>Again, that's not a big problem.  SMTP authorization information is generally readily
>>available on the system that's been infected, and that means it can be sent to anywhere
>>(including other infected machines hosted by the same ISP).

Like I said, it's in there but it's not so readily available. I've tested several
commercial programs that claim to crack these passwords (see www.lostpassword.com for
example) and I remember them requiring user input to find all the information they
needed. I don't assume it's so easy, but I'm sure a good job can be done. 

>>Comcast has what, six million subscribers?  AOL has more, and swbell.net probably does
>>too.  And those users will be able to send via ANY E-mail server approved for use from
>>the swbell.net domain (making Wong's SPF nearly worthless, for example).

First, I don't see how you can assume that any Comcast user can use any mail server
approved for the domain. You don't know that. Second, so what if they can?

>>>>Two points about this scenario: all the zombied mail will come from the actual
>>>>address of the user with the infected system, so they and their ISP will find out about
>>>>it very fast.

>>Sure, and they'll respond with the same glacial speed that they respond to complaints
>>about spamming, shilling, and phishing today.  That's not terribly comforting, but in
>>any case spammers are used to having their zombies discovered and disabled in a matter
>>of hours or days.  They just recruit more.

Simple blacklisting would work at this stage. But clearly Comcast has shown a
willingness to block port 25 from demonstrated spammers. Your attitude is a little too
reflexive.

>>> Also, authentication will wipe out the existing endemic population of
>>> mass-mailer worms.
>>So we see a new generation.  We used to see boot sector viruses, too.  Time
>>marches on.

You really think this is not a big deal? I think most of the rest of the world would
disagree.

>>Virus authors could reconfigure their zombies LITERALLY overnight to start using
>>"real" authenticated E-mail addresses of victims.

Nonsense. If it's so easy show us an example.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
larryseltzer at ziffdavis.com 


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg