Re: [Asrg] Re: SPF abused by spammers
On Thu, Sep 09, 2004 at 06:54:59PM -0500, Jim Witte wrote:
> Why not try to get the press to grab something the SPF *can* do -
> like perhaps stop the flood of V1 at GR@ and C10L1S ads that keep filling
> my inbox, coming from God-knows where. Or the porn, or the occasional
> spam I get that's in either Chinese, Japanese, or Korean (I read none,
> but it's in *something* I can't read).
Sorry, but I really fail to see how SPF can do all this.
SPF *could* do it *if* the spammers forge a domain that is using
SPF records *and* the sending IP is not authorized by the SPF settings.
Spammers run bot networks with up to 500000 hosts - maybe more.
Just have a look at your mail logs:
This list is endless. Take the format
stockinet9618nx.com
4 digits x 2 characters: this makes for 6.76 million domains. This is
about the size the DE domain has. But for the start we "only" get
a subset of 1000. Should be possible to get for about 5000 USD.
Now we'll use our bot network. First of all we load SPF records for the
first domain with a TTL of say 30 minutes for a list of the first 50-100
hosts. Target domains roughly sorted by name and MX so we won't run into
too many problems later. Fire! All the target MX hosts should have SPF
records loaded within the first minute and filled their caches. Move
over to the next 50-100 hosts, change SPF records again, next set of
domains, same game again.
Proceed until 2000 hacked hosts in the bot network are doing their job.
At that time you could probably recycle the hosts from the first wave.
As soon as rejections start to significantly increase above the usual
50% or so, switch over to the next domain and other sets of hosts in the
botnet. Burn 10 to 20 domains a day, because they get listed in domain
blacklists, who cares. After 3 months get the next set of domains.
Oh, while your botnet is working and the money is flooding in, have some
kewl d00dz hack on W32/Netsky-XQF and distribute W32/Netsky-XQE to get
fresh meat for your bot network.
Now, could you please explain to me how
> the SPF *can* do -
> like perhaps stop the flood of V1 at GR@ and C10L1S ads that keep filling
> my inbox, coming from God-knows where. Or the porn, or the occasional
> spam I get that's in either Chinese, Japanese, or Korean (I read none,
> but it's in *something* I can't read).
Thanks,
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
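To make the point of the post concrete, here is an added example (not code from the post, the list, or any SPF implementation) of a minimal SPF evaluation over constructed records: SPF only answers "did the domain owner authorize this IP?", so a throwaway domain whose owner publishes a record covering its own botnet addresses gets "pass", while a legitimate domain's record rejects those same addresses. The record set, IP ranges and the throwaway-name regex are constructed for illustration; only ip4 and all mechanisms are handled.

```python
import ipaddress
import re

# Constructed sample records (not real DNS data). The first mimics a
# spammer-registered domain that authorizes its own bot hosts; the
# second a legitimate domain that authorizes only its own mail server.
SAMPLE_SPF = {
    "stockinet9618nx.com": "v=spf1 ip4:203.0.113.0/25 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ip4:192.0.2.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Minimal SPF check: ip4 and all mechanisms only (no include/a/mx)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def check_sender(domain, sender_ip, records=SAMPLE_SPF):
    """Look up the (constructed) record for a sender domain and evaluate it."""
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    return evaluate_spf(record, sender_ip)


# Naming pattern the post describes: label ending in 4 digits + 2 letters.
THROWAWAY_RE = re.compile(r"^[a-z]+\d{4}[a-z]{2}\.[a-z]+$")


def looks_like_throwaway(domain):
    """Heuristic flag for the bulk-registered name format discussed above."""
    return bool(THROWAWAY_RE.match(domain.lower()))
```

An SPF "pass" from a domain flagged by the heuristic is a reputation question, not an authentication failure; that is the gap the post argues SPF cannot close on its own.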
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg