RE: [Asrg] Spammer proxies using legitimate mail relays

On Wed, 16 Feb 2005, Larry Seltzer wrote:

> >>HKEY_CURRENT_USER -> Software -> Microsoft -> Internet Mail and News
> -> Mail:
> DefaultSMTPServer
> 
> This is not a standard value in Windows. It may be common, but you can't
> rely on it. I've just tested 3 systems and found it on none. 
> 
> Windows, Outlook, Outlook Express and other mail clients change the
> location of their server values even from version to version. This is
> far from an insurmountable obstacle, but it makes the job non-trivial.
> In all likelihood the encoding in the registry for the passwords changes
> from version to version. Outlook 2003 doesn't store even the SMTP server
> in plain text or an obvious location anymore.
> 
> But it can be done. See Passware (http://www.lostpassword.com/) for
> programs that can crack cached credentials for almost anything, and I've
> specifically tested it against SMTP AUTH credentials.
> 

Port 25 on "mail" or "smtp" is a valid smtp relay not requiring any
authentication for more than half of ISPs. The Windows resolver will fill
in the domain part of the relay host name. I have seen no claims that any
spamware *at the moment* goes any further than this, although of course as
time goes by it will do whatever is necessary.

I do hope that ISPs don't get the idea the way to fight this is to obscure
the MTA name.



_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
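
A defender-side check for the situation described in the message above, added here as an example and not part of the original post: it counts how many messages each client IP handed to the relay without SMTP AUTH, so an operator can see which hosts are using the open "mail"/"smtp" path heavily. The log lines are constructed in Postfix's smtpd log style, and the host names, addresses and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (Postfix smtpd style); not taken from the original post.
SAMPLE_LOG = "\n".join(
    ["Feb 16 10:00:00 mx postfix/smtpd[2101]: connect from dsl-10.example.net[192.0.2.10]"]
    # One customer host submitting five messages without authenticating.
    + [f"Feb 16 10:00:{i:02d} mx postfix/smtpd[2101]: 4A1B2C3D{i:02d}: "
       "client=dsl-10.example.net[192.0.2.10]" for i in range(5)]
    # A host submitting a single unauthenticated message.
    + ["Feb 16 10:01:00 mx postfix/smtpd[2102]: 5B2C3D4E01: "
       "client=dsl-20.example.net[192.0.2.20]"]
    # A host that authenticates with SMTP AUTH for every message.
    + [f"Feb 16 10:02:{i:02d} mx postfix/smtpd[2103]: 6C3D4E5F{i:02d}: "
       "client=dsl-30.example.net[192.0.2.30], sasl_method=PLAIN, sasl_username=alice"
       for i in range(3)]
)

# Matches the line Postfix writes when smtpd accepts a message into the queue.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)


def unauthenticated_counts(log_text):
    """Count accepted messages per client IP that carried no SASL login."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and "sasl_username=" not in m.group("rest"):
            counts[m.group("ip")] += 1
    return counts


def flag_heavy_senders(log_text, threshold):
    """Return client IPs with at least `threshold` unauthenticated messages.

    `threshold` is a hypothetical per-log-window limit chosen by the operator.
    """
    counts = unauthenticated_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in unauthenticated_counts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} unauthenticated messages")
    print("flagged:", flag_heavy_senders(SAMPLE_LOG, threshold=5))
```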