Full Disclosure mailing list archives
Re: [SPAM] Spam sent via spambots?
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 1 Nov 2004 07:27:15 +0100 (CET)
On Mon, 1 Nov 2004, Nick FitzGerald wrote:
> In another thread Hugo van der Kooij wrote:
> > Securing every machine on the internet would be a good start. 95% of all spam messages I have seen lately gets sent from DSL or cable IP addresses. These are machines which run spamware without the user knowing (s)he is sending out spam by the bucket until their ISP shuts them down.
>
> Does anyone have sound statistics on how much spam comes from DSL/Cable IP-space?
The figures are based on several anti-spam boxes with Dutch clients. I am sure it is not significant in numbers, but it might be accurate enough to hold some value.
> And further, does anyone have any idea how to pick apart how much of that is simply relaying type activity vs. dedicated spam-bot activity? On the first question, I've seen many estimates over the last year or so suggesting everything from 25% (admittedly that was one of the earliest such estimates) to 40% and 60%, and recently a few claims of the "as much as..." variety pegging it at 75% and 80% (don't ask for references -- this is all from memory...). So, has any really good, large-scale sampling of these issues been done, perhaps by the large Email/anti-spam managed services folks?
I have only done an analysis on spam I collect directly, based on host headers and reverse SMTP connections. You can almost always easily see where the fake Received: headers start. But I have not been able to put it in code to automate the process. It seems that spamcop is doing something like that, though.

In almost none of the cases was there an SMTP server alive on the last real hop. Nor any other proxy I could detect easily.

Sendmail logs also show a significant number of false recipients which are known to be part of worms that are by now over 6 months old. Like:

Nov 1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary () vanderkooij org>, relay=[221.232.95.12], reject=550 5.7.0 <mary () vanderkooij org>... - REJECTED: KEEP YOUR VIRUS JUNK!; SEE ALSO: http://hvdkooij.xs4all.nl/email.cms
Nov 1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [221.232.95.12] to MTA after rcpt
Nov 1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<maria () tencent com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[221.232.95.12]

If there are that many worms going around, it only shows how easy it is to write your own little SMTP engine. Spammers may have deployed similar backdoors/trojans/bots/...

Due to the current policy to round numbers to 0.05 Euro in shops, I do not know if my 0.02 Euro will do any good.

Hugo.

--
I hate duplicates. Just reply to the relevant mailinglist.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians, for they are subtle and quick to anger.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
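Hugo's post says the point where the forged Received: headers begin is easy to spot by eye but that he has not automated it, and that the sendmail log shows the same infected hosts hitting long-dead worm recipient names. The Python below is an added illustration of both checks; it is not code from the post, from spamcop, or from sendmail. It walks a constructed Received: chain from our own MX downward and stops at the first stamp that was not written by the host the previous stamp claims handed the mail over, which is where the unverifiable (for spambot mail, usually forged) part starts; it then counts check_rcpt 550 rejects per connecting IP over constructed sendmail log lines in the same style as the ones quoted above. Every hostname, IP literal, queue id, log line and the trusted-host set are made up for the example.

```python
import re
from collections import Counter

# Constructed sample headers (not from the original post). The top two
# Received: stamps were written by hosts we operate; everything below them
# arrived with the message and is only as trustworthy as the sending host.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org (8.12.11/8.12.11) with ESMTP id iA16ABCD012345
\tfor <user@example.org>; Mon, 1 Nov 2004 07:16:07 +0100 (CET)
Received: from [203.0.113.45] (dsl-45.pool.example.isp [203.0.113.45])
\tby mx1.example.net (8.12.11/8.12.11) with SMTP id iA16ABCD012346
\tfor <user@example.org>; Mon, 1 Nov 2004 07:16:06 +0100 (CET)
Received: from mail.bigcorp.example (mail.bigcorp.example [198.51.100.7])
\tby relay.bigcorp.example (Postfix) with ESMTP id 1234ABCD
\tfor <user@example.org>; Mon, 1 Nov 2004 05:01:00 +0000
Received: from workstation (unknown [10.0.0.5])
\tby mail.bigcorp.example (Postfix) with SMTP id 5678EFGH
\tfor <user@example.org>; Mon, 1 Nov 2004 05:00:00 +0000
From: maria@example.com
Subject: hi
"""

# Assumption: these are the hosts we run, so their stamps are believed.
TRUSTED_BY = {"mail.example.org", "mx1.example.net"}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return [(from_names, by_host), ...] top-down for each Received: header.
    from_names holds every name and IP literal in the 'from' clause, so a stamp
    like 'from [203.0.113.45] (dsl-45... [203.0.113.45])' matches on either."""
    hops = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+([\w.\-]+)", h, re.I)
        if not m:
            continue
        names = {n.lower() for n in re.findall(r"[\w.\-]+", m.group(1))}
        hops.append((names, m.group(2).lower()))
    return hops


def pick_address(names):
    """Prefer the IP literal (what the MTA saw on the wire) over reverse DNS."""
    for n in sorted(names):
        if IPV4.match(n):
            return n
    return sorted(names)[0] if names else None


def find_origin(raw, trusted_by=TRUSTED_BY):
    """Walk the chain top-down. A stamp is believed only if it was written by a
    host we trust, or by the host that the previous believed stamp says handed
    the mail over. Returns (last_real_hop, index_of_first_unverified_stamp)."""
    hops = parse_received(raw)
    origin, expected_by = None, None
    for i, (from_names, by_host) in enumerate(hops):
        believed = by_host in trusted_by or (
            expected_by is not None and by_host in expected_by)
        if not believed:
            return origin, i
        origin = pick_address(from_names)
        expected_by = from_names
    return origin, len(hops)


# Constructed sendmail syslog lines (not the post's own) in the same format.
SAMPLE_LOG = """\
Nov  1 07:16:06 mx sendmail[17575]: iA16ABCD012345: ruleset=check_rcpt, arg1=<worm-target@example.org>, relay=[203.0.113.45], reject=550 5.7.0 <worm-target@example.org>... - REJECTED
Nov  1 07:16:07 mx sendmail[17575]: iA16ABCD012345: lost input channel from [203.0.113.45] to MTA after rcpt
Nov  1 07:16:07 mx sendmail[17575]: iA16ABCD012345: from=<forged@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.45]
Nov  1 07:20:11 mx sendmail[17580]: iA16ABCD012350: ruleset=check_rcpt, arg1=<worm-target@example.org>, relay=[203.0.113.45], reject=550 5.7.0 <worm-target@example.org>... - REJECTED
Nov  1 07:21:00 mx sendmail[17590]: iA16ABCD012360: ruleset=check_rcpt, arg1=<other@example.org>, relay=mail.partner.example [198.51.100.9], reject=550 5.7.0 <other@example.org>... - REJECTED
Nov  1 07:22:00 mx sendmail[17600]: iA16ABCD012370: from=<alice@example.net>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.20]
"""

# relay= is either a bare [ip] or 'name [ip]'; capture the ip in both forms.
RELAY = re.compile(r"relay=(?:[\w.\-]+\s+)?\[([^\]]+)\]")


def count_rcpt_rejects(log):
    """Count check_rcpt 550 rejects per connecting IP. A relay that keeps
    hitting retired worm recipient names is a compromised end-user machine
    running its own SMTP engine, not an MTA with a queue to deliver."""
    hits = Counter()
    for line in log.splitlines():
        if "ruleset=check_rcpt" in line and "reject=550" in line:
            m = RELAY.search(line)
            if m:
                hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    hop, idx = find_origin(SAMPLE_HEADERS)
    print("last real hop:", hop, "| forged stamps start at index", idx)
    for ip, n in count_rcpt_rejects(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} rejected recipients")
```

The chain walk deliberately only trusts stamps added by our own hosts and then follows the "from" of each believed stamp; anything below the first mismatch is treated as unverifiable rather than as proof of forgery, since a legitimate relay behind NAT or a misnamed host produces the same break. Whether an SMTP server is listening on the last real hop is a separate, online check that the post describes and this example does not make.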
Current thread:
- Re: [SPAM] Spam sent via spambots? Hugo van der Kooij (Oct 31)
- Re: [SPAM] Spam sent via spambots? James Riden (Nov 01)