Full Disclosure mailing list archives

Re: [SPAM] Spam sent via spambots?


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 1 Nov 2004 07:27:15 +0100 (CET)

On Mon, 1 Nov 2004, Nick FitzGerald wrote:

> In another thread Hugo van der Kooij wrote:
> 
>> Securing every machine on the internet would be a good start. 95% of all
>> spam messages I have seen lately are sent from DSL or Cable IP addresses.
>> These are machines which run spamware without the user knowing (s)he is
>> sending out spam by the bucket until their ISP shuts them down.

> Does anyone have sound statistics on how much spam comes from DSL/Cable
> IP-space?

The figures are based on several anti-spam boxes with Dutch clients. I am
sure it is not significant in numbers but it might be accurate enough to
hold some value.

> And further, does anyone have any idea how to pick apart how much of
> that is simply relaying type activity vs. dedicated spam-bot activity?
> 
> On the first question, I've seen many estimates over the last year or
> so suggesting everything from 25% (admittedly that was one of the
> earliest such estimates) to 40% and 60%, and recently a few claims of
> the "as much as..." variety pegging it at 75% and 80% (don't ask for
> references -- this is all from memory...).
> 
> So, has any really good, large-scale sampling of these issues been
> done, perhaps by the large Email/anti-spam managed services folks??

I have only done an analysis of spam I collect directly, based on host
headers and reverse SMTP connections. You can almost always easily see
where the fake Received: headers start, but I have not been able to put it
in code to automate the process. It seems that spamcop is doing
something like that.

In almost none of the cases was there an SMTP server alive on the last
real hop. Nor any other proxy I could detect easily.

Sendmail logs also show a significant number of false recipients which
are known to be part of worms that are by now over 6 months old. Like:

Nov  1 07:16:06 gandalf sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary () vanderkooij org>, 
relay=[221.232.95.12], reject=550 5.7.0 <mary () vanderkooij org>... - REJECTED: KEEP YOUR VIRUS JUNK!; SEE ALSO: 
http://hvdkooij.xs4all.nl/email.cms
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: lost input channel from [221.232.95.12] to MTA after rcpt
Nov  1 07:16:07 gandalf sendmail[17575]: iA16G3QU017575: from=<maria () tencent com>, size=0, class=0, nrcpts=0, 
proto=ESMTP, daemon=MTA, relay=[221.232.95.12]

If there are that many worms going around it only shows how easy it is to
write your own little SMTP engine. Spammers may have deployed similar
backdoors/trojans/bots/...

Due to the current policy to round numbers to 0.05 Euro in shops I do not
know if my 0.02 Euro will do any good.

Hugo.

-- 
        I hate duplicates. Just reply to the relevant mailinglist.
        hvdkooij () vanderkooij org             http://hvdkooij.xs4all.nl/
                Don't meddle in the affairs of magicians,
                for they are subtle and quick to anger.
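Automating the Received: chain walk described in the message above, as an added example that is not part of the original post nor of spamcop or any other tool mentioned in it: the script reads a message's Received: headers from the top (the hop added by your own MTA) downward and stops at the first hop whose "by" host is not the client the previous hop recorded in its "from" clause, which is where the forged headers start. The client IP logged just above that break is the last real hop. The trusted MTA name mail.example.org, both sample messages, and every hostname and address in them (RFC 5737 documentation ranges) are constructed for this example; the reverse SMTP probe of the last real hop needs network access and is not done here.

```python
import re
from email import message_from_string

# One Received: header, as written by the receiving host:
#   from <helo-name> (<rdns-name> [<ip>]) by <receiving-host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client gave in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # optional "(rdns-name [ip])" comment
    r".*?\bby\s+(?P<by>[\w.-]+)",      # host that recorded this hop
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return the Received: hops top-down (newest first); None for an unparseable hop."""
    hops = []
    for hdr in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            hops.append(None)
            continue
        # Every name this hop recorded for its client: HELO name, rDNS name, IP.
        names = {m["helo"].lower().strip("[]")}
        if m["paren"]:
            names.update(tok.lower().strip("[]") for tok in m["paren"].split())
        ip = IP_RE.search(hdr[: m.start("by")])   # IP in the "from" clause only
        hops.append({"from_names": names,
                     "from_ip": ip.group(1) if ip else None,
                     "by": m["by"].lower()})
    return hops


def find_forgery(raw_message, trusted_mta):
    """Walk the chain from our own MTA downward.

    Hop i can only be trusted if hop i-1 says it received the message from the
    host hop i claims to be ("by").  The first mismatch marks the start of the
    forged headers; the client IP logged just above it is the last real hop.
    A spammer can of course forge a consistent chain, so only hop 0's IP is
    ever authoritative; this finds the sloppy forgeries, which are most of them.
    """
    hops = parse_hops(raw_message)
    if not hops or hops[0] is None or hops[0]["by"] != trusted_mta.lower():
        raise ValueError("top Received: header was not added by the trusted MTA")
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur is None or cur["by"] not in prev["from_names"]:
            return {"last_real_ip": prev["from_ip"], "forged_from": i, "hops": len(hops)}
    # Chain consistent all the way down: the bottom hop's client is the origin.
    return {"last_real_ip": hops[-1]["from_ip"], "forged_from": None, "hops": len(hops)}


# Constructed sample: our MTA took the mail from a cable/DSL address whose HELO
# claimed to be bigcorp.example; the two hops below it were written by the spamware.
SPAM_MESSAGE = """\
Received: from bigcorp.example (unknown [203.0.113.45])
    by mail.example.org (Postfix) with SMTP id 4F2A1C0
    for <victim@example.org>; Mon, 1 Nov 2004 07:16:06 +0100 (CET)
Received: from mail3.otherdomain.example (mail3.otherdomain.example [198.51.100.7])
    by relay.bigcorp.example with ESMTP id h3Kx9Q3
    for <victim@example.org>; Mon, 1 Nov 2004 07:10:00 +0100
Received: from [10.0.0.5] by mail3.otherdomain.example with SMTP; Mon, 1 Nov 2004 07:09:00 +0100
From: maria@example.com
To: victim@example.org
Subject: hello

constructed sample body
"""

# Constructed sample of a consistent chain: every "by" matches the client above it.
LEGIT_MESSAGE = """\
Received: from mx1.sender.example (mx1.sender.example [198.51.100.20])
    by mail.example.org (Postfix) with ESMTP id 7B3D2E1
    for <victim@example.org>; Mon, 1 Nov 2004 08:00:00 +0100 (CET)
Received: from desktop.sender.example (desktop.sender.example [192.0.2.77])
    by mx1.sender.example with ESMTP id 2a9; Mon, 1 Nov 2004 07:59:00 +0100
From: alice@sender.example
To: victim@example.org
Subject: hello

constructed sample body
"""

if __name__ == "__main__":
    for label, msg in (("spam", SPAM_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, find_forgery(msg, "mail.example.org"))
```

For the spam sample the walk stops at hop 1, because hop 0 recorded its client as bigcorp.example / 203.0.113.45 while hop 1 claims it was written by relay.bigcorp.example; 203.0.113.45 is the address to look up (rDNS, and the reverse SMTP connection the message talks about). For the consistent sample no break is found and the bottom hop's client is reported as the origin.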

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
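Turning the sendmail log pattern shown in the message above into a check, as an added example that is not from the original post: it correlates sendmail log lines by queue ID and counts, per connecting relay, the sessions in which check_rcpt rejected a recipient and the client then dropped the connection after RCPT, the worm-like signature visible in the quoted log. The log lines below are constructed for the example (hostnames, addresses and the RFC 5737 relay IPs are not those of the post), and the field layout assumes the stock sendmail 8 format that the quoted lines use.

```python
import re
from collections import defaultdict

# "Nov  1 07:16:06 host sendmail[pid]: QUEUEID: rest-of-line"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<rest>.*)$"
)
# "relay=[ip]" as well as "relay=hostname [ip]"
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
LOST_RE = re.compile(r"lost input channel from \[(?P<ip>[\d.]+)\] to MTA after (?P<stage>\w+)")
RCPT_REJECT_RE = re.compile(r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>.*reject=(?P<code>\d{3})")


def parse_line(line):
    """Classify one sendmail log line; returns None for lines that are not sendmail's."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    ev = {"qid": m["qid"], "kind": "other", "relay": None}
    r = RELAY_RE.search(rest)
    if r:
        ev["relay"] = r["ip"]
    x = RCPT_REJECT_RE.search(rest)
    if x:
        ev.update(kind="rcpt_reject", rcpt=x["rcpt"], code=x["code"])
        return ev
    x = LOST_RE.search(rest)
    if x:
        ev.update(kind="lost_input", relay=x["ip"], stage=x["stage"])
        return ev
    if rest.startswith("from=<"):
        n = re.search(r"nrcpts=(\d+)", rest)
        ev.update(kind="envelope", nrcpts=int(n.group(1)) if n else None)
    return ev


def summarize(lines):
    """Per relay IP: sessions seen, recipients rejected, and 'wormlike' sessions
    (a check_rcpt reject immediately followed by the client dropping the channel)."""
    sessions = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["qid"], {"relay": None, "rejected": [],
                                            "dropped_after_rcpt": False, "nrcpts": None})
        if ev["relay"]:
            s["relay"] = ev["relay"]
        if ev["kind"] == "rcpt_reject":
            s["rejected"].append(ev["rcpt"])
        elif ev["kind"] == "lost_input" and ev["stage"] == "rcpt":
            s["dropped_after_rcpt"] = True
        elif ev["kind"] == "envelope":
            s["nrcpts"] = ev["nrcpts"]
    per_relay = defaultdict(lambda: {"sessions": 0, "rejected_rcpts": 0, "wormlike": 0})
    for s in sessions.values():
        if s["relay"] is None:
            continue
        agg = per_relay[s["relay"]]
        agg["sessions"] += 1
        agg["rejected_rcpts"] += len(s["rejected"])
        if s["rejected"] and s["dropped_after_rcpt"]:
            agg["wormlike"] += 1
    return dict(per_relay)


# Constructed sample log: two worm-style sessions from one address (modelled on the
# quoted lines) and one ordinary delivery from a real mail host.
SAMPLE_LOG = [
    "Nov  1 07:16:06 mx sendmail[17575]: iA16G3QU017575: ruleset=check_rcpt, arg1=<mary@example.org>, relay=[203.0.113.12], reject=550 5.7.0 <mary@example.org>... - REJECTED: KEEP YOUR VIRUS JUNK!",
    "Nov  1 07:16:07 mx sendmail[17575]: iA16G3QU017575: lost input channel from [203.0.113.12] to MTA after rcpt",
    "Nov  1 07:16:07 mx sendmail[17575]: iA16G3QU017575: from=<maria@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.12]",
    "Nov  1 07:20:11 mx sendmail[17602]: iA16KBxx017602: ruleset=check_rcpt, arg1=<mary@example.org>, relay=[203.0.113.12], reject=550 5.7.0 <mary@example.org>... - REJECTED: KEEP YOUR VIRUS JUNK!",
    "Nov  1 07:20:11 mx sendmail[17602]: iA16KBxx017602: lost input channel from [203.0.113.12] to MTA after rcpt",
    "Nov  1 07:31:40 mx sendmail[17688]: iA16VeYY017688: from=<alice@example.net>, size=2314, class=0, nrcpts=1, msgid=<x@example.net>, proto=ESMTP, daemon=MTA, relay=mx1.example.net [198.51.100.9]",
    "Nov  1 07:31:40 mx sendmail[17689]: iA16VeYY017688: to=<hugo@example.org>, delay=00:00:00, mailer=local, pri=32314, dsn=2.0.0, stat=Sent",
]

if __name__ == "__main__":
    for ip, agg in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, agg)
```

Relays whose sessions are mostly "wormlike" are the infected DSL/cable hosts the message talks about; the legitimate relay in the sample shows one session with no rejects. Run it over a real maillog with `summarize(open("/var/log/maillog"))`, and treat the per-relay counts as a triage list, not proof, since a misconfigured but honest MTA can also abort after a 550.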

