RE: [Full-Disclosure] E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)

From: Bill Royds (full-disclosure_at_royds.net)
Date: 03/04/04

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 4 Mar 2004 07:31:10 -0500
    
    

Having an MS record would not eliminate spam coming from users validated on
the sending server, but it would identify the server that it comes from as
"knowing" the sender name. Compromised client boxes would need to use the
ISP mail server to send mail, rather than spewing it directly, since the
servers allowed on the MS entry for that domain would not include the client
host.

Either the ISP owning the server blocks spam spew or that ISP gets a
blackhole block that would be very effective.

Yesterday I inspected the spam I had in my spam bucket for kinds of
actual senders (last sender on Received header for my ISP). Of 11 spam
messages in the last hour, 9 were from compromised machines sending
directly. If they had to send this stuff through their ISP (comcast,
telstra, swbell etc.), they would be blocked fairly quickly. The envelope
from address was often Yahoo, so the ISP would block on this as well.

Requiring MS entries would not block spam or viruses immediately but would
help make RBL lists more effective and prosecution of spammers easier
(easier to trace a registered user of an ISP).

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Nick FitzGerald
Sent: March 4, 2004 3:00 AM
To: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] E-mail spoofing countermeasures (Was:
Backdoor not recognized by Kaspersky)

"Bill Royds" <broyds@rogers.com> wrote:

<<snippage>>
> Using authenticated SMTP, this would still allow a different return
> address in headers since envelope from would be user who authenticated to
> SMTP server. But it would prevent spoofed email (although spam would still
> arrive, it could be tied to actual sender, allowing things like CAN-SPAM to
> work).

Wrong. It would, at best, identify the sending _machine_, not the
"actual sender".

There is far too much prior art in the Windows malware armory to not be
aware of how easily an agent program on a "compromised" Windows box can
steal whatever configuration and authentication data it may need to
"properly" send mail "just like" the user's preferred MUA. Just
because, of late, spam and mass-mailing viruses have used randomized
From: and SMTP envelope FROM addresses does not mean they have to
continue to do so, nor that not doing so will necessarily be less
effective for them...

These are important considerations to not overlook despite the fact
that the SPF, etc. pushers make a habit of ignoring such. Further,
several IRC bot-nets in the tens-of-thousands of active bots size range
have already been found and there are probably several million such
compromised machines out there waiting for the fateful order to "wake
up" and answer the call of their "master".

SMTP "sender authentication" is a far less trivial problem to solve
than the SPF, Caller-ID, etc. folk would have you believe (and, of
course, they don't like us pointing out that their preferred
"solutions" are already doomed to failure).

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
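As an added illustration (not code from the thread), here is the kind of check the two posts argue about: take the connecting host from the Received header that the ISP's own MX wrote, the way Bill describes inspecting his spam bucket, and compare it against a hypothetical per-domain designated-sender record. The MX name, the record and both messages are constructed; the relayed sample shows Nick's point that such a check vouches for the delivery path, not for the person behind it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the per-domain "MS"/SPF-style record the thread debates:
# domain -> IPs of the servers designated to send its mail (hypothetical data).
DESIGNATED = {"example.net": {"192.0.2.25"}}
OUR_MX = "mx.isp.example"  # hypothetical hostname of the receiving ISP's MX

# Matches "from <helo> (<rdns> [<ip>])" or "from <helo> ([<ip>])" in a Received header.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def last_hop(raw):
    """(helo, ip) of the host that connected to OUR_MX, read only from the Received
    header OUR_MX itself added; Received lines below it are attacker-controllable."""
    for hdr in message_from_string(raw).get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(OUR_MX) + r"\b", hdr):
            m = HOP_RE.search(hdr)
            return m.groups() if m else None
    return None

def classify(raw):
    """Is the connecting IP one of the designated senders for the envelope-from domain?"""
    hop = last_hop(raw)
    if hop is None:
        return "unknown"
    rp = message_from_string(raw).get("Return-Path", "")
    domain = parseaddr(rp)[1].rpartition("@")[2].lower()
    if domain not in DESIGNATED:
        return "no-record"
    return "designated" if hop[1] in DESIGNATED[domain] else "undesignated"

# Constructed sample: a compromised home PC delivering straight to the MX.
DIRECT = """Return-Path: <promo@example.net>
Received: from example.net (cpe-203-0-113-77.dsl.example.org [203.0.113.77])
 by mx.isp.example (Postfix) with ESMTP; Thu, 4 Mar 2004 06:10:00 -0500
"""
# Constructed sample: the same PC submitting through its domain's designated server
# with stolen credentials (Nick's case): the path checks out, the sender does not.
RELAYED = """Return-Path: <promo@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.25])
 by mx.isp.example (Postfix) with ESMTP; Thu, 4 Mar 2004 06:12:00 -0500
Received: from example.net (cpe-203-0-113-77.dsl.example.org [203.0.113.77])
 by mail.example.net (Postfix) with ESMTPA; Thu, 4 Mar 2004 06:11:00 -0500
"""

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("relayed", RELAYED)):
        print(name, last_hop(raw), classify(raw))
```

The direct sample fails the check (the residential host is not a designated sender), while the relayed one passes even though it originated on the same compromised box, which is exactly why such a record helps blocklisting and tracing rather than proving who sent the mail.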
