|
|
|
Spammers Sidestep SMTP
By: Larry Seltzer
2008-12-08
Article Rating: / 6
There are 11 user comments on this Network Security & Hardware story.
We often think of fixing malicious activity in terms of systemic solutions, but spammers have moved on to private systems from which to conduct their abuse, and this makes it harder to stop.I saw a disturbing number the other day: According to the latest MessageLabs Intelligence Report,
by September of this year 25 percent of all spam originated from hosted
Webmail accounts, meaning Yahoo, Hotmail, Gmail and the like. This may
be a huge problem.
I've been a big fan over the years of SMTP authentication and
associated reputation-based systems. The idea behind them is to
identify with certainty the domain of the e-mail sender, something
which the SMTP protocol does not do. Reputation systems then say
whether this domain is one known to be trustworthy, untrustworthy or
some unknown status. Then it's a matter of you setting policy to deal
with this reputation data.
These ideas have been controversial, mostly out of obtuseness about
reputation systems or a distrust of them. Personally, I think they
would do a much better job than doing nothing, so I was for them. But
that may all be moot.
I've been hearing for years now how large numbers of users are
moving their e-mail onto Webmail systems, and the reasons are not hard
to understand. You can use your mail from any computer with a Web
browser, there's no local e-mail client to learn, your e-mail is not
stuck on one local store, and Web 2.0 interfaces make the clients
almost as rich as a real e-mail program.
But SMTP authentication is a systemic solution to the problem of
SMTP e-mail abuse, and Webmail spam gets around it by bypassing the
system. Recipients can no longer gauge reputation because they can't
distrust huge mail senders such as Google and Microsoft. In fact, some
recipients probably green-light some of this e-mail specifically
because it's from well-known domains with SPF records or DomainKeys
signatures.
SMTP authentication was always about identifying the domain of the sender,
not the specific user. The presumption in the system was that
legitimate domains are responsible for policing their users. The
MessageLabs data, if it's accurate, proves what we've been supposing
for a year or so now: the major Webmail services can't stop malicious
actors from registering accounts automatically and using them to spam
outsiders.
The MessageLabs report goes into detail on how attackers get these
accounts by breaking the CAPTCHA tests. All of them can be broken with
enough work, and a market exists for phony Webmail accounts. I think we
can all agree now that it's overreaching to call these "Turing tests."
The same basic techniques are used in spam on social networking sites
such as Facebook, and they can be used as well to spread malware, as in the Koobface worm.
I said this may be a huge problem, because there are reasons to think it could be dealt with. Not that I have a solution to the porousness of CAPTCHAs,
but if a more effective test were found the vendors could implement it
without having to deal with standards bodies and other such
time-consuming barriers. You could see the abuse stopping pretty
quickly based on some technical advance. By the same logic, as a higher
percentage of users have their mail on a smaller number of Webmail
providers, the prospect of systemic changes to SMTP e-mail becomes more
fathomable.
It's also true that Webmail systems are in a better position to
monitor patterns in e-mail use and abuse. Once they detect an abusing
account they can also see whether it was signed up as part of a massive
scripted signup of accounts, and delete all of them. Perhaps they're
just not good enough yet at detecting abusive addresses. The pattern of
use of a spambot account and a legitimate account must be quite
different. If 25 percent of spam is from Webmail then clearly they're
not as good as they need to be at detecting these accounts.
Who would have thought a few years ago that the weakness of CAPTCHAs
would cause a major shift in the generation of spam? There may be
reason to hope that the problem won't last forever, but there's little
that we know we can do right now to stop it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
| | Reader Comments: Spammers Sidestep SMTP | | >>> Post your comment now!
| | | | | | | | | | | | | | Messaging Hygenist>>The presumption in the system was that legitimate domains are responsible for policing their users.
Policing users runs counter to the business... Posted At: 12-09-08
By: Showme | | | | | | A user comment on this articleIt's not just that. Now they are capturing hosted account data (GMAIL and other independent ISPs) and art spamming people with their own email... Posted At: 12-09-08
By: Anonymous | | | | | | A user comment on this articleI realized that the from address was not working and DID have to resort to IP listings, BUT I also found out that the IP was not the final authority... Posted At: 12-09-08
By: Bob Madore | | | | | | whitelistingYour whitelists are naive. You should be looking at the IP of the sending computer, not the from: address Posted At: 12-09-08
By: Larry Seltzer | | | | | | self addressed emailsWithin the last few months I have noticed a dramatic increase in emails 'from' myself.
I have a 'simple minded' solution, sequester all emails... Posted At: 12-09-08
By: Anonymous | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������x}r㶲s\@♵M"b{lc-/K3^:U*$�ER(9
7]hɗxjl��Fwh4#�I"nZΘ\̦dwꚃ�>}K$wB}��N�UQV C7_/(�bP�<�HwO7n[c^0�R�a���᳙*,�Q � tjGt0]2x�ֵ;k:&oweki cߨ_�[�``1Z�|R!�j
�9iݑ ۴^�$�)qH�ˑh]
](
Ѽ/$pm<"Q}# Q�T�BQ5w0NK
<[��@Sա*v�25v�6^:���ȅC�z$fRvnWo\ 205A2�Z [
�XdTZ��ӡk��u8r���08Jej-nfO-�n@w�(\'p}j� F1 9�,!\�ZNa^:Xy�
yN
�tq�(r~7P7nǾ;sC270 T6'�>6�L(�|HI
Cu"ħz�r(˺Y4�hm�Ea�ij|�Tݯ�(�G}`[싅S�
wQo|wTTMSe@B��mݹ��жF^v�Cq9}r>?'��7��;A:��@o&1W`j�LTV+Rhf���Rc@G,{B��oVq+ᖃhGZIAv��ina�[�E�4bEU�dNߒ-~k~>E,�3SAV5
̠tW?#;ˠjqsںy\7=rڽ&IٝN4p3
Z_Zz�`CK'^C/SQ?�&�:aZ+j�I-C{|&�x|9!�IoJ'ȿ��;Be}Y З?��,Y`M����Ip6M2T��c��]N�joNP_ ZPĿ�"G/â�x_~A��AӧIzG|JMk6�uI=D�C#ɠ�:ڴ{\�gV���4!>�&MЀ`�^i1[W <ۋJ!pI�x�ZS�xv�&zt@۠h&r�kI�7.[A0?�� ;
O`p]�&;�xk
=�`Dy+wCP�b�L{��TM`�@#@X�]7$>�(�@�+�9=P_)�nвc@|j�J�:�;r%Ea1�CD�ȧ�$D�!��-i]�R@A�z8��-��,rr<���� #!be6ODs@PGҹ;v�jvn2�3,BV-KїPf%i2kh�ƪń(VFN�1|�(0��Vf)�xf&i��&蝐t0O�iH\U�ɲE0s��}�sY�Mh?wܰHz}G�����VV̚3=P�.Ƈ5L;nlQr`8 0�:|Ch�2�i�{MYguϳ-j�{�r�Ǹ%�q�9an5�ډIVB!7O)wz@aex*�#w�T4
+�t�j~�#J�ݼ~h���;h{q#%MAw
�=�e河�xOuXKnuo?Hյpz1(KúJ�j'/��oh��m_Eڠ�ueLGyK-#��
IHf�(XK+e�zlxy���D62�C�i�n
Py�\�{8`O��7l{`(`R55 )KJ0$V+kVM&fMڹeK �l� �J;4
Ho�p�:7bbˡB2
OaN��}6tAz{fl2n� �8yOm �V!҇�F�D3�0`�,��F�=_GM�R^-#z0k�aT5`
Tikhƽ� b/^��ilLabDh
"�~�i�-��&c2�R*?�|l�;+1gP[W[?g0MϦ6ѯ�k0ͮ
2
\E+�z�7uau<ֿ,�YE8&WO!SB�9��2�GfqH)��Yf�:al<6;`rO18��МN�%Z*`��ҖM�PVGl䄇%�b�
"�K,8.h#2"�!+.��6@a9Ho�R�r
r=ct��e�>ugcՏ'�8,*�z)Oc��ʌ�QP@hrGX�\ km{]fRvQLٔ+_&2|1S�g)+VYف%�~Z/\v8C+`SRjj�*�'0k�(r/��?F~�n<ȵWڽv?a�IG{eY� Z7MF~TUJJЛ'Q�!VI#Ǹ.ɢ6A)M`ɒ8�khs)�sp:'S6PFz�*�%R�!wi#�yF(#!��w�'�OPlB�=2tbiw�:Λk��y1~�vg=D*ҮIG:��b�/T)��T 4&iZIRkOCsGl_z̢ te2q{4(۾b0-/$xE�D
<w,n�0N
l(U5m��b[-W+w�B!�i�!`�dRS��/t�2JE�`?��ɠ��<� �j�;!9 |�S
n&1%w�X�L\��tK�O�Wƒ"'!�*7�3,��`މjRU\1�ݽ]�=J
_BQ`�о(&Ѧ pmO�Ot@��M��Ew%]w7V쐔4�{ڽK͋C~lI6?�
�F�&{f�B�,
8oH�Ť}vl�{{l:k�6zv>GQ
7�2lO#�r��E}R|{͎y-{w[�j��tKCȃ��!yN�FS�̠�o2X$Czz��0<㹑a3�"A�PKվ̂�4�"Z�M3bn
*q�m�9ºU�XȬE`&|]L($��S�0�r$�`�$X�)��XAU:]7?ǎ:Ky�r6P���^S�(+RJ�"4FYO |�Zu3�s^f�3Rt4zQr:p~�}##Q�ᛷG
6n�2'|2J�$hבּ�~QO��tGov/zF]Y�F=foݷvcW};Ǎ>--8t�Ǡ^Cz�ҀI1&�ZQVP�**sᔤ˞�vW��&X�d1�0d&'a=K�f}#uoo=إ��֛%۴�
r�UCaC�:Z/0q0pHa�S�o��1֢�(g�|o(o&xk5�)
KN+�g7�_Cc��JK�h3�[Q@(��wC_ƥ�E/.q�Ĩ&pb�ow�x7�9�3�fd�eS̺Z:V~
`.zşn:�8?z9+ֻ,]|rjdÀxw��W�O�
r`j[w�Q2�Rʁ�ctqW�=dݳ�~TJ�!b�`ǽc@i/�p">:}Em[)+ijEY��n`��
��Ox8ƛ,Ka�vc�ƘSw611/�5���=že\�\μuGd gxGY^D�F�B<ŴVA)Z��3I*�Phl�vvRN���ꢰnhue"XV'l<�"P,P�P� ]Y#�grZ��a80Qm%5b.5 \tI��]]���6|K}w�kB{�L@%-�r{$6|p,uYD*d>���GN%?;ۊ�-&@>Nbb [.U;=jϸ_+S%W�ޮ844�W�ĪR50#ƙrʵZN�͞%iКDa�}V7LxECW�T��N/�e�eXVb@5�x;9ːbB%d�
dݦ~83Nr+S-�e�Ѫ��=Lj�}j<8>�n��[4�ބÏgg}6#&�>��ۇ�?a�}u�*>Kj%
[�ćm5"EŴ�R0%�q^sJv@3FYL�#kyٻj^B�@7`JMP&>a ԗ}(�7�Mɕ�)Bg
ϗﮊmcI6}�-g8g��lsc7�)@C�M�*<}*UT���C �"#��^ovٺ!
+n%V7ҳs΅�Q$52T���Iػ-�Bb
0|�C5b�IQ%)�?;�`ק��X\j� �ey?9kJx
,$�t)Z@pka25�c��@hD-.Vy�="R<�#^z�mhcI�wfR˕0�L]0�a�֊���9�GvH��ɂy]<��[ئVSTU6VPc �þ~�2t�������H{�Bp[&|�Z �-�= �-�hᕲ�čO$R�m��mg0?ĂSuY(Pۖz3jTj_��;`��w6�^�/n}66-Ӕrw?b"у(\\----'%5<-Nƙ%�>0mЯ�jY�J�@➢F@Q��itZ�f4r}I��w>0;F�,̶|��̌{9b-a�7@:�m7��s-M1վ΄"s|6dgɶc,T"{bA�:��?�d�)/8<�'o�t! $ Y�t��Ax$i �v(i�Lh�}%銇`%~=\ �ixn�2`욂|C\/)^qH�Q+zVW^�N#p�i+߂�tjADuhZi�� k�Zt33R6Ks0j3�o>o>o>WӮKZuc/��hH ��a6JsBa0lˤ�s��6#7�m�~�"@_s���ؤ�G*ݾέ[*�@,RC���w^߀᷸2\Oc}\^l @Jz�%�^)Obޫ�
qũWH��ʔܑe�3~A+j��]~�1$�*p�D� �'�c�Ɔ�_gX�H�}с�x(v{¹t(�;$ы$yO���5�n�Pd)JŋZY ̇0F�A�H>�Ô!�ƺ8ʨ%b ^�x�wt)ۼRQr#5}e�lCW�؆_�߳��
ZRˬ�krJEI3�Ʊ)�H1b*Nh�V4+P2Q֑T�Ko�i_/Ip�x�t�$7�+Hē{Wʮ,~Gl���ňk('>?�Ɨu;U6ZG�^b+.9]��B,va�`D�='�ȡ-b+1�ʵm�<߉/+",t�Z4�
쎧�m�,oajb�dF�yAx!�Fv;�Kb+.86Q{$IHpj+jj5:��A�^L81ckZzD�,?��t�"R�VЮ(>�2�l?��Q�X2!��
��/)/+iyp0^B=Jr�sf4�1%!�]W�q>ƘKjtyVU�Ւ�R�R,w9[�dLox?B鞐ք1x*B 'Uٜ�AGug�*GZ!դ�FK��Zk>A5�R`s̴ܧ5̈��b�vӚ ]��lzZC*J[7�ޕ5S]<_q�=%o7ݝ�CgnVu���C[wnWcOnH Op�찌?17���%�l7�A&~��lkT�p*Bק6:F�̽O%CMD0�J
�i%V*#/CyQ�)�cWVkRj*>5BYQ7� �rs��|z`'BO�.�kXl;�̝�0/R4M��X*!E�L�IߚRF�,kG� ʥ�&��VDs�o�a>:�(�-^`̷UKphkY\#WK�k)qCK "A�п��{{i/ �~Hګk�HOtDE�vb"mkmnAz�T[��P]'hx1~$:����eh�~�/0̊�۲VSo4J�ۅ]�aYJ'��蜜X��@�`zt G
Ki�~RJHuT+sr`6ވ۳j
c#T\S=@%�K�.&ڰkW16�jvN[Ļeŧ UkL(3��p#�SM�C7R�yVmIz�.�kx�>a�R|jۣV7>@2<�xW��W|�Ym[!�(�17ѵڤ�`(8NQ;|xU{V~Kb?{rq�����̋X/HKt4*:wy�>m;A=~zLLRO����7�g\�NL�_��_�߰�,VI�m{d7�2[�$}^?Z,D1��3%��q}n@~hvew=
d#�k�`+Cߑ?M>'죇B9̇�/�g!a���r�`(LJw0�(��-Ō��CZUѓȤ)t!dW`ǪZN�Wv x2nV?%.4W
PR�x�����V #vFC�dQ#G��L،\�ݹ�1�A39^&9nIqst/q{�}�RGݪ;es�@)
�3d&SR�o4e�š_lꌹ6�Wc\qxYx>+ah,.6 tg(;�(%lFyї�5�1o&Ll���=ViJjm8��j8ٙ%/GN\3G�MPЦoJ�c~�4=V0.8���SL^}'v�n�<�)�)'MfNy�ʻ9-AS~�'O>9y��NqY_i��VN9?t.sʡ���z9埡s��fE\��9_�<@ߋ�^�}.rs�_�yß��92z'(S~�g9_@EN9e^\%euݜwAtsO�K7G\�\�5u��^�=�A֗�_S^9)�O@O9rߛ�orڿ�\'I9�7sy�S�89B8_��yWAa uyS~�9@y�J
,cr\)���{�9;[?�tNBX\jvr+g^Lk
Ǥjuv��^_B��KHe^ٛL:CGP�/<*Y}Mc�h��to$.�rd��&}:=WWvl+x._[nNJ>S\ȜH�WɴVی �x�FUs"X�5̽qo>eyb�AZ-c�#]q�N8���(GUtK�n
\��x����%>��
#r
�}zE��xvY^]Y��j�7�m!ϋ9y}2�o�فOh]��ߊč,Ox��%�h_10(\��χ>ގx��J'܌3:X�'�;i�i__6�WmЙM%a]e�GӰ�XS/Us
!QaWEjorx�s/�ŁS�
;wMm=S�HN_
MW镆�.`
D�́a[�@R'�o6*VZ;5����#�f&Q5YUdF.��j�堼_��,)g
�/(�@#غ7M{%}C7":fȳRLq�
�u+k�%���<��tlmЎY�U|��y3� aw8c+x;H�@0�~Y8P&`!��؞.F^͆$�8w�� `1ǤK�4l!�Klɜ]k'b�"'�m/$sÙx,O�~�f+g�M��
ĪG�9Шsc7L�|�O�?g��bΩ z�нt�Ldp!gB-ҋKl!Pe�D�˺U&K;��S�(
5t0@2nu1�*F'B;N$/�ɉ�ؼ!ٻ-0B\hdNX~(0�8�[]^N�ȇA6�q�O
,L0�G$eo�ӗ:�ig�F�`ŌM̸&�$ʗPf�]3&2zdn3E ��~:��m�:�o1I55~�ɱ�(�
V �k�DF(�l#byC�ܞ0۰܉Lv),<�T#�0��?���u+6�a`类nǝ�Z[^Tœj@@zĶ��c�Id���b2O|e'0Oq hVf�=^(ul70H-��t{z [��{!fIo��&�G�S ?Yr|��1u�V@U}�C�1*�{ԟ1PDY/�u����Y{N6� )4�˧MϫH�P��]�szlo()�y+J9*ن��0U7VAoL3SY,�> V_d�v�O~5�B+*O��=>�z�o�>K:S3U1ւ�_�/gз�/;K{KV9�(�(&�]�a1W%�$rfR/��9"%
oPm��BO���0K`{�
,��CR6�LN�>�N�c�? `�vwj9xպ'e.,s(ŬBSd�<�)O?5G[nI�\�k<>a�iЄ.^p멎T�U|��J��A1Y<�&[z>DmKu_!FnvG�T
'7>��5'ك|2p6g�!(ْ�0��?�Fu:h�/�A�Sl+
6-����`ꎈM��6iZDR�*,Dl'f
,���~sf㿴�稅K���OWv:�y@�t
�+AўY�m0o6`��/�Zn�v/-�Ǭ�yJ~�S.u�7tle��@�Jͽ�� �mE73B*{�X^c �0У,*0�9�5-E6<]܈x~{ݾŀ�
g�k�OUx.XURM)�X7lBT�FM¶":qpxm;}�k{&*l+k[ȅn�T�x�I;s�__�@�>���{z��w!G[�0rczz7Y=W
�ɴ{%̅2 !ɴZxyU~ҥ�N�.I,g`aQd+$*)�ؐ������k`4bV@P���1,sQf7}Oa�N*)As�a#�El���[ApN7Wm�s�S<"Y<.'7gyO�|9-�z��0�
�LMkÐpai�#fS�S/�f� �Ax��
=`#hxb
"���nh1)�d'k%I;c79=I�60���Ä
5"5roq=}e��יJ؍�pK��g8�g!(X^�ZLT��/>%hw2b5����g�_yfOȅ�^`\YG��+n:�'�wX;E�B(O}y9|C*'UEώ7z_Q}BeFBl4.�$7y:�?C[7nyq˖�UQ�- Q{jgA0��}U\OWzv`ol��3�g�~�oU��AYf]*Z5�N��j|ӷۊ�#iQg8&rYO�ZiKmw9n�~뉘h6JM?
۔̡9MR"�Zi/!zR<>էr09d֊��V&|&�Z2cˤ_�l�o(��
|
Network Security & Hardware 
