[Mimedefang] Greylist-busting ratware?
nathan r. hruby
nhruby at uga.edu
Thu Apr 20 19:34:59 EDT 2006

Sorry for the delayed reply...

On Tue, 18 Apr 2006, David F. Skoll wrote:
> Hi,
>
> I think greylisting is nearing the end of its useful life. I'm
> noticing a new kind of ratware that retries every 5 minutes
> like clockwork, mutating message bodies. Our CanIt software tempfails
> mail until it's approved by a human, and this mechanism has the side-effect
> of illuminating ratware behaviour.
>
> For example:
>
> http://www.roaringpenguin.com/canit/showtrap.php?o=71.0.177.139&status=spam
>
> (Login/password = demo/demo)
>
> Anyone else seeing this? We see it quite a lot, and always from cable modem
> or DSL machines (probably cracked Windoze boxes.)
>

*sigh* We don't greylist (yet) but I can confirm that in the past 6-8
months we've seen a rise of certain modes of operation:

- ratware infected boxen on campus use campus relays which relay by IP.
  They spew, we queue. Badness for everyone.
- Inbound ratware using SMTP AUTH to authenticate as a real user (using
  stolen credentials) and thus use us as MSA for their spam. (These have
  been exclusively phishes)

I strongly feel that the rise of these incidents is a direct response to
greylisting and rate throttling.

-n
--
-------------------------------------------
nathan hruby <nhruby at uga.edu>
uga enterprise information technology services
core services support
-------------------------------------------
"In 1972 a crack commando unit was sent to
prison by a military court for a crime they
didn't commit...."
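
Added example, not part of the original message or of MIMEDefang/CanIt: a detection sketch for the behaviour described in the quoted text, flagging relays whose tempfailed retries arrive at a near-constant interval while the body changes on each attempt. The log format, the grouping key (relay IP plus recipient), the function names and the thresholds are all assumptions; the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample tempfail log: time, relay IP, recipient, body digest.
# Addresses are documentation ranges (RFC 5737); digests are made up.
SAMPLE_LOG = """\
2006-04-18T10:00:02 192.0.2.10 user@example.org a1f3
2006-04-18T10:05:01 192.0.2.10 user@example.org 9c2e
2006-04-18T10:10:03 192.0.2.10 user@example.org 77b0
2006-04-18T10:15:02 192.0.2.10 user@example.org e410
2006-04-18T10:01:00 198.51.100.7 user@example.org 5d5d
2006-04-18T10:16:00 198.51.100.7 user@example.org 5d5d
2006-04-18T10:46:00 198.51.100.7 user@example.org 5d5d
2006-04-18T10:02:00 203.0.113.5 user@example.org beef
"""

def parse(log):
    """Group attempts by (relay IP, recipient), each list sorted by time."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, rcpt, digest = line.split()
        attempts[(ip, rcpt)].append((datetime.fromisoformat(ts), digest))
    for seq in attempts.values():
        seq.sort()
    return attempts

def clockwork_mutators(log, min_attempts=3, max_jitter=30):
    """Return keys retrying at a near-constant interval with changing bodies."""
    # min_attempts and max_jitter (seconds) are assumed thresholds.
    flagged = []
    for key, seq in parse(log).items():
        if len(seq) < min_attempts:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seq, seq[1:])]
        fixed_interval = max(gaps) - min(gaps) <= max_jitter
        mutating = len({digest for _, digest in seq}) > 1
        if fixed_interval and mutating:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    for ip, rcpt in clockwork_mutators(SAMPLE_LOG):
        print(f"{ip} -> {rcpt}: fixed-interval retries with mutating bodies")
```

In the sample, the second relay retries the same body with growing gaps, as a queueing MTA typically does, and is not flagged; only the first relay matches both conditions.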