[Mimedefang] Greylist-busting ratware?

nathan r. hruby nhruby at uga.edu
Thu Apr 20 19:34:59 EDT 2006

Sorry for the delayed reply...

On Tue, 18 Apr 2006, David F. Skoll wrote:

> Hi,
> I think greylisting is nearing the end of its useful life.  I'm
> noticing a new kind of ratware that retries every 5 minutes
> like clockwork, mutating message bodies.  Our CanIt software tempfails
> mail until it's approved by a human, and this mechanism has the side-effect
> of illuminating ratware behaviour.
> For example:
> http://www.roaringpenguin.com/canit/showtrap.php?o=
> (Login/password = demo/demo)
> Anyone else seeing this?  We see it quite a lot, and always from cable modem
> or DSL machines (probably cracked Windoze boxes.)

*sigh*  We don't greylist (yet) but I can confirm that in the past 6-8
months we've seen a rise of certain modes of operation:
- ratware-infected boxen on campus use campus relays that relay by IP.
   They spew, we queue.  Badness for everyone.
- Inbound ratware using SMTP AUTH to authenticate as a real user (with
   stolen credentials) and thus using us as an MSA for its spam.  (These have
   been exclusively phishes.)

I strongly feel that the rise of these incidents is a direct response to
greylisting and rate throttling.

nathan hruby <nhruby at uga.edu>
uga enterprise information technology services
core services  support
"In 1972 a crack commando unit was sent to
  prison by a military court for a crime they
  didn't commit...."
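The greylisting mechanics David describes, as an added example that is not part of this thread and not the code of CanIt, MIMEDefang or any MTA. A triplet greylister keys on (client IP, envelope sender, envelope recipient), tempfails the first attempt and accepts a retry that arrives after a minimum delay; the message body is never part of the key, so mutating bodies costs the ratware nothing. The simulation below shows a normal MTA retrying after 15 minutes, a bot that retries every 5 minutes like clockwork, and an older bot that rotates the envelope sender on every attempt. The delays, TTLs, addresses and IP are assumptions chosen for the demonstration.

```python
"""Triplet greylisting simulation (added example; not from the thread or any MTA)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]  # (client_ip, mail_from, rcpt_to); body is irrelevant


@dataclass
class Greylister:
    min_delay: int = 300           # seconds a triplet must age before acceptance (assumed)
    max_wait: int = 4 * 3600       # forget triplets that are not retried within this (assumed)
    whitelist_ttl: int = 36 * 3600 # how long an accepted triplet stays whitelisted (assumed)
    first_seen: Dict[Triplet, int] = field(default_factory=dict)
    whitelisted_until: Dict[Triplet, int] = field(default_factory=dict)

    def check(self, triplet: Triplet, now: int) -> str:
        """SMTP verdict ("ACCEPT" or "TEMPFAIL") for one delivery attempt at time `now`."""
        if self.whitelisted_until.get(triplet, -1) > now:
            return "ACCEPT"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.max_wait:
            # Never seen, or the old record expired: start the clock and tempfail.
            self.first_seen[triplet] = now
            return "TEMPFAIL"
        if now - seen < self.min_delay:
            # Retried too early; keep tempfailing until the delay has elapsed.
            return "TEMPFAIL"
        # A retry after the minimum delay: this is what greylisting rewards,
        # whether the sender is a real MTA or a bot with a retry loop.
        del self.first_seen[triplet]
        self.whitelisted_until[triplet] = now + self.whitelist_ttl
        return "ACCEPT"


def run_sender(retry_interval: int, attempts: int, min_delay: int = 300,
               rotate_sender: bool = False) -> List[str]:
    """Verdicts seen by one client that retries every `retry_interval` seconds.

    With rotate_sender=True the client uses a fresh MAIL FROM on every attempt,
    which is how older fire-and-forget ratware behaved: every attempt is a new
    triplet and none of them ever ages past the delay.
    """
    gl = Greylister(min_delay=min_delay)
    verdicts = []
    for n in range(attempts):
        sender = f"bot{n}@example.net" if rotate_sender else "bot@example.net"
        triplet = ("192.0.2.10", sender, "victim@example.edu")  # constructed values
        verdicts.append(gl.check(triplet, n * retry_interval))
    return verdicts


def first_accept(verdicts: List[str]) -> Optional[int]:
    """Index of the first accepted attempt, or None if the greylist held."""
    return verdicts.index("ACCEPT") if "ACCEPT" in verdicts else None


if __name__ == "__main__":
    print("real MTA, 15 min retry:   ", run_sender(900, 3))
    print("clockwork bot, 5 min:     ", run_sender(300, 4))
    print("clockwork bot, 10 min min:", run_sender(300, 4, min_delay=600))
    print("sender-rotating bot:      ", run_sender(300, 6, rotate_sender=True))
```

Raising the minimum delay only costs the clockwork bot one more retry; the greylist still stops the sender-rotating bot outright, which is why the retrying variant looks like an adaptation to greylisting rather than a coincidence.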

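A heuristic for the second mode Nathan lists, ratware submitting through SMTP AUTH with a stolen account, as an added example that is not code from this thread, from UGA or from any MTA. The idea is that an account used by a bot shows up sending from many client IPs and to many recipients in a short window, which a real user rarely does. The log format here is a constructed simplification (epoch seconds, authenticated user, client IP, recipient count per accepted message), not sendmail's or MIMEDefang's real log format, and the thresholds are assumptions to be tuned against local traffic.

```python
"""Per-account submission abuse heuristic (added example; log format and thresholds assumed)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one line per accepted message,
# "<epoch> <auth user> <client ip> <recipient count>". Not a real log.
SAMPLE_LOG = """\
1145390000 alice 10.1.2.3 1
1145390120 alice 10.1.2.3 2
1145390200 bob 198.51.100.7 40
1145390260 bob 203.0.113.9 45
1145390320 bob 198.51.100.22 50
1145390400 bob 192.0.2.77 48
"""

Record = Tuple[int, str, str, int]  # (timestamp, user, client_ip, recipients)


def parse(log: str) -> List[Record]:
    """Parse the simplified log into records; blank lines are skipped."""
    records: List[Record] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, rcpts = line.split()
        records.append((int(ts), user, ip, int(rcpts)))
    return records


def flag_accounts(records: List[Record], window: int = 3600,
                  max_ips: int = 2, max_rcpts: int = 100) -> Dict[str, str]:
    """Return {user: reason} for accounts that, in any sliding window of
    `window` seconds, submitted from more than `max_ips` distinct client IPs
    or to more than `max_rcpts` recipients in total. Thresholds are assumptions."""
    by_user: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        by_user[rec[1]].append(rec)

    flagged: Dict[str, str] = {}
    for user, recs in by_user.items():
        recs.sort()  # by timestamp
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            window_recs = recs[start:end + 1]
            ips = {r[2] for r in window_recs}
            rcpts = sum(r[3] for r in window_recs)
            if len(ips) > max_ips:
                flagged[user] = f"{len(ips)} client IPs within {window}s"
                break
            if rcpts > max_rcpts:
                flagged[user] = f"{rcpts} recipients within {window}s"
                break
    return flagged


if __name__ == "__main__":
    for user, reason in flag_accounts(parse(SAMPLE_LOG)).items():
        print(f"{user}: {reason}")
```

A flagged account is a candidate for a temporary submission block and a password reset rather than an automatic reject, since the legitimate owner is also locked out once the stolen credential is disabled.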