[Mimedefang] Greylist-busting ratware?

nathan r. hruby nhruby at uga.edu
Thu Apr 20 19:34:59 EDT 2006


Sorry for the delayed reply...

On Tue, 18 Apr 2006, David F. Skoll wrote:

> Hi,
>
> I think greylisting is nearing the end of its useful life.  I'm
> noticing a new kind of ratware that retries every 5 minutes
> like clockwork, mutating message bodies.  Our CanIt software tempfails
> mail until it's approved by a human, and this mechanism has the side-effect
> of illuminating ratware behaviour.
>
> For example:
>
> http://www.roaringpenguin.com/canit/showtrap.php?o=71.0.177.139&status=spam
>
> (Login/password = demo/demo)
>
> Anyone else seeing this?  We see it quite a lot, and always from cable modem
> or DSL machines (probably cracked Windoze boxes.)
>

*sigh*  We don't greylist (yet) but I can confirm that in the past 6-8
months we've seen a rise of certain modes of operation:
- ratware-infected boxen on campus use campus relays which relay by IP.
   They spew, we queue.  Badness for everyone.
- Inbound ratware using SMTP AUTH to authenticate as a real user (using
   stolen credentials) and thus use us as MSA for their spam.  (These have
   been exclusively phishes)

I strongly feel that the rise of these incidents is a direct response to
greylisting and rate throttling.

-n
-- 
-------------------------------------------
nathan hruby <nhruby at uga.edu>
uga enterprise information technology services
core services  support
-------------------------------------------
"In 1972 a crack commando unit was sent to
  prison by a military court for a crime they
  didn't commit...."
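The two behaviours discussed in this thread (ratware that retries like clockwork while mutating the message body, and stolen SMTP AUTH credentials used to turn a site into a spam MSA) both leave a recognisable shape in delivery logs. The following is an added example written for this page; it is not code from either message, from MIMEDefang or from CanIt. The record layout (timestamp, client IP, envelope sender, SMTP AUTH user, body digest), the sample records and the thresholds are assumptions made for illustration; the 71.0.177.139 address is the one David's trap URL refers to.

```python
"""Heuristics for the two ratware behaviours described in this thread.

Added example: this is not code from the MIMEDefang thread, from MIMEDefang
or from CanIt.  The log record layout, the sample records and the thresholds
are assumptions made for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one record per tempfailed or queued delivery attempt.
# Fields: timestamp, client IP, envelope sender, SMTP AUTH user (None if
# unauthenticated), digest of the message body as a milter could compute it.
SAMPLE = [
    # Clockwork ratware (the thread's 71.0.177.139 case): retries every 300 s
    # exactly, with a different body digest on every attempt.
    ("2006-04-18 10:00:00", "71.0.177.139", "a@example.net", None, "d1"),
    ("2006-04-18 10:05:00", "71.0.177.139", "a@example.net", None, "d2"),
    ("2006-04-18 10:10:00", "71.0.177.139", "a@example.net", None, "d3"),
    ("2006-04-18 10:15:00", "71.0.177.139", "a@example.net", None, "d4"),
    # Legitimate MTA: growing back-off, identical queued body on each retry.
    ("2006-04-18 10:00:00", "192.0.2.10", "b@example.org", None, "e1"),
    ("2006-04-18 10:15:00", "192.0.2.10", "b@example.org", None, "e1"),
    ("2006-04-18 10:45:00", "192.0.2.10", "b@example.org", None, "e1"),
    ("2006-04-18 11:45:00", "192.0.2.10", "b@example.org", None, "e1"),
    # Stolen SMTP AUTH credentials: one account submitting from five client
    # IPs inside half an hour.
    ("2006-04-18 10:00:00", "198.51.100.1", "jdoe@example.edu", "jdoe", "f1"),
    ("2006-04-18 10:06:00", "198.51.100.2", "jdoe@example.edu", "jdoe", "f2"),
    ("2006-04-18 10:12:00", "198.51.100.3", "jdoe@example.edu", "jdoe", "f3"),
    ("2006-04-18 10:18:00", "198.51.100.4", "jdoe@example.edu", "jdoe", "f4"),
    ("2006-04-18 10:24:00", "198.51.100.5", "jdoe@example.edu", "jdoe", "f5"),
    # Ordinary user submitting from home in the morning, from the office later.
    ("2006-04-18 08:00:00", "203.0.113.7", "asmith@example.edu", "asmith", "g1"),
    ("2006-04-18 13:00:00", "203.0.113.8", "asmith@example.edu", "asmith", "g2"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def clockwork_retriers(records, min_attempts=3, max_cv=0.10):
    """Flag client IPs that retry at a near-constant interval AND change the
    message body between attempts.

    A real MTA retries the same queued message, so its body digest is stable.
    Many legitimate MTAs also retry at fixed intervals, so the interval test
    on its own is not conclusive; the two conditions together are the pattern
    the thread describes.  Returns {ip: {"interval_s": mean, "attempts": n}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, _sender, _user, digest in records:
        by_ip[ip].append((_ts(ts), digest))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        if len(attempts) < min_attempts:
            continue
        gaps = [(b[0] - a[0]).total_seconds()
                for a, b in zip(attempts, attempts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # 0.0 for a perfect clock
        mutating = len({d for _, d in attempts}) > 1
        if cv <= max_cv and mutating:
            flagged[ip] = {"interval_s": mean, "attempts": len(attempts)}
    return flagged


def auth_users_from_many_ips(records, window=timedelta(hours=1), max_ips=3):
    """Flag SMTP AUTH users seen from more than max_ips distinct client IPs
    inside any sliding window of length `window`: the shape of one stolen
    credential being driven by many infected hosts.  Returns
    {user: sorted list of client IPs in the first offending window}.
    """
    by_user = defaultdict(list)
    for ts, ip, _sender, user, _digest in records:
        if user:
            by_user[user].append((_ts(ts), ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    print("clockwork retriers:", clockwork_retriers(SAMPLE))
    print("auth users from many IPs:", auth_users_from_many_ips(SAMPLE))
```

The body-digest condition matters: a greylister keyed on client IP, sender and recipient will admit the clockwork sender as soon as its retry lands after the greylist window, and a fixed retry interval alone looks like several well-behaved MTAs. What no queueing MTA does is resend a different message under the same envelope every five minutes. For the SMTP AUTH case the threshold is deliberately loose (more than three client IPs in an hour); a site with mobile users would tune it, and would also want a per-account rate limit on the MSA rather than only after-the-fact detection.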


