Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2009/06/08 18:12:56 UTC

Re: [sa] Re: New Spam Mails plz suggest

On 08.06.09 12:21, Karsten Bräckelmann wrote:
>>>> By authenticated users? So that's no bot spam, and the user spams
>>>> deliberately and consciously...
On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote:
>>> says who? Afaik spamware often uses outlook's SMTP engine, so it's
>>> quite common for those to be distributed with authentication info.
On 08.06.09 16:52, Karsten Bräckelmann wrote:
>> Got any stats about a non-negligible amount of bot spam authenticating
>> with the real user's SMTP, instead of direct-to-MX submission?
On Mon, 8 Jun 2009, Matus UHLAR - fantomas wrote:
> Why should I have any? Any spamming client can get us blacklisted, so
> it's important that they would not spread spam...

I believe his request for stats is a polite way of disagreeing with your 
statement that bots 'often' use Outlook SMTP Auth. Personally, I have 
always thought that bots avoided ISP mail servers in order to minimize 
detection and maximize the amount of time they can spew before being
blocked/deleted. This is actually the premise that makes RBL checks for 
'direct to MX' so successful. So your statement was quite surprising.

Rather than just challenge its accuracy, we politely ask for more info. :)

- Charles


Re: [sa] Re: New Spam Mails plz suggest

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tue, 9 Jun 2009, Matus UHLAR - fantomas wrote:
>>> I believe his request for stats is a polite way of disagreeing with your
>>> statement that bots 'often' use Outlook SMTP Auth.
>>
>> OK, to be more accurate: times change, and maybe currently it's not that
>> common to use outlook's (or whatever's) engine to send spam/viruses/etc

On 09.06.09 10:10, Charles Gregory wrote:
> Please stay in context.

That was just what I have tried.

> We're talking about how to weigh SMTP auth in  
> *spamassassin*, which implies it is only the spam and not 'viruses/etc'  
> that are being discussed. Perhaps botnets spread their viral component  
> via a sender's MX to try and gain 'trust' for that all-important  
> infection process, but that is low volume and does not look like spam.

There was also a recommendation not to scan outgoing, authenticated e-mail with
SA, which I objected to.

>> However since there are always cases where malware sends through outgoing  
>> relays (Should I search our ticketing system for those?) I think it's  
>> still not good to skip scanning of authenticated/outgoing e-mail.
>
> If you're talking anti-virus scanning, you are quite correct.
> If you are talking anti-spam scanning, and in particular about
> spam sent from botnets, then at *best* the arguments are highly
> specific to a given system. At worst, as a generality, I would say  
> 'infrequently', not 'often'. You know, YMMV stuff. :)

I'm sure that was once "often", and I guess there's still some malware
spreading spam this way. Well, just today I found a customer spamming
through our SMTP servers...

>> And, since there are reputation services on the net, and outgoing  
>> mailservers are expected to have better reputation than customers' end  
>> IPs, the situation may change once again...
>
> Blah. Don't get me going on the whole 'reputation' thing. Still annoys me 
> that Yahell 4xx's mail from our lists because of 'too many recipients'.
> Well, duh, it's a list. (shake head). I suppose it's better than 5xx... :)

It does not matter if we agree with the reputation system; there are still
people and blacklists who refuse mail from an IP if they receive more than X
spams and less than Y hams within Z seconds etc. Sending spam via gmail
servers is more effective than from e.g. a Malaysian dialup, since people
usually object to blacklisting google/gmail, while they don't for
.my dialups...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest. 

Re: [sa] Re: New Spam Mails plz suggest

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 9 Jun 2009, Matus UHLAR - fantomas wrote:
>> I believe his request for stats is a polite way of disagreeing with your
>> statement that bots 'often' use Outlook SMTP Auth.
>
> OK, to be more accurate: times change, and maybe currently it's not that
> common to use outlook's (or whatever's) engine to send spam/viruses/etc

Please stay in context. We're talking about how to weigh SMTP auth in 
*spamassassin*, which implies it is only the spam and not 'viruses/etc' 
that are being discussed. Perhaps botnets spread their viral component 
via a sender's MX to try and gain 'trust' for that all-important 
infection process, but that is low volume and does not look like spam.

> However since there are always cases where malware sends through outgoing 
> relays (Should I search our ticketing system for those?) I think it's 
> still not good to skip scanning of authenticated/outgoing e-mail.

If you're talking anti-virus scanning, you are quite correct.
If you are talking anti-spam scanning, and in particular about
spam sent from botnets, then at *best* the arguments are highly
specific to a given system. At worst, as a generality, I would say 
'infrequently', not 'often'. You know, YMMV stuff. :)

> And, since there are reputation services on the net, and outgoing 
> mailservers are expected to have better reputation than customers' end 
> IPs, the situation may change once again...

Blah. Don't get me going on the whole 'reputation' thing. Still annoys me 
that Yahell 4xx's mail from our lists because of 'too many recipients'.
Well, duh, it's a list. (shake head). I suppose it's better than 5xx... :)

-Charles

Re: [sa] Re: New Spam Mails plz suggest

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 08.06.09 12:21, Karsten Bräckelmann wrote:
>>>>> By authenticated users? So that's no bot spam, and the user spams
>>>>> deliberately and consciously...

> On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote:
>>>> says who? Afaik spamware often uses outlook's SMTP engine, so it's
>>>> quite common for those to be distributed with authentication info.

> On 08.06.09 16:52, Karsten Bräckelmann wrote:
>>> Got any stats about a non-negligible amount of bot spam authenticating
>>> with the real user's SMTP, instead of direct-to-MX submission?

> On Mon, 8 Jun 2009, Matus UHLAR - fantomas wrote:
>> Why should I have any? Any spamming client can get us blacklisted, so  
>> it's important that they would not spread spam...

On 08.06.09 12:12, Charles Gregory wrote:
> I believe his request for stats is a polite way of disagreeing with your  
> statement that bots 'often' use Outlook SMTP Auth. Personally, I have  
> always thought that bots avoided ISP mail servers in order to minimize  
> detection and maximize the amount of time they can spew before being
> blocked/deleted. This is actually the premise that makes RBL checks for  
> 'direct to MX' so successful. So your statement was quite surprising.
>
> Rather than just challenge its accuracy, we politely ask for more info. :)

OK, to be more accurate: times change, and maybe currently it's not that
common to use outlook's (or whatever's) engine to send spam/viruses/etc
compared to direct delivery (not even to MX, but also NS etc, remember?)

However since there are always cases where malware sends through outgoing relays
(Should I search our ticketing system for those?) I think it's still not good
to skip scanning of authenticated/outgoing e-mail. Since each one can cause
blacklisting, it's worth blocking, although it should be done carefully
(I've seen a report where outgoing mail was refused because it hit a score of
7...)

And, since there are reputation services on the net, and outgoing
mailservers are expected to have better reputation than customers' end IPs,
the situation may change once again...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
99 percent of lawyers give the rest a bad name.
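The thread argues two things at once: authenticated outgoing mail should still be scanned, because one spamming account can get the relay blacklisted, but it must not be rejected at the same threshold as inbound mail (the "score of 7" report above). The following is an added example, not code from the thread or from SpamAssassin, showing one way to weight SMTP AUTH in the policy layer that consumes SpamAssassin's score. It assumes a Postfix-style topmost Received header (the "(Authenticated sender: ...)" marker or the ESMTPA/ESMTPSA keyword); the thresholds, the strike limit and the sample headers are constructed for illustration.

```python
import re
from collections import Counter

# Authentication marker Postfix writes into its own Received header when
# smtpd_sasl_authenticated_header=yes, or the ESMTPA/ESMTPSA protocol
# keyword (RFC 3848). Assumption: other MTAs spell this differently.
AUTH_RE = re.compile(
    r"\(Authenticated sender: (?P<user>[^\s)]+)\)|\bwith E?SMTPS?A\b",
    re.IGNORECASE,
)


def first_received(header_block):
    """Return the topmost Received: header with folded lines joined, or None.

    Only the header our own MTA prepended is trustworthy; every Received
    header below it was supplied by the client and can be forged.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_block)
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            return line
    return None


def authenticated_user(header_block):
    """Return the SASL login from the topmost Received header, or None."""
    received = first_received(header_block)
    if received is None:
        return None
    match = AUTH_RE.search(received)
    if match is None:
        return None
    return match.group("user") or "<unknown>"


class SubmissionPolicy:
    """Turn a SpamAssassin score into an action, weighting SMTP AUTH.

    Unauthenticated (inbound) mail is tagged at tag_at and rejected at
    inbound_reject. Mail from our own authenticated users is scanned too,
    but rejected only at the much higher outbound_reject; a score between
    tag_at and outbound_reject is delivered and counted as a strike, so a
    compromised or deliberately spamming account is held and flagged after
    `strikes` such messages instead of bouncing one legitimate mail that
    happened to score 7. Thresholds are illustrative assumptions.
    """

    def __init__(self, tag_at=5.0, inbound_reject=10.0,
                 outbound_reject=15.0, strikes=3):
        self.tag_at = tag_at
        self.inbound_reject = inbound_reject
        self.outbound_reject = outbound_reject
        self.strikes = strikes
        self.strike_count = Counter()

    def decide(self, header_block, sa_score):
        user = authenticated_user(header_block)
        if user is None:
            # Direct-to-MX / unauthenticated: ordinary inbound thresholds.
            if sa_score >= self.inbound_reject:
                return "reject"
            return "tag" if sa_score >= self.tag_at else "accept"
        if sa_score < self.tag_at:
            return "accept"
        self.strike_count[user] += 1
        if self.strike_count[user] >= self.strikes:
            return "hold+flag:" + user
        return "reject" if sa_score >= self.outbound_reject else "accept"


# Constructed sample headers (not taken from the thread).
AUTH_SUBMISSION = (
    "Received: from laptop.example.net (unknown [203.0.113.10])\n"
    "\t(Authenticated sender: alice@example.net)\n"
    "\tby smtp.example.net (Postfix) with ESMTPSA id 3K1ZQ7\n"
    "From: alice@example.net\n"
)
DIRECT_TO_MX = (
    "Received: from dsl-4.isp.example (dsl-4.isp.example [198.51.100.4])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 9Q2XY1\n"
    "From: someone@example.org\n"
)
# A marker in a header the *client* supplied must not count as AUTH.
FORGED = (
    "Received: from dsl-4.isp.example (dsl-4.isp.example [198.51.100.4])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 9Q2XY2\n"
    "Received: from evil ([192.0.2.9]) (Authenticated sender: bob@example.net)\n"
    "\tby fake.example.org with ESMTPSA id X\n"
)

if __name__ == "__main__":
    policy = SubmissionPolicy()
    for score in (7.0, 7.0, 7.0):
        print("alice, score", score, "->", policy.decide(AUTH_SUBMISSION, score))
    print("direct-to-MX, score 12 ->", policy.decide(DIRECT_TO_MX, 12.0))
    print("forged AUTH, score 12 ->", policy.decide(FORGED, 12.0))
```

Running it delivers the first two score-7 messages from alice and holds the third with her account flagged, while the same score on unauthenticated mail is rejected outright; the forged header is treated as inbound because only the topmost Received line is consulted.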