Re: [Asrg] Some data on the validity of MAIL FROM addresses

jm@jmason.org (Justin Mason) Wed, 21 May 2003 18:39 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA01028 for <asrg-archive@odin.ietf.org>; Wed, 21 May 2003 14:39:55 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4LI6o904345 for asrg-archive@odin.ietf.org; Wed, 21 May 2003 14:06:50 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4LI6nB04342 for <asrg-web-archive@optimus.ietf.org>; Wed, 21 May 2003 14:06:49 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA01022; Wed, 21 May 2003 14:39:25 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19IYTT-0001En-00; Wed, 21 May 2003 14:38:03 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19IYTT-0001Ek-00; Wed, 21 May 2003 14:38:03 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4LI04B04018; Wed, 21 May 2003 14:00:04 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4LHxuB03966 for <asrg@optimus.ietf.org>; Wed, 21 May 2003 13:59:56 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA00903 for <asrg@ietf.org>; Wed, 21 May 2003 14:32:32 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19IYMo-0001Cy-00 for asrg@ietf.org; Wed, 21 May 2003 14:31:10 -0400
Received: from dogma.slashnull.org ([212.17.35.15]) by ietf-mx with esmtp (Exim 4.12) id 19IYMn-0001Cp-00 for asrg@ietf.org; Wed, 21 May 2003 14:31:10 -0400
Received: from jmason.org (ga183055.reshsg.uci.edu [128.195.183.55]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h4LIW2d23603; Wed, 21 May 2003 19:32:02 +0100
Received: by jmason.org (Postfix, from userid 500) id 49BD016FC6; Wed, 21 May 2003 19:32:14 +0100 (IST)
Received: from jmason.org (localhost [127.0.0.1]) by jmason.org (Postfix) with ESMTP id 3F127F826; Wed, 21 May 2003 11:32:14 -0700 (PDT)
To: Yakov Shafranovich <research@solidmatrix.com>
Cc: asrg@ietf.org
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
In-Reply-To: Message from Yakov Shafranovich <research@solidmatrix.com> of "Wed, 21 May 2003 14:03:36 EDT." <5.2.0.9.2.20030521140334.00ba68e8@solidmatrix.com>
From: jm@jmason.org
X-GPG-Key-Fingerprint: 0A48 2D8B 0B52 A87D 0E8A 6ADD 4137 1B50 6E58 EF0A
X-Habeas-Swe-1: winter into spring
X-Habeas-Swe-2: brightly anticipated
X-Habeas-Swe-3: like Habeas SWE (tm)
X-Habeas-Swe-4: Copyright 2002 Habeas (tm)
X-Habeas-Swe-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-Swe-6: email in exchange for a license for this Habeas
X-Habeas-Swe-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-Swe-8: Message (HCM) and not spam. Please report use of this
X-Habeas-Swe-9: mark in spam to <http://www.habeas.com/report/>.
Message-Id: <20030521183214.49BD016FC6@jmason.org>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Wed, 21 May 2003 11:32:09 -0700

Yakov Shafranovich said:
> At 11:02 PM 5/20/2003 -0400, Eric D. Williams wrote:
> >Has anyone done a forensic examination of 'spamware' and/or developed a
> >taxonomy of its internals?  Will knowing the 'weapons' - to co-opt an
> >analogy being proposed by some - aid in defeating the 'enemy'?  Are
> >there any other 'artifacts' not directly related to the 'spam' problem,
> >that can aid in determining methods to defeat 'it'?
> 
> If you remember that article from the Oregonian about a spammer talking
> about his business, he mentioned that spammers operate all kinds of
> clubs and chatrooms where such software is discussed and developed. The
> only way to obtain this software is for someone to find a cooperating
> spammer (like that's going to happen!) or "infiltrate" these clubs
> acting as a spammer.  That requires time and effort, and all of us are
> working people with not much of that going around. The spammer discussed
> in the article was unemployed I believe, and had plenty of free time.
> 
> Nevertheless, if anyone possesses or has any type of spam software,
> please come forward.

I have heard from "white hat" people with some in their possession --
usually obtained from cracked or trojaned boxes, where the spamware is
running (and relaying spam!) when discovered.

In addition, I hear that some of the tools can be downloaded quite simply
from the web!  Search google for "bulk mail stealth download" and there
should be a few hits.

Unfortunately I do not have access to any code myself.

BTW, it would be instructive if someone who has access to one, and the
know-how to decompile it, could examine its sending code and indicate
whether it uses randomly-generated addresses, or a static list of existing
ones loaded from a config file, for the addresses used in the MAIL FROM
> SMTP command and From: header.

--j.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
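The question raised above, whether a bulk mailer draws its MAIL FROM addresses from a random generator or from a fixed list of real ones, can also be approached from the receiving side, by profiling the envelope senders a site actually sees in its own logs. The following is an added example written for this archive page; it is not code from the thread, from the ASRG, or from any mailer. The Postfix-style log lines, queue ids and addresses are constructed, the thresholds (30% reuse, 60% generated-looking) are assumptions chosen for illustration, and the per-address heuristic (vowel ratio under 20% or a run of four or more consonants) is a rough stand-in for a validated classifier.

```python
"""Profile the envelope senders in a mail log to judge whether they look
randomly generated or drawn from a fixed list of real addresses.
Added illustration for the thread's question; not code from the list or
from any bulk mailer.  Log lines, thresholds and heuristics are constructed."""
import re
from collections import Counter

# Constructed Postfix-like qmgr lines.  Batch A: every sender distinct, local
# parts with almost no vowels.  Queue ids and addresses are made up; the
# from=<> line is a null-sender bounce and is deliberately skipped.
GENERATED_LOG = """\
May 21 19:32:02 mx postfix/qmgr[4021]: A1B2C3D4E5: from=<qzxk7t2v@example.net>, size=2310, nrcpt=1 (queue active)
May 21 19:32:03 mx postfix/qmgr[4021]: A1B2C3D4E6: from=<bdtwq9lpm@example.net>, size=2310, nrcpt=1 (queue active)
May 21 19:32:03 mx postfix/smtpd[4030]: connect from unknown[192.0.2.10]
May 21 19:32:04 mx postfix/qmgr[4021]: A1B2C3D4E7: from=<hj4rxv0kq@example.net>, size=2311, nrcpt=1 (queue active)
May 21 19:32:04 mx postfix/qmgr[4021]: A1B2C3D4E8: from=<wpn8ksdzt@example.net>, size=2310, nrcpt=1 (queue active)
May 21 19:32:05 mx postfix/qmgr[4021]: A1B2C3D4E9: from=<xq3aebt9z@example.net>, size=2309, nrcpt=1 (queue active)
May 21 19:32:05 mx postfix/qmgr[4021]: A1B2C3D4F0: from=<mrtk5vbl@example.net>, size=2310, nrcpt=1 (queue active)
May 21 19:32:06 mx postfix/qmgr[4021]: A1B2C3D4F1: from=<>, size=1200, nrcpt=1 (queue active)
"""

# Batch B: a handful of real-looking addresses reused across many messages.
STATIC_LOG = """\
May 21 20:01:00 mx postfix/qmgr[4021]: B1B2C3D4E5: from=<alice@example.org>, size=5120, nrcpt=1 (queue active)
May 21 20:01:01 mx postfix/qmgr[4021]: B1B2C3D4E6: from=<bob.smith@example.org>, size=5120, nrcpt=1 (queue active)
May 21 20:01:02 mx postfix/qmgr[4021]: B1B2C3D4E7: from=<alice@example.org>, size=5121, nrcpt=1 (queue active)
May 21 20:01:02 mx postfix/qmgr[4021]: B1B2C3D4E8: from=<carol@example.com>, size=5120, nrcpt=1 (queue active)
May 21 20:01:03 mx postfix/qmgr[4021]: B1B2C3D4E9: from=<bob.smith@example.org>, size=5120, nrcpt=1 (queue active)
May 21 20:01:03 mx postfix/qmgr[4021]: B1B2C3D4F0: from=<alice@example.org>, size=5120, nrcpt=1 (queue active)
May 21 20:01:04 mx postfix/qmgr[4021]: B1B2C3D4F1: from=<carol@example.com>, size=5122, nrcpt=1 (queue active)
"""

SENDER_RE = re.compile(r"from=<([^>]+)>")   # [^>]+ skips the null sender from=<>
VOWELS = set("aeiouy")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-xz]+")


def extract_senders(log_text: str) -> list:
    """Return every non-empty envelope sender, in log order, repeats kept."""
    return [m.group(1).lower() for m in SENDER_RE.finditer(log_text)]


def looks_generated(local_part: str) -> bool:
    """Rough single-address heuristic (an assumption, not a validated rule):
    a local part with under 20% vowels or a run of four or more consonants
    reads like the output of a random string generator rather than a name."""
    lp = local_part.lower()
    letters = [c for c in lp if c.isalpha()]
    if not letters:
        return True  # digits or punctuation only
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN_RE.findall(lp)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4


def profile_pool(senders: list) -> dict:
    """Pool-level statistics: how often addresses repeat, and what share of
    the distinct addresses look generated."""
    if not senders:
        raise ValueError("no senders to profile")
    counts = Counter(senders)
    distinct = list(counts)
    generated = sum(looks_generated(addr.split("@", 1)[0]) for addr in distinct)
    return {
        "total": len(senders),
        "distinct": len(distinct),
        "reuse_ratio": 1 - len(distinct) / len(senders),
        "generated_fraction": generated / len(distinct),
        "top_repeats": counts.most_common(3),
    }


def classify_pool(senders: list, reuse_threshold: float = 0.3,
                  generated_threshold: float = 0.6) -> str:
    """Thresholds are assumptions for illustration.  Heavy reuse points at a
    fixed list; mostly unique, random-looking local parts point at addresses
    generated on the fly."""
    p = profile_pool(senders)
    if p["reuse_ratio"] >= reuse_threshold:
        return "static-list"
    if p["generated_fraction"] >= generated_threshold:
        return "generated"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in (("batch A", GENERATED_LOG), ("batch B", STATIC_LOG)):
        senders = extract_senders(log)
        print(name, classify_pool(senders), profile_pool(senders))
```

Run against a real log the two signals should be read together: the per-address heuristic alone misfires on short names and on generated strings that happen to contain vowels (the constructed `xq3aebt9z` slips past it), while the reuse ratio is only meaningful once a batch is large enough for repeats to be expected.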