Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Backdoor not recognized by Kaspersky
From: "orangganjil" <orangganjil () myway com>
Date: Thu, 4 Mar 2004 13:27:24 -0500 (EST)


One thing that I have not seen discussed in this thread is tarpitting spammers. This has been discussed before on 
BugTraq: 
http://www.securityfocus.com/archive/119/292053/2004-03-01/2004-03-07/1

In addition, there is a neat tool for doing this in conjunction with an MTA, called Spam Cannibal:
http://www.spamcannibal.org

I run a spam tarpit using an e-mail address that should never receive legitimate communications. The MX record for that 
e-mail address points to a tarpited IP with 25/TCP open. When remote mail servers (or zombied DSL/Cable users) connect 
to that tarpit their connection is held and their IP is logged. I have a Perl script that parses the logs and e-mails 
me a diff of the top 50 offenders. Those folks end up being blocked by my firewall from accessing SMTP on my mail 
server. If they are a home user, they can still access my web pages, etc. This goes a long way to decreasing the spam I 
receive, and in addition, my tarpit holds or slows their connection - making it less likely they will move on to the 
next spam recipient.

Test have been done verifying that, in most cases, spam software freezes, hangs, or crashes when tarpitted - forcing 
manual intervention. There are potential ways around this without breaking TCP (if you ignore window size changes you 
are breaking TCP), but all of the work-arounds require manual intervention or slow down the rate of spam and consume 
bandwidth. All of these, even if the software doesn't crash or hang, increase the cost of spamming. Making spam 
unprofitable is the only way to combat it, IMHO.

Thanks.

_______________________________________________
No banners. No pop-ups. No kidding.
Introducing My Way - http://www.myway.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault