[Dshield] Users don't pay attention
craig at xeriom.net
Sat Aug 20 12:56:14 GMT 2005
Forgive me if I'm not too coherent in this reply... I've read it over
a few times but I have a cold and can't even make a cup of tea very
effectively just now.
On 20 Aug 2005, at 03:49, Abuse wrote:
> You can still use another email server. You just need to send your
> email out from your ISP's email server. I do this all the time, the
> FROM: and REPLY-TO: show my email address of the other email system
> but if you look at the headers you can see it did not originate there.
> I have been doing this for years even though I have not been blocked,
> it was just convenient.
You don't have a problem with spam filters that go "wait a minute,
the claimed from and mail origin don't match up... in fact, the from
domain isn't mentioned at all in the received from chain... that
If I receive an email like this I'm unlikely to trust it no matter
who the claimed sender is; it looks like it's been forged.
>> These ISPs will block the useful ports and lock you into their
>> services no problem under the guise of being the superhero of the
>> story but as you say, it's unlikely that they'll ever monitor or
>> block the vast majority of their traffic. It's simply easier to say
>> "It's the bad guys' fault. Now buy our services."
> I DISAGREE loudly.
> I think blocking port 25 is a very good strategy as this blocks most
> of the compromised computers (which is the main source of spam). If
> you want to run your own email server then set it up to relay all of
> your outbound through your ISP's email server. You can still receive
> email directly into your email server without any problems.
> Please explain to me why this does not work?
You're talking about using a personal local mail server within the
ISP's network; I'm talking about using a mail server that is outside
your ISP's network (as is common with a lot of hosting packages and
commercial email packages). Your traffic is blocked before it gets to
the desired server so there's no chance of relaying it back to the
funnel server. You're stuck setting the From: and Reply-To: headers
and as I pointed out above, some spam filters don't like that.
Blocking the port except for a filter server is a reasonable idea -
as you say, it'll reduce exposure to the compromised nodes - but the
end user doesn't care about that. They just want to send email
through the external email account that they've paid for. They want
to stop spam coming into their inbox and are unconcerned about the
garbage that flows out. They're looking for an ISP that allows them
to use the external mail server and suddenly blocking outgoing port
25 isn't profitable for the ISP.
As the number of ISPs that do block this port gets larger it's just a
matter of time before some list is drawn up of "ISP X uses mail funnel
aa.bb.cc.dd so send all mail through there". Sure, the victim will
get their line shut down, but only after a day or so of sending spam
and by that time the worm has already infected several other
computers. You could say that this is what the end user deserves for
not keeping their computer clean but they'll just stare at you
blankly and get an account at another ISP; one which doesn't
block/funnel the port.
In this case I'm considering an end user to be Joe Sixpack, not a
member of this list.
There's a list of md5 collisions being compiled - why not this?
It's a little more dynamic and a lot more profitable.
Craig Webster | e:craig at xeriom.net | if($monkey && $beer)
Xeriom.NET | web: http://xeriom.net/ | $monkey->dance();
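The spam-filter heuristic Craig describes (the From: domain never appearing in the Received: chain) written out as an added Python example; this is not code from the list post, and the sample messages, hosts and addresses in it are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail). In the first, From: claims
# example.org but every Received: hop belongs to the ISP that relayed it.
SAMPLE_RELAYED = """\
Received: from mail-in.isp.example (mail-in.isp.example [192.0.2.10])
        by mx.recipient.example with ESMTP; Sat, 20 Aug 2005 12:00:00 +0000
Received: from relay.isp.example (relay.isp.example [192.0.2.20])
        by mail-in.isp.example with ESMTP; Sat, 20 Aug 2005 11:59:58 +0000
From: Craig <craig@example.org>
To: list@example.net
Subject: relayed via the ISP funnel

body
"""

# Here the first hop is a host inside the sender's own domain.
SAMPLE_DIRECT = """\
Received: from mail.example.org (mail.example.org [203.0.113.5])
        by mx.recipient.example with ESMTP; Sat, 20 Aug 2005 12:00:00 +0000
From: Craig <craig@example.org>
To: list@example.net
Subject: sent from the domain's own server

body
"""

HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def received_hosts(msg):
    """Hostnames/IPs named in the 'from' clause of every Received: header."""
    hosts = []
    for value in msg.get_all("Received", []):
        # Only the part before 'by' describes where the hop came from.
        from_clause = re.split(r"\s+by\s+", value, maxsplit=1, flags=re.I)[0]
        hosts.extend(h.lower() for h in HOST_RE.findall(from_clause))
    return hosts

def from_domain_in_chain(raw):
    """Return (from_domain, True if some Received: hop lies in that domain)."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hosts = received_hosts(msg)
    seen = any(h == domain or h.endswith("." + domain) for h in hosts)
    return domain, seen
```

The check is deliberately crude, which is the thread's point: mail legitimately sent through an ISP's smarthost or a hosting provider's relay looks exactly like the first sample, so a filter that acts on this alone will also penalise honest senders.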