[Dshield] Users don't pay attention
abuse at what4now.com
Sat Aug 20 23:25:30 GMT 2005
** Reply to message from Craig Webster <craig at xeriom.net> on Sat, 20 Aug 2005
> On 20 Aug 2005, at 03:49, Abuse wrote:
> > You can still use another email server. You just need to send your
> > email out from your ISP's email server. I do this all the time; the FROM:
> > and REPLY-TO: show my email address of the other email system, but if you
> > look at the headers you can see it did not originate there. I have been
> > doing this for years even though I have not been blocked; it was just
> > convenient.
> You don't have a problem with spam filters that go "wait a minute,
> the claimed from and mail origin don't match up... in fact, the from
> domain isn't mentioned at all in the received from chain... that
> looks faked?"
No, I have not had any problems.
> If I receive an email like this I'm unlikely to trust it no matter
> who the claimed sender is; it looks like it's been forged.
I do not think it likely that anyone checks that the email server domain name
is the same as the sender's domain. My guess is that if they did that, 25% to
30% (if not more) of the email would be blocked.
> >> These ISPs will block the useful ports and lock you into their
> >> services no problem under the guise of being the superhero of the
> >> story but as you say, it's unlikely that they'll ever monitor or
> >> block the vast majority of their traffic. It's simply easier to say
> >> "It's the bad guys' fault. Now buy our services."
> > I DISAGREE loudly.
> > I think blocking port 25 is a very good strategy as this blocks most of
> > the compromised computers (which are the main source of spam). If you
> > want to run your own email server then set it up to relay all of your
> > outbound email through your ISP's email server. You can still receive
> > email directly into your email server without any problems.
> > Please explain to me why this does not work?
> You're talking about using a personal local mail server within the
> ISP's network; I'm talking about using a mail server that is outside
> your ISP's network (as is common with a lot of hosting packages and
> commercial email packages). Your traffic is blocked before it gets to
> the desired server so there's no chance of relaying it back to the
> funnel server. You're stuck setting the From: and Reply-To: headers
> and as I pointed out above, some spam filters don't like that.
Yes, here I was talking about a personal email server. But up above that I was
talking about using my email client to send email, through my ISP's email
server, and having the FROM: be for a different domain. Most people do not
look at the headers and will never know that the email was not sent from the
domain referred to in the FROM:.
> Blocking the port except for a filter server is a reasonable idea -
> as you say, it'll reduce exposure to the compromised nodes - but the
> end user doesn't care about that. They just want to send email
> through the external email account that they've paid for. They want
> to stop spam coming into their inbox and are unconcerned about the
> garbage that flows out. They're looking for an ISP that allows them
> to use the external mail server and suddenly blocking outgoing port
> 25 isn't profitable for the ISP.
The normal user will never send email except through their own ISP because they
do not know it can be done any other way.
> As the number of ISPs that do block this port gets larger it's just a
> matter of time before some list is drawn up of ISP X uses mail funnel
> aa.bb.cc.dd so send all mail through there. Sure, the victim will
> get their line shut down, but only after a day or so of sending spam
> and by that time the worm has already infected several other
> computers. You could say that this is what the end user deserves for
> not keeping their computer clean but they'll just stare at you
> blankly and get an account at another ISP; one which doesn't block/
> funnel the port.
> In this case I'm considering an end user to be Joe Sixpack, not a
> member of this list.
Joe Sixpack is not going to know anything has changed because he is only going
to send through his ISP.
> There's a list of md5 collisions being compiled - why not this?
> It's a little more dynamic and a lot more profitable.
I do not know. It may not be too long before MD5 (or SHA1) is not used because
of its problems.
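The filter heuristic debated above ("the from domain isn't mentioned at all in the received from chain") can be written down in a few lines. The script below is an added example, not code from either poster or from the DShield list; the two messages it inspects are constructed samples with documentation-range addresses, and the host names (smtp.isp.example, hosted.example, mx.recipient.example) are assumptions. It extracts the From: domain, walks every Received: header, and reports whether that domain shows up as a "from" or "by" host anywhere in the chain. The first sample is the case the author describes (a hosted-domain From: sent out through the ISP's relay); the second is mail that really left the From: domain's own server.

```python
"""Check whether a message's From: domain appears in its Received: chain.

Added example implementing the naive "From: domain vs. Received: chain"
heuristic discussed in the thread. Sample messages below are constructed,
not captured mail; host names and addresses are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: client on an ISP line, From: on a hosted domain,
# relayed through the ISP's outbound server (the author's own setup).
RELAYED_THROUGH_ISP = """\
Received: from smtp.isp.example (smtp.isp.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id abc123
\tfor <bob@recipient.example>; Sat, 20 Aug 2005 23:25:30 GMT
Received: from [192.0.2.55] (dsl-55.isp.example [192.0.2.55])
\tby smtp.isp.example with ESMTP id def456; Sat, 20 Aug 2005 23:25:00 GMT
From: Alice <alice@hosted.example>
Reply-To: alice@hosted.example
To: bob@recipient.example
Subject: test

body
"""

# Constructed sample 2: mail that actually left the From: domain's server.
DIRECT_FROM_DOMAIN = """\
Received: from mail.hosted.example (mail.hosted.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id ghi789; Sat, 20 Aug 2005 23:30:00 GMT
From: Alice <alice@hosted.example>
To: bob@recipient.example
Subject: test

body
"""


def from_domain(raw: str) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_hosts(raw: str) -> list[str]:
    """Host names named in the 'from ...' and 'by ...' clauses of every
    Received: header, in header order (topmost, i.e. most recent hop, first).
    Bracketed literal IPs after 'from' are deliberately skipped."""
    msg = message_from_string(raw)
    hosts = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        hosts += re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", flat)
    return [h.lower() for h in hosts]


def from_domain_in_chain(raw: str) -> bool:
    """True if any Received: host is the From: domain or a host under it."""
    dom = from_domain(raw)
    if not dom:
        return False
    return any(h == dom or h.endswith("." + dom) for h in received_hosts(raw))


if __name__ == "__main__":
    for name, raw in (("relayed-through-ISP", RELAYED_THROUGH_ISP),
                      ("direct-from-domain", DIRECT_FROM_DOMAIN)):
        verdict = "consistent" if from_domain_in_chain(raw) else "MISMATCH"
        print(f"{name}: From={from_domain(raw)} chain={received_hosts(raw)} -> {verdict}")
```

Run as-is, the first sample is flagged and the second passes. The flagged case is exactly the legitimate traffic the author has in mind, which is why this check on its own is a poor spam signal: hosted domains, ISP relays and forwarders all break the "From: host must appear in Received:" assumption, and a receiver that enforced it strictly would reject a large share of ordinary mail. It is useful as one weak signal alongside others, not as a blocking rule.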