[Dshield] Users don't pay attention

Abuse abuse at what4now.com
Sat Aug 20 23:25:30 GMT 2005


** Reply to message from Craig Webster <craig at xeriom.net> on Sat, 20 Aug 2005
13:56:14 +0100

> On 20 Aug 2005, at 03:49, Abuse wrote:
> > You can still use another email server.  You just need to send your
> > email out from your ISP's email server.  I do this all the time, the FROM:,
> > and REPLY-TO: show my email address of the other email system but if you
> > look at the headers you can see it did not originate there.  I have been
> > doing this for years even though I have not been blocked, it was just
> > convenient.
> 
> You don't have a problem with spam filters that go "wait a minute,  
> the claimed from and mail origin don't match up... in fact, the from  
> domain isn't mentioned at all in the received from chain... that  
> looks faked?"

No, I have not had any problems.


> If I receive an email like this I'm unlikely to trust it no matter  
> who the claimed sender is; it looks like it's been forged.

I do not think it likely that anyone checks that the email server domain name
is the same as the sender's domain.  My guess is that if they did that 25% to
30% (if not more) of the email would be blocked.


> >> These ISPs will block the useful ports and lock you into their
> >> services no problem under the guise of being the superhero of the
> >> story but as you say, it's unlikely that they'll ever monitor or
> >> block the vast majority of their traffic. It's simply easier to say
> >> "It's the bad guys fault. Now buy our services."
> > I DISAGREE loudly.
> >
> > I think blocking port 25 is a very good strategy as this blocks most of the
> > compromised computers (which is the main source of spam).  If you want to
> > run your own email server then set it up to relay all of your outbound
> > email through your ISP's email server.  You can still receive email
> > directly into your email server without any problems.
> >
> > Please explain to me why this does not work?
> 
> You're talking about using a personal local mail server within the
> ISP's network; I'm talking about using a mail server that is outside
> your ISP's network (as is common with a lot of hosting packages and
> commercial email packages). Your traffic is blocked before it gets to
> the desired server so there's no chance of relaying it back to the
> funnel server. You're stuck setting the From: and Reply-To: headers
> and as I pointed out above, some spam filters don't like that.

Yes, here I was talking about a personal email server.  But up above that I was
talking about using my email client to send email, through my ISP's email
server, and having the FROM: being for a different domain.  Most people do not
look at the headers and will never know that the email was not sent from the
domain referred to in the FROM:.


> Blocking the port except for a filter server is a reasonable idea -
> as you say, it'll reduce exposure to the compromised nodes - but the
> end user[1] doesn't care about that. They just want to send email
> through the external email account that they've paid for. They want
> to stop spam coming into their inbox and are unconcerned about the
> garbage that flows out. They're looking for an ISP that allows them
> to use the external mail server and suddenly blocking outgoing port
> 25 isn't profitable for the ISP.

The normal user will never send email except through their own ISP because they
do not know it can be done any other way.


> As the number of ISPs that do block this port gets larger it's just a
> matter of time before some list is drawn up of ISP X uses mail funnel
> aa.bb.cc.dd so send all mail through there[2]. Sure, the victim will
> get their line shut down, but only after a day or so of sending spam
> and by that time the worm has already infected several other
> computers. You could say that this is what the end user deserves for
> not keeping their computer clean but they'll just stare at you
> blankly and get an account at another ISP; one which doesn't
> block/funnel the port.
> 
> [1] In this case I'm considering an end user to be Joe Sixpack, not a  
> member of this list.

Joe Sixpack is not going to know anything has changed because he is only going
to send through his ISP.


> [2] There's a list of md5 collisions being compiled - why not this?  
> It's a little more dynamic and a lot more profitable.

I do not know.  It may not be too long before MD5 (or SHA1) is not used because
of its problems.
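The filter rule the two of them are arguing about (does the From: domain appear anywhere in the Received: chain, or was the message relayed through an unrelated server?) can be written down as a small header check. The code below is an added example, not part of the thread or of anything DShield or the participants published. It assumes a simple suffix-match rule and uses constructed messages with placeholder hostnames (isp.example, other.example, recipient.example), one relayed through the ISP's smarthost the way the "Abuse" poster describes, one delivered directly from the From: domain's own server.

```python
"""Flag mail whose From: domain never appears in its Received: chain.

Added example for the DShield thread above; not the list's or posters' code.
The rule is an assumption: a message is an "origin mismatch" when no
Received: header names a host in (or under) the From: domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: submitted via the ISP's relay (isp.example) while
# From: names a different domain (other.example). Hosts/IPs are placeholders.
SAMPLE_RELAYED = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
    by mx.recipient.example with ESMTP id abc123
    for <bob@recipient.example>; Sat, 20 Aug 2005 13:00:00 +0100
Received: from client-pc.isp.example (dhcp-42.isp.example [198.51.100.42])
    by mail.isp.example with ESMTP id def456; Sat, 20 Aug 2005 12:59:58 +0100
From: alice@other.example
Reply-To: alice@other.example
To: bob@recipient.example
Subject: test

hello
"""

# Constructed sample: handed over directly by a server in the From: domain.
SAMPLE_DIRECT = """\
Received: from mail.other.example (mail.other.example [203.0.113.5])
    by mx.recipient.example with ESMTP id ghi789
    for <bob@recipient.example>; Sat, 20 Aug 2005 13:00:00 +0100
From: alice@other.example
To: bob@recipient.example
Subject: test

hello
"""

# The sending host is the token after "from" in each Received: header.
HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hosts(raw):
    """Return the 'from <host>' names of every Received: header, newest first."""
    msg = message_from_string(raw)
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = HOST_RE.search(hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def from_domain(raw):
    """Domain part of the From: address (empty string if absent/unparseable)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def origin_mismatch(raw):
    """True when no Received: host is in or under the From: domain."""
    dom = from_domain(raw)
    if not dom:
        return True  # no usable From: at all; treat as suspicious
    for host in received_hosts(raw):
        if host == dom or host.endswith("." + dom):
            return False
    return True


if __name__ == "__main__":
    for name, raw in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        print(name, "hosts:", received_hosts(raw),
              "mismatch:", origin_mismatch(raw))
```

Run as-is, the relayed sample is flagged and the direct one is not. That is exactly the disagreement in the thread: the rule does catch the "forged-looking" case Craig describes, but it also flags every legitimate message sent out through an ISP smarthost with a third-party From:, which is what the other poster does daily. A filter that uses this check is therefore better treated as one scoring input alongside other evidence than as a hard reject.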

