Re: Bankshot backscatter: a philosophical question

From: Leeman Strout (l.strout@agilixcorp.com)
Date: Mon Feb 07 2005 - 12:22:42 CST


Sheldon T. Hall wrote:
> As a preliminary defense against viruses and other malware, I have some body
> and header checks that reject messages with various content types, HTML
> elements, etc. In all cases they REJECT the message. This works fine, in
> that the message containing the crap is immediately rejected and I'm not
> generating any backscatter.
>
> However, I've begun to see a change in the way these messages are presented.
> They used to come directly from an infected PC, but they are now coming from
> real mailservers. Should I continue to reject them, knowing that the
> putative "sender" is probably a forgery, and the mailserver is thus likely
> to "return" the message to some innocent third party?
>
> Here's a log example, with comments...
>
> [Original message presented by a real mailserver, so it gets greylisted...]
>
> Feb 6 12:00:54 6C:tandem postfix_greyd: 8D47BC2D24: adding
> 62.173.164/someuser@rodax.net/aquaman@tandem.artell.net in 4 minutes for 1
> day
>
> [SAV confirms that the sender address is legit...]
>
> Feb 6 12:00:56 6C:tandem postfix/smtp[26367]: DE16CC2D25:
> to=<someuser@rodax.net>, relay=mail.rodax.net[62.173.164.27], delay=2,
> status=deliverable (250 Ok)
>
> [The greylister sends a 450 ...]
>
> Feb 6 12:01:06 6C:tandem postfix/smtpd[26361]: 8D47BC2D24: reject: DATA
> from mail.rodax.it[62.173.164.27]: 450 <DATA>: Data command rejected:
> Temporarily busy, try again in 4 minutes; from=<someuser@rodax.net>
> to=<aquaman@tandem.artell.net> proto=ESMTP helo=<mail.rodax.it>
>
> [The sender's mailserver calls back, and passes the greylister ...]
>
> Feb 6 12:05:43 6C:tandem postfix_greyd: BB0B0C2D24: found
> 62.173.164/someuser@rodax.net/aquaman@tandem.artell.net DUNNO
>
> [But he's sent me crap, so I reject it... < changed to [ in HTML tag]
>
> Feb 6 12:05:44 6C:tandem postfix/cleanup[26452]: BB0B0C2D24: reject: body
> [iframe src=3D"cid:surqcqlrrnoxq" height=3D0 width=3D0> from
> mail.rodax.it[62.173.164.27]; from=<someuser@rodax.net>
> to=<aquaman@tandem.artell.net> proto=ESMTP helo=<mail.rodax.it>: Unsupported
> HTML (rule 5)
>
> [He tries again ...]
>
> Feb 6 12:20:26 6C:tandem postfix_greyd: 855C7C2D24: found
> 62.173.164/someuser@rodax.net/aquaman@tandem.artell.net DUNNO
>
> [Different crap this time, but it gets rejected, too...]
>
> Feb 6 12:20:28 6C:tandem postfix/cleanup[26589]: 855C7C2D24: reject: header
> Content-Type: application/x-msdownload; name="install2.exe" from
> mail.rodax.it[62.173.164.27]; from=<someuser@rodax.net>
> to=<aquaman@tandem.artell.net> proto=ESMTP helo=<mail.rodax.it>: Disallowed
> attachment type. File "install2.exe" has the unacceptable extension "exe" -
> Zip it!
>
> Now, I haven't generated any backscatter, but I'm betting mail.rodax.it is
> going to send those two rejected messages "back" to someuser@rodax.net. I'm
> also betting those two messages came from someone else, so
> someuser@rodax.net is going to be mystified or annoyed, at best. I suppose
> he might get _his_ PC infected by the returned messages, depending on what
> mail.rodax.net does with them and how someuser@rodax.net has his machine set
> up.
>
> So ... as a matter of good citizenship, should I be doing something else
> with this sort of crap rather than REJECTing it?
>
> Thanks.
>
> -Shel
>
>

Infected PCs are now using ISP mail servers as relays in an attempt to
get around ISP network filters. This also has the effect of rendering
greylisting less effective... probably some other things in there too.

This is why it's coming through proper mail servers now. :(

Leeman
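An added example, not part of the thread and not Postfix or greylister code: a small Python parser that groups log lines of the shape Shel quoted by queue id and reports, for each message, the stage at which it was stopped and whether the client retried past greylisting. A 450 at DATA or a cleanup-time body/header REJECT both happen inside our own SMTP session, so our server never accepts the message and never bounces it; the case Shel worries about is the retry past greylisting, which shows a queueing MTA on the other end that has already accepted the message from its client and may "return" our rejection to the (probably forged) envelope sender. The hostname, queue ids and the two trailing non-reject lines are constructed; the log format mirrors the quoted lines.

```python
import re

# Constructed sample, modelled on the lines quoted in the thread. The last two
# lines are an ordinary accepted message, to show they are ignored.
SAMPLE_LOG = """\
Feb 6 12:00:54 mx1 postfix_greyd: 8D47BC2D24: adding 62.173.164/someuser@rodax.net/aquaman@tandem.artell.net in 4 minutes for 1 day
Feb 6 12:01:06 mx1 postfix/smtpd[26361]: 8D47BC2D24: reject: DATA from mail.rodax.it[62.173.164.27]: 450 <DATA>: Data command rejected: Temporarily busy, try again in 4 minutes; from=<someuser@rodax.net> to=<aquaman@tandem.artell.net> proto=ESMTP helo=<mail.rodax.it>
Feb 6 12:05:43 mx1 postfix_greyd: BB0B0C2D24: found 62.173.164/someuser@rodax.net/aquaman@tandem.artell.net DUNNO
Feb 6 12:05:44 mx1 postfix/cleanup[26452]: BB0B0C2D24: reject: body <iframe src=3D"cid:surqcqlrrnoxq" height=3D0 width=3D0> from mail.rodax.it[62.173.164.27]; from=<someuser@rodax.net> to=<aquaman@tandem.artell.net> proto=ESMTP helo=<mail.rodax.it>: Unsupported HTML (rule 5)
Feb 6 12:20:26 mx1 postfix_greyd: 855C7C2D24: found 62.173.164/someuser@rodax.net/aquaman@tandem.artell.net DUNNO
Feb 6 12:20:28 mx1 postfix/cleanup[26589]: 855C7C2D24: reject: header Content-Type: application/x-msdownload; name="install2.exe" from mail.rodax.it[62.173.164.27]; from=<someuser@rodax.net> to=<aquaman@tandem.artell.net> proto=ESMTP helo=<mail.rodax.it>: Disallowed attachment type
Feb 6 12:30:00 mx1 postfix/smtpd[26600]: 1234ABCD00: client=mail.example.org[198.51.100.7]
Feb 6 12:30:01 mx1 postfix/cleanup[26601]: 1234ABCD00: message-id=<x@example.org>
"""

# syslog prefix, program (with optional [pid]), Postfix queue id, remainder
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w/]+)(?:\[\d+\])?: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"from (?P<chost>[\w.-]+)\[(?P<cip>[\d.]+)\]")
SENDER_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
HELO_RE = re.compile(r"helo=<(?P<helo>[^>]*)>")


def parse_event(line):
    """Return (queue id, event dict) for a greylister or reject line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    prog, rest = m.group("prog"), m.group("rest")
    ev = {"prog": prog, "kind": None, "stage": None}
    if prog == "postfix_greyd":
        if rest.startswith("adding "):
            ev["kind"] = "greylist-tempfail"   # first contact: client told to retry
        elif rest.startswith("found ") and rest.endswith(" DUNNO"):
            ev["kind"] = "greylist-passed"     # client came back, greylister steps aside
        else:
            return None
    elif prog == "postfix/smtpd" and rest.startswith("reject: "):
        code = re.search(r": (\d{3}) ", rest)
        ev["kind"] = "smtp-tempfail" if code and code.group(1)[0] == "4" else "smtp-reject"
        ev["stage"] = rest.split(" ", 2)[1]   # SMTP command, e.g. DATA
    elif prog == "postfix/cleanup" and rest.startswith("reject: "):
        ev["kind"] = "content-reject"
        ev["stage"] = rest.split(" ", 2)[1]   # "body" or "header" check
    else:
        return None
    for rx in (CLIENT_RE, SENDER_RE, HELO_RE):
        mm = rx.search(rest)
        if mm:
            ev.update(mm.groupdict())
    return m.group("qid"), ev


def summarize(log_text):
    """Group events per queue id and decide how each message ended."""
    msgs = {}
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is not None:
            qid, ev = parsed
            msgs.setdefault(qid, []).append(ev)
    out = {}
    for qid, events in msgs.items():
        kinds = [e["kind"] for e in events]
        final = events[-1]
        out[qid] = {
            "outcome": final["kind"],
            "stage": final["stage"],
            "client": final.get("chost"),
            "sender": final.get("sender"),
            "passed_greylist": "greylist-passed" in kinds,
            # Every outcome above is issued inside our SMTP session, so we never
            # accept the message and never bounce it ourselves. A content reject
            # after a successful greylist retry, though, means a queueing MTA has
            # already accepted the message from its client; that relay is the one
            # that may bounce our rejection to the envelope sender.
            "relay_may_bounce": final["kind"] == "content-reject"
                                and "greylist-passed" in kinds,
        }
    return out


if __name__ == "__main__":
    for qid, s in summarize(SAMPLE_LOG).items():
        print(qid, s["outcome"], s["stage"], "relay_may_bounce=%s" % s["relay_may_bounce"])
```

Run against real mail logs, the `relay_may_bounce` flag picks out exactly the messages Shel describes: content rejects from clients that behaved like proper queueing mailservers. It does not change the decision to REJECT, which still keeps our own server out of the backscatter business; it only makes the volume of the problem visible.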