[LINK] RFI: Spambot Architecture
Scott Howard
scott at doc.net.au
Thu Aug 23 20:36:14 AEST 2007
On Thu, Aug 23, 2007 at 03:55:10PM +1000, Stilgherrian wrote:
> > I've always assumed that malware designed to despatch spam from
> > zombie'd devices scattered around the world would generate the
> > messages itself, and would not rely in any way on the device's own
> > email-client.
>
> So any bot can therefore just issue MAPI calls to send email.
They can, but in general, they don't - with only very (very) few
exceptions.
Bot-net owners don't want to lose their networks, but sending via MAPI/
standard "smarthost" mail servers will very quickly cause this to occur -
the spam becomes much more visible than if it was sent directly from the
malware-infected PC. Would you notice if one of your PCs got onto one
of the popular RBLs? Probably not. What about if your mail server did?
Almost certainly you would.
There is a trade-off for that of course - some systems will not be able
to connect directly to the internet, so will be unable to send spam. In
general, on a global level, the percentage of systems in this category
is sufficiently small to make sending direct the best option.
For the most part Viruses are different - many of them do send via MAPI,
because generally virus writers aren't as concerned with the infected
systems being detected as botnet/malware writers are.
If you want to help partially fix the problem, make sure you're blocking
outbound port 25 requests to the Internet unless you've got a (very!)
good reason not to. Many ISPs do this now, and it's one of the reasons
that the percentage of spam originating in Australia is dropping, but
I'm still amazed how many corporates don't!
Scott.
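The egress filtering Scott recommends also gives defenders a detection signal: a desktop that reaches many different external hosts on TCP/25 is behaving like a direct-to-MX spambot, whether or not the firewall let it through. Added example, not part of the original post: Python that flags such hosts in a constructed firewall log; the LAN range, smarthost address and log line format are hypothetical.

```python
"""Flag internal hosts making direct outbound SMTP (TCP/25) connections."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical office LAN and the one host allowed to talk SMTP to the Internet.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_SMTP_SENDERS = {"192.0.2.25"}

# Constructed log format: "<ts> ACCEPT|DROP TCP src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: .25 is the smarthost, .77 looks like a spambot,
# .80 is ordinary HTTPS, .91 made one blocked attempt.
SAMPLE_LOG = """\
2007-08-23T10:00:01 ACCEPT TCP src=192.0.2.25 dst=198.51.100.10 dport=25
2007-08-23T10:00:02 ACCEPT TCP src=192.0.2.25 dst=198.51.100.11 dport=25
2007-08-23T10:00:03 ACCEPT TCP src=192.0.2.77 dst=203.0.113.5 dport=25
2007-08-23T10:00:03 ACCEPT TCP src=192.0.2.77 dst=203.0.113.9 dport=25
2007-08-23T10:00:04 ACCEPT TCP src=192.0.2.77 dst=203.0.113.44 dport=25
2007-08-23T10:00:05 ACCEPT TCP src=192.0.2.77 dst=192.0.2.25 dport=25
2007-08-23T10:00:06 ACCEPT TCP src=192.0.2.80 dst=203.0.113.80 dport=443
2007-08-23T10:00:07 DROP TCP src=192.0.2.91 dst=203.0.113.7 dport=25
"""


def direct_smtp_senders(log_text, min_destinations=2):
    """Return {src: sorted external port-25 destinations} for hosts that are
    not allowed senders and contacted at least min_destinations MX hosts.
    DROP lines count too: a blocked attempt is still a sign of infection."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "25":
            continue
        src, dst = m["src"], m["dst"]
        if src in ALLOWED_SMTP_SENDERS:
            continue
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue  # submitting to the internal smarthost is expected
        seen[src].add(dst)
    return {s: sorted(d) for s, d in seen.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for host, mxs in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host} contacted {len(mxs)} external MX hosts directly: {mxs}")
```

Lowering `min_destinations` to 1 also surfaces hosts whose single attempt was dropped by the egress filter, which is the alerting level worth running once the port-25 block is in place.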