[LINK] RFI: Spambot Architecture
Craig Sanders
cas at taz.net.au
Fri Aug 24 12:39:10 AEST 2007
On Thu, Aug 23, 2007 at 04:00:48PM +0930, Glen Turner wrote:
> The spam-bot designer has a Hobson's Choice.
>
> 1) Use its own SMTP implementation
> 2) Use the user's mail client or its API
>
> (1) is attractive for the reasons you notice, but most corporate
> mail clients can't mail to the outside world directly -- they go
> via a corporate mail server and direct use of SMTP with the
> outside world is blocked by the firewall.
>
> Generally, the spambot doesn't know enough to work out where the
> corporate mail relay is, what type it is (MAPI v SMTP v Submission)
> or have enough info to authenticate. Users themselves have enough
> trouble working all this out.
>
> So (2) starts to look attractive.
from a spammer's POV, the big downside to (2) is that it then makes
their spam subject to any and all filtering done on both the client
machine AND the client's mail relay server.
things may be changing now, but this was one of the big reasons why
spamware always used its own SMTP implementation (it's a very simple
protocol and very easy to implement), rather than either misusing a
local mail client or trying to discover the local machine's outbound
mail relay.
as you say, many firewalls block outbound port 25, and many recipient
mail servers use a DUL blacklist to reject incoming mail direct from
dynamic/dialup IP addresses - this may be influencing a change towards
abusing the local mail service.
if so, it's a good thing because it forces the spam to go through the
local mail server where it can be detected and trashed before it gets
sent (which is precisely why spammers didn't do this in the past).
craig
--
craig sanders <cas at taz.net.au>
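The DUL check Craig mentions, as an added illustration that is not part of this thread: a receiving mail server reverses the connecting IPv4 address, looks it up under the blocklist's DNS zone, and rejects direct-to-MX connections from listed dynamic space while letting a known relay through. The zone name, the stubbed resolver and the sample addresses are all constructed placeholders; a real deployment would use the list operator's published zone and a real DNS lookup.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Placeholder zone; real DUL-style lists publish their own lookup zone.
DUL_ZONE = "dul.example.invalid"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBLs answer in 127/8


def dnsbl_query_name(ip: str, zone: str = DUL_ZONE) -> str:
    """Build the lookup name: IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dul_listed(ip: str, resolve: Callable[[str], Optional[str]],
               zone: str = DUL_ZONE) -> bool:
    """True when the list answers with an A record inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:  # NXDOMAIN: not listed
        return False
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def smtp_connect_policy(client_ip: str, trusted_relays: Iterable[str],
                        resolve: Callable[[str], Optional[str]],
                        zone: str = DUL_ZONE) -> str:
    """Decide the reply for a client that just connected on port 25.

    Known relays (e.g. the provider's or corporation's outbound server)
    bypass the check, so only mail sent straight from dynamic/dialup
    space is turned away with a permanent SMTP rejection."""
    client = ipaddress.IPv4Address(client_ip)
    if client in {ipaddress.IPv4Address(r) for r in trusted_relays}:
        return "accept"
    if dul_listed(client_ip, resolve, zone):
        return "550 5.7.1 dynamic address; relay via your provider's mail server"
    return "accept"


# Constructed DNS answers standing in for a real lookup: only 192.0.2.10 is listed.
FAKE_DNS = {dnsbl_query_name("192.0.2.10"): "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", smtp_connect_policy(ip, ["203.0.113.5"], fake_resolve))
```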