Re: [RBL] Current status?
- From: "John E. Malmberg" <wb8tyw@xxxxxxxxxxx>
- Date: Mon, 01 Sep 2008 16:40:25 GMT
David J Dachtera wrote:
> Phillip Helbig---remove CLOTHES to reply wrote:
>> In article <48b43770@xxxxxxxxxxxxxxxxxxx>, peter@xxxxxxxxxxxxxx (Peter
>> 'EPLAN' LANGSTOeGER) writes:
>>> What is the current status of RBLs?
>>> Which one do you use?
>> I've been using Spamhaus as my only RBL for a while now. Seems to work
>> fine. I get a few thousand SMTP connection attempts per day. Perhaps 5
>> spam emails per day get through. Although something like this is
>> difficult to detect, I don't think false positives are a problem.
> Actually, false positives are a *BIG* problem! Fortunately, on the VMS
> systems we just de-implemented, all of the important pages were sent by
> HTTP using WGET (Thanx, SMS, for a very useful solution!)
> *ALL* of the AIX pages are sent via SMTP, and our paging provider uses
> spamhaus, also. SO, when we get a lone PC inside the firewall that gets
> infected due to unsafe surfing and starts blasting spam all over the
> known universe, our physician and other caregivers as well as our
> technical people stop getting important messages by pager.
> So yes, false positives are all too common and immediately become a
> *HUGE* problem!
I posted at least a year ago that some of the dsbl.org testers had discovered a virus / spambot infection that was not detectable by the commercial virus scanners at the time.
The only way to detect this infection is to monitor attempts to send e-mail directly through a firewall instead of through the designated SMTP gateway.
Of course, in some areas of this country, having a system infected with a virus where an unknown bot-master was in control, anyone whose personal data could have been accessed needs to be notified.
And these days, it must be assumed that if a PC was infected with a virus, the purpose was to inject a remote control program for various criminal activities.
http://www.spamhaus.org/news.lasso?article=636
A corporate firewall should be detecting and setting off security alarms when a non-mail server attempts to make a direct SMTP connection through it.
Another technique to use is a Samba server configured to look like a vulnerable PC to see what systems attempt to infect it.
And Corporate/Educational network owners should consider being suspicious of any outgoing e-mail with reply-to addresses for any of the free/demo e-mailers:
hotmail.com, live.com, live.ca, live.co.uk, live.*
aol.com, games.com, aim.com, aol.*
voila.fr, myway.com, gazeta.pl
yahoo.com, rocketmail.com, ymail.com, yahoo.*
gmail.com, googlemail.com
The only e-mails that I have seen outside of mailing list traffic with explicit reply-to addresses of the above have been Nigerian 419 scam variants where it appears that the scammer has somehow acquired the e-mail credentials of a legitimate user on the network, and is using remote authenticated access.
-John
wb8tyw@xxxxxxxxxxx
Personal Opinion Only
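The two checks John describes above, direct SMTP connections from non-gateway hosts and outbound mail whose Reply-To points at a free/demo mailer, written out as an added Python example. This is not code from the post or from any product mentioned in the thread; the netfilter-style log line format, the gateway address 10.0.0.25, the internal network ranges, the sample addresses and the inclusion of port 587 alongside 25 are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumption: one designated SMTP gateway; no other LAN host should ever
# open a connection to a remote mail port through the firewall.
SMTP_GATEWAYS = {ip_address("10.0.0.25")}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MAIL_PORTS = {25, 587}  # assumption: treat the submission port like SMTP

# Reply-To domains listed in the post; the "live.*" style entries become
# prefix matches on the domain.
FREE_MAIL_EXACT = {
    "hotmail.com", "games.com", "aim.com",
    "voila.fr", "myway.com", "gazeta.pl",
    "rocketmail.com", "ymail.com", "gmail.com", "googlemail.com",
}
FREE_MAIL_PREFIXES = ("live.", "aol.", "yahoo.")

# Constructed netfilter/iptables-style LOG line layout (an assumption).
_LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+.*?PROTO=TCP\s+.*?DPT=(?P<dpt>\d+)"
)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def direct_smtp_attempts(log_lines):
    """Return (src, dst, port) for outbound mail-port connections that did
    not originate from a designated gateway. Each hit is a host to look at,
    whatever the desktop antivirus says."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst, dpt = ip_address(m["src"]), ip_address(m["dst"]), int(m["dpt"])
        if dpt not in MAIL_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only LAN -> outside traffic matters for this check
        if src in SMTP_GATEWAYS:
            continue
        hits.append((str(src), str(dst), dpt))
    return hits


def is_free_mail_domain(domain):
    d = domain.lower()
    return d in FREE_MAIL_EXACT or d.startswith(FREE_MAIL_PREFIXES)


def suspicious_reply_to(raw_message):
    """Return the Reply-To domain when it belongs to a free/demo mailer
    from the list above, otherwise None."""
    msg = message_from_string(raw_message)
    reply_to = msg.get("Reply-To")
    if not reply_to:
        return None
    _, addr = parseaddr(reply_to)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1]
    return domain if is_free_mail_domain(domain) else None


# Constructed sample data: one gateway connection, one infected-looking PC,
# one unrelated web connection, one submission-port attempt.
SAMPLE_LOG = [
    "Sep  1 16:40:25 fw kernel: OUT=eth1 SRC=10.0.0.25 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN",
    "Sep  1 16:40:26 fw kernel: OUT=eth1 SRC=10.1.2.3 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN",
    "Sep  1 16:40:27 fw kernel: OUT=eth1 SRC=10.1.2.3 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN",
    "Sep  1 16:40:28 fw kernel: OUT=eth1 SRC=192.168.5.9 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=44444 DPT=587 SYN",
]
SAMPLE_MAIL = (
    "From: Jane Doe <jdoe@example.org>\r\n"
    "Reply-To: \"Jane Doe\" <jdoe2008@yahoo.co.uk>\r\n"
    "Subject: Urgent\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for src, dst, port in direct_smtp_attempts(SAMPLE_LOG):
        print(f"ALERT direct mail connection {src} -> {dst}:{port}")
    print("suspicious reply-to domain:", suspicious_reply_to(SAMPLE_MAIL))
```

The firewall check is deliberately independent of the antivirus verdict: the post's point is that the infection was invisible to scanners, so the alert has to come from the traffic itself. The Reply-To check is a triage signal, not a block rule; a real mailing-list subscriber will trip it too, which is why the result is returned for a human or a scoring pipeline rather than acted on directly.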