Darkmail Attacks - The Next Network Threat?

An anonymous reader wonders: "SC Magazine are running an article on the growth of so called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?"

Spammers abandoning spam?

[TFGeditor]

FTFA: "Earlier this month SC reported some spammers are turning their back on the spam business. Self-d spam king Scott Richter has now been spam-free for over six months."

Seems incongruous to declare "spammers are turning their back on the spam business" in an article about a malicious new "brute force" spamming scheme that has grown "400 percent in the last twelve months according to a report from email filtering company Email Systems."

And and what does the writer of TFA base this notion, anyway? That one spammer (Richter) has been spam-free for six months?

Where's the beef?

Re:No surprise

[Trepalium]

The idea of making people pay for their e-mail comes up frequently, but those who propose it rarely mention the problems with it.

First, it doesn't really solve the zombie spambot problems. Spammers don't seem to care if they break the law or not, provided they don't get caught. A large amount of spam already comes from zombie PCs, and your proposal wouldn't change that. The only thing that would change is some poor slob would end up with a $500 internet bill every now and then. Since it's unlikely the customer in these instances will end up having to pay, that means general internet prices will shoot through the roof so the ISP can cover it.

Second, who will be the clearinghouse for these payments? Do you think everyone will agree to any choices anyone picks out? We can't even agree world-wide on television standards.

If and when we manage to get a grip on the zombie situation, then maybe we can revisit the pay-for-email idea, but I don't see that happening any time soon. Sadly, the only technology that seems even remotely capable of solving this problem is a technology that is even more repugnant to most of us than pay per mail schemes -- "trusted" computing. Even that will have it's problems dealing with this.

Re:I don't so don't "make an ASS of U and ME"

[ArghBlarg]

Why should consumer broadband be a crippled network connection? The internet was designed to support peer-communications, not be like TV.

My Client Emails

[TexTex]

Why allow port 25 outgoing? My clients. They come in to my business and want to send their email. Guess what? Their corporate, locked-down laptop is set up to point to only their smtp server. VPNs are around 20-30% of the time, and so they end up needing to connect to their mail servers to send out.

Having port 25 open on an outgoing connection isn't that big of a deal if you monitor and control it. Virus scan both ways, rate limit max connections, etc.

Re:My Client Emails

[fingal]

There is one school of thought which says that permitting open access to your internal network to machines that are not under your control is a potential recipe for disaster and might well compromise all your nice firewalling work that you have done (it's not called a trusted network for nothing)

The solution to this is to have a DMZ zone which untrusted clients are allowed to connect on which may have outgoing SMTP enabled, and keep your trusted network as exactly that. No more spam bots, no more email-less clients.