Slashdot Mirror


Darkmail Attacks - The Next Network Threat?

An anonymous reader wonders: "SC Magazine are running an article on the growth of so-called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?"

10 of 58 comments

  1. Spearphishing? Darkmail? Honeypot? by telstar · Score: 3, Funny

    I feel like I went to sleep and woke up in a Mad Max sequel.

  2. Spammers abandoning spam? by TFGeditor · Score: 2, Insightful

    FTFA: "Earlier this month SC reported some spammers are turning their back on the spam business. Self-d spam king Scott Richter has now been spam-free for over six months."

    Seems incongruous to declare "spammers are turning their back on the spam business" in an article about a malicious new "brute force" spamming scheme that has grown "400 percent in the last twelve months according to a report from email filtering company Email Systems."

    And what does the writer of TFA base this notion on, anyway? That one spammer (Richter) has been spam-free for six months?

    Where's the beef?

    --
    Ignorance is curable, stupid is forever.
  3. Egress Filtering by QuantumRiff · Score: 2, Interesting
    Is it really so hard to set up egress filtering on your networks? Seriously, if people started allowing their email servers, and only their email servers, to send email, then we could eliminate zombies. This is a 2 line entry into an access list on your border router. (Heck, be a good net neighbor while you're at it. If you're a corporation, do you really need port 135 leaving your network?) This would force spammers to stop using zombified company machines, and home users on broadband, to send hundreds of thousands of emails a minute. (Not to mention checking your logs quickly tells you which machines might be infected and need a visit from a tech.)

    Honestly, the thing that gets me is that most firewalls block incoming, but allow all outgoing traffic. Why? Do you want the next virus to hit and email out your Word documents as an attachment? They might have trade secrets, or your budget numbers, etc. Do they want an inside machine setting up a "hole" in the firewall to an IRC server? Once they establish the connection from the inside, most firewalls will then ignore the stream. Force spammers to use real mail servers so that they can be appropriately blocked.

    I have never had someone give me an intelligent reason on why outgoing port 25 should not be blocked. I've heard the argument about people running email on their broadband connections. (I do, and route outgoing through my ISP's SMTP relay server)

    --
    What are we going to do tonight Brain?
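
As an added illustration of the egress rule set this comment describes (this is not code from the original post or from any project named on the page), here is a pf.conf fragment for a border gateway on which only the mail server may open outbound SMTP, and the Windows RPC/SMB ports are kept inside. The interface name, the 203.0.113.0/24 address block and the mail server address are assumptions; addresses are taken as routable so no NAT rule is shown.

```pf
# Added example, not from the original post.  Interface and addresses are
# assumed values for illustration; adjust to your own network.
ext_if   = "em0"
lan      = "203.0.113.0/24"
mail_srv = "203.0.113.25"

set skip on lo

# Default deny in both directions, logged to pflog0 so that a LAN host
# repeatedly tripping the SMTP block below is easy to spot in the logs.
block log all

# Inbound: only the mail server accepts SMTP from the outside.
pass in on $ext_if proto tcp from any to $mail_srv port 25 keep state

# Outbound: the LAN may go anywhere ...
pass out on $ext_if from $lan to any keep state

# ... except that outbound SMTP is denied for every LAN host (pf uses
# last-match semantics, so this overrides the general pass rule above) ...
block out log on $ext_if proto tcp from $lan to any port 25

# ... and then re-allowed for the one host that is supposed to send mail.
pass out on $ext_if proto tcp from $mail_srv to any port 25 keep state

# Be a good net neighbour: Windows RPC/NetBIOS/SMB never leave the network.
block out log on $ext_if proto { tcp, udp } from $lan to any port { 135, 137, 138, 139, 445 }
```

Load it with `pfctl -f /etc/pf.conf` (use `pfctl -nf /etc/pf.conf` first to syntax-check without loading). Because the two SMTP block rules carry `log`, `tcpdump -n -e -ttt -i pflog0 port 25` shows, in real time, which internal address keeps trying to reach port 25 and therefore deserves a visit from a tech.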
  4. No surprise by metamatic · Score: 2, Interesting

    I wrote a series of articles in which I mentioned this problem, caused by many approaches to spam filtering. http://www.xciv.org/~meta/Technology/2005-02-14-dismal.html

    Basically, spam is an economic problem. Attempts at a technological solution usually involve filtering spam. Since a filter can never be 100% accurate, as filters are deployed the volume of spam increases. So basically, filters "work" as long as most people aren't using them; once they become widespread, the spam volume goes up and up until the network collapses under the bandwidth load (or we try a different approach).

    As I conclude in my article, attempting to analyze logically from first principles, the only type of solution which will work is an economic one. Unfortunately, most people dismiss economic solutions out of hand. They're too attached to the fundamentally broken economic model of today's e-mail.

    Ironically, the same people often express surprise that the RIAA can't see how broken their economic model is...

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    1. Re:No surprise by Trepalium · Score: 2, Insightful
      The idea of making people pay for their e-mail comes up frequently, but those who propose it rarely mention the problems with it.

      First, it doesn't really solve the zombie spambot problems. Spammers don't seem to care if they break the law or not, provided they don't get caught. A large amount of spam already comes from zombie PCs, and your proposal wouldn't change that. The only thing that would change is some poor slob would end up with a $500 internet bill every now and then. Since it's unlikely the customer in these instances will end up having to pay, that means general internet prices will shoot through the roof so the ISP can cover it.

      Second, who will be the clearinghouse for these payments? Do you think everyone will agree to any choices anyone picks out? We can't even agree world-wide on television standards.

      If and when we manage to get a grip on the zombie situation, then maybe we can revisit the pay-for-email idea, but I don't see that happening any time soon. Sadly, the only technology that seems even remotely capable of solving this problem is a technology that is even more repugnant to most of us than pay-per-mail schemes -- "trusted" computing. Even that will have its problems dealing with this.

      --
      I used up all my sick days, so I'm calling in dead.
  5. Re:Spearphishing? Darkmail? Honeypot? by aftk2 · Score: 3, Funny

    No kidding. Darkmail. It sounds like something I'd take along with my vorpal sword, and +10 boots of speed.

    --
    concrete5: a cms made for marketing, but strong enough for geeks.
  6. Defeat "darkmail" through "greytrapping" by Nonesuch · Score: 3, Informative
    The latest version of pf, spamd, and spamdb offered with OpenBSD 3.7 work well to address the problem of high-volume dictionary attacks, through a combination of bandwidth shaping, tarpitting, greylisting, and spamtrap addresses.

    Basically, you configure spamdb to greylist unknown senders, and provide it with a huge list of "spamtrap" addresses, which are invalid email addresses not actually used in your domain.

    GREYTRAPPING
    Any source which tries to email to a spamtrap address is temporarily blacklisted, just like how SpamCop's SCBL reacts to a message to a spamtrap.

    Recent enhancements to 'pf' provide for rate-limiting connections based on the source IP, in addition to the regular bandwidth shaping features. With minimal effort you can configure an OpenBSD mail gateway or router to ensure that you waste as much of the spammers' time as possible, while expending the least amount of your own effort and bandwidth.
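
The pf side of the spamd/greytrapping setup this comment describes, written out as an added example (not code from the original post, nor OpenBSD's own sample configuration): unknown senders are diverted to spamd for greylisting and tarpitting, and sources that have passed greylisting are rate-limited per source IP with pf's `max-src-conn-rate`. The interface, the mail server address, the 15-connections-per-30-seconds threshold and the table names other than `<spamd-white>` (which spamd itself maintains) are assumptions.

```pf
# Added example, not from the original post.  Interface, address and rate
# threshold are assumed values; <spamd-white> is the table spamd maintains.
ext_if   = "em0"
mail_srv = "203.0.113.25"

table <spamd-white> persist    # sources that completed greylisting (spamd fills this)
table <bruteforce>  persist    # sources that exceeded the per-IP connection rate

# Anything that tripped the rate limit is dropped outright, until the table
# entry is expired (see the usage note).
block in quick on $ext_if from <bruteforce>

# Unknown senders are diverted to spamd on 127.0.0.1:8025, which greylists
# them, stutters at blacklisted ones (the tarpit), and blacklists any source
# that mails a spamtrap address.  On OpenBSD 3.7 the equivalent was an rdr rule:
#   rdr pass on $ext_if proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
pass in on $ext_if proto tcp from any to $mail_srv port smtp divert-to 127.0.0.1 port 8025

# Whitelisted sources reach the real MTA directly (last match wins, so this
# overrides the divert rule for them), but no single source may open more than
# 15 SMTP connections in 30 seconds; offenders go into <bruteforce> and their
# existing states are flushed.
pass in log on $ext_if proto tcp from <spamd-white> to $mail_srv port smtp \
    keep state (max-src-conn-rate 15/30, overload <bruteforce> flush global)
```

Enable the greytrapping daemon with `spamd_flags="-v -G 2:4:864"` in /etc/rc.conf.local (pass time, greylist expiry and whitelist expiry; the values are spamd's documented format, the numbers are an assumption) and run spamlogd so that whitelist entries stay fresh. Spamtrap addresses are added with `spamdb -T -a 'never-used@example.com'` (a constructed address; use names that have never existed in your domain), and a cron job such as `pfctl -t bruteforce -T expire 86400` lets rate-limited sources back in after a day. The `divert-to` form needs a current OpenBSD; the 3.7-era `rdr` rule is shown in the comment for completeness.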

  7. Re:I don't so don't "make an ASS of U and ME" by ArghBlarg · Score: 2, Insightful

    Why should consumer broadband be a crippled network connection? The internet was designed to support peer-communications, not be like TV.

    --
    ERROR 144 - REBOOT ?
  8. My Client Emails by TexTex · Score: 2, Insightful

    Why allow port 25 outgoing? My clients. They come in to my business and want to send their email. Guess what? Their corporate, locked-down laptop is set up to point to only their smtp server. VPNs are around 20-30% of the time, and so they end up needing to connect to their mail servers to send out.

    Having port 25 open on an outgoing connection isn't that big of a deal if you monitor and control it. Virus scan both ways, rate limit max connections, etc.

    --
    -Barkeep, a draft of your most hazardous brew, for the world is slowly stepping into focus, and I don't like what I see.
    1. Re:My Client Emails by fingal · Score: 2, Insightful

      There is one school of thought which says that permitting open access to your internal network to machines that are not under your control is a potential recipe for disaster and might well compromise all the nice firewalling work that you have done (it's not called a trusted network for nothing).

      The solution to this is to have a DMZ zone which untrusted clients are allowed to connect on which may have outgoing SMTP enabled, and keep your trusted network as exactly that. No more spam bots, no more email-less clients.

      --
      The only Good System is a Sound System