Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Hackers Identify Their Targets

Posted by ryuzaki0 on from the drawing-a-bead dept.

narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"

6 of 95 comments (clear)

  1. Re:Duh... It's so obvious... by laffer1 · · Score: 3, Informative

    Like sendmail is the only mail server to ever have a security problem. iMail and Netscape/iPlanet/Sun One/Java Enterprise mail server comes to mind. Even the holy grail of mail servers (to some) has had issues in the past.

    See http://postfix.it-austria.net/releases/official/po stfix-2.3.3.HISTORY and search for Security.

    I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software. Even OpenBSD has had a remote security hole in 8 years :)

    --
    MidnightBSD: The BSD for Everyone
  2. The Article is WRONG by E++99 · · Score: 3, Informative

    While I don't doubt the writer's observation that "continuous scans for open mail systems are ongoing in most IP blocks," his claim that this is the method that generates the bulk of spam is wrong. As someone who gets about 200 spams a day over three domains, and successfully blocks over 99% of it without using any techniques that can create false positives, I can tell you that well over 90% of spam comes from "servers" on IP addresses allocated for dial-up, dsl, cable or the like. In other words, either spammers running their own server software on an ISP account, or, more likely, botnets.

  3. Re:Duh... It's so obvious... by whoever57 · · Score: 4, Informative
    I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software.
    Perfectly secure: no. But look at Secunia's reports:

    Postfix 1.x:

    Affected By 1 Secunia advisories

    Unpatched 0% (0 of 1 Secunia advisories)

    Postfix 2.x:

    Affected By 0 Secunia advisories

    in contrast, look at Sendmail 8:

    Affected By 10 Secunia advisories

    Unpatched 10% (1 of 10 Secunia advisories)

    So, given that there are unpatched vulnerabilities in Sendmail, why should you wait for the team to finish re-writing the code? Now, it is possible that Sendmail has some advantages in very high volume situations (although there are some older benchmarks that show Postfix was faster), but why would you want to use an MTA that is more difficult to configure and has known vulnerabilities?

    I believe the main reason that people use Sendmail is that, having gone to the trouble to learn how to configure it, they don't want to waste that effort (as well as it being the default MTA in many distributions).

    --
    The real "Libtards" are the Libertarians!
  4. Re:Possible Solution by mernisse · · Score: 2, Informative

    while this sounds like a "good idea" it's probably not.

    #1 - alot of the time the ip address listed on the whois info is for the networking technical contact, in teeny weenie organizations this might be the same as the sysadmin, but often it's not. And in the end you'll end up wasting a bunch
    of people's time trying to figure out what the hell you're talking about and who to route your message to.

    #2 - most oranizations small enough to be an exception to #1 probably don't have sysadmins and will be doubly confused.

    If you really want to report spam (which... well don't get me started) then I'd suggest using the abuse contact of the
    originating domain. They're much more likely to know what the hell you're talking about and much more likely to get it
    fixed.

    --mernisse
    (abuse@ for a major nationwide ISP)

    --
    Rushing toward Entropy one iteration at a time.
  5. Re:Duh... It's so obvious... by strabo · · Score: 3, Informative
    Unpatched 10% (1 of 10 Secunia advisories)

    Oooooh! Unpatched vulnerability!! Eek!

    Sendmail fails to log all relevant data

    Critical: Not critical

    Description:

    Sendmail fails to log all details about connections if supplied with an IDENT of more then 95 characters.

    It is possible to hide your identity from the sendmail log, if you supply an IDENT that is more than 95 characters, information about your identity however will still be written in any email you may sent. The problem is that someone may try to footprint your system, but when you check your log files, you will not be able to find the IP address and hostname of the attacker (or spammer).

    Solution:

    The easiest way to log these data is by enabling logging on the firewall and making sure that the time is synchronised on the firewall and mail server.

  6. Test your own mail server by perp · · Score: 2, Informative

    abuse.net will test your mail server for you. It tries many ways of relaying and displays a report that you can print out and show your boss how secure your server is :-)

    --
    There are two kinds of sysadmins: paranoids and losers. I'm both kinds.