How Hackers Identify Their Targets
narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"
1) Look for SSID "Linksys"
2) Connect
3) ????
4) Profit!
The title to the story says how hackers identify their targets but the story is about spammers. They are different.
...for getting into the minds of spammers is a couple rounds of semi-jacketed .357 hollow-points.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
This is the type of negative image that hackers need to stop. I had a long conversation with someone on the differences between hackers and crackers and I can understand the confusion, but spammers and hackers, this is taking it a bit too far.
Utinam me logica falsa tuam philosophiam totam suffodiant.
I'm a hacker. I choose my target by seeing some new device or system that does something at least kinda cool. Then I say "I bet I can make it do something else cool." Then I do it.
They're talking about "crackers", "phishers", scammers and criminals. They're not trying to make a system do anything cool, except when it damages or robs a person. Just making a system do something unexpectedly cool is irrelevant unless it takes something from a person, not the system.
--
make install -not war
Like sendmail is the only mail server to ever have a security problem. iMail and Netscape/iPlanet/Sun One/Java Enterprise mail server come to mind. Even the holy grail of mail servers (to some) has had issues in the past.
See http://postfix.it-austria.net/releases/official/postfix-2.3.3.HISTORY and search for Security.
:)
I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software. Even OpenBSD has had a remote security hole in 8 years.
MidnightBSD: The BSD for Everyone
It doesn't take a security vulnerability to make sendmail vulnerable... all it takes is a rookie Linux administrator configuring it and setting it up incorrectly.
Many times I imagine that rookie administrators are trying to get sendmail just to work right so they enable something they shouldn't. It works... and they never bother to address their issue correctly, or even know that they addressed it incorrectly.
Zonk dude/chick, not sure. About 2 out of every 3 of your stories are misinformed, not important, or just fud. I admire the 1 of 3 stories you post but damn, lay off the POST button till you get your stuff straight. Spammer = hacker... sometimes yes, but in this community hacker > spammer. That's like calling PeeWee Herman a stud for what he did back in the day.
Thanks but no thanks for this one.
While I don't doubt the writer's observation that "continuous scans for open mail systems are ongoing in most IP blocks," his claim that this is the method that generates the bulk of spam is wrong. As someone who gets about 200 spams a day over three domains, and successfully blocks over 99% of it without using any techniques that can create false positives, I can tell you that well over 90% of spam comes from "servers" on IP addresses allocated for dial-up, dsl, cable or the like. In other words, either spammers running their own server software on an ISP account, or, more likely, botnets.
Dude, give it up! "Hackers" now means someone doing something malicious to computers. You can say it means whatever you'd like, but that's not what the word means in common usage. That's how language works. I can tell people that I drove my banana to work today, but "banana" doesn't mean "car" just because I say so, any more than "hacker" means benign computer geek because you and a handful of "hackers" says so. I suggest you move on with your life, and pick a new word for the good guys.
Postfix 1.x:
Affected By 1 Secunia advisories
Unpatched 0% (0 of 1 Secunia advisories)
Postfix 2.x:
Affected By 0 Secunia advisories
in contrast, look at Sendmail 8:
Affected By 10 Secunia advisories
Unpatched 10% (1 of 10 Secunia advisories)
So, given that there are unpatched vulnerabilities in Sendmail, why should you wait for the team to finish re-writing the code? Now, it is possible that Sendmail has some advantages in very high volume situations (although there are some older benchmarks that show Postfix was faster), but why would you want to use an MTA that is more difficult to configure and has known vulnerabilities?
I believe the main reason that people use Sendmail is that, having gone to the trouble to learn how to configure it, they don't want to waste that effort (as well as it being the default MTA in many distributions).
The real "Libtards" are the Libertarians!
Er, ah, what's the difference again?
One is where the person installs a mail server and doesn't know how to configure it.
The other is where someone runs an operating system and doesn't know how to use it.
Of course the latter might be more because it was made by developers who didn't know how to write it.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
while this sounds like a "good idea" it's probably not.
#1 - a lot of the time the ip address listed on the whois info is for the networking technical contact, in teeny weenie organizations this might be the same as the sysadmin, but often it's not. And in the end you'll end up wasting a bunch of people's time trying to figure out what the hell you're talking about and who to route your message to.
#2 - most organizations small enough to be an exception to #1 probably don't have sysadmins and will be doubly confused.
If you really want to report spam (which... well don't get me started) then I'd suggest using the abuse contact of the originating domain. They're much more likely to know what the hell you're talking about and much more likely to get it fixed.
--mernisse
(abuse@ for a major nationwide ISP)
Rushing toward Entropy one iteration at a time.
Oooooh! Unpatched vulnerability!! Eek!
Sendmail fails to log all relevant data
Critical: Not critical
Description:
Sendmail fails to log all details about connections if supplied with an IDENT of more than 95 characters.
It is possible to hide your identity from the sendmail log, if you supply an IDENT that is more than 95 characters, information about your identity however will still be written in any email you may send. The problem is that someone may try to footprint your system, but when you check your log files, you will not be able to find the IP address and hostname of the attacker (or spammer).
Solution:
The easiest way to log these data is by enabling logging on the firewall and making sure that the time is synchronised on the firewall and mail server.
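The fix the advisory suggests (log connections on the firewall and keep the clocks synchronised) only pays off if you can actually join the two logs afterwards. The script below is an added example, not part of the thread or of any Secunia or Sendmail material: it parses constructed sendmail and netfilter-style firewall lines, and for every message whose relay= field came out empty it lists the firewall-seen sources that opened port 25 shortly before, discounting sources already explained by a fully logged message. All hostnames, addresses, queue ids and the exact shape of the degraded log line are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the page). Hosts and addresses are
# hypothetical, drawn from the RFC 5737 documentation ranges. The second
# sendmail line models the degraded entry the advisory describes: the
# message is logged, but the relay= field carries no client host or IP.
SENDMAIL_LOG = """\
Jan 12 10:16:20 mx sendmail[2101]: k0CAGKab002101: from=<list@example.com>, size=1422, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.7]
Jan 12 10:16:41 mx sendmail[2105]: k0CAGfab002105: from=<nobody@example.org>, size=904, nrcpts=1, proto=SMTP, daemon=MTA, relay=
Jan 12 10:19:09 mx sendmail[2110]: k0CAJ9ab002110: from=<ops@example.net>, size=310, nrcpts=1, proto=SMTP, daemon=MTA, relay=ns1.example.net [192.0.2.44]
"""

# Constructed netfilter-style firewall log from a host whose clock is in
# sync with the mail server (the precondition the advisory's fix relies on).
FIREWALL_LOG = """\
Jan 12 10:12:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=25 SYN
Jan 12 10:16:19 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25 SYN
Jan 12 10:16:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=25 SYN
Jan 12 10:16:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=443 SYN
Jan 12 10:19:08 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP SPT=33800 DPT=25 SYN
"""

SYSLOG_YEAR = 2006  # syslog timestamps carry no year; assumed for the sample

TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d)")
QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): ")
RELAY_RE = re.compile(r"relay=\S*\s*\[(\d+\.\d+\.\d+\.\d+)\]")
FW_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) .*?DPT=(\d+) SYN\b")


def parse_ts(line):
    """Turn a syslog 'Mon DD HH:MM:SS' prefix into a datetime (None if absent)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}",
                             "%Y %b %d %H:%M:%S")


def parse_sendmail(text):
    """One record per 'from=' line: queue id, timestamp, and the client IP
    if sendmail managed to log it (None when the relay field is empty)."""
    records = []
    for line in text.splitlines():
        ts, qid = parse_ts(line), QID_RE.search(line)
        if ts is None or qid is None or "from=" not in line:
            continue
        relay = RELAY_RE.search(line)
        records.append({"ts": ts, "qid": qid.group(1),
                        "relay_ip": relay.group(1) if relay else None})
    return records


def parse_firewall(text, smtp_port=25):
    """Inbound connection attempts (SYN) to the SMTP port, with source IPs."""
    conns = []
    for line in text.splitlines():
        ts, m = parse_ts(line), FW_RE.search(line)
        if ts is None or m is None or int(m.group(2)) != smtp_port:
            continue
        conns.append({"ts": ts, "src": m.group(1)})
    return conns


def correlate(sendmail_text, firewall_text, window_s=60):
    """For every sendmail entry that lacks a client IP, list the firewall-seen
    sources that opened port 25 within window_s seconds before it, leaving out
    sources already explained by a fully logged message in the same window."""
    mail = parse_sendmail(sendmail_text)
    conns = parse_firewall(firewall_text)
    window = timedelta(seconds=window_s)
    result = {}
    for entry in mail:
        if entry["relay_ip"] is not None:
            continue  # sendmail logged the client itself; nothing to recover
        lo = entry["ts"] - window
        explained = {m["relay_ip"] for m in mail
                     if m["relay_ip"] and lo <= m["ts"] <= entry["ts"] + window}
        result[entry["qid"]] = sorted({c["src"] for c in conns
                                       if lo <= c["ts"] <= entry["ts"]
                                       and c["src"] not in explained})
    return result


if __name__ == "__main__":
    print(correlate(SENDMAIL_LOG, FIREWALL_LOG))  # {'k0CAGfab002105': ['198.51.100.23']}
```

The window is the weak point: a busy MX will have several port-25 connections per minute, so the output is a candidate list rather than an answer, and it is only as good as the clock agreement between the two hosts, which is exactly why the advisory stresses time synchronisation.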
abuse.net will test your mail server for you. It tries many ways of relaying and displays a report that you can print out and show your boss how secure your server is :-)
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
I'm doing anti-spam research, and although this sort of thing isn't my direct interest, I have dabbled enough to have implemented my own SMTP honeypot from scratch. My experience in doing so, and in tracking spam generally, is rather different from this article.
In the first instance, I'm surprised that botnets aren't listed as the #1 distribution vector for spam. Any computer criminal worth his salt uses a botnet these days. The really hard-core phishers not only distribute their spam that way, but reverse-proxy their websites through the botnet.
Open relays, on the other hand, seem to be relatively small beans in terms of actual spam distribution. Sure, I got a lot of hostile traffic on my SMTP honeypot, but it was a lot of sound and fury signifying nothing. Nearly all the relay-exploiting activity originated in Korea and sent non-English (presumably Korean) spam.
As for their testing of RFC-compliance -- what a joke! Most of the relay-testers I encountered couldn't even get SMTP syntax right: I had to adjust my parser to allow extra whitespace and other brain damage. What they test for is delivery. As far as I can tell, they don't give a damn about anything else but whether the mail passes through your system and into their test account (typically a free webmail account, like Yahoo!). I found that when I manually forwarded a test message out of my honeypot to the test address, I would get a flurry of mail representing an actual spam run (not just a relay test message). It gives one a certain smug satisfaction to know that you've just null-routed an entire spam run -- the first couple of times, at least. After that you realise that it's about as significant as taking a piss in the Pacific, and stop wasting your time.
The article says of the web-form distribution vector that "the spammer community maintains a database or list of vulnerable forms". I think their database is called "Google", or something like that. I get constant attempts at compromise on my phpBB forum, and I think that works the same way. Why maintain a database when you can just plug an identifying phrase into a search engine?
I should mention that the spam experience can vary distinctly from person to person, so my different experience doesn't necessarily indicate sloppy research on the part of this reporter. The article gives me the impression that this is his first foray into spam research, however.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
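Both the abuse.net post above and the honeypot post describe the same thing from two sides: a relay tester only cares whether a message for an outside mailbox passes through your server, and it will happily send sloppy SMTP while trying. The code below is an added example, not from the thread or from any real MTA: it shows the recipient-acceptance decision a server has to make to not be an open relay (accept mail for its own domains, accept relaying only from authenticated or trusted-network clients, refuse everything else), parses commands leniently the way the honeypot author had to, and walks a constructed relay probe through that policy. The domains, networks and addresses are hypothetical.

```python
import ipaddress
import re

# Constructed policy for a hypothetical MTA (not the page's or any real server's config).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # domains we accept mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # internal clients allowed to relay

VERB_RE = re.compile(r"^\s*([A-Za-z]+)\s*(.*?)\s*$")
RCPT_RE = re.compile(r"^TO\s*:\s*(.*)$", re.IGNORECASE)


def parse_command(line):
    """Split an SMTP command line into (VERB, argument), tolerating stray
    whitespace around the verb and argument as sloppy clients produce it."""
    m = VERB_RE.match(line)
    if not m:
        return "", ""
    return m.group(1).upper(), m.group(2)


def recipient_mailbox(arg):
    """Return (local_part, domain) for a RCPT TO argument, or None if unparseable.
    A source route <@relay:user@dest> resolves to its final mailbox."""
    m = RCPT_RE.match(arg.strip())
    if not m:
        return None
    path = m.group(1).strip()
    inner = re.search(r"<\s*(.*?)\s*>", path)
    if inner:
        path = inner.group(1)
    if path.startswith("@") and ":" in path:
        path = path.rsplit(":", 1)[1]  # final hop of a source route
    if "@" not in path:
        return None
    local, domain = path.rsplit("@", 1)
    return local, domain.lower().rstrip(".")


def relay_decision(client_ip, authenticated, rcpt_line):
    """Decide an RCPT TO command. Returns (smtp_code, text).
    Accept when the domain is ours, or the client is authenticated or on a
    trusted network; otherwise refuse, so the server is not an open relay."""
    verb, arg = parse_command(rcpt_line)
    if verb != "RCPT":
        return 500, "Expected RCPT"
    box = recipient_mailbox(arg)
    if box is None:
        return 501, "Syntax error in recipient address"
    local, domain = box
    if domain in LOCAL_DOMAINS:
        # '%' and '!' in the local part are legacy routing syntax: mail addressed
        # to us that we would forward elsewhere, so it counts as relaying.
        if any(ch in local for ch in "%!"):
            return 554, "Relay access denied"
        return 250, "Ok"
    if authenticated or any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS):
        return 250, "Ok"
    return 554, "Relay access denied"


def run_session(client_ip, authenticated, lines):
    """Walk a list of client command lines and return the reply codes.
    DATA is refused unless at least one recipient was accepted."""
    codes, accepted = [], 0
    for line in lines:
        verb, _ = parse_command(line)
        if verb in ("HELO", "EHLO", "MAIL", "RSET", "NOOP"):
            codes.append(250)
            if verb == "RSET":
                accepted = 0
        elif verb == "RCPT":
            code, _text = relay_decision(client_ip, authenticated, line)
            codes.append(code)
            accepted += code == 250
        elif verb == "DATA":
            codes.append(354 if accepted else 554)
        elif verb == "QUIT":
            codes.append(221)
        else:
            codes.append(500)
    return codes


# Constructed relay probe: an outside host tries to bounce a message through
# us to an outside mailbox, the delivery test the thread describes.
PROBE = [
    "HELO   probe.example",
    "mail from : <test@freemail.example.net>",
    "RCPT TO: <test@freemail.example.net>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    print(run_session("198.51.100.23", False, PROBE))  # [250, 250, 554, 554, 221]
```

The lenient parser and the strict policy are deliberately separate: being forgiving about whitespace costs nothing, while the decision of whose mail leaves your server must rest only on the destination domain, authentication and the client network, never on how well-formed the command looked.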