Slashdot Mirror


User: khasim

khasim's activity in the archive.

Stories
0
Comments
5,818

Comments · 5,818

  1. That's the biggest problem. on Windows Update Can Hurt Security · · Score: 1

    The vendor CANNOT depend upon the users/admins patching their systems all the time.

    The vendor MUST ship with the minimum number of services running BY DEFAULT and with the minimum rights for those services.

    My problem with Microsoft on that is that they did NOT minimize the number of services. They put a software firewall in front of them.

    Meanwhile, I can put a vanilla Ubuntu workstation on the 'Web without a firewall.

  2. Idiot email admins. on New Spam Site Found Every Three Seconds · · Score: 1

    #1. Any mail accepted MUST be delivered.

    #2. Any mail rejected MUST be rejected at SMTP time and include the phone number of the email admin of the rejecting server.

    That's how I do it. If my machines are rejecting your messages, your server is getting my phone number along with the 5xx error message. Exim4 rocks.

    If your server does not deliver that rejection notice to you, that's the fault of your email admin.

    I've pretty much cut spam out completely at the company I work for. The only problem is the rather large white list I have to maintain because of all the email "admins" out there who do not know anything about SMTP or how to configure their servers. And I'm working on improving the automation of that anyway.
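The two rules in this comment (accepted mail is delivered; refused mail gets a 5xx during the SMTP dialog with the admin's contact details) can be shown as a small protocol model. This is an added example written for this page, not code from the post or from Exim; the spam test, the addresses and the contact string are constructed placeholders. It contrasts SMTP-time rejection with the accept-then-bounce anti-pattern, where the receiver ends up mailing bounces to whatever forged address was in MAIL FROM.

```python
"""Two ways a receiving MTA can refuse a message, modelled side by side.

Added example for this thread; it is not code from the post or from Exim.
The spam test, addresses and contact string are constructed stand-ins.
"""
from dataclasses import dataclass, field

# Placeholder contact for the rejecting server's admin (the comment puts a phone number here).
ADMIN_CONTACT = "postmaster@example.net / +1-555-0100"


@dataclass
class Message:
    envelope_from: str   # MAIL FROM: freely forged by a spammer
    rcpt_to: str         # RCPT TO
    body: str


@dataclass
class Outcome:
    delivered: list = field(default_factory=list)         # (mailbox, body) stored locally
    receiver_bounces: list = field(default_factory=list)  # bounces the *receiver* mailed out
    sender_bounces: list = field(default_factory=list)    # notices the *sender's own* MTA raised


def looks_like_spam(msg: Message) -> bool:
    """Constructed stand-in for a real content/reputation check."""
    return "v1agr4" in msg.body.lower()


def receive_reject_at_smtp(msg: Message, out: Outcome) -> str:
    """The comment's policy: decide during the SMTP dialog.

    Anything refused gets a 5xx reply carrying the admin contact before it is
    ever accepted; anything answered 250 is delivered and never bounced later.
    """
    if looks_like_spam(msg):
        return f"550 5.7.1 Message rejected by policy; contact {ADMIN_CONTACT}"
    out.delivered.append((msg.rcpt_to, msg.body))
    return "250 OK"


def receive_accept_then_bounce(msg: Message, out: Outcome) -> str:
    """The anti-pattern: answer 250 to everything, then bounce the junk.

    The bounce is addressed to envelope_from, which for spam is usually a
    forged third party, so the receiver becomes a backscatter source.
    """
    if looks_like_spam(msg):
        out.receiver_bounces.append((msg.envelope_from, "550 message rejected after acceptance"))
    else:
        out.delivered.append((msg.rcpt_to, msg.body))
    return "250 OK"


def submit(msg: Message, receiver, out: Outcome) -> str:
    """The sending MTA's side of the exchange.

    A 5xx reply means the sender's own server must tell its local user that
    the message was refused; that is the rejection notice the comment says
    a competent mail admin delivers.
    """
    reply = receiver(msg, out)
    if reply.startswith("5"):
        out.sender_bounces.append((msg.envelope_from, reply))
    return reply


def run_exchange(receiver) -> Outcome:
    """Push one legitimate message and one forged-sender spam through `receiver`."""
    out = Outcome()
    submit(Message("alice@example.net", "bob@example.org", "Lunch Friday?"), receiver, out)
    submit(Message("victim@innocent.example", "bob@example.org", "Cheap herbal V1AGR4"), receiver, out)
    return out


if __name__ == "__main__":
    for policy in (receive_reject_at_smtp, receive_accept_then_bounce):
        out = run_exchange(policy)
        print(policy.__name__, "delivered:", len(out.delivered),
              "receiver bounces:", out.receiver_bounces, "sender notices:", out.sender_bounces)
```

With SMTP-time rejection the only bounce that exists is raised by the submitting server for its own user, and the receiver never sends mail to the forged address; with accept-then-bounce the innocent third party receives the bounce.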

  3. The ratio is completely wrong for that. on New Spam Site Found Every Three Seconds · · Score: 3, Interesting

    This just tells us what many of us already knew. The spam problem will continue to get worse until we actually apply an economic solution to this economic problem.
    Yes, in theory.

    The reality is that a single sale of "herbal \/1agr4" can mean a profit for the spammer. The cost of spamming is that low for them.

    In order to make it economically unsound for the spammers, you'd have to make it economically annoying for the rest of humanity. More annoying than simply putting up with the spam.

    UNLESS we get rid of the stupid CAN-SPAM law and allow each state to institute its own anti-spam laws and allow citizens in those states to sue the spammers for violating those laws.

    Yeah, this will hurt "legitimate" fucking "email marketing" companies ... but in my experience those do not exist. Any legitimate company would view the 50 different legal requirements as a cost of doing business. The same as it is with insurance companies.
  4. It's a little complicated. on Windows Live Hotmail CAPTCHA Cracked, Exploited · · Score: 3, Interesting

    The point is to have different tactics to fight spam from different sources.

    With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.

    Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.

  5. "Day Old Bread" in Spamassassin. on Windows Live Hotmail CAPTCHA Cracked, Exploited · · Score: 3, Informative

    Domain age checking has already been implemented in SpamAssassin. Search on "Day Old Bread".

  6. I could see that on a Monday. on Dealing With an IT Bully · · Score: 1

    As long as both groups were in the same local area.

    The developers field the support calls ... while the support guys watch over their shoulders and listen to the calls. Until the support guys are up to speed on it.

    But yeah, over the weekend? Straight to the developers? That's totally passive-aggressive.

  7. And they went live on a Friday evening. on Dealing With an IT Bully · · Score: 5, Insightful

    I mean, isn't that just ASKING for problems?

    I'd have preferred early Monday morning so EVERYONE would be awake and on-the-job if/when problems arose.

  8. You demonstrate your ignorance, AGAIN. on Guerrilla IT, Embracing the Superuser? · · Score: 1

    This conversation seems too dependent on me having knowledge of YOUR network, not networks in general.
    Again, you are demonstrating your ignorance.

    There are very few ways that two workstations can connect to each other over Ethernet. Seeing as how I am the network administrator, I have access to the physical media in almost every one of those scenarios.

    Because I have access to the physical media, I can monitor the flow of packets.

    Because I can monitor the flow of packets, I can see who is connecting to whom and on what port.

    That is the same for ANY network. But then, anyone who knew as much as you claim to know about networking would know that you CANNOT hide a web server on a network. It's basic science.

    But the point isn't that you can't come up with a way around anything I dream up. There's always a way. The gamble is that a)you don't have time to watch everything that closely, b)I'm more clever at disguising it than you are at detecting it, c)I won't generate enough noise to trip your alarm.
    No. The point is that you do not UNDERSTAND networking.

    a. I do NOT have to watch "everything" that closely. I just have to monitor for things that are not supposed to happen. That's simple.

    b. There is no way you can "disguise" it because I control the physical media connecting the machines. It is basic science.

    c. There is no "noise". Again, you're demonstrating your ignorance. The packets have a very clearly defined format with a source and a destination clearly identified. It is BASIC science.

    Become too restrictive and I will leave.
    *waves*

    It's the company's loss, not mine; but you (as an IT admin) cannot perceive that loss from your perspective (and it isn't your job to, so why should you care).
    There have been HOW MANY posts here where I've continued to demonstrate where you are wrong (and ignorant of basic science) and yet you still believe that you'd have some value to a company?

    It's science, not magic. Believe whatever you want to believe.
  9. That is exactly what you said you'd ignore. on Guerrilla IT, Embracing the Superuser? · · Score: 0, Troll

    How is that a contradiction? It's not unusual for support to grab a handful of files off the local machine. It's just as likely that those files were lost due to hardware failure... Are you suggesting that we'd just ignore that?
    Because you had previously said that you would not do so.

    The original question being:

    Well your caveat only works to a point. How long would your department let him spin his wheels while work is not getting done? Who then gets blamed for the downtime? The power user or IT?
    And your reply was:

    Well, they broke the machine didn't they? With privilege comes responsibility. The same would apply to me, if I hosed my development equipment...I've done it before, and it's just a cost of doing business.
    And now you're changing that.

    I didn't really believe that any company would let you operate in that fashion. You're paid to support the company's IT infrastructure which is supposed to be making the PROFIT earning employees more productive/faster/safer.
  10. I should be charging for this. on Guerrilla IT, Embracing the Superuser? · · Score: 1

    OK, "dead-man-switch"... I don't know what to call it instead. Booby trap?

    Say you start scanning ports, I could easily detect and shut the web server off (or anything else I didn't want you to find). Trivial.
    And also trivial to detect. I can see the traffic going to the box on a port that should NOT be open.

    Maybe what you do resembles science. What I do resembles magic.
    Only to you.

    Or just drop TCP/IP traffic if from a certain range. Or hell, just explicitly allow traffic only certain IPs. Get around THAT, Mr. Smarty Pants.
    I'm monitoring the network. If there is traffic, I will SEE the traffic. It does not matter if you firewall that machine so I can not connect to it.

    I will SEE the traffic on the network.

    You do NOT understand that.

    OK, but say even doing that slipped my mind... 8080 isn't supposed to be open. What about port 110? 25? Some other service that you were normally running -- but not on THIS box?
    Then I would suspect a cracker had gotten past me. I know what ports are open on what boxes and WHY they're open (what service is using them). And what machines on my network connect to those boxes on those ports. If that box is not a mail server, then why would it have port 25 open?

    There are lots of things that actually run a small web server on a different port. Network printers often have a web-based admin for config. You really think I couldn't impersonate one of those?
    I know you could not. But you believe that you could. I would not be suspicious when a brand new "printer" shows up on the network? That doesn't seem to be taking any print jobs? That registered itself as a workstation earlier? Instead of in the range I've assigned for printers?

    No, I think I got it right... what you show is arrogance.
    Of course you do. Because you believe that you know what you're talking about.

    Meanwhile, I can trace the traffic from any point on my network.

    It's called "Intrusion Detection". You might want to look it up.

    If you think I would ever deploy something without first scouting your competence, you're crazy. That means I'm going to make sure what I do flies beneath whatever radar you might dream up because I'll find out about your radar before you even know what I am possibly capable of.
    Yes, because it is so easy for you to find what I do WITHOUT tripping anything designed to catch just that kind of activity.

    At least ... you believe that doing so would be within your abilities. Despite you not understanding anything about networking or systems. But then, if you did understand networking, you'd know that what you've been claiming is impossible. And then you would not have claimed that it was possible.
  11. You contradict yourself. on Guerrilla IT, Embracing the Superuser? · · Score: 1

    I'll recover files, though frankly they should already be on the network share.
    So you WILL recover files even if the loss is the result of the employee's own stupidity with installing unsupported software on his machine.

    I don't care about "should". I care about the realities.

    If you allow users to install software that they want, unsupported, the data files WILL end up on their local drive.

    And you WILL be responsible for trying to recover them when they're lost.

    No matter what you said when you granted them those rights. The company will NOT support your self-esteem over the employee's data.
  12. Thanks for the demonstration. on Guerrilla IT, Embracing the Superuser? · · Score: 1

    Even so, it is naive for you to think that I am incapable of hiding something from you. Maybe not a web server, but maybe!
    Anyone with any knowledge of networking and systems would know that it would be impossible to hide a web server on a network.

    I'm already looking for anything the crackers might have gotten past me.

    Depending on your competency and mine, who could say here. But it sure assumes a lot though!
    No, it does not assume anything. That you would even suggest so demonstrates how little you understand networking and systems.

    It's called "computer science" for a reason. It is not magic.

    Like, that I would not consider YOUR intelligence and technical competence, and my lack of understanding/use of port-shifting, encryption, obfuscation, and dead-man-switches.
    If you really understood what you think you understand, you'd know that those terms are meaningless out of context. Let me provide you some context.

    So you run your web server on 8080 instead of 80. Big deal. That box is not SUPPOSED to have port 8080 open. I'd find it.

    So you run your web server with encryption. I'd find the port.

    So you rename the web server file. I'd find the port.

    WTF do "dead-man-switches" have to do with this? Those are for when something does NOT happen. Yeah, you might set it to wipe your web server if you don't log in for a week (you've been fired), but that does not stop me from finding the web server in the first place.

    You seem to exhibit the same arrogant attitude as most IT people I've dealt with. Which actually works in my favor.
    You are confusing "competence" and "knowledge" with "arrogance".

    Again, this is a science. It is not magic.
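The detection argument running through comments 10 and 12 (the admin knows which boxes are supposed to serve which ports and why, so a web server on 8080, or a "printer" that appears at a workstation address, stands out) is the kind of baseline check an intrusion detection rule implements. The following is an added example written for this page, not code from the thread; the inventory, the address ranges and the flow-record lines are all constructed, and the record format is assumed to be what a span-port sensor might emit.

```python
"""Baseline-driven detection of services that are not supposed to exist.

Added example illustrating the argument in this thread; not code from the
post. The inventory, address ranges and log lines are all constructed.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed inventory: every box that is allowed to *serve* anything, and why.
INVENTORY = {
    "10.0.1.10": {"role": "mail server", "ports": {25, 587, 993}},
    "10.0.1.20": {"role": "intranet web", "ports": {80, 443}},
    "10.0.2.5": {"role": "printer", "ports": {80, 9100}},
}
WORKSTATION_RANGE = ipaddress.ip_network("10.0.3.0/24")   # never supposed to serve anything
PRINTER_RANGE = ipaddress.ip_network("10.0.2.0/24")       # printers live here, registered in INVENTORY

# Constructed flow-record format, as a span-port sensor might log it.
FLOW_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_flow(line: str):
    """Extract (src, dst, dport) from one record; None for unparsable lines."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m.group("src"), m.group("dst"), int(m.group("dport")))


def check_flow(flow: Flow):
    """Return None if the flow matches the baseline, else a reason string."""
    entry = INVENTORY.get(flow.dst)
    if entry is not None:
        if flow.dport in entry["ports"]:
            return None
        return f"{flow.dst} ({entry['role']}) serving unexpected port {flow.dport}"
    dst = ipaddress.ip_address(flow.dst)
    if dst in WORKSTATION_RANGE:
        return f"workstation {flow.dst} is serving port {flow.dport}"
    if dst in PRINTER_RANGE:
        return f"unregistered device {flow.dst} in printer range serving port {flow.dport}"
    return f"unknown host {flow.dst} serving port {flow.dport}"


def audit(lines):
    """Run every parsable flow record against the baseline; collect findings."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


SAMPLE_FLOWS = [   # constructed records
    "2008-02-12T09:01:11 src=10.0.3.11 dst=10.0.1.20 dport=443 proto=tcp",
    "2008-02-12T09:01:15 src=10.0.3.11 dst=10.0.1.10 dport=25 proto=tcp",
    "2008-02-12T09:02:40 src=10.0.3.12 dst=10.0.1.20 dport=8080 proto=tcp",   # web on 8080
    "2008-02-12T09:03:02 src=10.0.3.12 dst=10.0.3.42 dport=9100 proto=tcp",   # 'printer' on a workstation address
    "2008-02-12T09:03:30 src=10.0.3.13 dst=10.0.2.5 dport=9100 proto=tcp",
    "garbage line the sensor emitted",
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

The check never needs to connect to the suspect box, which is the point made in the thread: a host firewall that blocks the admin's probes does nothing about traffic the admin can already see on the wire.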
  13. Option #1. on ISO Calls For OOXML Ceasefire · · Score: 5, Insightful

    No, "turning it into a reasonable standard" is stupid regardless, because we already have a reasonable standard -- namely, ODF -- and don't need a different one.
    Why wasn't it a "reasonable standard" when it was SUBMITTED?

    WTF is ISO playing at when they take something that CANNOT be said to be a "reasonable standard" and still APPROVE it as an ISO Standard?

    Fuck that! ISO is supposed to approve STANDARDS. Not approve crap and then try to turn it into a "reasonable standard".

    ISO sold out and is now trying to play the victim in this.
  14. Welcome to the business world. on Guerrilla IT, Embracing the Superuser? · · Score: 1

    You think that if I can't justify a piece of hardware or software that makes my job easier and how it translates into instant dollars, then it isn't worth your time fooling with.
    Pretty much. We're in business to make money. You're being paid to make money for the company.

    If you do not understand the situation sufficiently that you can express the benefit of X in terms of dollars and cents, then why should the company pay you to play with it?

    What about the cost of a turnover?
    What about it?

    Are you threatening to leave just because you didn't get to play with X?

    No, change that, are you threatening to leave just because you could not make a business case for you getting to play with X?

    That pretty much answers how much you are worth as an employee.

    So I'm willing to risk installing something that goes around your puny and ill-thought restriction vs. you finding out and getting pissed off at me.
    It's nice how you know so much more than I do about this field.

    And if you do find out, then I'm not a real "superuser" am I? A real superuser never gets caught.
    If you put something on my network, it WILL be found. If you really knew as much as you thought you did, you'd know how I'd find it and why it is impossible to hide it from me.

    But right now I have my perfect dream job. And I also get a lot of leeway to be creative with my own machine. And I work for the military, no less!
    Sure you do. Sure you do. And, sure you do.

    But I have dealt with so many companies in the past that had this Nazi-istic IT department that made it impossible to have a new idea or a creative thought.
    And yet you claim you get MORE "leeway" when you're working "for the military".

    Fascinating.
  15. Where do you work? on Guerrilla IT, Embracing the Superuser? · · Score: 3, Insightful

    Well, they broke the machine didn't they?
    Yeah. And?

    Are you seriously saying that the company you work for would support you NOT helping an employee recover his system just because he broke it himself?

    But I'm not responsible for rebuilding a machine that has been rendered non-functional by a user who insisted that he knew what he was doing.
    No, seriously, the company supports that position for you?

    I always make this stuff clear when a manager requests these sorts of permissions for one of their people.
    Again, and the company supports that position?

    We support the standard configuration, once you deviate from that, all bets are off.
    That's a LOT different from what you've been saying.

    We only support our standard configuration. Yet if a machine breaks, whether from an employee's actions or not, we still repair/recover as much as we can.

    I'm fascinated that you seem to be claiming to work for a company that values your self-esteem over actual customer contracts.
  16. IT's job vs employee's desires. on Guerrilla IT, Embracing the Superuser? · · Score: 1

    The biggest problem I see is that the employees who are trying this do NOT understand the full spectrum of the job assigned to IT.

    Yeah, you CAN find a way around X ... but what happens when the lawyers come in and want full records of X?

    It isn't just about keeping your computer safe from viruses. Most employees understand the single-user model of computing.

    What they do NOT understand is having multiple users hitting a shared resource such as a server.

    Or backups for recovering deleted files from yesterday _vs_ backups for recovering information from 3 years ago _vs_ keeping current files at a "disaster recovery" site for when the office building burns down.

    I've had to go back and recover email from years ago because of a lawsuit when our people did NOT print out important documents ... and deleted them when they quit along with the rest of their email. Yeah, it sounds good when you're only thinking of yourself. But that kind of logic does not work when it involves a company.

  17. I gotta agree. on Guerrilla IT, Embracing the Superuser? · · Score: 2, Informative

    Just because someone can plug a device into a data jack does NOT mean they're a "SuperUser".

    Yeah, that might work at HOME. But in the OFFICE someone (me) has to be responsible for security of our data. That includes YOUR social security number in HR's database.

    If you do not like the "restrictions" you are working under, then explain to YOUR boss how much more money you'll make for the company if you get X. And your boss will talk to my boss and I will explain how much it will take to implement X (money, time, security changes, etc).

    If the net is an increase in profits, we'll probably do it.

    If it will open us up to a new risk WITHOUT an increase in profits, I don't care how much you love your idea. It's not going to happen.

  18. And Microsoft was the biggest offender. on Microsoft Designed UAC to Annoy Users · · Score: 5, Insightful

    You cannot force someone else to follow a particular coding practice when your coders do not do so themselves.

  19. It won't help much. on Cities Tampering With Traffic Lights To Generate Revenue · · Score: 1

    In downtown Seattle, the pedestrian crosswalks have a digital countdown now. So the pedestrians can SEE that they only have 2 seconds remaining to cross the street.

    Now, do you want to guess how many times my light goes green and there are still pedestrians in the middle of the street?

    Systems such as this only keep the honest people honest. If you were the type to just go and depend upon everyone else to over-compensate for you, then you'd do it no matter what.

    Which is what the cameras were ORIGINALLY pitched for (and revenue from those people). Now it seems that the accidents (rear-end collisions) have removed a portion of that population and the revenues are dropping. I can live with fewer jerks on the road.

  20. Evolutionary, but on multiple fronts. on Xiotech Unveils Disruptive Storage Technology · · Score: 1

    They've added the OEM services to THE DEVICE ITSELF. (evolution)

    They've made those OEM services on the device AUTOMATICALLY kick in. (evolution step 2)

    They've sealed the units. (evolution)

    Which, in effect, means that most of the SAN expertise that FORMERLY required an experienced tech is now incorporated and these SANs can be installed and "maintained" by less technically skilled personnel.

    Which will make these devices VERY easy to sell. You pay ONCE for the tech and save on the cost of the technician's salary.

    I will be watching for these in the future. IF they are as good as they claim, I will be buying three of them.

  21. They will, eventually, be cracked again. on Some Anti-Spam Vendors Blocking and Slowing Gmail · · Score: 2, Interesting

    What they need to do is have a process for detecting when an account is spamming.

    Now, you and I would just say "when an account is sending 10,000 messages a day" and that would be correct for about 99.9% of the cases.

    I'd also recommend Google "seeding" the spammers databases with "spamtraps" (not tied to Gmail or Google in any way). If an account sends email to a spamtrap, that account is frozen.

    And so forth.

  22. Here, let me spell it out for you. on New Botnet Dwarfs Storm · · Score: 0

    Although it could spam another zombie, the idea is the bot net would know which zombies could and could not forward SMTP directly, and would forward messages to those bots for retransmit upstream.
    You really do not know how a zombie works, do you?

    1. Machine gets infected and becomes a zombie.
    2. Spammer tells that zombie what spam to send and to what email addresses.
    3. Zombie sends spam to those addresses.

    But that simple understanding eludes you. In your mind it works like this:
    1. Machine gets infected and becomes a zombie. Zombie Alice. Inside a corporate network.
    2. Spammer tells that zombie what spam to send, to what email addresses AND WHAT OTHER ZOMBIE TO BOUNCE IT THROUGH.
    3. Zombie Alice sends 10,000 spam messages to Zombie Bob. Using odd ports and from INSIDE a corporate network.
    4. Zombie Bob sends 10,000 spam messages from Zombie Alice to the addresses that Zombie Alice provided to Zombie Bob.

    Yeah. You might want to brush up on your understanding of email and relays and spam.

    In my world (the real world), the spammer would skip the stupid steps and just send the spam control info to Zombie Bob for direct dispersal. While Zombie Alice attempts to bounce through the corporate email server to send spam (after it is determined that Zombie Alice cannot directly connect to outside machines on the 3 ports I have identified for you).

    Class is dismissed now.
  23. That's called "masturbation". on New Botnet Dwarfs Storm · · Score: 1

    just powered up my Linux box, which is outside my firewall in a DMZ, did a port redirect from port 80 to 25 internally for sendmail to listen on port 80 for communication, edited the settings in outlook to use SMTP port 80 instead of port 25, turned my firewall to only allow port 80 outgoing and no incoming traffic, and I just sent an e-mail to myself through what could essentially simulate a receive and forward bot on someone else's PC, and my client used port 80 to do it, which would not be blocked...
    That's good ... for you.

    It is meaningless in this situation. But I'm sure you enjoyed it.

    Zombies send the email themselves. Why would they need to bounce a message through a different zombie? All they would end up doing is spamming their own zombies.

    Almost every bot in the cloud does exactly this.
    Only in your mind. Again, all that would accomplish is that the zombies would end up spamming their own zombies.

    The ones that don't already use your local mail server to forward mail (the cheap easy to spot bots) use their own SMTP engine on custom ports.
    No, they do not. Because if they used a port other than the three I have identified, the email would not be received by any legitimate email server. Again, all they would end up doing would be to spam their own zombies.

    Some of them even encapsulate that further into HTML traffic to further mask the activity, and have the information filtered through other bots via IRC or other known infected servers in the network.
    You are confusing "command and control" of the zombies with the act of a zombie sending out spam.

    They are not the same. Yet you have confused them.
  24. Actually, it is very simple. on New Botnet Dwarfs Storm · · Score: 1

    Each of your Internet connections should have a firewall.

    Each of those firewalls should be set to deny ANY outbound connections to email ports EXCEPT from your email servers.

    There's no need for packet inspection. Nothing else should be connecting to those ports.

    And those ports are 25, 465 and 587.

    Then just monitor your email server to watch for any unexplained spikes in outbound messages.
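The two halves of this comment, an egress rule that lets only the mail servers reach ports 25, 465 and 587, and a watch on the mail server for unexplained outbound spikes, fit in one short script. This is an added example written for this page, not code from the post or from any firewall or MTA; the mail-server address, the log line format and the hourly counts are constructed, and the spike rule (an hour exceeding three times the median of the previous four, and an absolute floor) is one reasonable choice, not a standard.

```python
"""Egress rule for mail ports plus a simple outbound-volume spike monitor.

Added example for this comment, not code from the post or from any firewall
product. The mail-server list, log format and counts are constructed.
"""
import re
from collections import Counter
from statistics import median

MAIL_PORTS = {25, 465, 587}
MAIL_SERVERS = {"10.0.1.10"}   # constructed: the only hosts allowed to reach mail ports


def allow_egress(src: str, dport: int) -> bool:
    """The comment's firewall policy: outbound to a mail port only from a mail server.

    Any other outbound connection is left to the rest of the policy (here: allowed),
    so no packet inspection is involved, just source address and destination port.
    """
    if dport in MAIL_PORTS:
        return src in MAIL_SERVERS
    return True


# Constructed outbound-delivery log line: "<ISO timestamp> out from=<addr> to=<addr>"
LOG_RE = re.compile(r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d out from=\S+ to=\S+")


def hourly_counts(lines) -> Counter:
    """Count outbound deliveries per hour bucket; lines that do not match are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("hour")] += 1
    return counts


def find_spikes(counts: Counter, window: int = 4, factor: float = 3.0, floor: int = 20):
    """Flag hours whose count exceeds `factor` x the median of the previous
    `window` hours and also an absolute `floor` (so a quiet night does not
    make six messages look like a spike). Needs at least two prior hours.
    Hours with no traffic are absent from `counts` and are simply skipped.
    Returns a list of (hour, count, baseline_median)."""
    hours = sorted(counts)
    spikes = []
    for i, hour in enumerate(hours):
        previous = [counts[h] for h in hours[max(0, i - window):i]]
        if len(previous) < 2:
            continue
        baseline = median(previous)
        if counts[hour] > max(floor, factor * baseline):
            spikes.append((hour, counts[hour], baseline))
    return spikes


def constructed_log(per_hour):
    """Synthesise log lines; `per_hour` maps hour-of-day -> number of messages."""
    lines = []
    for hour, n in sorted(per_hour.items()):
        for i in range(n):
            lines.append(f"2008-02-12T{hour:02d}:{i % 60:02d}:00 out "
                         f"from=user{i}@example.net to=rcpt{i}@example.org")
    return lines


# Constructed day: steady ~10/hour, then 250 in hour 06.
SAMPLE_LOG = constructed_log({0: 12, 1: 9, 2: 14, 3: 11, 4: 10, 5: 13, 6: 250, 7: 12})

if __name__ == "__main__":
    print("workstation to port 25 allowed:", allow_egress("10.0.3.11", 25))
    print("mail server to port 25 allowed:", allow_egress("10.0.1.10", 25))
    for hour, count, baseline in find_spikes(hourly_counts(SAMPLE_LOG)):
        print(f"spike at {hour}: {count} messages vs baseline median {baseline}")
```

With the egress rule in place, an infected workstation cannot deliver spam directly, so whatever it sends has to go through the monitored mail server, where the hourly counter catches the jump.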

  25. Have them or monitor them? on New Botnet Dwarfs Storm · · Score: 2, Insightful

    They can have firewalls, but if they don't monitor them they're not very effective.

    The same with intrusion detection systems.

    Being a network administrator requires some effort, every day. Not much effort. Particularly if you have some scripting skill. But it still requires some effort.