The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Wednesday, May 30, 2007

Spam bots now relaying through ISP mail servers

Correspondents inform me that a new bot network has begun spamming. An army of spambots woke up within one ISP starting at 6 pm yesterday, and attempted to send millions of spams through the ISP's mail server.

This represents a new step in the evolution of spambots. Previously, these bots all tried to transmit directly from port 25, but with the advent of port 25 blocking by ISPs, this has become an obstacle. It was only a matter of time before spambots began trying to relay through mail servers.

The question to be asked — and hopefully someone will analyze the bot responsible — is whether the bots were specifically crafted for the ISP that was attacked, with knowledge of the correct mail server to use, or whether the bots were able to extract mail server information from the customers' machines.

This new spambot capability was inevitable as port 25 blocking came into widespread use. The next generation of spambots will most likely search user files for email account information, including passwords, in order to transmit their spam.

For this reason, I believe that best practices dictate that users never check the "remember this password" box on their mail programs, but instead enter the password each time they fire up their mailers. Note that MacOS is probably immune to this problem thanks to its key manager system.
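As an added example, not from the original post: one defender-side check an ISP could run over its own mail server's submission log to spot the burst described above. The log format, the sample lines, and the thresholds (recipients per window, distinct envelope senders per client) are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample submission log (not from the post). Assumed format:
# "<ISO timestamp> client=<ip> from=<envelope sender> nrcpt=<recipient count>"
SAMPLE_LOG = """\
2007-05-29T17:58:10 client=10.0.0.5 from=alice@example.net nrcpt=1
2007-05-29T17:59:40 client=10.0.0.9 from=bob@example.net nrcpt=2
2007-05-29T18:00:03 client=10.0.0.17 from=bob@example.net nrcpt=50
2007-05-29T18:00:05 client=10.0.0.17 from=carol@example.net nrcpt=50
2007-05-29T18:00:08 client=10.0.0.23 from=dave@example.net nrcpt=50
2007-05-29T18:00:09 client=10.0.0.17 from=erin@example.net nrcpt=50
2007-05-29T18:00:12 client=10.0.0.23 from=dave@example.net nrcpt=50
2007-05-29T18:00:15 client=10.0.0.23 from=dave@example.net nrcpt=50
2007-05-29T18:01:00 client=10.0.0.5 from=alice@example.net nrcpt=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=(?P<sender>\S+) nrcpt=(?P<n>\d+)$")

def parse(log_text):
    """Yield (timestamp, client_ip, sender, recipient_count) per valid line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"],
                   m["sender"], int(m["n"]))

def flag_relay_abuse(log_text, window_s=60, max_rcpt=100, max_senders=1):
    """Return {client_ip: reason} for clients that exceed `max_rcpt`
    recipients in any `window_s`-second window, or that submit under more
    than `max_senders` distinct envelope senders (assumed heuristic for a
    bot using several account credentials harvested from one machine)."""
    events = defaultdict(list)            # ip -> [(ts, sender, nrcpt)]
    for ts, ip, sender, n in parse(log_text):
        events[ip].append((ts, sender, n))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        senders = {s for _, s, _ in evs}
        if len(senders) > max_senders:
            flagged[ip] = f"{len(senders)} distinct senders"
            continue
        start, total = 0, 0               # sliding window over recipient counts
        for ts, _, n in evs:
            total += n
            while (ts - evs[start][0]).total_seconds() > window_s:
                total -= evs[start][2]
                start += 1
            if total > max_rcpt:
                flagged[ip] = f"{total} recipients in {window_s}s"
                break
    return flagged
```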


2 Comments:

Anonymous said...

> were the bots specifically
> crafted for the ISP which was
> attacked [...] or were the bots
> able to extract mail server
> information from the customers'
> machines.

Why does it matter? Both kinds of bots have been active for years. Maybe they were minor players but surely both have the potential of becoming major players. So why does it even matter which kind was used in this attack?

5:44 PM  
Exchange-101 said...

Edward,

Nice article. I'm wondering, is this a new trend? Is port blocking by ISPs followed by all the ISPs?

I'm asking this question because the spam volume is as high as 80% from botnets utilising port 25.

Regards,
Ravi

10:29 AM  
