How Hackers Identify Their Targets
narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"
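One way a receiving site can notice the "test message" phase described in the summary is to look for clients whose relay attempts are refused for several outside recipients in quick succession. The following is an added example written for this page, not code from the story or from Huston's article; it parses Postfix smtpd reject lines, and the sample log lines, hostnames and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Postfix smtpd "NOQUEUE: reject: RCPT from host[ip]: code ... <rcpt>: reason; from=<sender> ..." lines.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)>"
)

# Constructed sample log: one client probing relay to three outside addresses, plus an
# unrelated "user unknown" rejection that must not be counted.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <probe1@example.net>: Relay access denied; from=<test@example.org> to=<probe1@example.net> proto=ESMTP helo=<relaytest>
Mar  3 10:01:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <probe2@example.net>: Relay access denied; from=<> to=<probe2@example.net> proto=ESMTP helo=<relaytest>
Mar  3 10:01:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <probe3@example.net>: Relay access denied; from=<probe3@example.net> to=<probe3@example.net> proto=ESMTP helo=<relaytest>
Mar  3 10:05:00 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<alice@example.com> to=<nobody@example.com> proto=ESMTP helo=<mail.example.com>
"""

def relay_probes(log_text, threshold=2):
    """Return {client_ip: [distinct refused outside recipients]} for clients that
    were refused relaying to at least `threshold` distinct recipients. Repeated
    refused relays to different outside addresses from one client is what the
    spammer's 'test message' step looks like from the receiving server's side."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("reason").startswith("Relay access denied"):
            attempts[m.group("ip")].add(m.group("rcpt"))
    return {ip: sorted(rcpts) for ip, rcpts in attempts.items() if len(rcpts) >= threshold}

if __name__ == "__main__":
    for ip, rcpts in relay_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} refused relay attempts -> {', '.join(rcpts)}")
```

A server that is not an open relay will log these rejections; on a misconfigured one the same probes would instead appear as accepted queue IDs, which is the condition to alert on.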
Re:Duh... It's so obvious... (Score:4, Informative)
See http://postfix.it-austria.net/releases/official/p
I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software. Even OpenBSD has had a remote security hole in 8 years.
The Article is WRONG (Score:4, Informative)
Re:Duh... It's so obvious... (Score:5, Informative)
Postfix 1.x:
Affected By 1 Secunia advisories
Unpatched 0% (0 of 1 Secunia advisories)
Postfix 2.x:
Affected By 0 Secunia advisories
In contrast, look at Sendmail 8:
Affected By 10 Secunia advisories
Unpatched 10% (1 of 10 Secunia advisories)
So, given that there are unpatched vulnerabilities in Sendmail, why should you wait for the team to finish re-writing the code? Now, it is possible that Sendmail has some advantages in very high volume situations (although there are some older benchmarks that show Postfix was faster), but why would you want to use an MTA that is more difficult to configure and has known vulnerabilities?
I believe the main reason that people use Sendmail is that, having gone to the trouble to learn how to configure it, they don't want to waste that effort (as well as it being the default MTA in many distributions).
Re:Possible Solution (Score:2, Informative)
#1 - A lot of the time the IP address listed in the whois info is for the networking technical contact. In teeny weenie organizations this might be the same as the sysadmin, but often it's not. And in the end you'll end up wasting a bunch of people's time trying to figure out what the hell you're talking about and who to route your message to.
#2 - Most organizations small enough to be an exception to #1 probably don't have sysadmins and will be doubly confused.
If you really want to report spam (which... well, don't get me started) then I'd suggest using the abuse contact of the originating domain. They're much more likely to know what the hell you're talking about and much more likely to get it fixed.
--mernisse
(abuse@ for a major nationwide ISP)
Re:Duh... It's so obvious... (Score:4, Informative)
Oooooh! Unpatched vulnerability!! Eek!
Sendmail fails to log all relevant data [secunia.com]
Critical: Not critical
Description:
Sendmail fails to log all details about connections if supplied with an IDENT of more than 95 characters.
It is possible to hide your identity from the sendmail log if you supply an IDENT that is more than 95 characters; information about your identity, however, will still be written in any email you may send. The problem is that someone may try to footprint your system, but when you check your log files, you will not be able to find the IP address and hostname of the attacker (or spammer).
Solution:
The easiest way to log these data is by enabling logging on the firewall and making sure that the time is synchronised on the firewall and mail server.
Test your own mail server (Score:3, Informative)