07-11-2007, 11:44 PM   #3
Virus Guy
Re: New .PDF malware (?)

kurt wismer wrote:

> >>> How many mass-market PCs (Dell, Gateway, etc) come with
> >>> Acrobat installed? (just wondering)

> >> acrobat is a program that *A LOT* of people install after
> >> getting their computers

> > No shit sherlock. That's not the answer to my question.

> because the question illustrates what emerson ....

The question stands on its own and is separate from the implications
of its answer.

> foolish consistency...


Which you exhibit constantly.

> and the point i'm making is that acrobat is virtually standard
> *in spite* of not necessarily coming pre-installed...


PDFs are still an ergonomically poor way to convey spam payload given
the lack of automatic rendering. They may be in use now because the
PDF format is somewhat proprietary. Commercial server and client-side
filter software may not have permission or the license from Adobe to
implement PDF decoding routines that are necessary for content
inspection (but you would think it would be in Adobe's best interest
to provide it to them gratis).

> spammers have always had a poor penetration rate with their
> advertisements... if the new obfuscation reduces it they'll
> just do what they've always done - make it up on volume...


Volume is not necessarily something they can increase whenever they
want. Presumably they are always operating at 100% of their volume
capability anyway.

> > DNSRBLs do exactly that. They blacklist IP addresses.
> > Individual IP addresses.
>
> yeah, that's real useful in the dynamic ip world of home
> users where most zombies are found...


If you want to run an RBL that people will use and trust not to give
them false positives, you have no choice but to track spam sources at
the individual IP level. I believe that there are RBLs that will
return the status of an IP (whether it lies in a static or dynamic
range assignment, or whether it belongs to a residential ISP) which a
mail server can use as the basis to block mail from said IP.

> >> isp's try to stomp out the zombies on their networks
> >
> > These days, few if any ISPs do that.
>
> in my part of the world they do...


Then why don't they block port-25 on their outbound? Why are the big
US cable and telco providers of residential internet service still the
biggest sources of trojanized spam bots? If they don't block port-25,
why can't they at least detect spam runs as they happen, and put rate
limits on them? Why can't they detect a spam run in progress by
looking for inordinate amounts of MX lookups being made by an infected
customer?

What exactly does a given ISP do when they learn about spam being
emitted by one of their several-million customers? Do they call the
customer? Send them an e-mail? Perform an on-site service call?
Please explain what happens in your part of the world.
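One way to implement the MX-lookup heuristic raised above, as an added example that is not part of the original post: a sliding-window counter run over a constructed resolver query log, flagging customers whose MX query rate looks like a spam run. The log format, the threshold (5 MX queries within 60 seconds) and the client addresses are all assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client IP> <query type> <name>".
# The format is an assumption for this example, not a real ISP log format.
SAMPLE_LOG = """\
2007-07-11T23:40:01 10.0.0.17 MX alpha.example
2007-07-11T23:40:02 10.0.0.42 A www.example.net
2007-07-11T23:40:03 10.0.0.17 MX beta.example
2007-07-11T23:40:04 10.0.0.17 MX gamma.example
2007-07-11T23:40:05 10.0.0.42 MX mail.example.org
2007-07-11T23:40:06 10.0.0.17 MX delta.example
2007-07-11T23:40:07 10.0.0.17 MX epsilon.example
2007-07-11T23:40:08 10.0.0.42 A cdn.example.net
2007-07-11T23:40:09 10.0.0.17 MX zeta.example
2007-07-11T23:43:00 10.0.0.99 MX one.example
2007-07-11T23:45:30 10.0.0.99 MX two.example
2007-07-11T23:48:00 10.0.0.99 MX three.example
"""

def parse_line(line):
    """Split one log line into (timestamp, client, query type, name)."""
    ts, client, qtype, name = line.split()
    return datetime.fromisoformat(ts), client, qtype, name

def detect_mx_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that issue >= threshold MX lookups inside any sliding window.

    Returns {client: timestamp at which the threshold was first crossed}.
    A mail client talking to its ISP relay never needs MX records, so a
    burst of MX queries across many domains from one customer IP is the
    signature of a host delivering mail directly; the ISP can then rate
    limit or notify rather than wait for an external blacklist report.
    """
    recent = defaultdict(deque)   # client -> timestamps of MX queries in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, _ = parse_line(line)
        if qtype != "MX" or client in flagged:
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop queries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[client] = ts
    return flagged

if __name__ == "__main__":
    for client, when in detect_mx_bursts(SAMPLE_LOG).items():
        print(f"{client}: MX burst detected at {when.isoformat()}")
```

Only 10.0.0.17 is flagged: 10.0.0.42 makes a single MX query and 10.0.0.99 spreads three queries over several minutes, so neither crosses the window threshold.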