Virus Guy <Virus@Guy.com> wrote in news:46C5A627.95A23F@Guy.com:
> kurt wismer wrote:
>
>> >>> How many mass-market PC's (Dell, Gateway, etc) come with
>> >>> Acrobat installed? (just wondering)
>
>> >> acrobat is a program that *A LOT* of people install after
>> >> getting their computers
>
>> > No shit, Sherlock. That's not the answer to my question.
>
>> because the question illustrates what emerson ....
>
> The question stands on its own and is separate from the implications
> of its answer.
>
>> foolish consistency...
>
> Which you exhibit constantly.
>
>> and the point i'm making is that acrobat is virtually standard
>> *in spite* of not necessarily coming pre-installed...
>
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).
Actually, there are various open source pdf readers and writers. Adobe
has no licensing issues with this as far as I know. They wanted pdf to be
adopted, and so it has.
>> spammers have always had a poor penetration rate with their
>> advertisements... if the new obfuscation reduces it they'll
>> just do what they've always done - make it up on volume...
>
> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.
Bad assumption. Network congestion, etc may play a big role in it. I
don't know anybody who runs the server/bandwidth trunk at max full time.
>> > DNSRBL's do exactly that. They blacklist IP addresses.
>> > Individual IP addresses.
>>
>> yeah, that's real useful in the dynamic ip world of home
>> users where most zombies are found...
>
> If you want to run an RBL that people will use and trust not to give
> them false positives, you have no choice but to track spam sources at
> the individual IP level. I believe that there are RBL's that will
> return the status of an IP (whether it lies in a static or dynamic
> range assignment, or whether it belongs to a residential ISP) which a
> mail server can use as the basis to block mail from said IP.
However, the mail server can be given the wrong information. The IP isn't
set in stone. Case in point, a mail server I run here strips all
originating IPs when you send a message through it. Various others may be
set up in a similar fashion. If anything, you'd get the server's IP, not
that of its users.
>> >> isp's try to stomp out the zombies on their networks
>> >
>> > These days, few if any ISP's do that.
>>
>> in my part of the world they do...
>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,
What gives them or you the right to block outbound ports? I'm paying for
unlimited access. If I want to run a server, I will. Various ISPs allow
this. The reason so many residential machines are the trojanized spam
bots is due to the sheer amount of ignorant users who for whatever
reason, won't heed the advice that's been offered for years. If I caught
my ISP blocking any of my incoming/outgoing connections, I'd drop them in
a heartbeat; and they know it.
If I was on dialup, I'd have no real need to run a server. But I'm on
broadband, and I don't need broadband just to surf the web or download
things. I use it for work as well. I like high-speed access to my network
at home from anywhere I might happen to be, and that requires outbound
communication.
If you let them start blocking port 25 to protect users, they might start
blocking other commonly used ports to "protect users". I.e., your Yahoo
client no longer works, but your msn one does. This wouldn't be good for
anybody.
> why can't they at least detect spam runs as they happen, and put rate
> limits on them? Why can't they detect a spam run in progress by
> looking for inordinate amounts of MX lookups being made by an infected
> customer?
How can they tell the difference between a spam bot, or an email server
processing a large legitimate mailing list?
> What exactly does a given ISP do when they learn about spam being
> emitted by one of their several-million customers? Do they call the
> customer? Send them an e-mail? Perform an on-site service call?
> Please explain what happens in your part of the world.
The ISP here doesn't do very much. They will send you an email to your
isp email account; that hardly anyone actually sets up to use. If the
problem isn't resolved, your cable modem goes down and you wind up
calling them to see what the problem is. At that point, they tell you
your computer has a problem and it has to be checked out by a
technician/store and then you have to show them you had this done. Then
they turn your connection back on. They do not attempt to educate the
user so that this doesn't happen again.
As an experiment, 1 year ago, I had a computer here ping flood a machine
at another site for over 4 days before the cable co noticed this.
Luckily I had permission to do this, but that's just an example of how
concerned they are.
--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email:
bughunter.dustin@gmail.com.removethis
web..:
http://bughunter.it-mate.co.uk
Pad..:
http://bughunter.it-mate.co.uk/pad.xml
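The exchange above raises detecting a spam run by the volume of MX lookups an infected customer makes, and Dustin's objection that a legitimate mailing-list server looks the same. As an added example that is not part of the thread, here is a per-client MX-query rate check over constructed resolver log lines; the log format, the window and threshold values, and the allowlist of registered mail servers are all assumptions.

```python
# Added example (not from the thread): flag customers whose resolver queries
# show an unusual number of MX lookups to distinct domains in a short window.
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines, format assumed: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2007-08-17T10:00:01 10.0.0.5 MX example.com
2007-08-17T10:00:01 10.0.0.5 MX example.net
2007-08-17T10:00:02 10.0.0.5 MX example.org
2007-08-17T10:00:02 10.0.0.5 MX mail.example
2007-08-17T10:00:03 10.0.0.5 A www.example.com
2007-08-17T10:00:03 10.0.0.9 MX example.com
2007-08-17T10:00:04 10.0.0.7 MX example.net
2007-08-17T10:00:04 10.0.0.7 MX example.org
2007-08-17T10:00:05 10.0.0.7 MX example.com
2007-08-17T10:00:05 10.0.0.7 MX example.info
"""

def parse_log(text):
    """Yield (timestamp, client_ip, qtype, qname) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, qtype, qname = parts
        yield datetime.fromisoformat(ts), ip, qtype.upper(), qname

def mx_rate_alerts(text, window_seconds=60, threshold=3, known_mail_servers=()):
    """Return {client_ip: peak_distinct_domains} for clients that queried MX
    records for more than `threshold` distinct domains within any span of
    `window_seconds`.  Clients registered as legitimate mail servers (e.g. a
    mailing-list host) are skipped; that allowlist is the only answer here
    to the false positive Dustin raises."""
    per_client = defaultdict(list)
    for ts, ip, qtype, qname in parse_log(text):
        if qtype == "MX" and ip not in known_mail_servers:
            per_client[ip].append((ts, qname))
    alerts = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {q for _, q in events[start:end + 1]}
            if len(distinct) > threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts
```

The allowlist shows where the false-positive problem lands: the detector cannot see intent, so the ISP has to know in advance which customers legitimately run mail servers.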