On Sat, 5 Feb 2005, Richard Clayton wrote:
>
> no it's just hype
I think it's more than that: Spamhaus have done another press release with
more technical information about this "new" (ish) attack. What it boils
down to is that widely-available spamming tools now have an option for
sending email via the zombie's MX instead of directly. Note that this is
the MX not the smarthost, which has two implications: they aren't yet
seriously trying to use the user's email settings to send email (which
would allow them to perform AUTH without social engineering); and it's
quite an easy attack to thwart.
http://www.spamhaus.org/news.lasso?article=158
We saw an instance of this in September. Fortunately last year I made
some effort to separate our MX from our smarthost, so it was relatively
easy for me to lock down the MX so that it could no longer be used as a
relay by anyone - it only accepts email to our domains. I thoroughly
recommend that everyone else make this change too.
(We also have a slightly obscure name for our smarthost, which with any
luck will also help keep us clean.)
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}