In message <a0621022ebe672e0bd9cb@???>, Giuliano Gavazzi
<eximlists@???> writes
>a spammer, and in particular a
>spambot, will have a hard time (although it's possible to do it)
>finding the correct value for the HELO when using a compromised
>Windows box,
It's entirely trivial: you just have your malware build a tcp/443
connection to www.evilspammer.com (doesn't need to be https, just use
that port), send an HTTP GET and take note of the text returned by the
remote server [which will be able to see the IP address that connects
and do appropriate lookups in the DNS or other databases] ...
Note that port 443 traffic is chosen because it is unlikely to be
transparently redirected via a proxy after it has acquired its
"external" IP address (because an ISP's proxy could not do very much
with it). You can test for the presence of proxies fairly simply -- but
if there was one in a corporate firewall AND also one at the ISP then it
would be tricky to ascertain the first firewall's external address :(
So, in this edge case, you'd need to try some other ports until you
found one that was not redirected -- or not try to get this machine's
HELO correct.
Yes, of course there are some email server configurations "out there"
where knowing the Internet-facing address isn't relevant (you'd need an
internal value) -- but they're rare enough that a spammer "playing the
percentages" won't care if they get the wrong answer.
Spammers haven't included this trick as standard today because there
isn't any significant pressure on them to do so. One of the reasons for
this is that large sites (millions of emails a day, hundreds of
thousands of customers) would drop too much legitimate email by being
overly pedantic about HELO strings. Sure, it's a valid heuristic for
smaller sites, especially those handling just their own
personal/corporate email (or those like Universities where there's
limited control by the email recipients of what is done in their name).
The rosy picture -- of spammers being able to trivially fix things, but
not getting around to it -- may change because the spammers' current
"work out the name of the smarthost by looking up the MX record" scheme
is going so badly. Hence expect them to start being far more interested
(RSN) in knowing how to properly configure the systems they 0wn. As
someone else said, email is their speciality ! I expect them to be quite
good at it when it starts mattering to them.
--
richard @ highwayman . com "Nothing seems the same
Still you never see the change from day to day
And no-one notices the customs slip away"
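The "ask an outside server what address it sees" trick described in the message above, together with the receiver-side HELO heuristic it is meant to defeat, as an added example. This is not code from the original message or from Exim; the hostnames, addresses and DNS records in it are constructed for the example, the server runs on loopback with a constructed PTR table so it works offline, and the only proxy check it makes is whether a Via header was added (a fully transparent proxy, the edge case the message mentions, is not detected that way).

```python
"""Added example: external-address echo plus the HELO heuristic it defeats.
Not from the original message or from Exim; names and records are constructed."""
import http.server
import json
import socket
import threading

# Constructed stand-in for real PTR/A records so the example runs offline
# (assumption: a real deployment would ask the resolver instead).
FAKE_DNS = {
    "ptr": {"203.0.113.7": "dsl-203-0-113-7.example-isp.net",
            "198.51.100.20": "mail.example.org"},
    "a": {"dsl-203-0-113-7.example-isp.net": "203.0.113.7",
          "mail.example.org": "198.51.100.20"},
}

def reverse_lookup(ip, dns=None):
    """PTR name for ip, or None; the constructed table replaces the resolver when given."""
    if dns is not None:
        return dns["ptr"].get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_lookup(name, dns=None):
    """A record for name, or None."""
    if dns is not None:
        return dns["a"].get(name)
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def identity_reply(peer_ip, via_header, dns=None):
    """Server side: the address it saw, that address's PTR, and whether an
    HTTP proxy announced itself with a Via header (a transparent one will not)."""
    return {"ip": peer_ip, "ptr": reverse_lookup(peer_ip, dns),
            "proxied": via_header is not None}

class IdentityHandler(http.server.BaseHTTPRequestHandler):
    """Minimal responder; plain HTTP even when bound to port 443."""
    dns = None  # set to a constructed table for offline runs

    def do_GET(self):
        body = json.dumps(identity_reply(self.client_address[0],
                                         self.headers.get("Via"), self.dns)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def fetch_identity(host, port):
    """Client side: raw TCP to the chosen port, one HTTP/1.0 GET, parse the JSON body.
    Also returns the local socket address so the caller can compare it with
    what the server saw (a difference means NAT or a proxy sits in between)."""
    with socket.create_connection((host, port), timeout=5) as s:
        local_ip = s.getsockname()[0]
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        raw = b"".join(iter(lambda: s.recv(4096), b""))
    _, _, body = raw.partition(b"\r\n\r\n")
    return json.loads(body), local_ip

def choose_helo(reply, fallback="localhost.localdomain"):
    """Spammer side: PTR name if there is one, else an RFC 5321 address
    literal; the nonsense fallback is what today's bots send anyway."""
    if reply.get("ptr"):
        return reply["ptr"]
    if reply.get("ip"):
        return "[%s]" % reply["ip"]
    return fallback

def helo_plausible(helo, peer_ip, dns=None):
    """Receiver side, the 'pedantic' heuristic: accept an address literal
    matching the peer, or a name that resolves to the peer's address."""
    if helo.startswith("[") and helo.endswith("]"):
        return helo[1:-1] == peer_ip
    return forward_lookup(helo.lower(), dns) == peer_ip

def run_demo(port=0):
    """Serve on loopback (port 0 = ephemeral; 443 mimics the message but needs
    privileges), run the client once, return what the bot would learn."""
    ptr = dict(FAKE_DNS["ptr"])
    ptr["127.0.0.1"] = "loopback.example.test"  # constructed PTR for loopback
    IdentityHandler.dns = {"ptr": ptr, "a": FAKE_DNS["a"]}
    srv = http.server.HTTPServer(("127.0.0.1", port), IdentityHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        reply, local_ip = fetch_identity("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return {"reply": reply, "local_ip": local_ip, "helo": choose_helo(reply)}

if __name__ == "__main__":
    print(run_demo())
```

Running it shows the two halves of the argument in one place: the bot learns its PTR name (or at least an address literal) from a single GET, and that value then passes the receiver's "HELO must resolve to the connecting address" check, which is why the heuristic only buys time against bots that have not bothered yet.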