Author: Mark
Date:
To: Exim Users List
Subject: Re: how does typical zombie work? (was Re: [exim] Rate Limiting? )

On Fri, 2005-06-17 at 01:44 -0600, Chad Leigh -- Shire.Net LLC wrote:
> Let me ask what may be an ignorant question...
>
> When a typical PC is zombified and starts spewing spam, does it do it
> through the PC User's MUA like Outlook or do they have their own
> inbuilt "smtp" server? The ones I have read about have always seemed
> to be the latter and hence requiring authenticated smtp for users to
> send would block this. But if the spam-zombies are hijacking the
> user's Outlook or other client, then they would have access to the
> authentication capability that is usually stored in a pref. and
> requiring authenticated smtp would not block it.
Certainly the junk from one user yesterday just looked like any other
smtp stream apart from the higher than normal reject rate due to bogus
senders and hitting the rate limiting (120 rcpt_to / 60 second period).
As far as I understand most/all the zombies have their own smtp senders,
which are cut down and don't handle anything other than "yes I accept"
particularly gracefully (hence the reason why greylisting currently
works).
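
Added example, not part of the original message and not Exim code: a sliding-window check that flags a client for the two symptoms described above, exceeding 120 RCPT TO commands in 60 seconds and an unusually high reject rate. The event tuples, the 0.5 reject ratio, and the 20-recipient minimum are assumptions made for illustration; the sample data is constructed.

```python
from collections import defaultdict, deque

RCPT_LIMIT = 120      # RCPT TO commands allowed per window (figure from the post)
WINDOW_SECONDS = 60   # window length (figure from the post)
REJECT_RATIO = 0.5    # assumed threshold for "higher than normal" rejects
MIN_RCPTS = 20        # assumed minimum sample before judging the ratio


def analyse(events):
    """events: iterable of (epoch_seconds, client, accepted), sorted by time.

    Returns {client: {"rcpts", "rejected", "peak", "flags"}}.
    """
    windows = defaultdict(deque)
    stats = defaultdict(lambda: {"rcpts": 0, "rejected": 0, "peak": 0})
    for ts, client, accepted in events:
        win = windows[client]
        win.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while win[0] <= ts - WINDOW_SECONDS:
            win.popleft()
        s = stats[client]
        s["rcpts"] += 1
        s["rejected"] += 0 if accepted else 1
        s["peak"] = max(s["peak"], len(win))
    report = {}
    for client, s in stats.items():
        flags = []
        if s["peak"] > RCPT_LIMIT:
            flags.append("rate")
        if s["rcpts"] >= MIN_RCPTS and s["rejected"] / s["rcpts"] >= REJECT_RATIO:
            flags.append("rejects")
        report[client] = dict(s, flags=flags)
    return report


def sample_events():
    """Constructed sample data: one bursty client, one ordinary client."""
    events = []
    # 192.0.2.10: 300 RCPTs at 3 per second, two of every three rejected.
    for i in range(300):
        events.append((1000 + i // 3, "192.0.2.10", i % 3 == 0))
    # 192.0.2.20: 30 RCPTs spread over 10 minutes, one rejected.
    for i in range(30):
        events.append((1000 + i * 20, "192.0.2.20", i != 7))
    return sorted(events)


if __name__ == "__main__":
    for client, result in analyse(sample_events()).items():
        print(client, result)
```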