More SPAM?

Jeff A. Earickson jaearick at COLBY.EDU
Fri Nov 7 14:43:01 GMT 2003

I too have noticed that a lot more spam is getting thru in the
past month or two (my setup: RBL+, spamcop, spamhaus, local lists
for sendmail RBL; SA 2.60 and razor within MS 4.24-5; more procmail
rules downstream via junkfilter).

One trend that I find alarming is spam trojans that get installed on
Windoze desktop clients when people click on these "free" downloads
from porn sites.  We have had a half-dozen machines on campus this
semester that have had trojans that spew spam to the world.  The remote
spammers connect to their trojans via irc or http, and then dump the
stuff either directly back out or via our mail server.  They can move a
lot of email this way real quick, from lots of machines, and it is hard
to stop.  When we get a report from spamcop or other victims, we have to kill
the port connection and block the MAC address in DHCP when we can
find the machine.  Laptops drive us nuts with this problem.

Our Windoze guru carefully examined one student machine that we
kept having problems with (XP, fully patched, NO password set, doh!).
Two randomly named dlls kept appearing in the process list after bootup.
These guys could not be shut down, unloaded, permissions changed, nothing;
not even when booted in safe mode.  We couldn't even ftp them off
the box to examine them elsewhere (always "text busy").  If their
registry keys were removed, they came right back.

If we put this box on a network with a sniffer running, we would see
a short (encrypted) http connection coming from someplace in Eastern
Europe a few minutes later, followed shortly thereafter by connections
from all over the planet, and then the thing would start spewing spam.

This hack was a real professional piece of work.  We wanted to poke
more, but the student wanted his machine back.  He had to reformat the
hard drive and reinstall the OS before we let him back on the network.

I think this is the direction spam is going -- lots of hijacked
PCs, very distributed spam output.  True criminal activity by pros. Ugh.

--- Jeff Earickson
    Colby College

On Fri, 7 Nov 2003, Devon Harding - GTHLA wrote:

> Date: Fri, 7 Nov 2003 09:09:59 -0500
> From: Devon Harding - GTHLA <DHarding at GILATLA.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> Subject: Re: More SPAM?
> I thought I was the only one.  The SPAM has increased drastically in
> these last two months.
> Currently running MS 4.23-5 and SA 2.60
> What can be done to reduce incoming spam?
> -Devon
> -----Original Message-----
> From: Errol Neal [mailto:sysadmins at ENHTECH.COM]
> Sent: Thursday, November 06, 2003 10:13 AM
> Subject: More SPAM?
> Is it just me, or has anyone else been having more spam make it through
> the
> MailScanners recently?
> Errol Neal
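
The pattern Jeff describes (a desktop checking in with a remote controller over IRC/HTTP, then spewing mail directly to the world or through the campus relay) can be spotted in connection logs before the spamcop report arrives. This is an added example for the thread, not code from MailScanner or from any poster; it assumes a constructed log format, desktops in 10.1.0.0/16 and a campus mail relay at 10.1.0.25.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (timestamp, src, dst, dst port); not real campus data.
# Assumptions: desktops live in 10.1.0.0/16, 10.1.0.25 is the campus mail relay.
SAMPLE_LOG = """\
2003-11-07T13:00:01 10.1.4.21 198.51.100.7 80
2003-11-07T13:00:40 10.1.4.21 203.0.113.5 6667
2003-11-07T13:02:10 10.1.4.21 192.0.2.10 25
2003-11-07T13:02:11 10.1.4.21 192.0.2.11 25
2003-11-07T13:02:12 10.1.4.21 192.0.2.12 25
2003-11-07T13:02:13 10.1.4.21 192.0.2.13 25
2003-11-07T13:02:14 10.1.4.21 192.0.2.14 25
2003-11-07T13:03:00 10.1.4.77 10.1.0.25 25
2003-11-07T13:03:05 10.1.4.77 10.1.0.25 25
2003-11-07T13:15:00 10.1.4.77 198.51.100.9 443
"""

DESKTOP_PREFIX = "10.1."   # assumed desktop address range
MAIL_RELAY = "10.1.0.25"   # assumed campus relay; mail through it is normal
IRC_PORTS = {6667}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)

def find_suspect_desktops(text, window=timedelta(minutes=5), mx_threshold=5):
    """Return {desktop_ip: [reasons]} for desktops that behave like spam bots."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if src.startswith(DESKTOP_PREFIX):
            by_src[src].append((ts, dst, port))
    findings = {}
    for src, evs in by_src.items():
        reasons = []
        # Remote-controller check-in: a desktop has no business talking IRC.
        irc = sorted({dst for _, dst, port in evs if port in IRC_PORTS})
        if irc:
            reasons.append(f"irc connection to {', '.join(irc)}")
        # Direct-to-MX spam: many distinct external SMTP targets inside one window,
        # bypassing the campus relay. Slide a window over the time-ordered events.
        mx = [(ts, dst) for ts, dst, port in evs if port == 25 and dst != MAIL_RELAY]
        for i, (start, _) in enumerate(mx):
            targets = {d for t, d in mx[i:] if t - start <= window}
            if len(targets) >= mx_threshold:
                reasons.append(f"{len(targets)} external SMTP targets within {window}")
                break
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in find_suspect_desktops(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A host flagged this way is the one to pull off the port and block in DHCP; the relay-only sender (10.1.4.77) is left alone, and a bot that relays through the campus mail server shows up instead as a volume spike on the relay's own logs.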
