Rise of exploitable CMS/weblogs, Re: Effectiveness of DNSBLs declining?
Cameron L. Spitzer
11-08-05 11:20 PM

In article <b4d143-k5j.ln1@msgid.astrum.ch> (in
news.admin.net-abuse.blocklisting), Matthias Leisi wrote:
> Hi all,
>
> I already asked the same question in german in de.admin.net-abuse.mail,
> but I would like to get a more international feedback here in nanabl:
>
> In a corporate mail environment, I notice a decline in the effectiveness
> of DNSBLs, especially Spamhaus SBL+XBL (which I use to reject), but also
> others (which I use for scoring in SpamAssassin and is thus a bit harder to
> measure).

It would be a big, expensive job to answer that question
scientifically.  My spam stream is a lot different than others
I know about, perhaps because most of my domains end in org or us.
The stream seen by corporate coms will be quite different, and the
one seen by big consumer domains different still.

Anecdotally, I'm seeing a shift.  Activity in the cable TV zombie
farms seems to have leveled off, and the growth is in servers at
colo places with minimal management.  My guess is the pharmacy
and "enlargement" spammers aren't getting the delivery rates they
used to from cable TV, because those farms have been mapped out
and widely blocked.  And the next wave is just plain server break-ins.
This corresponds with a jump in cracking attempts seen here.
DNSBLs have a hard time keeping up with the incessant break-ins at
places like Theplanet.com and Ev1servers.net.  And they can't stop
all that fraud spam pouring out of Hotmail/MSN.

Let this be a warning to Linux-Apache-MySQL-PHP ("LAMP") operators.

If you let your users "just drop in" any CMS whose Web site catches
their eye, on any popular distro's default install (i.e. everything
in one partition), you're gonna get cracked and send spam.

They don't need root.  They don't even have to smash the stack.
The most popular BBS/Blog/CMS stuff has
holes that let them create executables in /tmp or /var/tmp and run them.
They're not cracking Linux or Apache, they're exploiting Mambo
and PHP-Nuke and phpBB.

Make a separate partition, or a file system in a file you can mount
loopback, and mount it noexec.  Make sure every directory your
Web server uid can write in is noexec.  If that BBS/Blog/CMS
monster can't install its modules or gallery files any more, then
it's hopelessly broken.  Remove it before it gets you block listed.
If it uses a database, it should put everything in there.
I'm seeing a lot of spam from badly written CMSes these days.

(Mounting /tmp noexec breaks Debian's apt-get install/upgrade.
Write a wrapper to remount it during the apt-get.  Use apt-get -d
to download the upgrades ahead of time and shorten the window.
The download doesn't need exec in /tmp.)


--
Cameron

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author.  Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
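As an added example, not from Cameron's post: a POSIX shell audit that checks, against a /proc/mounts-style table, whether each web-writable directory sits on a noexec mount, plus a wrapper for the apt-get caveat he describes. The mounts table below is constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/loop0 /var/www/uploads ext3 rw,noexec 0 0
tmpfs /var/tmp tmpfs rw,nosuid 0 0'

# Print "<mountpoint> <options>" for the longest mount point containing $2.
# $1 = mounts table text (use "$(cat /proc/mounts)" on a live system).
mount_point_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > length(best)) { best = mp; opts = $4 } }
        END { print best, opts }'
}

# Succeeds (0) when the filesystem holding $2 is mounted noexec.
is_noexec() {
    set -- "$(mount_point_for "$1" "$2")"
    case ",${1#* }," in *,noexec,*) return 0 ;; esac
    return 1
}

# List the directories (from $2 onward) that are NOT on a noexec mount,
# i.e. the places a cracked CMS could drop a binary and run it.
audit_dirs() {
    mounts=$1; shift
    bad=""
    for d in "$@"; do
        is_noexec "$mounts" "$d" || bad="$bad $d"
    done
    printf '%s\n' "${bad# }"
}

# The apt-get caveat: lift noexec on /tmp only for the duration of the run,
# then restore it whether or not apt-get succeeded (root required).
apt_with_exec_tmp() {
    mount -o remount,exec /tmp || return 1
    apt-get "$@"
    rc=$?
    mount -o remount,noexec /tmp
    return $rc
}

# Usage on a live box: audit_dirs "$(cat /proc/mounts)" /tmp /var/tmp /var/www
audit_dirs "$SAMPLE_MOUNTS" /tmp /var/tmp /var/www/uploads /var/www/html
```

Pair the audit with `apt-get -d` as described above so the exec window on /tmp only covers the install step, not the download.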