How did Microsoft avoid spamming?

As I wrote below, Microsoft purposely infected a machine, turning it into a zombie.

But they assured us they’d fixed it so it didn’t ACTUALLY send out any spam.

So, how did they do that? Any guesses?

I’ve got one guess, but I’m sure there are other methods.

Let’s say they use a router. Disable NAT (to make it easier for whoever is controlling the zombies), but instruct the router to drop connections on port 25. Put a packet logger either on the same machine or on another machine hooked up so that it can log promiscuously. The packet logger then captures everything the machine tries to send.

Any other ideas?

Another idea may be to do some fancy DNS or port manipulation. Any request to port 25 gets sent to a mail server that does all the necessary handshakes but doesn’t actually send out any messages. Rigging a mail server to receive but not send messages is easy.

4 Responses to “How did Microsoft avoid spamming?”

  1. John Says:

    Transparent proxy? Lots of providers here do that now, to control spamming (limiting outbound mails to a certain number / timeframe, even if they don’t go through the “official” SMTP server). It’s easy to set up and the zombie doesn’t care if the mail really makes it all the way through anyway, it just keeps on sending.

  2. Joe Says:

    Probably not how MS did it, but SMTP Tarpits are an option:
    http://www.benzedrine.cx/relaydb.html

  3. Brian Says:

    I’m not sure they did. The article linked from Slashdot didn’t say they stopped the spam from going through.

    Personally, I’d set the firewall to just ignore all outbound traffic trying to connect to port 25. (And I’d probably use a sniffer to capture the requests.)

    Or… if they needed to make the spammer think the emails were sent, I’d forward all port 25 traffic to a machine that pretended to be a working SMTP server and just accepted the messages without forwarding them out. This could be scripted in a couple hours or less depending on how robust you wanted it.
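The “rigged mail server” idea from the post and from Brian’s comment above, as an added example (not code from the post or from any commenter): a minimal SMTP sink in Python that completes the dialogue a sending bot expects (greeting, HELO/EHLO, MAIL FROM, RCPT TO, DATA, QUIT), records every message for later analysis, and never relays anything. The hostname sink.invalid, the listening port 2525 and the assumption that the gateway redirects the zombie’s port-25 connections to it are all assumptions, not from the page.

```python
import socketserver

CAPTURED = []  # (sender, recipients, body) for every message the sink swallowed
class SmtpSink:  # per-connection SMTP state machine: accepts mail, never relays it
    GREETING = "220 sink.invalid ESMTP ready"  # hostname is an assumption
    def __init__(self, captured=None):
        self.captured = CAPTURED if captured is None else captured
        self._reset()
    def _reset(self):
        self.sender, self.rcpts, self.in_data, self.lines = None, [], False, []
    def handle_line(self, line):  # reply for one client line, or None while inside DATA
        if self.in_data:
            if line == ".":  # end of message: record it, never forward it
                self.captured.append((self.sender, list(self.rcpts), "\n".join(self.lines)))
                self._reset()
                return "250 OK queued"
            self.lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.invalid"
        if verb == "MAIL":  # MAIL FROM:<addr>
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":  # RCPT TO:<addr>
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 bye"
        return "502 command not implemented"

class Handler(socketserver.StreamRequestHandler):
    def handle(self):  # one sink per connection; all captured mail lands in CAPTURED
        sink = SmtpSink()
        self.wfile.write((sink.GREETING + "\r\n").encode())
        for raw in self.rfile:
            reply = sink.handle_line(raw.decode(errors="replace").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break

if __name__ == "__main__":  # assumed: the gateway redirects the zombie's port-25 traffic here
    socketserver.ThreadingTCPServer(("0.0.0.0", 2525), Handler).serve_forever()
```

Everything the infected machine hands over ends up in CAPTURED (or a sniffer on the same segment, as the post suggests), and nothing leaves the lab because the sink has no outbound relay at all.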

  4. Search Engines Web Says:

    Here is the latest release on their Anti Phishing Tool

    Today Microsoft announced agreements with three new data providers – Cyota Inc., Internet Identity and MarkMonitor – who will regularly supply information to us on thousands of confirmed phishing Web sites to help ensure the URL reputation service that helps power the Phishing Filter is running with the latest information on known attacks that the industry can provide. … In fact, the service is actually updated several times an hour to help ensure the protection is pushed to users as quickly as possible.

    http://blogs.msdn.com/ie/archive/2005/11/17/494040.aspx
