On Wed, Jan 22, 2003 at 09:05:19AM -0500, [EMAIL PROTECTED] wrote:

> > The source ip also varies ...
> 
>   By how much?  Are they all within the same netblock?

  Nope.  Quite a bit of variation.  All the way from 12.x.x.x to 218.x.x.x.
So far, 107 attempts from 59 unique addresses.

> 
> > ... I'm not sure how to determine if it's spoofed or not.
> 
>   You can't really spoof the source IP address of a TCP connection.  (Well,
> you can, but the TCP handshake will never complete, making it rather
> useless.)  You can hijack someone else's IP address or machine, which has
> much the same effect, as far as you're concerned.  It leaves more evidence
> at the other end, but that likely doesn't help you much.

   I followed the rest of the discussion on this and I don't think these
are being spoofed or hijacked, given that they're all over the IP space.
There *are* however a few sendmail messages that indicate the address
may be forged, though not that many (only three unique).  What does that
mean, anyhow, if it's not IP spoofing or hijacking?

>   Organizations who never (or rarely) communicate with anyone overseas often
> just block any mail exchanger with an IP address in Asia.

  Which I am considering, but it kinda goes against my grain.  Some day I
hope for a way to identify these kinds of attacks at a network level and
cause the client on the other end to explode ;-).

>   There are systems out there that use heuristics to auto-detect harvesters
> and auto-block IP addresses or netblocks.  Sounds like overkill for your
> situation.

  Well, if it detonates the spammer's desktop, then it sounds perfect!

>   If you suspect you might want to communicate with anyone you blacklist,
> you could setup an auto-responder opt-in whitelist robot (just use caution
> with combining such with mailing list subscriptions and other robots --
> mail loops and PO'd postmasters can result).

  Aw, but that requires...work.  I love solving problems, and even doing
a little computer forensics, but I absolutely hate expending so much effort
for so little gain, as just when you implement one defense, the spammers
get around it with another.  The lawyer who spoke at the spam conference
is right: make no mistake about it, the spammers are engaged in organized
crime.

> > (And from a legal or ethical perspective, would it be better to just
> > remove the mx record altogether?)
> 
>   That is what I would do.
> 
>   However, be aware that if a domain does not have an MX record, but does
> have an A record, the RFCs say that a mail exchanger should try to connect
> to the IP address of the A record.

  Which is why I figured setting it to 127.0.0.1 would work better.  For now,
at least.  But I don't have an A record for the actual domain, only two hosts
within it.

>   All you can do to prosecute an attacker is to track the netblocks using
> WHOIS and attempt to contact the operator of the systems/networks from which
> the attacks originate.

  Thanks for the input.  I'll keep this list updated if I do happen to nab
the intruder.

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
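The two questions the thread keeps circling (are the sources clustered in one netblock, and is this a dictionary/harvest run rather than legitimate traffic) can be answered from the sendmail log itself. The following is an added example, not code from the thread or from sendmail; the log lines are constructed in the style of sendmail 8.12 `check_rcpt` rejections and are not the poster's real logs. The script pulls the connecting address out of the `relay=` field, notes the `(may be forged)` tag (sendmail appends it when the PTR name of the connecting address does not resolve back to that address, so it is a reverse-DNS mismatch, not evidence of TCP spoofing), groups sources by /16, and flags a source whose rejected recipients arrive in alphabetical order, which is the signature of a harvester walking a name list.

```python
"""Summarise rejected RCPT attempts from a sendmail log by source and netblock.

Added example for the thread above; not the poster's code or sendmail's.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network
from typing import NamedTuple

# Constructed sample lines (sendmail 8.12 check_rcpt style; not real logs).
# relay= carries the connecting address; "(may be forged)" means the PTR name
# did not resolve back to the address.  The last line is a normal delivery
# and must be ignored by the parser.
SAMPLE_LOG = """\
Jan 22 08:11:02 mx sendmail[2101]: h0MDB2x02101: ruleset=check_rcpt, arg1=<aaron@example.net>, relay=[12.34.56.78], reject=550 5.1.1 <aaron@example.net>... User unknown
Jan 22 08:11:03 mx sendmail[2101]: h0MDB2x02101: ruleset=check_rcpt, arg1=<abby@example.net>, relay=[12.34.56.78], reject=550 5.1.1 <abby@example.net>... User unknown
Jan 22 08:11:04 mx sendmail[2101]: h0MDB2x02101: ruleset=check_rcpt, arg1=<adam@example.net>, relay=[12.34.56.78], reject=550 5.1.1 <adam@example.net>... User unknown
Jan 22 08:20:11 mx sendmail[2130]: h0MDKBx02130: ruleset=check_rcpt, arg1=<alan@example.net>, relay=dsl-1-2-3.example [218.1.2.3] (may be forged), reject=550 5.1.1 <alan@example.net>... User unknown
Jan 22 08:20:12 mx sendmail[2130]: h0MDKBx02130: ruleset=check_rcpt, arg1=<alex@example.net>, relay=dsl-1-2-3.example [218.1.2.3] (may be forged), reject=550 5.1.1 <alex@example.net>... User unknown
Jan 22 08:31:55 mx sendmail[2144]: h0MDVtx02144: ruleset=check_rcpt, arg1=<amy@example.net>, relay=[218.1.9.40], reject=550 5.1.1 <amy@example.net>... User unknown
Jan 22 08:40:07 mx sendmail[2150]: h0MDe7x02150: ruleset=check_rcpt, arg1=<paul@example.net>, relay=mail.partner.example [66.77.88.99], reject=550 5.7.1 <paul@example.net>... Relaying denied
Jan 22 08:41:30 mx sendmail[2151]: h0MDfUx02151: from=<bob@example.net>, size=1420, class=0, nrcpts=1, msgid=<x@partner.example>, proto=ESMTP, daemon=MTA, relay=mail.partner.example [66.77.88.99]
"""


class Reject(NamedTuple):
    ip: str
    forged: bool      # "(may be forged)" present: reverse DNS mismatch
    rcpt: str
    reason: str       # text after "..." in the reject= field


LINE_RE = re.compile(
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, "
    r"relay=(?:\S+ )?\[(?P<ip>\d+(?:\.\d+){3})\](?P<forged> \(may be forged\))?, "
    r"reject=\d{3} \S+ <[^>]*>\.\.\. (?P<reason>.*)$"
)


def parse_rejects(log_text):
    """Return one Reject per check_rcpt rejection line; other lines are skipped."""
    rejects = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rejects.append(Reject(m["ip"], bool(m["forged"]), m["rcpt"], m["reason"]))
    return rejects


def summarize(rejects, prefix=16):
    """Per-source counts, netblock clustering and a dictionary-attack hint."""
    per_ip = defaultdict(list)
    for r in rejects:
        per_ip[r.ip].append(r)

    # Group sources by /prefix to answer "are they all in the same netblock?"
    blocks = Counter(str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in per_ip)
    first_octets = sorted({int(ip.split(".")[0]) for ip in per_ip})

    sources = {}
    for ip, rs in per_ip.items():
        local_parts = [r.rcpt.split("@")[0] for r in rs]
        sources[ip] = {
            "attempts": len(rs),
            "forged_rdns": any(r.forged for r in rs),
            "unknown_users": sum(r.reason == "User unknown" for r in rs),
            # A harvester walking a name list hits recipients in sorted order;
            # require at least three so two hits do not trip the flag by chance.
            "alphabetical_walk": len(local_parts) >= 3 and local_parts == sorted(local_parts),
        }

    return {
        "attempts": len(rejects),
        "unique_sources": len(per_ip),
        "single_netblock": len(blocks) == 1,
        "netblocks": dict(blocks),
        "first_octet_range": (first_octets[0], first_octets[-1]) if first_octets else None,
        "sources": sources,
    }


if __name__ == "__main__":
    report = summarize(parse_rejects(SAMPLE_LOG))
    print(f"{report['attempts']} attempts from {report['unique_sources']} unique addresses, "
          f"first octets {report['first_octet_range']}, single /16: {report['single_netblock']}")
    for net, n in sorted(report["netblocks"].items()):
        print(f"  {net}: {n} source(s)")
    for ip, info in report["sources"].items():
        print(f"  {ip}: {info}")
```

Run it against a real maillog with `summarize(parse_rejects(open('/var/log/maillog').read()))`; the regex assumes the 8.12-style `ruleset=check_rcpt ... reject=` layout, so adjust it for other sendmail versions or for a milter that logs differently. A source that is "forged_rdns" is just one whose operator has inconsistent DNS; a source with "alphabetical_walk" and many "unknown_users" is the one worth the WHOIS lookup.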
