Re: Tarpit SPAM trap

2000-03-02 Thread Chris Wagner
At 11:08 AM 3/2/00 +0200, I. Forbes wrote:
>To give you an idea of the scope of the problem we have received 
>about eleven thousand bounces with the same forged address over 
>the last month.  All of the Spam was launched from AOL, and relayed 
>using a whole list of open relays - many in Eastern Europe and the 
>Far East.

That is egregious enough that I think you should file criminal charges.  I
think you need to get in touch with the FBI.  They have a computer crimes
task force now.  You don't have to be in the US to do this.  They are far
more attuned to the problem now after the recent spate of DOS attacks on US
websites.

The idea that there's nothing AOL can do to stop this doesn't hold water.  A
simple block of port 25 on the AOL network I think would wipe out 99% of the
SPAM coming through their network.  That would mean that all AOL customers
would be forced to send their mail through AOL's MX's where it could
effectively be monitored for SPAM.

>All of those bounce messages come from open relays, while they 
>are actively sending spam.  If I could run an effective DOS on them, 
>then the spammer who is sending the spam would find his 
>productivity gets hit quite hard.  Maybe he will notice and then 

It would be more effective to DOS the originating IP.  If the ip is still
up, it's easy to crash a dial up connection.  Some of my favorites are
netcat, Ping of Death, Octopus.  I'm sure you can find a ton more.

Another cute one is a reverse SPAM DOS attack.  Send out a few thousand bad
emails (using bulkmail or something) using the spammer's ip for the return
address.  Oh the irony... :)

>Has anybody tried this before?  What resources do I have to have 
>available on my end to sink the other server without sinking my own?

You can set up a new machine on your network to act as a "suicide attacker".
A kamikaze box.  Its sole purpose would be to max out the sockets on the
offending ip.  This will of course also max out the kamikaze box.  That's
why you don't want to do it with one of your production machines.  If one
box isn't enough, set up more kamikazes.  Any hunk of junk 486 should do the
trick.  If the offender is a Win box, opening a ton of sockets should sink
it.  If a unix box, then recursively open connections on every port.  The
offender will soon have 150 Apaches running, a few thousand telnets,
SMTPs, ftps, etc., depending on what it's running.

+---+
|-=I T ' S  P R I N C I P L E  T H A T  C O U N T S=-   |
|=-  -=ALAN KEYES FOR PRESIDENT=- -=|
| Balanced Budgets Personal Freedoms Morality Lower Tax |
|=--  http://www.Keyes2000.com.  --=|
+---+



Re: Mudslicking to counter SPAM (was TARPIT)

2000-03-02 Thread Chris Wagner
At 01:44 PM 3/2/00 +0100, Michael Koehne wrote:
>  The most drastic method is "mudslicking" providers of foreign countries.
>  IMHO mudslicking is the most effective method to counter SPAM.

This is something you do NOT want to be on the wrong side of.  IMHO spam is not
a serious enough offense to warrant it.  When people get the idea that they
can control ISPs by starting a smear campaign with their other customers
there will be a *lot* of bloodshed on both sides.  I have been the victim of
such a campaign.  One of my customers had a website that was anti-abortion;
needless to say it was controversial.  When cries to me to take down the
website didn't work, they turned to *my* upstream provider and started
contacting *their* customers.  End result was that they threatened to pull
my T1 unless I canned the customer.  This is ***NOT*** something that we
want the Internet community getting accustomed to.





intrusion detection

2000-03-02 Thread Allen Ahoffman
Which particular hack regularly creates a user called r and another called
re on a system?
Where can I get the scripts, and I'll figure out what's needed to make them
stop.
thanks.



Re: europeonline...

2000-03-02 Thread Cherubini Enrico
Ciao,
On Thu, Mar 02, 2000 at 03:39:52PM -0600, Andrius Kasparavicius wrote:

> www.europeonline.com for 15$ per month gives 0,5MBPS via satellite. I
> think 15$ is really low cost for the 0.5 online. Maybe there is someone here
> who tried this provider. Please give your opinion about this service.
well... we subscribed to it as an ISP, but... it seems that they do not allow any
connection other than to port 8080.. what does it mean? It means that you
cannot direct your squid to ask it for pages, because it cannot check the
availability of the proxy using pinger or ICP. Of course you can use the
never_direct option, but sometimes it happens that their proxy goes down,
and yours with it.
Maybe I wasn't able to configure my proxy well, but I tried for many years, and
a friend of mine phoned europeonline directly and they confirmed that
only port 8080 is open.

We could ask them to open their port for ICP.. this would be a great
thing...

-- 

Bye
++ Maybe you are searching for freedom
| Enrico |Maybe you can't find it anywhere
++  I found it in linux...
--
The ultimate result is that some innovations that would truly benefit
consumers never occur for the sole reason that they do not coincide with
Microsoft's self-interest.
-- Judge Thomas Penfield Jackson, U.S. District Judge



Re: europeonline...

2000-03-02 Thread Andrius Kasparavicius
>   So you need a policy based router/firewall to deceide, wether one of
>   your packets should have an IP number for your leased line, or an IP
>   number from the Europeonline pool.

 I think there is a small problem in that Europeonline gives a PRIVATE IP, and I
can't configure it only via the router. I need my proxy to use the europeonline
proxy when I need fast speed. Usually this is done via link cost. 

 Are there difficulties with this satellite card under Linux? Where can I get
drivers for linux, or other software for this card?


  Kasparavicius Andrius
 +370 88 53909




Re: europeonline...

2000-03-02 Thread Michael Koehne
Moin Andrius Kasparavicius,

> www.europeonline.com for 15$ per month gives 0,5MBPS via satellite. I
> think 15$ is really low cost for the 0.5 online. Maybe there is someone here
> who tried this provider. Please give your opinion about this service.

  We have sold it, and well, $15 for private customers is low cost, but
  you should ask to bundle a normal 0800 flatrate tariff for the uplink
  provider.

  The service only offers fast download. Upload has to be done by a normal
  dialup or leased line. So as long as you don't have a connection with a
  flatrate tariff or a leased line, you'll have to pay additional online cost.

  Also, because of the satellite technology, the ping turnaround is quite slow.
  So Europeonline is useless if ssh or online action shooters are among
  your most important services. HTTP and FTP are quite fast in download,
  and ok in connect time.

  So you need a policy based router/firewall to decide whether one of
  your packets should have an IP number from your leased line, or an IP
  number from the Europeonline pool.

  IMHO Europeonline is great if you have a 64k leased line that is accounted
  by traffic, and if you want to drop your monthly invoice claiming gigabytes
  of traffic. You would send any HTTP/FTP request packets with an IP
  number from the Europeonline pool, and any other with an IP number of
  your leased line. This will cause your ISP invoice to count fewer bytes,
  as the ACK upload is the only traffic.

  Europeonline is also great for ISPs who offer Europeonline together
  with a 0800 flatrate bundle. They could connect many customers with
  a service comparable to a leased line without having to reserve bandwidth
  for them, as the Europeonline customers are only doing uplink traffic,
  and uplink bandwidth is seldom a problem for an ISP.

  IMHO Europeonline is useless if you have a dialup line (you still have
  to pay for it while you are online) and if services like ssh, quake, doom, ...
  are your most important use of the Internet.

Bye Michael
-- 
  mailto:[EMAIL PROTECTED] UNA:+.? 'CED+2+:::Linux:2.2:14'UNZ+1'
  http://www.xml-edifact.org/   CETERUM CENSEO MSDOS ESSE DELENDAM



europeonline...

2000-03-02 Thread Andrius Kasparavicius

 hello again,

www.europeonline.com for 15$ per month gives 0,5MBPS via satellite. I
think 15$ is really low cost for the 0.5 online. Maybe there is someone here
who tried this provider. Please give your opinion about this service.







Re: How make that proxy use proxy?

2000-03-02 Thread Dariush Pietrzak
> #                                proxy  icp
> #   hostname         type        port   port   options
> #   ---------------- ----------- ------ ------ -----------
> #   cache_peer parent.foo.net   parent  3128   3130   [proxy-only]
Nice.
My problem is: how can I make my squid use only the parent,
with no direct connections?
I thought I had configured it to do so, but using calamaris showed
that almost 70% of traffic goes via direct connections (parent-miss).
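A squid.conf fragment that does what Dariush asks (parent only, no direct connections) and that also copes with a parent like Europeonline's, which answers only on its HTTP port and not on ICP, as Enrico's europeonline post above describes. This is an added example written for this page, not configuration from the thread or from the Squid project; parent.example.net and port 8080 are assumed placeholders.

```squid
# Added example (not from the thread). Hostname and port are placeholders.

# 'all' is predefined in Squid 3.2 and later; older releases need this line.
acl all src 0.0.0.0/0.0.0.0

# One parent cache. ICP port 0 plus 'no-query' turns off the UDP ICP probes,
# which a parent that only opens TCP 8080 can never answer (without this,
# Squid keeps treating the parent as dead). 'default' makes it the parent
# of last resort, including for requests Squid treats as non-hierarchical
# (the hierarchy_stoplist entries such as cgi-bin and '?'), so those do not
# quietly go direct either.
cache_peer parent.example.net parent 8080 0 no-query default

# Never contact origin servers directly: every request must use a parent.
never_direct allow all
```

The caveat is the one Enrico ran into: with `never_direct allow all` there is no fallback, so when the only parent is unreachable Squid hands the client an error page instead of fetching the object itself. A second `cache_peer ... parent` line gives Squid somewhere else to go, and if only some destinations must use the parent, tie `never_direct` to a narrower ACL than `all` so that the rest may still be fetched directly.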



Re: Mudslicking to counter SPAM (was TARPIT)

2000-03-02 Thread Nigel Metheringham

[EMAIL PROTECTED] said:
>   Relays are !NOT! innocent, they are so bad administrated, that they
>   relay SPAM. Those sites deserve to become reinstalled. 

They need to be sorted.  DOSing them is probably not a reasonable 
answer, although we may disagree on this.  Continuing that specific 
point is likely to be a religious war so I will respond no more on it.

Additionally some of the bounces will be coming from end systems not 
involved in the relaying and completely innocent other than being 
targeted as spam recipients.  The numbers argument below applies to 
them in orders of magnitude.

The *specific* example that was presented was one system that holds the 
domain which is being used as the (forged) sender address for spam runs 
through multiple relays.

There are multiple relays sending out spam.  There is one of your 
machines.  Your box is receiving bounces for non-existent spam recipient 
addresses from those relays.   Attempting teergrubing is going to mean 
that each of those relay boxes has a bunch of connections open to your 
box.  Now tell me who dies first in this scenario.  Even if you manage 
to take out one of the relays (and these are of course a set of moving 
targets), they will be back at you in far too short a time.

You will do better to just RBL those hosts out completely - however 
whether you can do this is a political issue on what level of anti-spam 
regime you can take.

Your mudslicking approach is an example of a social/legal/political 
answer to the problem - which you may recall is exactly what I 
suggested needed to be done in my original message.

I would be very wary about transgressing libel laws in these cases - 
many ISPs have more lawyers than clues.

Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham  [EMAIL PROTECTED] ]
[ Phone: +44 1423 85 Fax +44 1423 858866 ]




Re: Mudslicking to counter SPAM (was TARPIT)

2000-03-02 Thread Michael Koehne
Moin Nigel Metheringham,

> The Teergrube solution is *not* in any way a solution to your problem - 
> don't even consider it.  Remember that the machines sending you these 
> bounces and complaints are probably innocently of any proper 
> involvement in this spam run.  There are also likely to be thousands of 
> them, so when you say...

  Relays are !NOT! innocent, they are so badly administered that they
  relay SPAM. Those sites deserve to be reinstalled.

> > This will cause the spaming host to go down, as any operating
> >   system has a limit on open sockets. 
> 
> the system it will take down is *your* system.

  no, because the tarpit has a limit on its open connections, and the
  bandwidth used is minimal. Currently there are too few tarpits to cause
  any system to go down. But the main thing about a tarpit is that it effectively
  stops SPAMs from online accounts. As the tarpit holds the SMTP connection
  open, you can eMail the SPAM provider the exact IP number/port combination,
  and be sure that this IP still exists.

> Also DOSing the relays is likely to bring you into problems of legality.

  Well, it's effectively impossible to sue some American from Germany
  and vice versa. So problems of legality are not my concern.

  The most drastic method is "mudslicking" providers of foreign countries.

  I've done that with a medium size US provider. One of his customers
  (Lifepicture.Com) sent SPAM. I've eMailed this provider to disconnect
  his customer, but the provider didn't react. As the customer who sent
  the SPAM also had a virtual website, I started a mudslicking campaign.

  I've grepped DNS and RIPE information to gather serious customers of
  the provider and the address of a local newspaper in Atlanta to
  start the mudslicking campaign. Meaning I informed his customers and the
  newspaper that the provider is not only hosting dirty pictures, but
  also supporting SPAM to advertise these pictures. Pressure from his
  customers, and an article in the newspaper, caused the provider to
  react. They now have an abuse@ which is carefully read, and they react
  quickly when they encounter SPAM and dirty pictures.

  Of course this provider threatened to sue me, as they had lost a dozen
  customers during this mudslicking campaign. They had to realise
  that it doesn't make any sense to sue some German. Especially as I
  would never enter the US because of "Project Equaliser".

  IMHO mudslicking is the most effective method to counter SPAM.

  Providers with badly administered relays will lose customers, and
  this will cause them to start to think about SPAM, in fear of
  subsequent mudslicking campaigns.

  The bad thing to tell about mudslicking is that it's very time intensive,
  so perhaps "just ignore the SPAM" is still the most convenient method.

Bye Michael



RE: [Exim] Tarpit SPAM trap

2000-03-02 Thread Philipp Gaschütz
> We send copies of this spam  to [EMAIL PROTECTED] on a daily basis.
> The only response I have ever had from AOL is from an
> autoresponder.

hmm...
From my experience AOL has always been quite cooperative in such cases,
though we always called them directly when there was a major spam
problem...


-philipp



Re: Tarpit SPAM trap

2000-03-02 Thread Smoerk
On Thu, 2 Mar 2000 11:08:20 +0200, I. Forbes wrote:

>Hello All
>
>A professional spammer is using a forged "From:" header line 
>which quotes a non-existent address at one of our domains.  Every 
>spam he sends to a bad address gets bounced to us.  We are 
>running qmail, which by default, accepts these bounces then 
>handles them as "double bounces".
[...]
>The problem is an irritation to me and obviously to all of the people 
>who are getting the spam.  My plan is to convert the qmail to exim 
>(this is part of a larger project, which is why I have not done anything 
>yet) then let exim refuse the bounce messages with a 500 error 
>before they are accepted.

There should be a patch for qmail, which does this (IIRC).



Re: [Exim] Tarpit SPAM trap

2000-03-02 Thread Nigel Metheringham
[I am somewhat concerned about the size of the cc list - in that it 
covers several lists - but for now have let it stand since this is more 
than just an exim issue]


[EMAIL PROTECTED] said:
> We send copies of this spam  to [EMAIL PROTECTED] on a daily basis.  The
> only response I have ever had from AOL is from an  autoresponder.
> Sometimes we send copies to the relay machine  admins, usually
> "abuse@" bounces and sometimes  "postmaster@" bounces
> too.  I have never had a response  from any of them. 

This is culpable idiocy.  Just because AOL are big does not mean they 
can trample on everyone else in the world.  However I guess the problem 
of launching legal action against a US entity from ZA would make legal 
a difficult option.   Are these messages coming direct from AOL modem 
space, or through their mail systems - if the latter I would think 
there is sufficient evidence to get their mail systems on the 
Vixie RBL which tends to make even giants think twice.

There needs to be social/legal action taken here since it is not a 
technical problem.


However technical workarounds are:-

  - refuse at SMTP level all messages to the forged spam sender address
    this can be done within a vanilla exim, or I guess you would need to
    hack qmail's receiver [I don't really know qmail well enough to 
    comment]

However you will still get piles of messages to abuse@/postmaster@ that 
domain from the slightly more clued - and there isn't a good way of 
handling that other than maybe an autoreply (make sure it works right 
or you will live to regret it).

The Teergrube solution is *not* in any way a solution to your problem - 
don't even consider it.  Remember that the machines sending you these 
bounces and complaints are probably innocent of any proper 
involvement in this spam run.  There are also likely to be thousands of 
them, so when you say...

> This will cause the spamming host to go down, as any operating
>   system has a limit on open sockets. 

the system it will take down is *your* system.

Also DOSing the relays is likely to bring you into problems of legality.

Remember if you have another machine (or even just an IP) on your 
external internet AS then you could put up exim on that box as an 
emergency measure and point the domain being hit at that system - at 
least then you can refuse a pile of the stuff quicker than you can 
reconfigure your complete mail system.  This specialist handler would 
reject the crud and pass the rest on to your standard MTA config.

Nigel.
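The "refuse at SMTP level" workaround and the "specialist handler in front of your real MTA" idea from Nigel's message above, and the rejection Ian asks for in the original post, as one added example written for this page. It is not configuration from the thread or from the Exim project, and it uses Exim 4 ACL syntax, which the Exim 3 of 2000 did not have. example.org stands for the abused domain, forged-user for the non-existent forged local part, and real-mta.example.org for the production mail host; all three are assumed placeholders.

```exim
# Added example (not from the thread; Exim 4 syntax). All names are placeholders.

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Refuse the forged address at RCPT time. A 5xx reply here means the
  # relay never gets to send DATA, so the bounce body is never accepted
  # and never becomes a qmail-style "double bounce" on our side.
  deny
    message     = No such user here
    domains     = example.org
    local_parts = forged-user

  # Narrower alternative: refuse only bounces (empty envelope sender)
  # to the forged address and still take ordinary mail for it.
  # deny
  #   message     = No such user here
  #   senders     = :
  #   domains     = example.org
  #   local_parts = forged-user

  # Accept the rest of our own domain only. Anything else is denied, so
  # this front host does not itself become one of the open relays the
  # thread is complaining about.
  accept
    domains = example.org

  deny
    message = relay not permitted

begin routers

# Everything that survived the ACL is handed to the real MTA, which keeps
# its existing configuration untouched while this box absorbs the flood.
pass_to_real_mta:
  driver     = manualroute
  domains    = example.org
  transport  = remote_smtp
  route_list = example.org  real-mta.example.org

begin transports

remote_smtp:
  driver = smtp
```

Pointing the abused domain's MX record at this host is what makes the design work: the rejection happens on a machine that can be reconfigured in minutes, and the production MTA only ever sees mail that passed the ACL. Exim's reject log records each refused RCPT with the connecting IP, which is the same evidence the thread wants for abuse reports, obtained without holding any connection open.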




Tarpit SPAM trap

2000-03-02 Thread I. Forbes
Hello All

A professional spammer is using a forged "From:" header line 
which quotes a non-existent address at one of our domains.  Every 
spam he sends to a bad address gets bounced to us.  We are 
running qmail, which by default, accepts these bounces then 
handles them as "double bounces".

To give you an idea of the scope of the problem we have received 
about eleven thousand bounces with the same forged address over 
the last month.  All of the Spam was launched from AOL, and relayed 
using a whole list of open relays - many in Eastern Europe and the 
Far East.

We send copies of this spam  to [EMAIL PROTECTED] on a daily basis. 
The only response I have ever had from AOL is from an 
autoresponder.   Sometimes we send copies to the relay machine 
admins, usually "abuse@" bounces and sometimes 
"postmaster@" bounces too.  I have never had a response 
from any of them.

The problem is an irritation to me and obviously to all of the people 
who are getting the spam.  My plan is to convert the qmail to exim 
(this is part of a larger project, which is why I have not done anything 
yet) then let exim refuse the bounce messages with a 500 error 
before they are accepted.

Then this was posted on debian-isp@lists.debian.org

On 1 Mar 00, at 20:38, Michael Koehne wrote:

>   Last (if you're really desperate) install a "Teergrube". The so called
>   tar pit is abusing the dash ("-") feature SMTP uses to keep alive, to
>   hold an IP connection open for ever, if it comes from a host on the
>   rbl list. This will cause the spamming host to go down, as any operating
>   system has a limit on open sockets.
> 
>   Try to surf around with the keywords "Teergrube" or "Tarpit" and "SMTP"
>   to get some patches for sendmail.

Ouch!  This sounds pretty drastic and it is not normally my style.  
However it may be appropriate in this case.

All of those bounce messages come from open relays, while they 
are actively sending spam.  If I could run an effective DOS on them, 
then the spammer who is sending the spam would find his 
productivity gets hit quite hard.  Maybe he will notice and then 
choose to forge somebody else's address... which will make my 
problem go away.  The DOS should only be invoked on servers 
sending bounce messages to the non existant address.

Does anybody know of "Teergrube" patches for qmail or exim?  
Has anybody tried this before?  What resources do I have to have 
available on my end to sink the other server without sinking my own?

Can anybody help?  I got another 35 bounces in the time it took to 
write this!

Thanks

Ian


-
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388  Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
-



Re: BIND and .nu

2000-03-02 Thread Tomas Fasth
From: Nathan Ridge <[EMAIL PROTECTED]>


> when trying to set up a name record for a .nu domain, I am getting
> this error:

You most certainly have a syntax error in your named.conf. What does
the entry for your domain look like?
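The shape of the named.conf entry Tomas is asking about, as an added example written for this page (not configuration from the thread or from the BIND project). The zone name wmtc.nu is the one in Nathan's log; the file name db.wmtc.nu is an assumed placeholder.

```bind
// Added example (not from the thread): a complete zone statement as BIND 8
// and BIND 9 expect it. The file name is an assumed placeholder.
//
// The logged line "no type specified for zone 'wmtc.nu'" is named's way of
// saying that the 'type' line below was missing; without it the zone does
// not validate and is skipped. The .nu TLD plays no part in the error.
zone "wmtc.nu" {
    type master;          // this server is authoritative for the zone
    file "db.wmtc.nu";    // zone data, relative to the options 'directory'
};
```

With BIND 9 the two checkers `named-checkconf` (for named.conf) and `named-checkzone wmtc.nu db.wmtc.nu` (for the zone file) report this kind of mistake before the server is reloaded; BIND 8 has no such tools, so there the only check is reloading and reading syslog as Nathan did.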






BIND and .nu

2000-03-02 Thread Nathan Ridge
when trying to set up a name record for a .nu domain, I am getting this
error:

Mar  2 12:30:06 webserver named[19164]: no type specified for zone 'wmtc.nu'
Mar  2 12:30:06 webserver named[19164]: zone 'wmtc.nu' did not validate, skipping

I'm assuming that it does not recognize the .nu domain. Any help
appreciated.

Thanks 
Ridgey