Re: OT: More Spam
On 22 Jan 2003, at 1:26am, [EMAIL PROTECTED] wrote:
> Some, I haven't even told anyone about, so there's no way anyone can know
> that I can (or expect to) receive email at them.

They have an MX record, which is all the spam robots need.

> The source ip also varies ...

By how much? Are they all within the same netblock?

> ... I'm not sure how to determine if it's spoofed or not.

You can't really spoof the source IP address of a TCP connection. (Well, you can, but the TCP handshake will never complete, making it rather useless.) You can hijack someone else's IP address or machine, which has much the same effect, as far as you're concerned. It leaves more evidence at the other end, but that likely doesn't help you much.

> It's highly likely that the domain name is spoofed.

Almost certainly.

> Looks like I found an email address harvester. What I'm wondering, now, is
> how do you defend against this crap?

It depends. Organizations who never (or rarely) communicate with anyone overseas often just block any mail exchanger with an IP address in Asia.

There are systems out there that use heuristics to auto-detect harvesters and auto-block IP addresses or netblocks. Sounds like overkill for your situation.

If you suspect you might want to communicate with anyone you blacklist, you could set up an auto-responder opt-in whitelist robot (just use caution with combining such with mailing list subscriptions and other robots -- mail loops and PO'd postmasters can result).

> (And from a legal or ethical perspective, would it be better to just remove
> the mx record altogether?)

That is what I would do. However, be aware that if a domain does not have an MX record, but does have an A record, the RFCs say that a mail exchanger should try to connect to the IP address of the A record.

> Anyhow, I'm hoping someone on this list can offer some help in tracking this
> low-life down.

All you can do to prosecute an attacker is to track the netblocks using WHOIS and attempt to contact the operator of the systems/networks from which the attacks originate.

> Anybody out there have experience tracking spammers?

news:net.admin.net-abuse.email (NANAE)
http://www.nanae.org
http://www.spamfaq.net
http://www.abuse.net (Network Abuse Clearinghouse)
http://www.cauce.org (The Coalition Against Unsolicited Commercial Email)
http://www.spamcop.net
http://www.spamhaus.org

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: OT: More Spam
On Wed, Jan 22, 2003 at 09:05:19AM -0500, [EMAIL PROTECTED] wrote:
> You can't really spoof the source IP address of a TCP connection. (Well,
> you can, but the TCP handshake will never complete, making it rather
> useless.)

Sure you can, if you can guess the initial sequence number for the TCP connection. That's why there's that one site with all those plots illustrating how predictable the sequence number is (somebody else probably has the URL more readily available than I).

-- 
Bob Bell [EMAIL PROTECTED]
- We have to make a management decision.
  -- Jerry Mason, Morton Thiokol Inc., before launching the Challenger
Re: OT: More Spam
On Wed, 22 Jan 2003, at 9:15am, [EMAIL PROTECTED] wrote:
>> You can't really spoof the source IP address of a TCP connection. (Well,
>> you can, but the TCP handshake will never complete, making it rather
>> useless.)
>
> Sure you can, if you can guess the initial sequence number for the TCP
> connection.

Oh, yes, right. I keep assuming that broken software gets fixed. You'd think I'd learn. :-(

-- 
Ben Scott [EMAIL PROTECTED]
Re: OT: More Spam
[EMAIL PROTECTED] writes:
> You can't really spoof the source IP address of a TCP connection. (Well,
> you can, but the TCP handshake will never complete, making it rather
> useless.)

Well, I wouldn't call this useless, since you can accomplish certain (nefarious) tasks this way.

--kevin
-- 
Kevin D. Clark / Cetacean Networks / Portsmouth, N.H. (USA)
cetaceannetworks.com!kclark (GnuPG ID: B280F24E)
alumni.unh.edu!kdc
Re: OT: More Spam
If this happens much longer, I'm going to have to get out the baseball bat.

Prediction: before January 2005 somebody will lose their life as a direct consequence of their involvement with SPAM.
Re: OT: More Spam
Bob Bell [EMAIL PROTECTED] writes:
> (somebody else probably has the URL more readily available than I).

http://razor.bindview.com/publish/papers/tcpseq.html
http://lcamtuf.coredump.cx/newtcp/

Regards,

--kevin
-- 
Kevin D. Clark / Cetacean Networks / Portsmouth, N.H. (USA)
cetaceannetworks.com!kclark (GnuPG ID: B280F24E)
alumni.unh.edu!kdc
Re: OT: More Spam
On Wed, 22 Jan 2003, at 10:12am, [EMAIL PROTECTED] wrote:
>> They have an MX record, which is all the spam robots need.
>
> Pardon my butting in, but what is an MX record?

MX = Mail Exchanger. An MX record is a record in the DNS that designates the mail exchanger for a given domain name. Other mail exchangers then use the designated mail exchanger to send mail to the domain.

-- 
Ben Scott [EMAIL PROTECTED]
Re: OT: More Spam
On Wed, 2003-01-22 at 10:12, Erik Price wrote:
> [EMAIL PROTECTED] wrote:
>> On 22 Jan 2003, at 1:26am, [EMAIL PROTECTED] wrote:
>>> Some, I haven't even told anyone about, so there's no way anyone can
>>> know that I can (or expect to) receive email at them.
>>
>> They have an MX record, which is all the spam robots need.
>
> Pardon my butting in, but what is an MX record?

MX = Mail Exchange. It is an entry in a domain's DNS that tells servers where to send mail for that domain.

C-Ya,
Kenny

-- 
Tact is just *not* saying true stuff -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB254DD0
Re: OT: More Spam
On Wed, 22 Jan 2003, at 10:26am, [EMAIL PROTECTED] wrote:
> However it is still possible to spoof the source, IF the attacker has
> control of some machine (i.e. a router) which lives in the path ...

Well, this has turned into a semantic distinction. I generally consider spoofing to be a passive attack, i.e., one that does not require intercepting or redirecting anything. Anything that requires that sort of active attack I consider hijacking. After all, if you've taken over a router, and told that router to route packets for a given address to you instead, you've effectively *become* that address.

-- 
Ben Scott [EMAIL PROTECTED]
Re: OT: More Spam
Derek Martin [EMAIL PROTECTED] writes:
> However it is still possible to spoof the source, IF the attacker has
> control of some machine (i.e. a router) which lives in the path the target
> host would use to send packets to the host which actually has the IP being
> used for spoofing (man, I hope that made sense). The attacker can listen
> for the replies to his packets on such a host, and generate the correct
> packets in response. [This would likely need to be automated to be fast
> enough to be of any use -- the router would essentially NAT the packets to
> the spoofing host.]

Actually, you don't even need to take over a router. You don't even need to listen for replies either, assuming you sufficiently grok the target's TCP stack.

Obviously, this attack is extremely difficult, making it extraordinarily unlikely that anyone will successfully launch it against you. But it /is/ possible... And indeed, this attack has been successfully used in the Real World.

--kevin
-- 
It's colder than a ticket taker's smile at the Ivar theater on a Saturday night.
  -- Tom Waits
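The thread's point (Bob's and Kevin's messages) is that blind spoofing only works when a stack's initial sequence numbers are predictable, so the defensive question is whether your own hosts' ISNs look predictable. The following is an added audit routine, not code from the thread or from the papers Kevin linked: it takes ISNs captured from successive connections to one host and classifies the generator, in the spirit of the plots Bob mentions. The three input sequences and the thresholds are constructed assumptions for illustration.

```python
import statistics

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns, low_entropy_spread=1 << 16):
    """Crude predictability class for ISNs captured from successive connections.

    'constant'       every delta is identical, so the next ISN follows exactly
    'low-entropy'    deltas cluster in a narrow band (a per-connection or
                     per-tick counter), so the next ISN lands in a small window
    'random-looking' deltas spread across the 32-bit space
    The spread threshold is an assumption for illustration, not a standard.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs")
    if len(set(deltas)) == 1:
        return "constant"
    if statistics.pstdev(deltas) < low_entropy_spread:
        return "low-entropy"
    return "random-looking"


# Constructed samples (not real captures).
FIXED_STEP = [64000 * i for i in range(1, 7)]          # fixed increment per connection
COUNTER_ISH = [1000, 65000, 129010, 192990, 257020]     # increment with slight jitter
RANDOM_ISH = [0x1A2B3C4D, 0x9F8E7D6C, 0x00112233, 0xDEADBEEF, 0x55AA55AA]


def audit_all():
    """Return the classification for each constructed sample."""
    samples = [("fixed-step", FIXED_STEP), ("counter-ish", COUNTER_ISH),
               ("random-ish", RANDOM_ISH)]
    return {name: classify_isn(seq) for name, seq in samples}


if __name__ == "__main__":
    for name, label in audit_all().items():
        print(f"{name}: {label}")
```

Only the first two classes are a finding; a "random-looking" result over a handful of samples is not proof of a good generator, just the absence of an obvious counter.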
Re: OT: More Spam
On Wed, Jan 22, 2003 at 09:05:19AM -0500, [EMAIL PROTECTED] wrote:
>> The source ip also varies ...
>
> By how much? Are they all within the same netblock?

Nope. Quite a bit of variation. All the way from 12.x.x.x to 218.x.x.x. So far, 107 attempts from 59 unique addresses.

>> ... I'm not sure how to determine if it's spoofed or not.
>
> You can't really spoof the source IP address of a TCP connection. (Well,
> you can, but the TCP handshake will never complete, making it rather
> useless.) You can hijack someone else's IP address or machine, which has
> much the same effect, as far as you're concerned. It leaves more evidence
> at the other end, but that likely doesn't help you much.

I followed the rest of the discussion on this and I don't think these are being spoofed or hijacked given that they're all over the IP space. There *are* however a few sendmail messages that indicate the address may be forged, though not that many (only three unique). What does that mean, anyhow, if it's not IP spoofing or hijacking?

> Organizations who never (or rarely) communicate with anyone overseas often
> just block any mail exchanger with an IP address in Asia.

Which I am considering, but it kinda goes against my grain. Some day I hope for a way to identify these kinds of attacks at a network level and cause the client on the other end to explode ;-).

> There are systems out there that use heuristics to auto-detect harvesters
> and auto-block IP addresses or netblocks. Sounds like overkill for your
> situation.

Well, if it detonates the spammer's desktop, then it sounds perfect!

> If you suspect you might want to communicate with anyone you blacklist, you
> could setup an auto-responder opt-in whitelist robot (just use caution with
> combining such with mailing list subscriptions and other robots -- mail
> loops and PO'd postmasters can result).

Aw, but that requires...work.

I love solving problems, and even doing a little computer forensics, but I absolutely hate expending so much effort for so little gain, as just when you implement one defense, the spammers get around it with another. The lawyer who spoke at the spam conference is right: make no mistake about it, the spammers are engaged in organized crime.

>> (And from a legal or ethical perspective, would it be better to just
>> remove the mx record altogether?)
>
> That is what I would do. However, be aware that if a domain does not have
> an MX record, but does have an A record, the RFCs say that a mail exchanger
> should try to connect to the IP address of the A record.

Which is why I figured setting it to 127.0.0.1 would work better. For now, at least. But I don't have an A record for the actual domain, only two hosts within it.

> All you can do to prosecute an attacker is to track the netblocks using
> WHOIS and attempt to contact the operator of the systems/networks from
> which the attacks originate.

Thanks for the input. I'll keep this list updated if I do happen to nab the intruder.

-- 
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
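Ben's question (same netblock or not?) and Paul's counts (107 attempts, 59 addresses, a few tagged "may be forged") are the numbers a quick pass over the mail log should produce before choosing between a netblock filter and a WHOIS abuse report. The script below is an added example, not code from the thread: it pulls the relay=... field out of constructed sendmail-style log lines, counts attempts and unique sources, and groups them by netblock at a chosen prefix length. Sendmail's "(may be forged)" tag means the connecting address's reverse DNS name did not resolve back to that address; it says nothing about IP-level spoofing, which answers Paul's question in the text above.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in sendmail's syslog style; not from the thread's logs.
SAMPLE_LOG = """\
Jan 22 01:26:03 mail sendmail[4211]: h0M6Q3aa004211: ruleset=check_rcpt, arg1=<bogus1@example.net>, relay=[12.1.2.3], reject=550 5.1.1 <bogus1@example.net>... User unknown
Jan 22 01:26:04 mail sendmail[4211]: h0M6Q4aa004211: ruleset=check_rcpt, arg1=<bogus2@example.net>, relay=[12.1.2.3], reject=550 5.1.1 <bogus2@example.net>... User unknown
Jan 22 01:27:10 mail sendmail[4215]: h0M6RAaa004215: ruleset=check_rcpt, arg1=<bogus3@example.net>, relay=host.example.org [218.5.6.7] (may be forged), reject=550 5.1.1 <bogus3@example.net>... User unknown
Jan 22 01:28:30 mail sendmail[4220]: h0M6SUaa004220: ruleset=check_rcpt, arg1=<bogus4@example.net>, relay=[218.5.6.9], reject=550 5.1.1 <bogus4@example.net>... User unknown
"""

# relay= is either "[ip]" or "hostname [ip]", optionally followed by the forged tag.
RELAY_RE = re.compile(
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>\d+(?:\.\d+){3})\](?P<forged> \(may be forged\))?")


def parse_relays(log_text):
    """Yield (ip, forged_flag) for every line carrying a relay=... field."""
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("forged") is not None


def summarize(log_text, prefix=24):
    """Count attempts, unique sources and forged tags; bucket sources by /prefix."""
    ips, forged = [], 0
    for ip, is_forged in parse_relays(log_text):
        ips.append(ip)
        forged += is_forged
    blocks = Counter(str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips)
    return {"attempts": len(ips), "unique_ips": len(set(ips)),
            "forged": forged, "netblocks": dict(blocks)}


if __name__ == "__main__":
    for width in (24, 8):
        print(width, summarize(SAMPLE_LOG, prefix=width))
```

Running it at /8 reproduces the "12.x.x.x to 218.x.x.x" view; if the /24 buckets stay sparse as Paul's do, a single-netblock block list will not help and the per-block counts are what go into a WHOIS lookup and abuse report.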