RE: in case nobody else noticed it, there was a mail worm released today
Please pardon my ignorance, but I am *mightily* confused. In a message from Michel Py is the following:

snip

and ISTR one patch for Outlook 2000 that blocked your ability to save executables was released) It is the default in Outlook XP and Outlook 2003, which has prompted large numbers of persons to download Winzip, which has not stopped worms from being propagated, as you pointed out.

Michel.

The bit I don't get is how a zip file is created such that launching it invokes winzip and then executes the malware. When I open a normal .zip file, winzip opens a pane that shows me the contents. After that I can extract a file or I can doubleclick on a file to open it - which if it is executable will cause it to execute. I haven't seen a case where simply opening a zip archive causes execution of something in its contents unless it is a self extracting archive, in which case it unzips and executes, but doesn't have the .zip suffix.

Would anyone explain to me how this occurs (and if RTFM with a pointer to the M is the best way, then so be it!)

Thanks in advance

Chris
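The question above asks how an archive comes to run its contents; that answer is not on this page. What a mail gateway or desktop checker can do regardless is look inside a zip attachment before it ever reaches WinZip, and flag members that are executable either by name or by content. The following is an added example written for this digest, not code from any of the posters or from any product named here; the archive it inspects is constructed in the code with inert filler bytes, and the extension list is an illustrative subset, not any client's real blocking list.

```python
import io
import os
import zipfile

# Illustrative subset of extensions that mail clients block outright as
# attachments (assumption: not the full list of any particular product).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Windows executables (PE files) begin with the two-byte DOS header magic "MZ".
PE_MAGIC = b"MZ"


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): a harmless text file, a member
    with an executable extension, and a member whose name looks like a document but
    whose bytes carry the PE magic. The payload bytes are inert zero filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Nothing to see here.")
        zf.writestr("update.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("notes.doc", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> dict:
    """Return {member_name: [reasons]} for archive members a gateway should treat as
    executable content. Both checks are applied: an extension test alone is defeated
    by renaming, and a magic-byte test alone misses scripts such as .vbs or .js."""
    findings = {}
    data = io.BytesIO(zip_bytes)
    if not zipfile.is_zipfile(data):
        return findings          # not an archive at all; nothing to inspect here
    data.seek(0)
    with zipfile.ZipFile(data) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
            # Only the first bytes are read, so a large member costs little.
            with zf.open(info) as fh:
                if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                    reasons.append("PE header magic")
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_archive()).items():
        print("%-12s %s" % (member, "; ".join(why)))
```

Run against the constructed archive, `readme.txt` passes, `update.exe` is flagged on both name and content, and `notes.doc` is flagged on content alone, which is the case a name-only filter would let through.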
TippingPoint
Does any one in this group have a comment/view of the TippingPoint product line? Replies off list are encouraged. I can make a digest of the replies and post the consolidated replies so as to save clutter if anyone would like.

Thanks in advance and Happy New Year

Chris
RE: Block all servers?
NAT at the end of OC12 sounds hideous indeed. That's why I would prefer to see it as part of the modem in the house/business. I am sure (by guesswork and not by statistics) that a very large number of users would need relatively simple and secure systems. I guess this because of the way I see a lot of equipment being used in the groups I talk to. Does that mean that one size fits all? No of course not. Just in the same way that one car type fits all. If it did, wouldn't Skodas be looking great right about now?!

Of course from an ISP or other provider's point of view, uniformity/standardization allows costs to be driven downwards. So in order to keep costs handled, a non-customizable service is the order of the day. By making the NAT router a part of the cable modem at least there is a lesser chance that a large number of people who want a simple network connection will have any trouble at all.

Perhaps posting a security bond would be an interesting way of overcoming some behaviors. General society appears to have strong financial motivations (look what I can get for free (theft) by downloading music, etc.) Well make the standard service cheap, and add the premium features by control of the NAT router inside the modem from the support center. Remember that access is a privilege not a right. Of course as soon as you attempt to control a box from outside, that is throwing down the gauntlet to the malcommunity. So the NATRouter/Modem combo would have to be a bit clever. That of course may drive cost up..

As people who inhabit the network space, I think we do have some responsibilities to encourage the directions that service providers choose. If this isn't a good idea, what is?

If we assume the following then we are forced to think broadly:

Most PCs that people buy are configured too broadly with too many services open and are thus vulnerable.
Most people do not want to mess with keeping their systems safe (for a variety of reasons).
Most people have become accustomed to relatively inexpensive access.
Most people have brothers-in-law who know a bit about computers and can royally screw things up!
Most people know a really bright 12 year old who can do very clever things with the computer that I can't understand.
Many people assume facility with some terminology and fast typing to be indicators of knowledge and responsibility.
Many people do the computing equivalent of throwing trash out of the car window - i.e. not taking any responsibility for polluting the environment.

These sociological phenomena demand that those who provide the services provide them responsibly or face the consequences. Sadly the consequences are societal in impact and don't just affect the providers. How much benefit would we get if we were to reduce the number of computers that could possibly be infected with something by 50%, 75%? How much benefit could we get by knowing which networks were potentially vulnerable - because they chose to open things up.

I realize that we have a long way to go to get security. It is a bit like when cars first came out - we could/would drive anywhere. Eventually we agreed that we, in a given country, would drive on a particular side of the road. There is no obviously good reason why it should be one side or the other (as successful drivers in the UK and the US would agree!), but pick one. Once that happened, then some of the chaos disappeared.

There is a (possibly true) story that when telephone adoption rates were analyzed in the 1930s, predictions were that every person in the US would have to be a telephone operator to keep up with the manual connecting of calls through plug-switchboards. The expected cross-over was sometime in the 1950s. Well, with the advent of Subscriber Trunk Dialing we are all telephone operators today! I see the same things happening in the computing world, we are all going to have to be network operators and sesames at some point! Sadly those interfaces are not as easy and standard as the familiar phone keypad!

Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Petri Helenius
Sent: Saturday, October 11, 2003 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: Block all servers?

Adam Selene wrote:

IMHO, all consumer network access should be behind NAT.

First of all, this would block way too many uses that currently actually sell the consumer network connections. I recommend my competition to do this. Secondly, it's very hard, if not impossible, to come up with a NAT device which could translate a significant amount of bandwidth. Coming up with one to put just a single large DSLAM behind is tricky. (OC-12 level of bandwidth) NAT devices which do OC12 or near don't come cheap either. This is (fortunately) not a cost you can sink to the customer as added value. Because we lack clue and technology, we just block you for anything and make you pay for it. However, the real solutions
RE: Block all servers?
I agree that Michael is right on. The social, psychological and financial issues are in many ways more tricky than the technical issues. However, I think there are ways to help.

But first some history. When I signed up for Cable broadband access several years ago, I was told, "And of course you must not put a router on the network." The "of course" was a surprise to me. That immediately meant (at least to me) that I was going to be exposed to anything that came wandering past my (dynamically assigned) IP address. Of course I put a router in place. Was it something really good? No, it was what I could afford. A Linksys broadband router. Was it misconfigured? Probably - I am after all an applications guy not a solid network engineer. Did I get it checked out by the network guys at work? You betcha. Have I eliminated all risk? No. Have I eliminated affordable risk? Yes.

Since then I have created a DMZ at home (again not necessarily the most solid in the world), but at least it has the following effects:

My VOIP telephone line is directly in to the DMZ - that just saves a hop.
My in home wireless network is just that - in home. The NAT router that protects it has everything I can think of disabled.
I have access to a couple of servers when I am traveling (both in the DMZ) so that I can access important files and test development web sites. There is in theory no public access. In practice, of course it is wide open - that's why we have DMZs.

I also have personal firewalls on all computers whether they travel or not. Why? Because I want to block outbound activities. I rarely see anything inbound that is blocked, but I do like the ability of my PFWs to detect outbound activities and make me confirm/deny access. That is just good hygiene. Oh btw that firewall monitors inbound email too, so it becomes a first level virus protector. Real virus protection kicks in behind that.

Now what could the broadband providers do:

First off, they could incorporate NAT into the DOCSIS or other compliant cable modems/DSL Modems. Make sure that the NAT router is configured so that incoming ports are all blocked. Yes that makes it hard for gaming, so there needs to be an extra capability so that gamers have to explicitly (at a fee?) get the features opened. That is only a start of course, because as soon as you do that then there are going to be vulnerabilities. However, the likelihood of infection/spewing of packets is reduced somewhat.

Second, in the acceptable use policy for high speed connections, require a licence of some kind. We have licenses/permits for our cars, our dogs, our burglar alarms, for going fishing. Why not for broadband? Actually I can see many reasons both to do it and not to do it, so this is clearly an area where debate is reasonable.

Third, monitor the bandwidth used (ratios on inbound/outbound) for example. Actual numbers might be better. For example, at my DMZ router, it reports the following this morning:

Up time 23:50 (just less than 1 day)
Bytes TX 40,612,318
Bytes RX 370,212,922

These numbers are surprisingly large. However I do run Groove at home and a lot of data is shared with people all over the world, so the TX isn't terribly surprising. The RX is monstrous though. Next stat: since power on, the DMZ router has recognized 513 alerts - mostly ping requests from other Comcast users. Now that would be an interesting set of clues if Comcast itself were able to do anything about it. Lots of Pings (against home machines) are usually indicative of some kind of problem (yeah, preaching to the choir, I know), so in this combined modem/router, I could envisage some stats gathering and reporting on usage - especially things that are somewhat suspicious. Of course the line is fine between privacy, acceptable use, and risk. The whole approach does need to be thought through pretty carefully.

I now spend time talking with friends, local groups (Church, city or whatever) describing the risks. Some people even act on them. Some people ask for help cleaning up their home systems - especially to remove pop-ups, improve spam handling and keep porn away from the kids. What they often don't realize is that the actions they have taken (downloading gator or hotbar) have caused precisely the effects that they are trying to guard against. So much of my time spent delousing is running the cleanup tools (ad-aware, pest patrol, taskinfo to see what's running), enabling firewalls, recommending that people buy firewalls, instilling a "use the grc tools" discipline and generally doing what I can to keep the computers relatively clean. At approximately 3 hours per computer, I am not making as much headway as I would like!

We therefore have got to encourage the industry (especially the responsible leading players) to have things configured by default to make life safe. Then unsafe behavior becomes a choice rather than a default.

Sorry for the length of this rant, but I wanted to point out that there are responsible
RE: Block all servers?
I know they CAN, but the issue is do they have the mechanisms and operational capabilities of actually doing so? I would like to see my cable provider making it hard to do some of the things I do. Not because I should not be doing them, but those same holes that I exploit (hopefully in a benign fashion) can be used with malicious intent. By saying, "If you want to use our service then you must deploy this kind of modem/router" at least makes their insistence explicit. Currently there is more arm waving than actual adherence to security policy. Thus we have many poorly configured Windows boxes accessing the internet (and the WWW) in manners which are to the detriment of everyone else.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kuhnke
Sent: Friday, October 10, 2003 7:06 PM
To: [EMAIL PROTECTED]
Subject: RE: Block all servers?

The TOS/AUP for most residential broadband connections already allows the ISP to shut off service or do anything they want to the customer without prior notice. It has been this way for at least 3 or 4 years, since the advent of @Home. Take a look at the TOS/AUP for Comcast, Shaw Cable, MSN DSL or similar...

Second, in the acceptable use policy for high speed connections, require a licence of some kind. We have licenses/permits for our cars, our dogs, our burglar alarms, for going fishing. Why not for broadband? Actually I can see many reasons both to do it and not to do it, so this is clearly an area where debate is reasonable.
RE: Some very strange network behaviors - follow-up
For those still interested, here is the status of this issue.

I suspect that my NIC is in promiscuous mode - I run winpcap for traffic monitoring on my home network. Of course in the world of Microsoft it isn't always straightforward to determine these things! So it isn't a great surprise that some packets were detected by me. What is still a surprise is that the packets were allowed in through the border gateways. I am having a conference call today with the network security people from the hotel chain to see if we can come up with a better approach!

And then of course there is still the problem that from my room, I can use network neighborhood (using MS terminology) and see the computers of many of the guests. I just hope that none of them had file sharing on! Of course since the press releases from the company suggest that users will have the same level of security when in the hotel as when in their own offices, the likelihood of anyone remembering to turn file sharing off is nil.

If anything interesting comes out of this, I will repost.

Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ray Wong
Sent: Thursday, September 11, 2003 5:16 PM
To: [EMAIL PROTECTED]
Subject: Re: Some very strange network behaviors

Even if a switch floods all ports, it does not change the fact the packet will not have the correct MAC address and his NIC should never pass it up the stack. Switches do not rewrite the Ethernet addresses on packets.

Correct, ethernet switches do not. The question is, what were the systems in question connecting to? Many hotels bought into proprietary broadband systems, some of which are still in service. Just because there's an ethernet port in the room says nothing about the hotel's internal net. Some of them did(do) a very poor job of encapsulating or translating the ethernet (or even layer 3, some of them were IP-only) at the room, converting to some other p-t-p method (i.e. atm pvc logic, similar to dsl), and again converting (badly) back downstairs. It's entirely possible the next IP speaking box in line does not, in fact, know what the MAC of the client PC on the end of the line actually is. Room 2037A gets the traffic for room 2037A, regardless of what the router's arp cache or the switch's mac map actually says. The MAC seen may very well be generated by the concentrating equipment and not the peecee. Even if the IP is negotiated with the node, a la pppoe, there's no certainty that the traffic isn't modified in between. Without speaking to someone in the know about the hotel, there's no telling what actually happened.

All of which misses the issue he suggested, that traffic in any public arena must be viewed as suspect.

Yes, Corporations who rely on an edge firewall solution and do not standardize on some form of node protection and audit process are likely exposing themselves to this sort of thing all the time. Should they fix it? Probably, but few of them are employing me/us, so there's nothing I or most here can do about it. That's not a technical problem. :-\

--
Ray Wong [EMAIL PROTECTED]
Digest from questions about IPTelephony
Many thanks to all who responded. I have been asked by a few people to post a digest, so here it is. I have chosen not to attribute the quotes because some of the people responded directly to me. If they had wanted their statements made public and attributable, then they would have posted publicly. Please remember that I am a conduit here. These are opinions of others that I have assembled. So if you feel like flaming me, go ahead, you won't get much back from me though! I hope that I have represented the views of the responders accurately. If not, please publish corrections.

The general consensus seemed to break down into the following areas:

Call Quality --

There were several comments related to call jitter and how different equipment has different jitter/quality characteristics. Reference was made to the following report: http://www.iwl.com/Products/maxwell/VoIPReport.html The report speaks for itself, but I don't know when it was created and whether the products have been updated since.

Yes, there are issues. Packet jitter is the biggest annoyance, but the H.323 VoIP protocol is reasonably robust about such things by providing some degree of jitter correction at both ends. The clincher is usually finding network providers that do a reasonably good job of keeping the network in a stable state. With reliable connectivity, H.323 can keep nearly circuit-quality calls in at least 95% of cases, and still audible but sometimes cell phone quality calls every once in a while. If you're connecting primarily to a nearby (in Net terms) landline gateway for most of your IP-to-PSTN calls, you'll probably never notice the difference.

General conclusion is that most of the time call quality in IPT solutions is at worst adequate (cell phone quality) and at best as good as PSTN/PBX.

Robustness/Reliability --

2 users report 100% availability using private corporate networks. But the caution is that the network design is critical. There is a considerable amount of configuration activity. One user reported that the most common source of problems was keying errors. Many configuration activities were templated using perl scripts to reduce configuration errors.

One question posed is "When was the last time you had to update the firmware on your phone?" A reference to the need for software/firmware in the phone giving another possible point of failure when an update fails.

Observation that a PBX approach is highly centralized, so can present single point of failure behaviors, whereas the IPT approach leads to a more distributed and potentially better self healing approach. At a time of national crisis (9/11 in NYC), the phone system wasn't any more reliable than the data systems.

Now, *faxing* is a big problem in the VoIP world. If your landline gateway provider doesn't give you a decent method to do fax calls, you may have an issue. V.22 and V.23 fax calls (not to mention modem calls) do not work well over a VoIP-modulated line, but some landline gateway services overcome this by placing a POTS-emulating device at the fax machine, translating back to a digital data stream, then back to POTS fax on the other side. There's also net-fax gateway services out there.

We have been running approximately 3.5 MILLION minutes per month across our xxx VoIP solution for approximately 12-14 months: Do we have problems, yeah occasionally, but they are actually in line with the frequency of problems when running on a real pbx.. (Vendor name removed by me)

Reliability-wise, 100% uptime requires redundant IP PBXes, backbones, switches and backup UPSes for all. This is no different to what a telco does in their Central Office for their class 5 switches, but any reasonable sized corporate network already has the UPS and backbone infrastructure in place. Why - because they have learned the hard way that people can live without phones for a while, but go ballistic if they don't get their email on time. Things like intelligent routing and a good telecom engineer should help alleviate concerns with network outages. i.e. you're still gonna have a tie trunk to the local telco to offload non-corporate phone calls anyway...in the event of network outages, you can just seamlessly re-route the traffic over the PSTN. I wouldn't buy any of that ip-phones-on-the-desktop-crap that xxx keeps pushing. Yes, there may be some applications for the ip handsets, but the last thing you wanna hear is that someone can't get their vmail because the dhcp server barfed. (Note product name removed by Chris)

Corporate usage vs. usage over the internet vs. POTS --

There were many cautions expressed about using VOIP over the internet. QOS control must be implemented for consistent quality, but of course that isn't possible if you don't know how calls are routed. One user reported how nice it is to have extension portability take the phone all over
RE: Another DNS blacklist is taken down
I realize that this is seriously off the wall. There is a pretty secure P2P system (Groove) that was developed by Ray Ozzie. Focus is on security on the wire, on the box, everywhere with serious authentication - Diffie-Hellman exchanges and all the right security toys. Admittedly when I run it at home the lights in the neighborhood dim. I am wondering, though, if there might be a way to use its kind of services for some behind the scenes secure discovery - removing the hackability of most of the P2P systems. No I don't know how it scales, what its throughput and licensing limitations are.. I just heard P2P and immediately went outside the box.

Chris

My vcard is attached.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vadim Antonov
Sent: Wednesday, September 24, 2003 3:05 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Another DNS blacklist is taken down

RBLs Sounds like a great application for P2P.

Perhaps, but it also seems like moving an RBL onto a P2P network would make poisoning the RBL far too easy... Andrew

USENET, PGP-signed files, 20 lines in perl.

--vadim
RE: IP telephony - Thank you all for insights and answers - no new content in message, but I wanted to acknowledge all who took the time!
Thank you Henry, Peter, Mehdi, Todd, Bob, Irwin, Tracy, John, Karsten, Karl, Shawn, Howard, Darren, Mike and Paul for taking the time to answer. This has helped greatly.

Regards

Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Bird
Sent: Tuesday, September 16, 2003 4:39 PM
To: [EMAIL PROTECTED]
Subject: IP telephony

There has been much buzz of late about using IP telephony solutions in place of the more common analog based solutions. Traditional telephony has very high reliability (many years without loss of dial tone for some companies). From what I have seen in this group about networking, router behaviors, etc. it seems to me that the IP networks that exist aren't yet ready for the prime time of IP telephony.

As we move buildings, my company is looking at installing an IP telephony based solution (packet switched) instead of a traditional analog based solution (circuit switched). I am worried that the reliability will likely be lower than I am used to. However the cost savings look quite compelling, so I am torn. The more I read in here about threats and attacks against IP networks and the amount of maintenance we need to have in place to keep our IP networks hanging together, the more I am concerned about the viability of an IP telephony solution.

Does anyone here have any thoughts, experiences, etc. about the use of IP telephony in corporate environments?

Thanks in advance

Chris
IP telephony
There has been much buzz of late about using IP telephony solutions in place of the more common analog based solutions. Traditional telephony has very high reliability (many years without loss of dial tone for some companies). From what I have seen in this group about networking, router behaviors, etc. it seems to me that the IP networks that exist aren't yet ready for the prime time of IP telephony.

As we move buildings, my company is looking at installing an IP telephony based solution (packet switched) instead of a traditional analog based solution (circuit switched). I am worried that the reliability will likely be lower than I am used to. However the cost savings look quite compelling, so I am torn. The more I read in here about threats and attacks against IP networks and the amount of maintenance we need to have in place to keep our IP networks hanging together, the more I am concerned about the viability of an IP telephony solution.

Does anyone here have any thoughts, experiences, etc. about the use of IP telephony in corporate environments?

Thanks in advance

Chris
Some very strange network behaviors
I am not sure if this post belongs here, so I apologize if it does not. I have been experiencing some weirdness while traveling and wondered if the group has any insight into what seems to be a pretty ugly situation.

I am traveling and have my lap top with me. I am staying in a hotel that offers broadband support. There are 2 of us (with 2 lap tops) sharing a room. I acquire an internet connection and sign up for the service, so get an IP address. In my case that IP address is 12.44.189.24. I disconnect my cable and pass it to my roommate. He plugs in and acquires IP address 12.44.189.47. He does the email thing for a while and then passes the cable back to me. Imagine my surprise when the network routes packets destined for his IP address (from his email server no less) to my computer. My firewall (Zone alarm) detects these incoming packets and blocks them since they are unsolicited.

In further analysis of the logs, I see that there are a large number of IP addresses that are packet destinations and routed to my computer. Zone Alarm detects them and blocks them. According to Zone Alarm I am getting packets for destination IP addresses as follows:

12.44.189.244
12.44.189.178
12.44.189.181
12.189.44.244

and some others too. They are all port 80 requests, identified by Zone Alarm as TCP (flags:S). This seems strange to me since they are arriving at an IP address that is different from mine. How can this happen? Is there the potential for a problem (I am thinking particularly about future guests who may not have the degree of protection (limited though it is) that Zone Alarm is affording me.)?

This then got me thinking about corporate security. If I have taken my laptop and put it on an external network (e.g. the hotel network) what protections can I realistically expect, and what should my corporate IT department do to make sure my computer hasn't contracted something nasty while it was away from home. I could see that the kind of network behavior that I observed could infect a less well protected computer and thus cause me to bring an infection back to my office where it can attack from behind the corporate shields and firewalls.

Any comments would be very welcome.

Regards

Chris Bird
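The symptom described in the post, inbound packets whose destination address is not the host's own, is easy to pick out of a personal-firewall log once the lines are parsed, and counting them per destination shows how many other guests' traffic is reaching the interface. The block below is an added example for this digest, not code from the poster or from ZoneAlarm; the log lines are constructed in a simplified shape (direction, date, time, source ip:port, destination ip:port, protocol/flags) that is an assumption for illustration, not the product's real format. The addresses reuse the ones the post names.

```python
import re
from collections import Counter

# Constructed sample log (not real ZoneAlarm output). Direction is FWIN for
# inbound and FWOUT for outbound; the fields after it are date, time,
# source ip:port, destination ip:port, and protocol/flags.
SAMPLE_LOG = """\
FWIN,2003/09/11,14:02:11,64.12.5.9:80,12.44.189.24:1094,TCP (flags:A)
FWIN,2003/09/11,14:02:12,64.12.5.9:2010,12.44.189.47:80,TCP (flags:S)
FWIN,2003/09/11,14:02:12,66.35.250.150:4101,12.44.189.244:80,TCP (flags:S)
FWIN,2003/09/11,14:02:13,66.35.250.150:4102,12.44.189.178:80,TCP (flags:S)
FWIN,2003/09/11,14:02:15,207.46.245.92:1045,12.44.189.181:80,TCP (flags:S)
FWIN,2003/09/11,14:02:16,207.46.245.92:1046,12.44.189.244:80,TCP (flags:S)
FWIN,2003/09/11,14:02:17,12.44.189.1:53,12.44.189.24:1037,UDP
FWOUT,2003/09/11,14:02:18,12.44.189.24:1038,66.35.250.150:80,TCP (flags:S)
"""

LINE_RE = re.compile(
    r"^(?P<dir>FWIN|FWOUT),(?P<date>\S+),(?P<time>\S+),"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+),"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+),(?P<proto>.*)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def misdirected_packets(log_text, own_ip):
    """Inbound records whose destination is not this host's own address.
    Only FWIN lines are considered: on an outbound line the destination is the
    remote peer, so comparing it against own_ip would flag every connection."""
    return [r for r in parse(log_text) if r["dir"] == "FWIN" and r["dst"] != own_ip]


def summarize(log_text, own_ip):
    """Count misdirected packets per destination address."""
    return Counter(r["dst"] for r in misdirected_packets(log_text, own_ip))


if __name__ == "__main__":
    for dst, n in summarize(SAMPLE_LOG, "12.44.189.24").most_common():
        print("%-16s %d packet(s) delivered here but addressed elsewhere" % (dst, n))
```

On the constructed log the host at 12.44.189.24 sees five packets addressed to four other guests' addresses; the normal inbound ACK and DNS reply, and its own outbound SYN, are correctly left out. Any non-zero count from a real log of this kind is the signal that the access network is delivering other hosts' frames to the port, which is the point the follow-up thread goes on to discuss.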
Welchia Virus - it is real and hard to detect.......
I hope the nanog mail list is an OK place to warn of this..

As part of my clean up for clients who have had Blaster, I came across a variant, sometimes called Blaster D. Its other name is welchia. It seems to do the following:

Gets the Microsoft patch for regular blaster.
Installs a file called dllhost.exe in the C:\Windows\System32\Wins directory. Btw there is a smaller dllhost.exe file in one of the other system directories. http://www.pchell.com/virus/welchia.shtml
It also copies the tftp server from one of the other windows locations.
They are both started by a startup service.

When connection is made to the internet, dllhost and the tftp server start their dirty work. The tftp server appears to be the mechanism by which the virus propagates. The dllhost sends out a firestorm of requests (on various ports) to try to find other victims. This afternoon I patched a system and installed a personal firewall - in the space of about 20 minutes there were 207 attacks, some using ICMP class 8, others simply using UDP against ports 135, 137 and 139. This was all on a computer that had the Microsoft patches for Blaster applied. I think it gets in prior to the blaster patch application and then is not detected by the blaster removal and Microsoft fix.

Rather than go into all the gory details, I suggest that interested parties go hunting for it at their usual anti-v places.

Chris Bird
RE: Cross-country shipping of large network/computer gear?
I have used Federal Express to great effect in the past. I have tended to stay away from Airborne because the local people here in Dallas didn't know not to turn printers full of toner on their sides. Since Airborne packed them, I felt they should not have been full of toner, but that is another story!

Chris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Zito
Sent: Wednesday, August 27, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: Cross-country shipping of large network/computer gear?

Hello,

I was wondering if anyone could provide any advice or suggestions on shipping heavy/bulky equipment (~300 pounds, about a half-rack worth of gear) on short notice cross-country? We're obviously looking to minimize cost, but realistically it can't be in transit for more than two days. Are there any companies or methods people would recommend? Thanks in advance for the help.

Thanks again,
Matt

--
Matthew Zito
GridApp Systems
Email: [EMAIL PROTECTED]
Cell: 646-220-3551
Phone: 212-358-8211 x 359
http://www.gridapp.com
RE: Spam and following the money
Joe makes some excellent points. I have started to use the Spamcop service to help get abuse reported through the right channels. I suspect that it doesn't actually shut many people down, but it does help increase awareness of open proxies and other misbehaviors.

When medical spam comes in (offering a service that I may or may not need - I leave those to your imaginations), I will often forward to the State Attorney General under the following argument. If I need the item being offered then the mechanism by which they have notified me is not one that I have specifically opted in to as required by HIPAA. If I don't need it then it is purely SPAM and contravenes those laws. I have only just started this approach, but I quite like it. My early morning session with SpamCop proves quite cathartic!

Chris

snip

Subject: Spam and following the money

Hi,

Whenever the topic of spam comes up, the suggestion always arises that people follow the money to track the spammers. Sometimes, it is true, that will be useful, but it takes a rather naive approach to the spammer's business model. In many cases, spammers don't actually need to *deliver a product or service* to the person they are spamvertising to make money from sending spam.

Some spammers make their money via banner advertising revenues: if they can get you to visit one of their pages (even an unsubscribe page), they can get hits for some advertising program and make money from you. Or consider pump-and-dump stock tout spam... no direct product or service needs to be delivered to a spammee for the spammer to make money, assuming he can use spam to run the stock price up and the SEC doesn't jump on traders with unusual purchase and sale patterns.

In some cases, the spammer's scheme is outright fraud: one of the reasons that penis enlargement spam (or spam for Viagra or other embarrassing-to-purchase products) is so common is that spammers are counting on people being too embarrassed to admit that they (a) fell for a scam, and (b) that they were dumb enough to send cash to some PO Box in Romania, and (c) that they needed the particular product that was being spamvertised in the first place. Likewise spam for pay-per-view cable descramblers/theft of service devices and other illegal/semi-illegal products: if your pay-per-view theft of service cable descrambler provider fails to deliver a functioning theft-of-service device for your use, who are you going to complain to, the police?

It is also worth noting that in many cases people are providing their name, credit card number, and expiration date to some random server hosted somewhere in China, hmm, whaddya think, any possibility of fraud taking place? I could make fifty bucks selling some fake human growth hormone, or thousands charging stuff on a steady stream of live credit card numbers. If I had to point at the most common way to make money from spam these days, I'd bet on credit card fishing... But even routine credit card fraud pales in comparison to the costs associated with trying to regain your financial identity after it has been completely co-opted following provision of complete financial details to some mortgage referral specialist...

And then there are the pr0n dialer dudes, who offer free access to their pr0n site, you just need to use their special software (which calls a 900 number somewhere in the Caribbean for $15.00/minute, and/or sends more spam for them).

Lastly, there are plenty of spam service providers who make money from selling email addresses, selling spam software, selling spam hosting services, you name it... in fact, some of the largest American carriers are *perfectly* willing to provide connectivity for spamvertised web sites so long as the spam doesn't actually get sent from that connectivity (and with hundreds of thousands of open proxies out there, well, there's no need for a spammer to be that gauche!)

If you want to stop spam, take the time to see where spamvertised web sites are being hosted, and who's providing transit for those hosts. I've been doing this for a while now, and I can *definitely* see some pretty obvious patterns. I guess those transpacific OC3s and OC12s for strategic customers are just too lucrative to risk jeopardizing with trifles like enforcing terms of service...

Regards,

Joe
Syn Flood
I have a problem on a home PC of all things. Every once in a while it bursts into life and syn floods an IP address on port 80. The IP addresses it chooses are random and varied. The network counters ratchet up alarmingly (as viewed in the connections window). I am running winXP Pro on this box. I have zone alarm, an SMC Barricade firewall, and Norton anti virus.

I don't seem to be able to catch the computer at it, I just have the evidence after the event. I don't like the anti social behavior that this is exhibiting and am wondering if the collective wisdom of this group might have any ideas how to track the issue down. According to virus checkers, I am clean.

Thanks in advance

Chris Bird
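The poster's difficulty is that the bursts are over by the time anyone looks. One way to catch the process responsible is to poll the connection table periodically, keep the half-open (SYN_SENT) entries with their owning process id, and flag any process that accumulates an abnormal number of them within a short window. The block below is an added example for this digest, not code from the poster or from any tool named in the thread; the snapshot records are constructed in the code (the field shape, including the process id, is an assumption modelled on what a per-process connection listing provides), and the destination addresses come from the documentation range.

```python
from collections import defaultdict, namedtuple

# One observed connection-table entry: time of the snapshot (seconds), local
# and remote socket as "ip:port", TCP state, and the owning process id.
Conn = namedtuple("Conn", "time local remote state pid")


def build_sample_snapshots():
    """Constructed data (not a real capture) standing in for a few seconds of
    periodic connection-table snapshots. Process 1844 opens 30 half-open
    connections to one web server in under three seconds; process 1200 browses
    normally. Addresses are from documentation ranges."""
    conns = []
    for i in range(30):
        conns.append(Conn(100.0 + i * 0.1, "192.168.0.10:%d" % (3000 + i),
                          "203.0.113.10:80", "SYN_SENT", 1844))
    conns.append(Conn(100.5, "192.168.0.10:1100", "198.51.100.7:80", "SYN_SENT", 1200))
    conns.append(Conn(101.0, "192.168.0.10:1101", "198.51.100.8:80", "ESTABLISHED", 1200))
    conns.append(Conn(101.2, "192.168.0.10:1102", "198.51.100.9:443", "SYN_SENT", 1200))
    return conns


def detect_syn_bursts(conns, window=5.0, threshold=20):
    """Return {pid: (count, distinct_remote_hosts, window_start)} for every process
    with at least `threshold` SYN_SENT entries inside any `window`-second span.
    A sliding window over the time-sorted entries keeps this linear per process."""
    by_pid = defaultdict(list)
    for c in conns:
        if c.state == "SYN_SENT":          # only half-open connections count
            by_pid[c.pid].append(c)

    results = {}
    for pid, entries in by_pid.items():
        entries.sort(key=lambda c: c.time)
        start, best = 0, None
        for end in range(len(entries)):
            while entries[end].time - entries[start].time > window:
                start += 1                 # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                hosts = {c.remote.rsplit(":", 1)[0] for c in entries[start:end + 1]}
                best = (count, len(hosts), entries[start].time)
        if best is not None:
            results[pid] = best
    return results


if __name__ == "__main__":
    for pid, (count, hosts, t0) in detect_syn_bursts(build_sample_snapshots()).items():
        print("pid %d: %d half-open connections to %d host(s) from t=%.1f" % (pid, count, hosts, t0))
```

With the defaults only process 1844 is reported (30 half-open connections to a single host), while the two SYN_SENT entries from ordinary browsing stay below the threshold. Lowering `threshold` to 2 shows both processes, which is a quick way to see what the normal background looks like before settling on a value for a given machine. Reporting the distinct-host count alongside the total separates a flood against one address, as in the post, from a host-scanning pattern that spreads its SYNs over many.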