Re: Wired mag article on spammers playing traceroute games with trojaned boxes
* [EMAIL PROTECTED] (Andy Ellifson) [Fri 10 Oct 2003, 01:04 CEST]:
> And as soon as you call law enforcement what happens? The spammer
> is located offshore. Then what?

This hasn't stopped the FTC before. Recently it named a Dutch national in a complaint: http://www.ftc.gov/opa/2003/09/fyi0357.htm

-- Niels.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
> I mentioned before that it doesn't really make much sense with web
> hosting because the port can easily be changed so it's not very
> effective at all.

Stop thinking of policing the user and start thinking of providing a security service. The default setting of the security service might include a block on port 80 inbound, but if the user needs to enable this traffic, give them a web form that they can use to reconfigure their settings. Or, if you can't handle such a variety of individual ACLs on your equipment, give them the option of buying a broadband router with a recommended default config and un-blocked service.

If the user has to intervene in order to enable a server type application to function, that makes it a lot harder for trojan exploits to take hold.

--Michael Dillon
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
> With all due respect, we have a *problem*. End user machines on
> broadband connections are being misconfigured and/or compromised in
> frightening numbers. These machines are being used for everything from
> IRC flooder to spam engines, to DNS servers to massive DDoS
> infrastructure. If the ability of a teenager to launch a gb/s DDoS, or
> of someone DoSing mailservers off the internet with a trojan that
> contains a spam engine is not operational, perhaps it's just me that's
> confused.

Why don't you come to the next NANOG in Miami in February and give a presentation on how people are doing these things? The trouble with a mailing list discussion is that it wanders all over the place. But at NANOG you could focus on the network operational issues of these networks of compromised machines.

--Michael Dillon
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
[EMAIL PROTECTED] writes on 10/10/2003 4:39 PM:
> Why don't you come to the next NANOG in Miami in February and give a
> presentation on how people are doing these things? The trouble with a
> mailing list discussion is that it wanders all over the place. But at
> NANOG you could focus on the network operational issues of these
> networks of compromised machines.

If somebody (preferably from the asia-pac region) wants to come to APRICOT 2004 in Kuala Lumpur - also in Feb 2004 - and do a presentation on this subject at the APCAUCE meet there, do let me know ASAP.

FYI, APCAUCE (http://www.apcauce.org) has a two day program at APRICOT - a workshop and a conference track on spam ...

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Wired mag article on spammers playing traceroute games with trojaned boxes
http://www.wired.com/news/business/0,1367,60747,00.html

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
> http://www.wired.com/news/business/0,1367,60747,00.html

I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.

The domain name is vano-soft.biz, and looking up the address, I get

Name:      vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
           12.229.122.9

A few minutes later, or from a different nameserver, I get

Name:      vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
           12.252.185.129

This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?

--Chris
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
> I found one of these today, as a matter of fact. The spam was
> advertising an anti-spam package, of course.
>
> The domain name is vano-soft.biz, and looking up the address, I get
>
> Name:      vano-soft.biz
> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168,
>            193.165.6.97
>            12.229.122.9
>
> A few minutes later, or from a different nameserver, I get
>
> Name:      vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97,
>            12.229.122.9
>            12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up
> vano-soft.biz
> and removed the trojaned boxes, would we be able to kill it?
>
> --Chris

I got:

Canonical name: vano-soft.biz
Addresses: 165.166.182.168 193.92.62.42 200.80.137.157 12.229.122.9 12.252.185.129

I think even if we get all the ones for this domain name today, assuming we can muster even man hours to get it today, another 5000 will be added tomorrow. And looking at my list we have US (a very small ISP and a large ISP), RIPE, and LACNIC.

I wonder if the better question should be: Can broadband ISPs require a Linksys, D-Link or other broadband router without too many problems? That is what it will take to slow this down, and then only if ALL of the ISPs do it.

This not only affects this instance but global security as a whole. Just a few days ago, Cisco was taken offline by a large number of Zombies; I am willing to say that those are potentially some of the same compromised systems.

Thoughts?
Jim
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 11:51 AM 10/9/2003, Chris Boyd wrote:
> On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
>> http://www.wired.com/news/business/0,1367,60747,00.html
>
> I found one of these today, as a matter of fact. The spam was
> advertising an anti-spam package, of course.
>
> The domain name is vano-soft.biz, and looking up the address, I get
>
> Name:      vano-soft.biz
> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
>            12.229.122.9
>
> A few minutes later, or from a different nameserver, I get
>
> Name:      vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>            12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up vano-soft.biz
> and removed the trojaned boxes, would we be able to kill it?

They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers...

Another question is why is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information is invalid listed on their whois server. They might have a credit card transaction although that too could always be a stolen credit card number.

Any other ideas or different angles/experiences?

; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options:  printcmd
.                       80336   IN      NS      l.root-servers.net.
.                       80336   IN      NS      m.root-servers.net.
.                       80336   IN      NS      i.root-servers.net.
.                       80336   IN      NS      e.root-servers.net.
.                       80336   IN      NS      d.root-servers.net.
.                       80336   IN      NS      a.root-servers.net.
.                       80336   IN      NS      h.root-servers.net.
.                       80336   IN      NS      c.root-servers.net.
.                       80336   IN      NS      g.root-servers.net.
.                       80336   IN      NS      f.root-servers.net.
.                       80336   IN      NS      b.root-servers.net.
.                       80336   IN      NS      j.root-servers.net.
.                       80336   IN      NS      k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms

biz.                    172800  IN      NS      A.GTLD.biz.
biz.                    172800  IN      NS      B.GTLD.biz.
biz.                    172800  IN      NS      C.GTLD.biz.
biz.                    172800  IN      NS      D.GTLD.biz.
biz.                    172800  IN      NS      E.GTLD.biz.
biz.                    172800  IN      NS      F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms

vano-soft.biz.          7200    IN      NS      NS1.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS2.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS3.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS4.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms

vano-soft.biz.          120     IN      A       200.80.137.157
vano-soft.biz.          120     IN      A       12.229.122.9
vano-soft.biz.          120     IN      A       12.252.185.129
vano-soft.biz.          120     IN      A       165.166.182.168
vano-soft.biz.          120     IN      A       193.92.62.42
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Chris Boyd writes on 10/9/2003 9:21 PM:
> A few minutes later, or from a different nameserver, I get
>
> Name:      vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>            12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up vano-soft.biz
> and removed the trojaned boxes, would we be able to kill it?

Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband.

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this domain -- two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com

* Follow the money - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
At 12:01 PM 10/9/2003, McBurnett, Jim wrote:
>> I found one of these today, as a matter of fact. The spam was
>> advertising an anti-spam package, of course.
>>
>> The domain name is vano-soft.biz, and looking up the address, I get
>>
>> Name:      vano-soft.biz
>> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168,
>>            193.165.6.97
>>            12.229.122.9
>>
>> A few minutes later, or from a different nameserver, I get
>>
>> Name:      vano-soft.biz
>> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97,
>>            12.229.122.9
>>            12.252.185.129
>>
>> This is a real Hydra. If everyone on the list looked up
>> vano-soft.biz
>> and removed the trojaned boxes, would we be able to kill it?
>>
>> --Chris
>
> I got:
>
> Canonical name: vano-soft.biz
> Addresses: 165.166.182.168 193.92.62.42 200.80.137.157 12.229.122.9 12.252.185.129
>
> I think even if we get all the ones for this domain name today,
> assuming we can muster even man hours to get it today, another
> 5000 will be added tomorrow. And looking at my list we have US
> (a very small ISP and a large ISP), RIPE, and LACNIC.
>
> I wonder if the better question should be: Can broadband ISPs require
> a Linksys, D-Link or other broadband router without too many problems?
> That is what it will take to slow this down, and then only if ALL of
> the ISPs do it.
>
> This not only affects this instance but global security as a whole.
> Just a few days ago, Cisco was taken offline by a large number of
> Zombies; I am willing to say that those are potentially some of the
> same compromised systems.
>
> Thoughts?

Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.

Vinny Abello
Network Engineer
Tellurian Networks - The Ultimate Internet Connection
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Thursday, October 9, 2003, 9:19:37 AM, you wrote:

VA> Personally, I think preventing residential broadband customers from hosting
VA> servers would limit a lot of that. I'm not saying that IS the solution.
VA> Whether or not that's the right thing to do in all circumstances for each
VA> ISP is a long standing debate that surfaces here from time to time. Same as
VA> allowing people to host mail servers on cable modems or even allowing them
VA> to access mail servers other than the ISP's.

It's not like those customers are aware they are hosting servers, they most likely were exploited and are now unaware they are hosting websites.

Regards,
Joe Boyce
---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: [EMAIL PROTECTED]
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Vinny Abello writes on 10/9/2003 9:41 PM:
> They're using extremely low TTLs on most of their records. Typically 2
> minutes to accomplish this. The thing is I would imagine at least ONE of
> those NS servers cannot change within a 2 hour window whereas the others

They are using a whole lot of stuff that's basically dynamic DNS.

> low TTL on an NS record. If NeuLevel is any good they would likely have
> some sort of information to identify the owner of the domain, even if

They seem to have a spammer infestation though.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Hi,

# I think even if we get all the ones for this domain name today,
# assuming we can muster even man hours to get it today, another
# 5000 will be added tomorrow.

Actually, we wrote a little tool to systematically track the dotted quads associated with the vano-soft domain name. We have been seeing a steady stream of new dotted quads advertised for that host, but nowhere near thousands per day.

There have also been some Usenet posts talking about this particular site and the methodology it uses; see:

http://groups.google.com/groups?selm=pan.2003.10.03.19.40.44.564854%40frontiernet.net&output=gplain

Regards,

Joe
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> A few minutes later, or from a different nameserver, I get
>
> Name:      vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>            12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up vano-soft.biz
> and removed the trojaned boxes, would we be able to kill it?

I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.

--
Kee Hinckley
http://www.messagefire.com/         Next Generation Spam Defense
http://commons.somewhere.com/buzz/  Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Hank Nussbacher writes on 10/9/2003 10:00 PM:
> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your idea :-)

vano-soft has been extensively discussed on other forums (spam-l, nanae etc) for quite some time. But yeah - it's stayed at the discussion level so far.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Vinny Abello wrote:
> Personally, I think preventing residential broadband customers from
> hosting servers would limit a lot of that. I'm not saying that IS the
> solution. Whether or not that's the right thing to do in all
> circumstances for each ISP is a long standing debate that surfaces here
> from time to time. Same as allowing people to host mail servers on cable
> modems or even allowing them to access mail servers other than the ISP's.

The issue comes in defining a server. You can block <1024 access, but spammers don't have to reference port 80 in their emails. You can mandate NAT, but this breaks commonly used systems (especially for broadband) like DirectPlay. One of the selling points for broadband is gaming. Yet some gaming systems were designed to make connections both ways and dynamic port forwarding doesn't work in all scenarios.

-Jack
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 12:01:35 -0400 McBurnett, Jim [EMAIL PROTECTED] wrote:

| I think even if we get all the ones for this domain name today,
| assuming we can muster even man hours to get it today, another
| 5000 will be added tomorrow. And looking at my list We have US
| (a very small ISP and a large ISP) RIPE, and LACNIC.

This malware is not new, but is only just becoming widely visible. It succeeds solely because of the Dynamic-DNS (real-time updating) functionality built into the dot-biz registry. Certainly it can be killed, but the techniques to achieve that are better discussed OFF this list - for both AUP and other valid reasons. As soon as this exploit is killed, no doubt another, similar, exploit would follow. We therefore need a more generic solution to the issue.

| This not only affects this instance but global security as a whole.
| Just a few days ago, Cisco was taken offline by a large # of Zombies,
| I am willing to say that those are potentially some of the same
| compromised systems.

Empirical evidence would seem to support your view. Even where they are not the same zombies, networks that allow this type of zombie to remain in place are just as likely to allow DDoS zombies to continue undisturbed.

The problem is that many ISPs filter all issues of this nature through their abuse teams, rather than sending them directly to their security specialists. Most abuse teams have neither the time nor experience to investigate, and this particular trojan has been written to make it too easy for abuse teams to dismiss reports of its activity, and then to justify taking no action - that is exactly what the writers of the malware intended to happen.

A step change in attitude from providers who offer 24/7-on connectivity is what is needed now, and agreement to separate all network security issues from their abuse desk procedures should be number one priority.

--
Richard Cox
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
> Date: Thu, 9 Oct 2003 10:51:08 -0500
> Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes
> From: Chris Boyd [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
>> http://www.wired.com/news/business/0,1367,60747,00.html
>
> I found one of these today, as a matter of fact. The spam was
> advertising an anti-spam package, of course.
>
> The domain name is vano-soft.biz, and looking up the address, I get
>
> Name:      vano-soft.biz
> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
>            12.229.122.9
>
> A few minutes later, or from a different nameserver, I get
>
> Name:      vano-soft.biz
> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>            12.252.185.129
>
> This is a real Hydra. If everyone on the list looked up vano-soft.biz
> and removed the trojaned boxes, would we be able to kill it?

This is NOT a hydra. The IP addresses are the same but presented differently. This happens because of THIS setup in DNS:

vano-soft.biz.    IN A 131.220.108.232
                  IN A 165.166.182.168
                  IN A 193.165.6.97
                  IN A 12.229.122.9
                  IN A 12.252.185.129

This setup is called "Round-robin" because the name server provides the first IP address FIRST to the first query; the second IP address first to the second query; the third IP address first to the third query; ... to the fifth query. Then it starts over with the first IP Address in response to the sixth query... In each case, ALL IP addresses are provided in response to each query.

Yes, the TTL may be a bit low, but it is a workable setup... And no, I am NOT condoning what vano-soft.biz is doing, just trying to explain why, when you checked the first time, you got one answer, and when you checked sometime later, you got a different answer...

(Donning flameproof underwear...)

Regards,
Gregory Hicks

---
The trouble with doing anything right the first time is that nobody appreciates how difficult it was.

When a team of dedicated individuals makes a commitment to act as one... the sky's the limit.

Just because "We've always done it that way" is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
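Three posts in this thread describe the same bookkeeping: Vinny's idea of watching which addresses change slowly, Joe's tool that tracks the dotted quads advertised for the name, and Gregory's point that a re-ordered answer is round robin rather than a new set of hosts. The following is an added example, not code from the thread or from any poster's tool. It folds successive answer sections into a per-name history, reports addresses that are genuinely new or dropped as distinct from mere reordering, flags rotation-grade TTLs, and lists the long-lived members of the pool. The observations are constructed from the addresses and the 120-second TTL quoted in the thread; the `LOW_TTL_THRESHOLD` value and the two-hour `min_age` are assumptions, and no DNS query is made, so it runs offline.

```python
"""Track the A records a name advertises over time (added example)."""

from dataclasses import dataclass, field

# Hypothetical cut-off: TTLs at or below this are treated as rotation-grade.
LOW_TTL_THRESHOLD = 300


@dataclass
class Observation:
    """One answer section: when it was seen (seconds) and the (ip, ttl)
    pairs in the order the resolver returned them."""
    ts: int
    answers: list


@dataclass
class NameHistory:
    """Bookkeeping for a single name across observations."""
    first_seen: dict = field(default_factory=dict)  # ip -> ts first advertised
    last_seen: dict = field(default_factory=dict)   # ip -> ts last advertised
    last_order: tuple = ()                          # order of the previous answer


def classify(history: NameHistory, obs: Observation) -> dict:
    """Fold one observation into `history` and describe what changed."""
    order = tuple(ip for ip, _ in obs.answers)
    current, previous = set(order), set(history.last_order)
    result = {
        "ts": obs.ts,
        # Addresses never advertised for this name before.
        "new": [ip for ip in order if ip not in history.first_seen],
        # Addresses advertised last time but missing now.
        "dropped": sorted(previous - current),
        # Same set, different order: round robin, not a new host.
        "reordered": current == previous and order != history.last_order,
        # Any record carrying a rotation-grade TTL.
        "low_ttl": any(ttl <= LOW_TTL_THRESHOLD for _, ttl in obs.answers),
    }
    for ip in order:
        history.first_seen.setdefault(ip, obs.ts)
        history.last_seen[ip] = obs.ts
    history.last_order = order
    return result


def long_lived(history: NameHistory, now: int, min_age: int) -> list:
    """Addresses still advertised at `now` that first appeared at least
    `min_age` seconds ago: the slow-changing members of the pool."""
    return sorted(ip for ip, first in history.first_seen.items()
                  if history.last_seen[ip] == now and now - first >= min_age)


def run_demo():
    """Replay three constructed observations for one name."""
    ttl = 120  # the A-record TTL shown in the thread's dig output
    observations = [
        Observation(0, [("12.252.185.129", ttl), ("131.220.108.232", ttl),
                        ("165.166.182.168", ttl), ("193.165.6.97", ttl),
                        ("12.229.122.9", ttl)]),
        # Same five addresses, rotated one step: round robin.
        Observation(180, [("131.220.108.232", ttl), ("165.166.182.168", ttl),
                          ("193.165.6.97", ttl), ("12.229.122.9", ttl),
                          ("12.252.185.129", ttl)]),
        # Two hours later: two members of the pool replaced.
        Observation(7200, [("165.166.182.168", ttl), ("193.92.62.42", ttl),
                           ("200.80.137.157", ttl), ("12.229.122.9", ttl),
                           ("12.252.185.129", ttl)]),
    ]
    history = NameHistory()
    results = [classify(history, obs) for obs in observations]
    stable = long_lived(history, now=7200, min_age=7200)
    return results, stable


if __name__ == "__main__":
    results, stable = run_demo()
    for r in results:
        print(r)
    print("long-lived:", stable)
```

In practice the observations would come from a resolver queried at roughly the TTL interval; feeding them through `classify` one at a time keeps the history incremental, and `long_lived` is the piece that answers Vinny's question of which members do not rotate.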
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Oops... Try this again...

And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?

--- Hank Nussbacher [EMAIL PROTECTED] wrote:
> On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
>> * Follow the money - find out the spammer / the guy who he spams for,
>> from payment information etc. Sic law enforcement on them.
>>
>> srs
>
> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your idea :-)
>
> -Hank
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
> There are two ways to go here -
>
> * Nullroute or bogus out in your resolvers the DNS servers for this
> domain -- two problems here. One is that the spammer doesn't use
> vano-soft.biz in the smtp envelope, and second, he abuses open
> redirectors like yahoo's srd.yahoo.com

There is another option, create an email filter and block any email that includes the text ".biz/" in any email. That will do two things, it will stop the spams from being received in the first place and it will cause one heck of a headache for the .biz domain so they clean up their act and deal with their problems.

Geo.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On 9 Oct 2003, at 12:19, Vinny Abello wrote:
> Personally, I think preventing residential broadband customers from
> hosting servers would limit a lot of that. I'm not saying that IS the
> solution. Whether or not that's the right thing to do in all
> circumstances for each ISP is a long standing debate that surfaces here
> from time to time. Same as allowing people to host mail servers on cable
> modems or even allowing them to access mail servers other than the ISP's.

Hosting a server looks very similar to using an ftp client in active mode, playing games over the network or using a SIP phone to the network. Enumerating all permissible servers and denying all prohibited ones arguably requires an unreasonable shift of intelligence into the network.

Allowing inbound connections by default and blocking specific types of traffic reactively has been demonstrated not to be an adequate solution, I think. A more aggressive policy of blocking all inbound connections (and analogues using connectionless protocols) essentially denies direct access between edge devices, which implies quite an architectural shift.

I think it's more complicated than "prevent residential users from hosting servers".

Joe
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thursday, October 9, 2003, at 12:24 PM, Suresh Ramasubramanian wrote:
> Nope - the guy would get more trojaned boxes, no shortage of unpatched
> windows machines on broadband.
>
> There are two ways to go here -
>
> * Nullroute or bogus out in your resolvers the DNS servers for this
> domain -- two problems here. One is that the spammer doesn't use
> vano-soft.biz in the smtp envelope, and second, he abuses open
> redirectors like yahoo's srd.yahoo.com

This may apply w/r/t something I've been seeing for the last couple of days. I've been seeing e-mails into our server with the following characteristics:

1). Sent to invalid user on our domain
2). Sent from varying origins; usually, groups of three arriving ~ every half hour
3). Origin IP on mostly home broadband networks in US
4). Frequently, purported sender's e-mail address non-US domain although originating from US domain, with the language of the e-mail text matching the purported sender's domain (lots of German spam...guess that's the current flavor).
5). Invalid user send-to addresses arriving in groups in alphabetical order (nice list processing)

It looks like person(s) responsible is using distributed network of trojaned PCs, varying send-to mail servers every 3 messages or so. This way, spam arrives at purported sender's address as undelivered mail bounce with our address in the SMTP envelope, in low enough volume (they hope) not to trigger filtering based on source IP.

I wonder about how long until legitimate mail servers start getting blackholed because of bounce messages?

David Keith
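The pattern David describes (small bursts of mail to non-existent local users, each burst from several sources, recipients arriving in alphabetical order) is cheap to spot in a rejection log once the rejects are bucketed by time. The following is an added example, not something the poster ran: it parses a constructed five-field log format (the real log was not posted), groups unknown-user rejects into fixed windows, and flags windows where at least `min_attempts` rejects came from at least two distinct sources with recipient local-parts in sorted order. The window length, thresholds and every address in the sample are assumptions made for the example.

```python
"""Flag alphabetical dictionary-style probes in a mail log (added example)."""

from collections import defaultdict

# Constructed log: "<unix ts> <source ip> <envelope from> <rcpt to> <result>"
SAMPLE_LOG = """\
1000 198.51.100.10 hans@example.de aaron@ourdomain.example unknown_user
1002 198.51.100.20 ute@example.de abbey@ourdomain.example unknown_user
1005 203.0.113.30 karl@example.de abel@ourdomain.example unknown_user
1100 203.0.113.40 alice@partner.example bob@ourdomain.example ok
1900 198.51.100.10 hans@example.de zed@ourdomain.example unknown_user
3701 198.51.100.50 jens@example.de adam@ourdomain.example unknown_user
3702 198.51.100.60 lars@example.de adrian@ourdomain.example unknown_user
3703 203.0.113.70 meike@example.de alan@ourdomain.example unknown_user
"""


def parse(log_text):
    """Yield (ts, src, sender, rcpt, result) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, sender, rcpt, result = parts
        yield int(ts), src, sender, rcpt, result


def find_probing_windows(log_text, window=1800, min_attempts=3):
    """Return the time windows that look like a list-driven probe.

    A window qualifies when it holds at least `min_attempts` deliveries to
    unknown local users, from at least two distinct sources, with the
    recipient local-parts arriving in non-decreasing alphabetical order.
    A lone typo-style reject (see 'zed' in the sample) does not qualify.
    """
    buckets = defaultdict(list)
    for ts, src, sender, rcpt, result in parse(log_text):
        if result == "unknown_user":
            buckets[ts // window].append((ts, src, rcpt.split("@")[0]))
    flagged = []
    for key in sorted(buckets):
        events = sorted(buckets[key])            # chronological within window
        locals_ = [local for _, _, local in events]
        sources = {src for _, src, _ in events}
        if (len(events) >= min_attempts and len(sources) >= 2
                and locals_ == sorted(locals_)):
            flagged.append({"window_start": key * window,
                            "recipients": locals_,
                            "sources": sorted(sources)})
    return flagged


if __name__ == "__main__":
    for hit in find_probing_windows(SAMPLE_LOG):
        print(hit)
```

The distinct-source requirement is what separates this from an ordinary misconfigured sender retrying one address; the alphabetical check is the list-processing fingerprint David noticed, and is deliberately strict so that a single unrelated reject in the same window (the `zed` line) does not produce a false alarm on its own.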
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 12:53 PM 10/9/2003, you wrote:
> On 9 Oct 2003, at 12:19, Vinny Abello wrote:
>> Personally, I think preventing residential broadband customers from
>> hosting servers would limit a lot of that. I'm not saying that IS the
>> solution. Whether or not that's the right thing to do in all
>> circumstances for each ISP is a long standing debate that surfaces here
>> from time to time. Same as allowing people to host mail servers on cable
>> modems or even allowing them to access mail servers other than the ISP's.
>
> Hosting a server looks very similar to using an ftp client in active
> mode, playing games over the network or using a SIP phone to the
> network. Enumerating all permissible servers and denying all prohibited
> ones arguably requires an unreasonable shift of intelligence into the
> network.
>
> Allowing inbound connections by default and blocking specific types of
> traffic reactively has been demonstrated not to be an adequate solution,
> I think. A more aggressive policy of blocking all inbound connections
> (and analogues using connectionless protocols) essentially denies direct
> access between edge devices, which implies quite an architectural shift.
>
> I think it's more complicated than "prevent residential users from
> hosting servers".

Absolutely, and I was just referring to certain things, not all inbound access. I mentioned before that it doesn't really make much sense with web hosting because the port can easily be changed so it's not very effective at all. Blocking people from hosting mail servers that receive mail and can't send mail directly could be enforced much more easily than the web example so my original thought doesn't really apply all that much to web stuff, but then again I stated I didn't say that IS the solution to anything. Just a thought that's been kicked around forever that we've all heard. :)

Vinny Abello
Network Engineer
Tellurian Networks - The Ultimate Internet Connection
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003, Joe Boyce wrote:
> VA> Personally, I think preventing residential broadband customers from hosting
> VA> servers would limit a lot of that. I'm not saying that IS the solution.
>
> It's not like those customers are aware they are hosting servers, they
> most likely were exploited and are now unaware they are hosting websites.

That's obviously the case. No spammer has thousands of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure Windows (isn't that redundant?) boxes.

Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with URLs containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the box version of Windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves?

--
Jon Lewis [EMAIL PROTECTED]  | I route
Senior Network Engineer       | therefore you are
Atlantic Net                  |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Michael G writes on 10/9/2003 10:27 PM:
> Also, after doing some preliminary digging, it would seem that the
> GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact,
> 7200 seems high compared to some other ones I found.

Any correlation with the unusually high proportion of .biz domains that are being registered by spammers?

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
And as soon as you call law enforcement what happens? The spammer

--- Hank Nussbacher [EMAIL PROTECTED] wrote:
> On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
>> * Follow the money - find out the spammer / the guy who he spams for,
>> from payment information etc. Sic law enforcement on them.
>>
>> srs
>
> I think we can all safely assume that the people behind this are most
> probably on NANOG or reading the archives and are now aware of your idea :-)
>
> -Hank
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Andy Ellifson writes on 10/9/2003 10:58 PM:
> Oops... Try this again...
>
> And as soon as you call law enforcement what happens? The spammer is
> located offshore. Then what?

99% of them are Americans - and mostly from Florida at that. See http://www.spamhaus.org/rokso/

They might subcontract stuff offshore (to India and China, where a lot of legitimate software development / BPO etc work is also going), sure.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Looks like attachments won't go through, so I will repost without the attachment. If anyone wants a copy, let me know

---Mike

At 01:28 PM 09/10/2003, Andy Ellifson wrote:
> Oops... Try this again...
>
> And as soon as you call law enforcement what happens? The spammer is
> located offshore. Then what?

Actually, in the case of the wired article (removeform.com), it seems to be connected to a site in Florida. I asked my programmer ([EMAIL PROTECTED]) to decode the obfuscated JavaScript/page that is served up by one of the zombies (on FreeBSD: fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it from 207.5.215.72 at the time). I have attached it as a zip file with its contents. You will note that the form post goes back to

<form action="http://207.36.47.68/cgi-bin/addinfo.cgi">

OrgName:    CyberGate, Inc.
OrgID:      CYBG
Address:    3250 W. Commercial Blvd. Suite 200
City:       Ft. Lauderdale
StateProv:  FL
PostalCode: 33309
Country:    US

---Mike

> --- Hank Nussbacher [EMAIL PROTECTED] wrote:
>> On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
>>> * Follow the money - find out the spammer / the guy who he spams for,
>>> from payment information etc. Sic law enforcement on them.
>>>
>>> srs
>>
>> I think we can all safely assume that the people behind this are most
>> probably on NANOG or reading the archives and are now aware of your idea :-)
>>
>> -Hank
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
At 09:01 AM 10/9/2003, McBurnett, Jim wrote:
> Can Broadband ISPs require a Linksys, dlink or other broadband router without too many problems?

The router vendors would like that to happen :^)
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
Actually, running a web server on 8290 isn't as easy as 80. SpamAssassin tests (WEIRD_PORT) for this, as do many other filtering packages. Forcing spammers to use non-standard ports will greatly increase their rate of detection, and in turn help to solve the spam problem.

-Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 09, 2003 9:56 AM
To: Joe Boyce
Cc: [EMAIL PROTECTED]
Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes

On Thu, 9 Oct 2003, Joe Boyce wrote:
> VA> Personally, I think preventing residential broadband customers from hosting
> VA> servers would limit a lot of that.
> I'm not saying that IS the solution. It's not like those customers are aware they are hosting servers, they most likely were exploited and are now unaware they are hosting websites.

That's obviously the case. No spammer has thousands of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure Windows (isn't that redundant?) boxes.

Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with URLs containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out-of-the-box version of Windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves?

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
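The WEIRD_PORT idea Mike mentions, worked through as an added example (this is not SpamAssassin's code, just a small re-implementation of the same check): pull every URL out of a message body and report those whose explicit port differs from the scheme default, so that a :8290 link scores while an ordinary :80 or :443 link does not. The sample body is constructed; the example.com/example.org names and the 198.51.100.7 literal are placeholders.

```python
import re
from urllib.parse import urlsplit

# A URL that spells out its scheme's default port is still ordinary.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def weird_port_urls(body):
    """Return [(url, port)] for each URL that points at a non-default port,
    the condition a WEIRD_PORT-style rule keys on. Unparsable host:port
    pairs are reported with port None, since they are odd in themselves."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)>")          # trailing punctuation from prose
        parts = urlsplit(url)
        try:
            port = parts.port               # None when no port is given
        except ValueError:                  # e.g. http://host:notaport/
            hits.append((url, None))
            continue
        if port is not None and port != DEFAULT_PORTS.get(parts.scheme.lower()):
            hits.append((url, port))
    return hits


# Constructed sample body; the first URL form is the one quoted in the thread.
SAMPLE_BODY = """Click here for a free offer: http://blah.biz:8290/
Normal links: http://www.example.com/ and https://www.example.com:443/shop
Also http://198.51.100.7:8080/cgi-bin/go (IP literal, odd port),
and http://user@example.org:8290/ (userinfo does not hide the port)."""
```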
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 09 Oct 2003 12:01:35 EDT, McBurnett, Jim [EMAIL PROTECTED] said:
> Can Broadband ISPs require a Linksys, dlink or other broadband router without too many problems?

So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC? Or are you planning to require that the ISP provide/maintain/configure the router?
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 12:55:36 -0400 (EDT), [EMAIL PROTECTED] wrote:
> Trouble is, how do you stop this?

You use the same principles that are successfully applied everywhere in society (except the Internet) to prevent the negligent from injuring the public.

http://www.camblab.com/misc/univ_std.txt

and (if you have a moment for some chuckles as well as some deep insights into what ails our favorite organism)

http://www.camblab.com/nugget/spam_03.pdf

(Brief extract: One needs only to enforce existing contracts and management charters (e.g. ICANN's) and to apply the basic principles of civilization to the Internet. No one would fly an airline run like today's Internet. Why should we tolerate such misoperation of an ever more critical resource in modern life? Spam is not inevitable. It is the predictable consequence of management decisions to use the Environmental Polluter business model . . . .)

It's not a technical problem and there are NO technical solutions. The only one that works is what is used in every other type of human activity.

Jeffrey Race
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
At 03:42 PM 09/10/2003, [EMAIL PROTECTED] wrote:
> On Thu, 09 Oct 2003 12:01:35 EDT, McBurnett, Jim [EMAIL PROTECTED] said:
> > Can Broadband ISPs require a Linksys, dlink or other broadband router without too many problems?
> So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC?

PCs of the MS variety by default are misconfigured and dangerous out of the box (i.e. they don't have their patches installed and have questionable defaults). Routers of the SOHO variety generally are not. No, it's NOT perfect, but I would gladly take b) over a) any day of the week.

---Mike
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 09 Oct 2003 14:36:53 -0400, Mike Tancsa wrote:
> OrgName: CyberGate, Inc.

This is a notorious spam-enabler about which I had a quarrel with ATT management several years back to get them thrown off the ATT network. I had to take it to their lawyers since the abuse staff would do nothing.

Jeffrey Race
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
How many times have you received SPAM selling a product from a U.S. based company? I have received plenty. Follow the money; Hank has it right.

M (speaking only for myself)

> Oops... Try this again...
> And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?
>
> --- Hank Nussbacher [EMAIL PROTECTED] wrote:
> > On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
> > > * Follow the money - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.
> > > srs
> > I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-)
> > -Hank
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 10:28:30 -0700 (PDT), Andy Ellifson wrote:
> And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?

This is an easy one. Again, see http://www.camblab.com/misc/univ_std.txt
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.          7200    IN      A       24.91.206.103
ns3.uzc12.biz.          7200    IN      A       12.206.49.107
ns4.uzc12.biz.          7200    IN      A       12.227.146.168
ns5.uzc12.biz.          7200    IN      A       66.21.211.204
ns5.uzc12.biz.          7200    IN      A       165.166.182.168
ns1.uzc12.biz.          7200    IN      A       24.243.218.127
ns1.uzc12.biz.          7200    IN      A       12.239.143.71
ns1.uzc12.biz.          7200    IN      A       66.90.158.89
ns1.uzc12.biz.          7200    IN      A       12.229.122.9
ns2.uzc12.biz.          7200    IN      A       24.107.74.166
ns2.uzc12.biz.          7200    IN      A       207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> > A few minutes later, or from a different nameserver, I get
> > Name: vano-soft.biz
> > Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9, 12.252.185.129
> > This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
>
> I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.
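Kee's point about scoring on a domain's name servers, and the dig output above, worked into an added example (not code from anyone in the thread): given a zone's NS names with their A records and any PTR names, summarise how far the nameservers are spread across unrelated /16s, how many NS names are multi-homed, and how many addresses reverse-resolve to consumer access lines. The records are constructed from the output quoted in the post; the access-network token list is a heuristic of my own, not an authoritative one.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input constructed from the dig output quoted in the post above:
# each uzc12.biz NS name with its A records, plus the three PTR lookups shown.
NS_A_RECORDS = [
    ("ns3.uzc12.biz.", "24.91.206.103"),
    ("ns3.uzc12.biz.", "12.206.49.107"),
    ("ns4.uzc12.biz.", "12.227.146.168"),
    ("ns5.uzc12.biz.", "66.21.211.204"),
    ("ns5.uzc12.biz.", "165.166.182.168"),
    ("ns1.uzc12.biz.", "24.243.218.127"),
    ("ns1.uzc12.biz.", "12.239.143.71"),
    ("ns1.uzc12.biz.", "66.90.158.89"),
    ("ns1.uzc12.biz.", "12.229.122.9"),
    ("ns2.uzc12.biz.", "24.107.74.166"),
    ("ns2.uzc12.biz.", "207.6.75.110"),
]
PTR_RECORDS = {
    "24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
    "165.166.182.168": "rhhe16-168.2wcm.comporium.net",
    "207.6.75.110": "d207-6-75-110.bchsia.telus.net",
}
# Tokens often seen in reverse names on consumer access networks (heuristic).
ACCESS_TOKENS = ("client", "dsl", "cable", "dyn", "pool", "hsia", "ppp", "dhcp")


def looks_like_access_host(ip, ptr):
    """A PTR that carries an access-network token, or that embeds the address
    itself (d207-6-75-110...), points at a consumer line, not a server."""
    if not ptr:
        return False
    name = ptr.lower()
    if any(tok in name for tok in ACCESS_TOKENS):
        return True
    digit_runs = re.findall(r"\d+", name)
    return all(octet in digit_runs for octet in ip.split("."))


def hydra_report(ns_a_records, ptr_records, ns_ttl):
    """Legitimate nameservers sit in one or two netblocks with long TTLs.
    A zombie 'hydra' shows NS names with several A records in unrelated /16s,
    access-network PTRs and a short TTL so dead hosts rotate out quickly."""
    per_ns = defaultdict(set)
    for ns, ip in ns_a_records:
        per_ns[ns].add(ip)
    ips = {ip for _, ip in ns_a_records}
    blocks = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    access_hosts = sorted(ip for ip in ips
                          if looks_like_access_host(ip, ptr_records.get(ip)))
    # Spread ratio: unrelated /16s per NS name; an honest zone lands near 1.
    spread = len(blocks) / max(len(per_ns), 1)
    return {
        "nameservers": len(per_ns),
        "addresses": len(ips),
        "multi_homed_ns": sum(1 for s in per_ns.values() if len(s) > 1),
        "distinct_slash16": len(blocks),
        "access_hosts": access_hosts,
        "suspicious": spread >= 1.5 or ns_ttl <= 300 or bool(access_hosts),
    }
```

For the records above, hydra_report(NS_A_RECORDS, PTR_RECORDS, ns_ttl=120) reports 5 NS names spread over 11 distinct /16s with two access-network PTRs, which a conventional two-nameserver zone in a single block never produces.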
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> [snip]
> it? Convince registrars to kill domains that are clearly being used by thieves?

From a post on NANAE, here's what the registrar for vano-soft.biz had to say on Oct 1:

> In order to terminate service of this domain name we will need a strong sampling of complaints. Please fax a complaint to 858.560.9417 and include your complaint, name, email address and any supporting evidence you have. It is not our intent to keep a domain active that promoted criminal activity but we do take the suspension of a domain name very seriously. Thank you in advance for your cooperation and I can assure you that your faxed complaint will be taken seriously.

Anyone with half a clue can see that vano-soft.biz is using a network of zombies. Obviously domaindiscover.com/buydomains.com has no clue.

I started the day with a few hundred bounces from vano-soft's spam runs due to forged sender addresses in one of my domains. I spent the rest of the day googling for case law that might be applied to the network operators providing connectivity to the trojaned boxes being used for illegal activities, identity theft. Didn't accomplish much except wasting the day.

John Capo
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Folks, let's move this discussion onto one of the many lists that focuses on spam:

http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists

Thanks -- Susan
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
--On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris [EMAIL PROTECTED] wrote:
> Folks, let's move this discussion onto one of the many lists that focuses on spam:
> http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
> http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
> net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists

I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.

With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooders to spam engines, to DNS servers to massive DDoS infrastructure. If the ability of a teenager to launch a gb/s DDoS, or of someone DoSing mailservers off the internet with a trojan that contains a spam engine is not operational, perhaps it's just me that's confused.

Two-three years ago the warnings were ignored because it was "only IRC". Now it's "only spam". What does it take to make the Network Operators and NANOG decide that things that are a very bad thing on one protocol generally can bite you later on another if you ignore it because it's only <insert your least favorite program or protocol here>?

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Margie Arbon                     Mail Abuse Prevention System, LLC
[EMAIL PROTECTED]                http://mail-abuse.org
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
Margie Arbon wrote:
> I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.
>
> With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooders to spam engines, to DNS servers to massive DDoS infrastructure. If the ability of a teenager to launch a gb/s DDoS, or of someone DoSing mailservers off the internet with a trojan that contains a spam engine is not operational, perhaps it's just me that's confused.
>
> Two-three years ago the warnings were ignored because it was "only IRC". Now it's "only spam". What does it take to make the Network Operators and NANOG decide that things that are a very bad thing on one protocol generally can bite you later on another if you ignore it because it's only <insert your least favorite program or protocol here>?

I believe that to be one of the most succinct summaries of the issues as I have read.
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, Oct 09, 2003 at 07:44:35PM -0500, Laurence F. Sheldon, Jr. wrote:
> > Two-three years ago the warnings were ignored because it was "only IRC". Now it's "only spam". What does it take to make the Network Operators and NANOG decide that things that are a very bad thing on one protocol generally can bite you later on another if you ignore it because it's only <insert your least favorite program or protocol here>?
>
> I believe that to be one of the most succinct summaries of the issues as I have read.

Not only that, but it's arguable that the problem is now significantly worse. Now IRC networks are *still* under attack, AND spam is a problem. And reading from the Wired article, hard-to-trace, possibly very illegal websites are in the mix also.

What next, national security compromised because someone created a massive P2P system with all these trojaned systems, and uploaded the list of names of CIA operatives? Nice. It's not inconceivable.

Personally I'm in favour of specific port filtering, and charging a (small) premium ($10 a month?) for being able to run servers on residential broadband connections. Aunt Maggie in Florida doesn't NEED to run a server of any kind, and it would probably make my life easier trying to solve problems for her.

--
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003, Margie Arbon wrote:
> I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.

Susan did not say it wasn't an operational issue. She said there are other lists which focus on that issue.

There are many subjects of interest to operators which occasionally flare up on NANOG, but then move to other lists. BIND issues concern network operations, but a namedroppers list exists for the topic. Peering is of operational interest, but the model-peer mailing list exists for the topic. Network time synchronization is of interest to operators, but then the ntp newsgroup exists for the topic. Network security is of interest to operators, but then nsp security mailing lists exist for the topic. Address hijacking is of interest to operators, but then the hijack mailing list exists for the topic.

Not every operators' forum must discuss spam. There is a reason why more than one mailing list or forum on different topics exists on the Internet.

I now return you to your meta-discussion whether the topic is on topic for a particular forum. If you believe in zero tolerance, should the forum moderator report us to our ISPs for network abuse and terminate our Internet connection for discussing something the forum moderators consider off topic?
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
(I dislike meta-discussion, but since it /is/ applicable to the list...)

Thus spake Sean Donelan ([EMAIL PROTECTED]) [09/10/03 21:32]:
> Susan did not say it wasn't an operational issue. She said there are other lists which focus on that issue.

Agreed.

> There are many subjects of interest to operators which occasionally flare up on NANOG, but then move to other lists. BIND issues concern network operations, but a namedroppers list exists for the topic. Peering is of operational interest, but the model-peer mailing list exists for the topic. Network time synchronization is of interest to operators, but then the ntp newsgroup exists for the topic. Network security is of interest to operators, but then nsp security mailing lists exist for the topic. Address hijacking is of interest to operators, but then the hijack mailing list exists for the topic.

So if there's a more specific list for every operational issue, should we just shift discussion off to those lists? Should NANOG exist simply as a live resource for 'What mailing list should I consult for ...'?
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, Oct 09, 2003 at 05:20:10PM -0700, Margie Arbon wrote:
> --On Thursday, October 09, 2003 7:54 PM -0400 Susan Harris [EMAIL PROTECTED] wrote:
> > Folks, let's move this discussion onto one of the many lists that focuses on spam:
> > http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion
> > http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam
> > net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists
>
> I am curious as to why open proxies, compromised hosts, trojans and routing games are not considered operational issues simply because the vehicle being discussed is spam.
>
> With all due respect, we have a *problem*. End user machines on broadband connections are being misconfigured and/or compromised in frightening numbers. These machines are being used for everything from IRC flooders to spam engines, to DNS servers to massive DDoS infrastructure. If the ability of a teenager to launch a gb/s DDoS, or of someone DoSing mailservers off the internet with a trojan that contains a spam engine is not operational, perhaps it's just me that's confused.

I think that in the case of spam, it is not some teenager, but rather adult, vicious, sociopathic criminals. They are not fooling around, folks.

--
-=[L]=-
Re: Wired mag article on spammers playing traceroute games with trojaned boxes
On Thu, 9 Oct 2003 18:40:35 -0400, John Capo wrote:
> I spent the rest of the day googling for case law that might be applied to the network operators providing connectivity to the trojaned boxes being used for illegal activities, identity theft. Didn't accomplish much except wasting the day.

This is a trivial legal exercise and I remain surprised the infamous plaintiff's bar has not started suing these scum. Some of the obviously relevant legal bases are negligent enablement, unjust enrichment, attractive nuisance. Talk to any lawyer; he'll tell you. I am sure there are BIG BIG damages to be had for a little litigation.

Jeffrey Race