Hello,

I'm not sure if this request crosses any lines re the scope of this list, so I'm posting a request first rather than simply pasting what I have. If the list mods are concerned about analysis of what could arguably be a criminal act, then I'll take it off-list.

The problem:

A person in the blindness community has been posting to various mailing lists in the last few days. They have been sending mail in the name of well-respected list members with relevant-looking subject lines, but placing offensive material in the body of the message.

I'm not asking here about blocking this sort of mail, as this is something I can have addressed elsewhere. What is concerning me is how it's being done.

The person seems to be able to find a host that they can send through. This host is easy enough to find from the message headers. The problems are finding out how they are doing what they are doing with the host concerned, and the fact that connections to these hosts seem to be coming from multiple machines which appear on the surface to be anonymous proxies.

The host I dealt with on Monday had an account compromised (or at least said they did) on one of their machines which is not their mail server. Now clearly they could prevent this by preventing traffic from port 25 going out to the world, but perhaps there are reasons for not doing this. They also appear to be accepting telnet connections which seems nuts to me... But anyway, I digress. They are disinclined to take this matter further due to the complexity involved, though they might change their mind when I tell them we got another one from their IP address today.

Meanwhile, we've seen examples from other (presumably) compromised hosts.

This person is obviously doing this to get a kick out of it, and he's clearly becoming arrogant. He just sent a message to one of the lists which includes a bash script. As the list mostly deals with Windows technical support queries, he probably figured no-one would understand what it was, or that even if anyone did, nothing could be done to catch him or stop him.

This script seems to make use of socks proxies, which is something I don't know about. It also calls some perl code which I also don't understand. So I don't exactly understand what they are doing.

Now that I look at it, it appears that this person is using the Tor network (torproject.org) to do this. Since the whole point of Tor is to hide your tracks, I'm not at all confident about tracking this person down unless they make a mistake.

Given that I have this script which I am willing to send on, my questions are:

1. What exactly is being done?

2. Is there anything that admins can do to block this sort of spoofing through their hosts? I don't want any of the hosts I admin to be used for this, for example, and I'd like to tell those who are being used for this how to block the hole.

3. Is there any way at all of tracking this person down?

Any guidance anyone can provide will be most gratefully received.

Geoff.
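One way to pull the injecting host out of the message headers, as Geoff describes doing by hand: walk the Received chain from the newest hop down and stop at the first relay that is not one of your own. This is an added example, not code from the original mail; the sample message, hostnames, addresses and the TRUSTED_RELAYS set are constructed.

```python
import re
from email import message_from_string

# Constructed sample: a spoofed list post as seen by the list's own MX.
# Every hostname and address below is made up for this example.
SAMPLE = """\
Received: from mx.example-list.org (localhost [127.0.0.1])
\tby mx.example-list.org (Postfix) with ESMTP id 1234; Mon, 1 Jan 2007 10:00:03 +0200
Received: from shell.compromised-host.example ([198.51.100.23])
\tby mx.example-list.org with SMTP; Mon, 1 Jan 2007 10:00:01 +0200
From: Respected Member <member@example.net>
Subject: Re: screen reader settings
To: list@example-list.org

offensive body here
"""

# Hops we added ourselves; anything above these in the chain is the outside world.
TRUSTED_RELAYS = {"mx.example-list.org", "127.0.0.1"}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def injecting_host(raw):
    """Return (hostname, ip) of the first Received hop that is not a trusted relay.

    Received headers are prepended by each relay, so get_all() yields them
    newest-first; the first untrusted hop is the machine that handed the
    message to us, which is what the abuse report should name."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        host = m.group(1)
        ip_match = IP_RE.search(m.group(2) or "")
        ip = ip_match.group(1) if ip_match else None
        if host in TRUSTED_RELAYS or ip in TRUSTED_RELAYS:
            continue
        return host, ip
    return None, None

if __name__ == "__main__":
    host, ip = injecting_host(SAMPLE)
    print(f"message was injected via {host} [{ip}]")
```

Only headers written by your own relays can be trusted; anything above the first untrusted hop may have been forged by the sender.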


_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
