On Feb 17, 2010, at 1:49 PM, Geoff Shang wrote:


A person in the blindness community has been posting to various mailing lists in the last few days. They have been sending mail in the name of well-respected list members with relevant-looking subject lines, but placing offensive material in the body of the message.

First of all, how do you know that this is a person, as you put it, in the blindness community? It could just be one of those people that disrupt groups because they can, and found a bunch of people to annoy. Eventually they get tired of these things and move on to a different community.

You also should check the email addresses. One common trick used by commercial posters is to post using a real name with a different email address. For example, if your email address were geoffsh...@gmail, they would open an account geoffsh...@yahoo. Or use a different country, instead of hotmail.com, open one at hotmail.co.uk.

These guys tend to hit hard and fast, post one email advertising their business and move on, but script kiddies do it too.

I had that happen to me once where I publicly exposed someone for it and was abused because this person was a close friend and a respected member of their community. When I pointed out that the person would have been asleep when they posted the message and they had opened a new email account at another provider just to post the message, I never heard anything at all, neither an apology from the people abusing me nor the person who was spoofed thanking me for pointing it out.


I'm not asking here about blocking this sort of mail, as this is something I can have addressed elsewhere. What is concerning me is how it's being done.

The person seems to be able to find a host that they can send through. This host is easy enough to find from the message headers. The problems are finding out how they are doing what they are doing with the host concerned, and the fact that connections to these hosts seem to be coming from multiple machines which appear on the surface to be anonymous proxies.

The host I dealt with on Monday had an account compromised (or at least said they did) on one of their machines which is not their mail server. Now clearly they could prevent this by preventing traffic from port 25 going out to the world, but perhaps there are reasons for not doing this. They also appear to be accepting telnet connections which seems nuts to me... But anyway, I digress. They are disinclined to take this matter further due to the complexity involved, though they might change their mind when I tell them we got another one from their IP address today.

I'm not sure how disinclined they would be if the CEO of the company received a copy of the email.

Meanwhile, we've seen examples from other (presumably) compromised hosts.

This person is obviously doing this to get a kick out of it, and he's clearly becoming arrogant. He just sent a message to one of the lists which includes a bash script. As the list mostly deals with Windows technical support queries, he probably figured no-one would understand what it was, or that even if anyone did, nothing could be done to catch him or stop him.

I don't understand. 99.99% of Windows users don't run bash. Why send them a bash script? I think sloppy is correct, but I wonder if it is a real person or just a "junk bot" sending stuff out. At one point it found the mailing list in someone's contacts list and is just dumping crap to it.


This script seems to make use of socks proxies, which is something I don't know about. It also calls some perl code which I also don't understand. So I don't exactly understand what they are doing.

Send me a copy. Or publish it, we can argue over what it does.


Now that I look at it, it appears that this person is using the Tor network (torproject.org) to do this. Since the whole point of Tor is to hide your tracks, I'm not at all confident about tracking this person down unless they make a mistake.

They will. A person who does this kind of thing can go on for years without being caught as long as they are careful. It's like the guy who takes one egg out of a carton at the supermarket and hides it in his pocket. Next week, he takes a carrot. As long as he takes only one small item, and is very careful not to be observed, he can do it indefinitely.

But he will become overconfident or sloppy. He might not look carefully for cameras, or a person watching him, or just have bad luck, someone will see him. Or he will move up from one egg to a roast. He will do something too big to overlook.

You have to keep watching him, and keep meticulous notes. Eventually he will reveal himself.

I recently had that happen. A few years ago someone wrote me threatening emails under an assumed name (but with a real, but rarely used email address) because I called his scam a scam on a public list. Recently I offered something to give away, and he had since forgotten about our exchange. I wrote him and asked if he also used the other email address because we had discussed a camera or something like that (we had 10 years ago). He said, yes that is me too.

You just have to wait and be patient.

It would be best that the mailing lists be set to posting by members only, and new members are moderated until approved.

Geoff.


--
geoffrey mendelson N3OWJ/4X1GM
Jerusalem Israel [email protected]
New word I coined 12/13/09, "Sub-Wikipedia" adj, describing knowledge or understanding, as in he has a sub-wikipedia understanding of the situation. i.e possessing less facts or information than can be found in the Wikipedia.






_______________________________________________
Linux-il mailing list
[email protected]
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
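
The address check described in the message above (a known display name posting from a different provider or country suffix), as an added example that is not part of the original post. The roster, names and domains are constructed, and comparing only the first domain label to recognise "same provider, other suffix" is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: display name -> address the member subscribed with.
ROSTER = {
    "alice example": "alice@listmail.example",
    "bob example": "bob@provider-a.example",
}

# Constructed sample posts; only the From header matters here.
SAMPLES = [
    "From: Alice Example <alice@listmail.example>\nSubject: hi\n\nbody",
    "From: Alice Example <alice@listmail.test>\nSubject: hi\n\nbody",
    "From: Bob Example <bob@provider-b.example>\nSubject: hi\n\nbody",
    "From: Bob  EXAMPLE <x9@provider-b.example>\nSubject: hi\n\nbody",
]

def normalise(name):
    """Case-fold and collapse whitespace so name variants hit the roster."""
    return " ".join(name.lower().split())

def check_from(raw_message):
    """Return (verdict, address) for the From header of one raw message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = ROSTER.get(normalise(name))
    if known is None:
        return ("unknown-name", addr)
    if addr == known:
        return ("match", addr)
    local, _, domain = addr.partition("@")
    k_local, _, k_domain = known.partition("@")
    # Same provider label, different suffix (the "other country" variant).
    if domain.split(".")[0] == k_domain.split(".")[0]:
        return ("same-provider-other-suffix", addr)
    # Same mailbox name opened at a different provider.
    if local == k_local:
        return ("same-local-other-provider", addr)
    # Member's name attached to an unrelated address.
    return ("name-reused", addr)

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_from(raw))
```

A `match` verdict only rules out this particular trick: the From header can be forged outright, so the Received headers still have to be read to find the sending host.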
