On Wed, Feb 17, 2010, Geoff Shang wrote about "Re: Request for help with mail spoofing":
> I know this. This is not what I was asking. I want to know how this
> person is sending mail through the affected host.
You called these hosts "affected" and "compromised". Why? It is possible they are, but also possible they are just open relays or socks proxies or whatever - either deliberately or by misconfiguration.

> Yes. I used this to identify the compromised hosts. But this only shows
> where the SMTP session started, and blocking these will surely be a
> cat-and-mouse game. I want to get this guy.

Why is it a cat-and-mouse game? The person currently has two choices. Either send mail directly from his machine (at which point you got him), or send it through some open relays or proxies. Since, as I said, there are blacklists which specialize in collecting lists of such relays (for anti-spam filters to block these out), it is likely that all the relays that your adversary can use are already blacklisted, and you can filter all of them out in one fell swoop.

> I'll look at this, though as I said before, I'm not so concerned about
> blocking it, as some of the lists are on Yahoogroups and trying to report
> spam there is like pulling teeth. I want to find out how he's doing it so
> that hosts can be guarded against it, and I want to try to track this
> idiot down.

Many of the open proxies or relays are *deliberately* open. Tor, which you mentioned, is deliberately open and anonymous (although, as far as I know, Tor does not allow connections to port 25, so I'm surprised it was involved in this attack). See http://en.wikipedia.org/wiki/Open_mail_relay#Modern-day_proponents for another person who deliberately keeps an open relay. The blacklists which I mentioned are already doing a good job "guarding" against open relays of all sorts - anybody who has an open relay or socks proxy will soon find himself unable to send mail to half the Internet.
--
Nadav Har'El                        | Wednesday, Feb 17 2010, 3 Adar 5770
[email protected]                    |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |AlGoreithm, n: Repeating a calculation
http://nadav.harel.org.il           |until a prior desired result is produced.
_______________________________________________
Linux-il mailing list
[email protected]
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
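The two steps the reply describes, reading the Received headers to find where the SMTP session started and checking that relay against a DNS blacklist, as an added example that is not part of the thread. The message, the DNSBL zone name `dnsbl.example` and the stub resolver are constructed for the demonstration; a real check would resolve the name with `socket.gethostbyname_ex`.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message. Received headers are prepended by each hop,
# so the bottom one names the host where the SMTP session started.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by lists.example.net with ESMTP; Wed, 17 Feb 2010 10:00:00 +0200
Received: from unknown (HELO mail.example.org) ([198.51.100.77])
    by mx.example.org with SMTP; Wed, 17 Feb 2010 09:59:58 +0200
From: someone@example.org
To: list@example.net
Subject: test

body
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the bracketed IPs from the Received headers, nearest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = _IP_RE.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def first_hop(raw_message):
    """The relay that injected the message: the last Received header's IP."""
    hops = received_hops(raw_message)
    return hops[-1] if hops else None


def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] when unlisted.
    DNSBLs answer with a 127.0.0.x address for listed IPs; any other
    answer (or none) is treated as not listed."""
    return any(a.startswith("127.") for a in resolve(dnsbl_name(ip, zone)))


# Constructed stand-in for DNS: only the first-hop relay is "listed".
FAKE_ZONE = {"77.100.51.198.dnsbl.example": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])
```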
