Ravikant K.Rao saw fit to inform LI that:
> Actually, how would one define a "Script Kiddie"? Is it like
> a guy who "uses" other people's "tools" and messes up innocent people's
> happiness ... or is it like he writes/codes his own "scripts" or what?
This guy used two servers which don't even belong to him (AIIMS Delhi and
IIM Bangalore). He spoofed the IP of a Korean university which may get
some complaints without having originated the spam ... if that isn't theft
of service, what is?
As for this, he needn't even _know_ smtp. Lots of cheap-ass software
available on "cr4ck / w4r3z" sites like astalavista for spamming /
mailbombing whatever. Most likely the idiot who sent this wouldn't even
know that smtp listens on port 25.
> Actually, yes, Suresh *did* trace them to some Korean place
> but the 203.something IP doesn't even resolve to anything... I guess
> Suresh is way ahead and far more experienced with handling this sort
> of a thing ;)
Simple really - just use whois, nslookup, traceroute ... as easy as that.
> Atul said something about the guy being on aunet.org ?
> localhost? hmmm ;)
He misread the headers - what he got was a bounce from aunet.org (as he
and gopi are not subscribed to the list)
> localhost -> a.b.com
> a.b.com -> c.d.com
> c.d.com -> e.f.org
> e.f.org -> g.h.net
> g.h.net -> LI
With such a huge path, I'd suspect forgery ;)
> Can(t) you make mj2 check if each post from each subscriber
> had at least 75% of those hops or so? ... well, in afterthought, that
> would be broken .. how about 100% match, or it auto-rejects ... no
> forwarding to list-admin or anything ...
No, please don't. For example, I am subscribed to LI on two accounts (my
office acct gets each post, and one of my personal accts gets a
digest). In both cases, I set from: [EMAIL PROTECTED] to avoid
confusion. I'm at home now and sending through my ISP's smtp server, not
my office server. By the way, I'm also using mutt 1.3.2 and not 1.3 as in
my office :)
> Or how about something like, if I was subscribed from
> [EMAIL PROTECTED], then I would *have* to have *.bar.com appearing
> *somewhere* in the headers for my mail to get relayed by mj2 ... that
It is trivial to forge headers. You can't keep track of headers for just
this reason.
> post itself won't have any *.mailandnews.com on it .. hehehehe
> ... there oughta be a more foolproof way to this ... duh
Only foolproof way - make LI-* 100% moderated, and let Thaths approve all
posts (he'll probably chase me with an ax and lart my head off for
this) :)
The next best way is to hammer any and every spammer who tries these
tricks. The AIIMS and IIM-B open relays should ideally have other system
logs, which might provide further clues about this idiot. If he's
anywhere in VSNL, Satyam or Mantraonline, I know some people who'll nail
his ass to the wall as a trophy.
[[Gopi - the reason I cc'd you was - can you please check the
www.iimb.ernet.in logs and find out, or mail me a copy of the logs?]]
--
Suresh Ramasubramanian + [EMAIL PROTECTED]
"But what we need to know is, do people want nasally-insertable computers?"
-----------------------------------------------------------------------
The LIH mailing list archives are available at:
http://lists.linux-india.org/cgi-bin/wilma/linux-india-help
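An added example, not part of the original message or of the list software it discusses: a small Python walker over Received: headers that rebuilds the hop chain quoted above (localhost -> a.b.com -> ...), marks where the verifiable part of the chain ends, and flags hops whose announced name the receiving MTA could not confirm. Everything below the lowest line written by a server you run arrived inside the message and could have been typed by the sender, which is why a "subscriber's domain must appear somewhere in the headers" rule cannot be enforced. The host names, addresses and queue ids in the sample are constructed.

```python
import re

# Constructed sample (not from the original message): five Received: lines,
# newest first, as each MTA prepends its own line when it accepts the message.
SAMPLE_HEADERS = """\
Received: from g.h.net (g.h.net [192.0.2.10])
\tby list.example.org (Postfix) with ESMTP id ABC123
Received: from e.f.org (e.f.org [198.51.100.7])
\tby g.h.net (8.9.3/8.9.3) with ESMTP id DEF456
Received: from c.d.com (unknown [203.0.113.5])
\tby e.f.org with SMTP id GHI789
Received: from a.b.com (a.b.com [192.0.2.99])
\tby c.d.com with ESMTP id JKL012
Received: from localhost (localhost [127.0.0.1])
\tby a.b.com with ESMTP id MNO345
"""

# "from <helo-name> (<reverse-dns> [<ip>]) ... by <receiving-host>"
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s*\(([^)]*)\))?.*?\bby\s+(\S+)", re.M)

def parse_received(headers):
    """Return hops as (helo_name, peer_info, by_host) tuples, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded continuation lines
    return RECEIVED_RE.findall(unfolded)

def hop_path(hops):
    """Oldest-to-newest chain in the form quoted in the thread: localhost -> a.b.com -> ..."""
    ordered = list(reversed(hops))
    return " -> ".join([ordered[0][0]] + [by for _, _, by in ordered])

def split_at_trust_boundary(hops, our_hosts):
    """Only lines prepended by MTAs we run are verifiable; everything below the lowest
    such line was already in the message on arrival. Returns (trusted, untrusted)."""
    trusted = []
    for i, hop in enumerate(hops):
        if hop[2] not in our_hosts:
            return trusted, hops[i:]
        trusted.append(hop)
    return trusted, []

def mismatched_helo(hops):
    """HELO names the receiving MTA could not confirm via reverse DNS of the peer."""
    return [helo for helo, peer, _ in hops if peer and not peer.startswith(helo)]

if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    print(hop_path(hops))
    trusted, untrusted = split_at_trust_boundary(hops, {"list.example.org"})
    print(f"{len(trusted)} verifiable hop(s), {len(untrusted)} the sender could have forged")
    print("unconfirmed HELO names:", mismatched_helo(hops))
```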