--On Thursday, April 22, 2004 1:57 PM -0500 Chris Myers <[EMAIL PROTECTED]> wrote:
I don't have a way to get my hands on one of the compromised systems, so I don't know how they're communicating (I can speculate of course...), but it seems pretty clear to me that they ARE communicating.
We had one on campus. The communication is not by mail but through other ports. It is a distributed network too. The campus host-- a Windows PC of course-- was getting small bursts of inbound data, sending a few dozen spam messages, and also sending small bursts of outbound data to other hosts. It was taken off the network and the owner reformatted the disk. Clearly some kind of software had been installed on it to do what it was doing. The owner may have downloaded dodgy file sharing software or the like; we don't know.
I have also seen the results in syslog in other cases. If I extract lines with similar subjects, like vicodin ads, sometimes I can see recipients progress through the alphabet even though the mail comes from different IPs; it is so widely distributed that there is almost one recipient per sender IP. The only sign of it not being coincidental is the nice alphabetical progression of recipient addresses.
Following the money... the advertised web sites were hosted in China. They are believed to be controlled by the very large spam enterprises like Alan Ralsky's operation.
The lovely irony for us is that because the government of China has some political issues with Columbia University, many Chinese sites won't resolve for our IP space, and thus sometimes the spammer's sites are unreachable from here. It doesn't really make me feel any better but it is a small laff.
Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
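The syslog heuristic described in the reply (pull lines with a shared subject, then look for recipients walking the alphabet while the sending IPs keep changing) as an added example; this is not code from the list or from MIMEDefang, and the log format and thresholds are assumptions made up for the example.

```python
import re

# Constructed, simplified mail-log lines (not real MIMEDefang or sendmail output):
# one line per delivery attempt, recording the relay IP, recipient and subject.
SAMPLE_LOG = """\
Apr 22 13:01:02 mx1 mail: relay=198.51.100.10 to=<adams@example.edu> subject="Cheap VICODIN online"
Apr 22 13:01:09 mx1 mail: relay=192.0.2.77 to=<bob@example.edu> subject="Meeting moved to 3pm"
Apr 22 13:01:15 mx1 mail: relay=203.0.113.4 to=<baker@example.edu> subject="cheap vicodin no rx"
Apr 22 13:01:30 mx1 mail: relay=198.51.100.200 to=<carter@example.edu> subject="Vicodin - lowest price"
Apr 22 13:01:44 mx1 mail: relay=203.0.113.91 to=<davis@example.edu> subject="VICODIN shipped overnight"
Apr 22 13:02:01 mx1 mail: relay=192.0.2.8 to=<evans@example.edu> subject="vicodin, best prices"
Apr 22 13:02:20 mx1 mail: relay=198.51.100.33 to=<foster@example.edu> subject="Vicodin special"
Apr 22 13:02:35 mx1 mail: relay=192.0.2.150 to=<garcia@example.edu> subject="get vicodin today"
Apr 22 13:02:50 mx1 mail: relay=203.0.113.4 to=<hall@example.edu> subject="vicodin offer"
"""

LINE_RE = re.compile(r'relay=(?P<ip>[\d.]+) to=<(?P<rcpt>[^>]+)> subject="(?P<subj>[^"]*)"')

def parse(log_text):
    """Yield (relay_ip, recipient, subject) tuples in log (arrival) order."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower(), m.group("subj")

def analyze(log_text, keyword, min_msgs=5, min_ordered=0.8, min_ip_ratio=0.7):
    """Flag a subject whose recipients arrive in alphabetical order from mostly
    distinct relay IPs: the bot-distributed pattern the post describes.
    Thresholds are assumed values, not something the post specifies."""
    hits = [(ip, rcpt) for ip, rcpt, subj in parse(log_text)
            if keyword.lower() in subj.lower()]
    n = len(hits)
    if n < min_msgs:
        return {"messages": n, "suspicious": False}
    rcpts = [r for _, r in hits]
    # Count adjacent deliveries whose recipients are in non-decreasing order.
    ordered = sum(1 for a, b in zip(rcpts, rcpts[1:]) if a <= b)
    ordered_frac = ordered / (n - 1)
    distinct_ips = len({ip for ip, _ in hits})
    ip_ratio = distinct_ips / n          # close to 1.0 means one sender IP per recipient
    return {
        "messages": n,
        "distinct_ips": distinct_ips,
        "ordered_fraction": round(ordered_frac, 3),
        "ip_ratio": round(ip_ratio, 3),
        "suspicious": ordered_frac >= min_ordered and ip_ratio >= min_ip_ratio,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "vicodin"))
```

A single subject keyword is used here for clarity; in practice the same pass would be run per normalized subject, and the relay-IP ratio is what separates a botnet from one busy open relay.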

