Hi all

I have a big problem finding a customer with tcpdump (dedicated server hosting / ~300 servers / switched network [mac-lockdown] / no "central" firewall other than my BGP-router protecting itself) who's spamming the world using a fake IP and a pseudo VMware mac-addr. in the mail-header.
The spammer uses a few different mac-addr. plus a whole unused (old "C-net size") IP range in a loop (script) and I expect him/her to bridge(*) between the host-server (with valid IP/mac) and the N+ number of local "virtual" installations with fake VMware mac-addr./IP i.e. the host nic is probably running in promiscuous mode(*).


IP src in mail-header is always RFC1918 or draft-manning.net net (I don't route these nets BGP-wise!) but that's only in the mail header.
In short:
#0 - I can't find any src smtp traffic from the spammer on my net
#1 - I get a lot of dst (complaints, replies and bounces) smtp traffic to the spammer on my net


How do I (with tcpdump) find the spammer ?
I've done this so far:

# tcpdump -e -n -i eth0 -XX -vvv -tttt -s 0 -w /var/tmp/tcpdumps/spammer.lpc src 82.xxx.xxx.xxx and not arp

# tcpdump -e -n -i eth0 -XX -vvv -tttt -s 0 -w /var/tmp/tcpdumps/spammer_smtp.lpc src 82.xxx.xxx.xxx port smtp and not arp

The reply almost always has seebest.com.tw as number two smtp server (our ip-range > seebest.com.tw > whomever > target) when reading the mail headers, and no rDNS.


respectfully /per [EMAIL PROTECTED]


- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.

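The two captures in the post filter on `src 82.xxx.xxx.xxx`, which a sender that forges its IP source address never matches, and they also miss a sender that bridges fake VMware MACs behind a legitimate host. The helper below is an added example, not code from the original post: a POSIX shell script that (1) builds a tcpdump filter keyed on the link layer rather than the IP layer (outbound SMTP connection attempts minus the MACs known to be legitimate, optionally restricted to the registered VMware OUIs 00:0c:29, 00:50:56 and 00:05:69), and (2) tallies the source MAC / source IP pairs in `tcpdump -e -n -tttt` text output so that spoofed pairs stand out. The MAC addresses, IP addresses and capture lines are constructed for the example; the function names `build_filter` and `tally_src` are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find a spoofing SMTP sender by
# link-layer address instead of by IP source address.

# Registered VMware OUIs. ether[6:4] loads the first four bytes of the source
# MAC; the mask keeps only the first three (the OUI). pcap-filter allows only
# 1-, 2- or 4-byte loads, hence the mask instead of ether[6:3].
VMWARE_OUI_FILTER='(ether[6:4] & 0xffffff00) = 0x000c2900 or (ether[6:4] & 0xffffff00) = 0x00505600 or (ether[6:4] & 0xffffff00) = 0x00056900'

# build_filter MAC...  -> prints a filter matching outbound SMTP connection
# attempts from every station except the MACs given (hosts known to be
# legitimate). "tcp dst port 25" matches even when the source IP is forged.
build_filter() {
    f='tcp dst port 25'
    for m in "$@"; do
        f="$f and not ether src $m"
    done
    printf '%s\n' "$f"
}

# tally_src  -> reads "tcpdump -e -n" text on stdin and prints one line per
# source MAC / source IP pair: "<count> <src MAC> <src IP> <vmware-oui|->",
# most active pair first.
tally_src() {
    awk '
        BEGIN { vm["00:0c:29"] = 1; vm["00:50:56"] = 1; vm["00:05:69"] = 1 }
        {
            smac = ""; sip = ""
            for (i = 1; i <= NF; i++) {
                # first 17-character field of hex digits and colons is the source MAC
                if (smac == "" && length($i) == 17 && $i ~ /^[0-9a-f:]+$/) smac = $i
                # "length 74:" is followed by the IP source "a.b.c.d.port"
                if (sip == "" && $i == "length" && i + 2 <= NF && $(i + 1) ~ /:$/) sip = $(i + 2)
            }
            if (smac == "" || sip == "") next
            sub(/\.[0-9]+$/, "", sip)            # strip the source port
            key = smac " " sip
            n[key]++
            tag[key] = (substr(smac, 1, 8) in vm) ? "vmware-oui" : "-"
        }
        END { for (k in n) print n[k], k, tag[k] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of "tcpdump -e -n -tttt" output (not real traffic): two
# stations with VMware OUIs sending from RFC1918 addresses, plus one ordinary
# host using its real, documentation-range address.
SAMPLE_CAPTURE=$(cat <<'EOF'
2008-01-15 12:00:01.000001 00:0c:29:aa:bb:cc > 00:1b:21:11:22:33, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51000 > 203.0.113.25.25: Flags [S], seq 1, win 5840, length 0
2008-01-15 12:00:01.000002 00:0c:29:aa:bb:cc > 00:1b:21:11:22:33, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51001 > 203.0.113.26.25: Flags [S], seq 1, win 5840, length 0
2008-01-15 12:00:01.000003 00:0c:29:dd:ee:ff > 00:1b:21:11:22:33, ethertype IPv4 (0x0800), length 74: 10.0.0.6.51002 > 203.0.113.27.25: Flags [S], seq 1, win 5840, length 0
2008-01-15 12:00:01.000004 00:1d:09:12:34:56 > 00:1b:21:11:22:33, ethertype IPv4 (0x0800), length 74: 198.51.100.10.40000 > 203.0.113.28.25: Flags [S], seq 1, win 5840, length 0
EOF
)

# Live use (needs root and an interface that actually sees the traffic):
#   tcpdump -e -n -tttt -s 0 -i eth0 -w spammer.pcap "$(build_filter 00:1b:21:11:22:33)"
#   tcpdump -e -n -tttt -s 0 -i eth0 -w vmware.pcap "$(build_filter) and ($VMWARE_OUI_FILTER)"
#   tcpdump -e -n -tttt -r spammer.pcap | tally_src

# Offline run on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | tally_src
```

On a switched network with MAC lockdown, a capture on the router's interface only sees traffic that actually crosses the router; connections the spammer makes straight out of a bridged host still pass through the uplink, so run the capture on a mirror (SPAN) port of that uplink or on the router's inside interface. Once a suspect MAC shows up, the switch's MAC table tells you the physical port, and therefore the customer, behind it.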