If you already know the MAC address(es), then you're going about this the wrong way. Log in to your switch(es) and look in the CAM/MAC table. Find which port on the switch has learned the offending MAC and follow the cable to the computer.
Yes of course! (silly me - I have all the used MACs)
If you don't already know the MAC address, ping the offending IP(s) from any computer on the local subnet and then look in its ARP table. Then follow the above instructions. If the pings fail (because of a local firewall for example) then look in the ARP table of the default gateway.
Since the IP(s) are on and off, changing randomly every 1-2 min. or so, followed by nothing for 30 min. to nine hours and then taking a spin again, pinging is hard. I have to be there spot on with the right IP, i.e. the IP used NOW and not the IP from 60 sec. ago or the next.
They do show up in my arpwatch file. Yes, I'm running both mac-lockdown on customer switches and arpwatch. Paranoid? .. maybe.
Also, unless you are sniffing on a SPAN port on the switch, you won't see traffic from other devices (like the spammer) on the network which aren't destined to your sniffer. If your switch doesn't support SPAN ports, either plan on upgrading to one that does or getting a network tap (such as sold by NetOptics). If you're really cheap, you could run ettercap to "sniff" on a switch, but I wouldn't run that in a production network with 300 servers.
So far I've done all my "tapping" on the backbone's SPAN port.
I do have SPAN ports on all the customer switches as well, but don't use them right now - I'm building an NDIS master with sensors (hardware clients) going into these ports .. all the way down. It's not production ready yet, though.
Good luck.
Thank you Aaron and thank you for the help.
respectfully /per [EMAIL PROTECTED]
-- Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
All emails are PGP signed; a lack of a signature indicates a forgery.
On Thu, Mar 24, 2005 at 08:19:49AM +0100, Per Engelbrecht wrote:
Hi all
I have a big problem finding a customer with tcpdump (dedicated server hosting / ~300 servers / switched network [mac-lockdown] / no "central" firewall other than my BGP router protecting itself) who's spamming the world using a fake IP and a pseudo VMware mac-addr. in the mail header.
The spammer uses a few different mac-addr. plus a whole unused (old "C-net size") IP range in a loop (script) and I expect him/her to bridge(*) between the host-server (with valid IP/mac) and the N+ number of local "virtual" installations with fake VMware mac-addr./IP i.e. the host nic is probably running in promiscuous mode(*).
IP src in mail-header is always RFC1918 or draft-manning.net net (I don't route these net BGP-wise!) but that's only in the mailheader.
In short;
#0 - I can't find any src smtp traffic from the spammer on my net
#1 - I get a lot of dst (complaints, replies and bounces) smtp traffic to the spammer on my net
How do I (with tcpdump) find the spammer? I've done this so far;
# tcpdump -e -n -i eth0 -XX -vvv -tttt -s 0 -w /var/tmp/tcpdumps/spammer.lpc src 82.xxx.xxx.xxx not arp
# tcpdump -e -n -i eth0 -XX -vvv -tttt -s 0 -w /var/tmp/tcpdumps/spammer_smtp.lpc src 82.xxx.xxx.xxx port smtp and not arp
The reply almost always has seebest.com.tw as number two smtp server (our ip-range > seebest.com.tw > whomever > target) when reading the
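As an added example (not part of this thread and not code from any poster): since the MAC header captured with `tcpdump -e` survives the IP hopping described above, a small parser over the SPAN-port capture's text output can pin each source MAC to every source IP it used, which is the MAC you then chase in the switch CAM table. It assumes the modern `tcpdump -e -n -tttt` line format, the well-known VMware OUIs (00:0c:29, 00:50:56, 00:05:69), and a constructed sample instead of a real capture.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed `tcpdump -e -n -tttt` text format: "date time srcMAC > dstMAC, ethertype ...:
# [IP ]src.port > dst.port: ...". Adjust the regex if your tcpdump prints differently.
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2},"
    r".*?: (?:IP )?(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)
# Well-known VMware vendor prefixes (the thread's spammer used VMware-looking MACs).
VMWARE_OUIS = ("00:0c:29", "00:50:56", "00:05:69")

# Constructed sample (not a real capture): one MAC hopping through an RFC1918 range
# sending to port 25, a second VMware-prefixed MAC, and a legitimate host on a routed IP.
SAMPLE = """\
2005-03-24 08:19:49.000001 00:0c:29:11:22:33 > 00:d0:01:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 10.0.0.5.45678 > 203.0.113.7.25: Flags [S], seq 1, win 5840, length 0
2005-03-24 08:20:51.000002 00:0c:29:11:22:33 > 00:d0:01:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 10.0.0.9.45679 > 203.0.113.8.25: Flags [S], seq 1, win 5840, length 0
2005-03-24 08:21:02.000003 00:50:56:44:55:66 > 00:d0:01:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 10.0.0.17.45680 > 203.0.113.9.25: Flags [S], seq 1, win 5840, length 0
2005-03-24 08:21:05.000004 00:11:22:33:44:55 > 00:d0:01:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 198.51.100.10.40000 > 203.0.113.9.80: Flags [S], seq 1, win 5840, length 0
"""

def src_macs_by_ip(lines, watched_net="10.0.0.0/8", dport=25):
    """Map each source MAC to the source IPs it used for packets from watched_net to dport.
    The MAC stays constant while the IP hops, so this identifies the physical sender."""
    net = ip_network(watched_net)
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP and other non-IP frames, or lines in another format
        if ip_address(m["sip"]) in net and int(m["dport"]) == dport:
            seen[m["smac"]].add(m["sip"])
    return {mac: sorted(ips, key=ip_address) for mac, ips in seen.items()}

def suspect_macs(mapping, min_ips=2):
    """MACs that cycled through several source IPs or carry a VMware vendor prefix."""
    return sorted(mac for mac, ips in mapping.items()
                  if len(ips) >= min_ips or mac.startswith(VMWARE_OUIS))

if __name__ == "__main__":
    found = src_macs_by_ip(SAMPLE.splitlines())
    for mac in suspect_macs(found):
        print(mac, "->", ", ".join(found[mac]))
```

On a live box, feed it `tcpdump -e -n -tttt -r spammer.lpc` output and hand the resulting MAC to the switch CAM table lookup.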
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.