North American Network Operators Group
Re: Spam from weird IP 22.214.171.124
- From: John Brown
- Date: Tue Jun 17 00:43:52 2003
I name this
On Tue, Jun 17, 2003 at 09:48:07AM +0530, Lars Higham wrote:
> It would be useful if this exploit could be named and documented at
> least for one known instance -
> Lars Higham
> -----Original Message-----
> From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of
> Richard D G Cox
> Sent: Monday, June 16, 2003 9:32 PM
> To: email@example.com
> Subject: Re: Spam from weird IP 126.96.36.199
> On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor"
> <firstname.lastname@example.org> wrote:
> | Getting SPAM from 188.8.131.52 relayed by rr.com ?
> | this network is not allocated, nor announced. I have been looking
> | everywhere to find if it has been announced (historical bgp update
> | databases, like RIS RIPE / CIDR REPORT / etc..)... I didn't find
> | anything.... this probably means rr.com is routing that network
> | internally.
> This is very likely to be a known exploit I have been tracking. In all
> the cases which we have so far confirmed, the spam was not relayed, but
> proxied by a trojan executable which is able to mimic a "previous"
> header with such a degree of accuracy that it is indistinguishable from
> the genuine article!
> | If there is any rr.com guy around. Could you please check this?
> Our advice would be that the server-that-connected-to-you needs to be
> taken offline by the security people at its site (which you say is
> RoadRunner) and they should have ALL its disk(s) imaged for forensic
> analysis purposes.
> Our experience is that sites hit by this exploit will do basic checks on
> the server and claim it is uncompromised and "cannot possibly be sending
> that spam". Such a claim would be entirely incorrect. You would need
> to persuade them that something is wrong, which is difficult at the best
> of times. RoadRunner being involved in this case suggests this may
> *not* be the "best of times".
> Richard Cox
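
The point made in the thread, that only the header stamped by your own mail server identifies the host that actually connected while "previous" Received headers are sender-supplied and can be forged, can be checked mechanically. The following is an added example and not part of the original messages; the hostnames, addresses, sample message and the one-entry unallocated-prefix list are constructed for illustration (documentation address ranges), and a real check would use current registry data.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for "not allocated" space (assumption: a real check
# would load current registry/bogon data instead of this single prefix).
UNALLOCATED = [ipaddress.ip_network("203.0.113.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message: top header added by our own MTA (mx.local.example),
# lower header supplied by whatever connected to us.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.25])
\tby mx.local.example with ESMTP; Mon, 16 Jun 2003 17:20:01 +0200
Received: from client (unknown [203.0.113.77])
\tby relay.isp.example with SMTP; Mon, 16 Jun 2003 11:19:58 -0400
From: sender@sample.example
Subject: constructed test message

body
"""

def audit_received(raw, unallocated=UNALLOCATED):
    """Return one record per Received header, newest (topmost) first."""
    hops = []
    headers = message_from_string(raw).get_all("Received", [])
    for index, header in enumerate(headers):
        match = BRACKETED_IP.search(header)
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:  # e.g. an octet above 255 in a forged header
            ip = None
        hops.append({
            "ip": str(ip) if ip is not None else None,
            # Only index 0 was written by our own server; the rest is
            # data supplied by the sender and cannot be verified.
            "trusted": index == 0,
            "unallocated": ip is not None
                           and any(ip in net for net in unallocated),
        })
    return hops

def connecting_host(raw):
    """IP of the host that actually connected to us, per our own header."""
    hops = audit_received(raw)
    return hops[0]["ip"] if hops else None
```

An unallocated address in an untrusted hop is a sign that the header is not genuine; the host to report is the one returned by `connecting_host`.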