Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Tracing packets (was Re: Spamhaus Exposed)

  • From: Andrew - Supernews
  • Date: Wed Mar 17 20:20:59 2004

>>>>> "Sean" == Sean Donelan <sean@donelan.com> writes:

 >> Not just a load of BS, but posted to NANOG anonymously, through a
 >> hijacked machine at 198.26.130.36 (The Pentagon) no less.

 Sean> Has that actually been confirmed.  Any machine associated with
 Sean> the path could have been compromised including systems with
 Sean> transitive trust which may not appear in the e-mail headers.

 Sean> Occam's Razor would say the message most likely did originated
 Sean> where it says it originated.

Occam's Razor says that the .mil host is an open web proxy. What, you
thought that .mil systems would be secure?

 Sean> But when I just checked it wasn't listed in any of the major
 Sean> block lists of compromised hosts (spamcop does list it as a
 Sean> spam source),

The spamcop listing is very recent, and I'd bet a large sum it is based
on nothing more than reports of that specific message.

Other lists like DSBL and CBL would not list the proxy unless it is
capable of being abused for CONNECT or POST to port 25. Many proxies
are wide open for normal web access (which is sufficient to send email
via Hotmail) but not abusable for direct SMTP use, and these proxies
are not found by email-centered detection methods.

-- 
Andrew, Supernews
http://www.supernews.com





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.