Re: Domain HiJacking by SPAMMERS

From: sil (jesus_at_resurrected.us)
Date: 01/30/04

    Date: Thu, 29 Jan 2004 18:37:18 -0500 (EST)
    To: Ho Chaw Ming <chawming@pacific.net.sg>
    
    

    On Fri, 30 Jan 2004, Ho Chaw Ming wrote:

    > I would be interested too, since we got a client who got "attacked" in such
    > a way yesterday. We received an estimated 30,000 bounced emails alone from
    > the fake reply to email address in a matter of hours. The data center
    > received hundreds of ill-informed abuse reports.
    >
    > We took a sample and they trace to US and Europe, from a large variety of
    > ISPs, leading us to believe it's probably compromised machines.
    >
    > I would thus be interested too to hear about how this can be resolved. We
    > don't wish to terminate the client, or ask him to move, but this causes us
    > tremendous resources to deal with. At the same time, we don't want
    > ill-informed reports to cause us to be blacklisted by ISPs or Spam lists.
    >
    > Any suggestions will be appreciated. Thanks.
    >

    What you can do to minimize the majority of messages from making their way
    onto your machine is setting up procmail rules to delete the messages from
    making their way into the network. That is only of course if you have a
    *nix based machine set up. I haven't configured MS Exchange for some time,
    but I'm sure if I remember correctly, there are options to minimize this
    as well.

    Microsoft's OE 6 also disables attachments from being opened by the user,
    and while some may find this to be an annoyance, I find it a damn good way
    to halt the flow of someone opening a message thinking it's from their
    friend/family/relative/co-worker, only turning out to be a pseudo spoofed
    virus infected message.

    On a personal note, for the first few messages that did make their way
    through my networks, I made some scripts to auto check the Received from
    fields and auto block out their ranges via IPF. I can always remove them
    every two days, or leave them blocked from sending data to port 25 until I
    feel the dust is clear in regards to this nuisance, and unblock them.

    Again however, this is mainly for a personal based webserver with about 60
    or so users. To date however I think I received under 10 messages with
    that annoying "Hi\|Hello\|Test" subject which is great considering my work
    email address is getting pounded with over 200 per day. None of the other
    users on my machines have complained, but I've told them to forward me the
    messages they get so they too can be blocked.

    Maybe network admins can minimize attachments of the size of the virus
    from coming in, and being sent in order to minimize it. E.g.

    If an infected message is, say, 10k altogether, have strict checks on them
    and block as necessary. A perl/python/shell script is not so difficult to
    create for this; however, on a network of decent size, with massive
    incoming/outgoing message volume, it just may not be feasible.

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    Quis custodiet ipsos custodes? - Juvenal

    J. Oquendo
    GPG Key ID 0x51F9D78D
    Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

    sil @ politrix . org http://www.politrix.org
    sil @ infiltrated . net http://www.infiltrated.net
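    One way to script the triage the post describes (match the "Hi|Hello|Test" subject, check the roughly 10k size, pull the first-hop IP out of the Received headers and aggregate it into ranges for review before blocking) is sketched below. This is an added example, not code from the original thread; the /24 aggregation, the fixed 10,000-byte threshold and the sample messages (RFC 5737 documentation addresses) are constructed assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_network
from typing import Dict, List, Optional

# Heuristics taken from the post: a short "Hi|Hello|Test" subject and a
# message of roughly 10k. The exact byte threshold is an assumption.
SUBJECT_RE = re.compile(r"^(Hi|Hello|Test)$", re.IGNORECASE)
SIZE_THRESHOLD = 10_000
# Bracketed IPv4 literal as MTAs write it in Received: headers.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(raw: str) -> Optional[str]:
    """Return the IP from the oldest Received header (the last one in the
    message), i.e. the host that handed the mail to our first relay."""
    msg = message_from_string(raw)
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None


def is_suspect(raw: str) -> bool:
    """Subject matches the nuisance pattern and the message is small."""
    subject = (message_from_string(raw).get("Subject") or "").strip()
    return bool(SUBJECT_RE.match(subject)) and len(raw.encode()) <= SIZE_THRESHOLD


def block_ranges(raw_messages: List[str]) -> Dict[str, int]:
    """Map each /24 seen on suspect messages to a hit count, so an operator
    can review the ranges before feeding them to a firewall such as IPF."""
    counts: Dict[str, int] = {}
    for raw in raw_messages:
        ip = origin_ip(raw) if is_suspect(raw) else None
        if ip is None:
            continue
        net = str(ip_network(f"{ip}/24", strict=False))
        counts[net] = counts.get(net, 0) + 1
    return counts


# Constructed sample messages: two nuisance messages from one range, one legit.
SAMPLES = [
    "Received: from mx.example.org [192.0.2.1] by mail.example.net\n"
    "Received: from unknown [198.51.100.23] by mx.example.org\n"
    "Subject: Hi\n\nsee attached\n",
    "Received: from unknown [198.51.100.77] by mx.example.org\n"
    "Subject: Test\n\n",
    "Received: from partner [203.0.113.5] by mx.example.org\n"
    "Subject: Q1 invoice\n\nlegit mail\n",
]

if __name__ == "__main__":
    print(block_ranges(SAMPLES))  # {'198.51.100.0/24': 1 + 1 = 2}
```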


