Re: IP address spoofing
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 09/12/04
Date: Sat, 11 Sep 2004 19:55:08 -0500
In article <7na5k01s5d513tonb5338m88kivccclpet@4ax.com>, JC wrote:
>On Fri, 10 Sep 2004 20:44:33 -0500, ibuprofin@painkiller.example.tld
>(Moe Trin) wrote:
>
>> In article <8a22k0597p4n0p5k605nqg0h10vuqvpq8c@4ax.com>, JC wrote:
>> >In the last 2.5 days I have received 872 UDP packets from 14 IP
>> >addresses all belonging to one Washington ISP.
Care to identify the ISP? Remember, we have a _state_ of Washington,
where Boeing and Microsoft are located, and the federal capital of
Washington (District of Columbia, which isn't really a state), where a
lot of companies have corporate addresses.
>> Yeah, that sounds more like the (unfortunately) increasing background
>> noise of the Internet now.
>
>It's getting worse - the 14 have grown to 21 with 511 hits yesterday and 240
>hits midnight to 9AM. That is 25+ hits per hour.
Wow, somebody loves you.
>Could this be US election spam?
I doubt it for two reasons. First, why would anyone hoping to influence
voters in the USA be sending spam to a 202.0.0.0/7 (202.0.0.0 to
203.255.255.255) address, as there is _one_ IP block (202.72.96.0/20)
that is _allocated_ (not _assigned_) to a US address, and even that one
isn't used here (Intelsat Corp - Pacific Region). All of the rest of
the registrations are Asia/Pacific. (IANA has allocated 58/7, 60/7,
202/7, 210/7, 218/7, 220/7 and 222/8 to APNIC - in all of those blocks,
that Intelsat allocation is the _only_ one not in AP.)
Second, the November election is still far enough away that the heavy
crap level hasn't hit yet - gotta hit the sheep just before the election
(and then do it constantly) so they remember it at the polls. At this
point, we're still running through the "primary" elections (to see who
will be on the November ballot other than Pres/ViceP) in some areas - our
primary here (Arizona) was last Tuesday.
>I am sending reports to the ISP requesting that they be stopped.
>Hopefully they will listen and do something about it. I suppose it
>comes down to "net responsibility" versus money from the perpetrator.
If this is a home provider like Comcast, ATTBI, or SBC, messenger spam
has a slightly higher chance of being corrected than (for example)
e-mail spam from the same source. If it's a commercial company like
MCI, SBC, UU.NET, or similar, then the chances are fairly poor.
>> >That is possible. I am retired now
>>
>> Isn't it wonderful? ;-)
>
>It sure beats both of the alternatives. :-)
True. Eventually, I'm sure we'll get bored, but right now, not having
these deadlines and critical tasks that have to be done NOW sure are
not missed. I'm at the point where I often even forget to wear a watch.
>I may well end up ignoring the logs knowing that the firewall is
>stopping the crap before it hits the PC. I'm an ex engineer and like
>to know what is happening in my area.
If there is nothing you can do about it - other than sending mail to
abuse@mumble.TLD (which is often ignored anyway), then not logging it
is likely to be the better idea.
>I agree that most don't really want to know so long as they can read
>their emails and play their games.
And the pity is that (I'm told) it takes a few mouse clicks to disable
this 'feature' in windoze. There is _NO_ added software needed.
>> If you are lucky, your ISP might be convinced to drop UDP messenger
>> spam at _their_ perimeter. One of my ISPs drops _all_ packets on
>> ports 135, 137-139, 445, and 1025-1029 inbound AND outbound. My
>> primary ISP won't do that.
>
>That is probably easier said than done and may have repercussions.
Not very easy to convince the ISP - at least here, there are conflicting
arguments of 'censorship' and 'protecting the cheeldrin'. Many of the
ISPs here have taken the guise of "Common Carrier" meaning they only
transport packets, and are not responsible for the content of those
packets. Thus, they don't want to get involved in filtering. The city
decided to _extend_ the filtering on the computers at the city libraries
(they already filtered the ones in the 'Children' area - now it's all
public PCs), and several civil rights organizations have threatened to
take the city to court on 'Freedom of Speech' rights. Sigh...
From a _technical_ rather than _legal_ view, implementing perimeter
filters is a piece of cake. It's just a few lines added to the
configuration file - just like the home routers.
Because there is still a huge market for messenger spam (there are
billions of systems in the world that are still wide open because the
users are incompetent to configure them to ignore it, and the default
installs have it enabled), I don't see this going away soon. If a
spammer sends out a million messages, and only sells 0.001 percent,
that's ten sales (and 999,990 misses, but who cares about that). Those
ten sales paid for the spam campaign, and gave a profit.
>When I switched to ADSL I kept the dial up account alive for a few
>months with a routing instruction to send emails to my new email address.
>The old dial up account had spam filtering in place so all I got were
>legit emails. The account is now dead, and spam filtering stopped, but
>the routing instruction is still in place so now I get the spam. Wonderful!
That's weird. If your account is closed, they should not be accepting
mail on your behalf - never mind forwarding it. If they really are a
regular ISP, drop them a line and ask them why this is happening, and
remind them that you are not going to pay for that "service". In theory,
you could probably send a legal weasel after them on computer privacy laws.
Old guy
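
Added example, not part of the original post: a log summary that applies the port list quoted above (135, 137-139, 445, 1025-1029) to firewall drop records and tallies the hits by source address and by enclosing network, which is the figure an abuse report to one ISP needs. The log format, the /24 grouping, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Port list quoted in the post: 135, 137-139, 445 and 1025-1029.
DROP_PORTS = {135, 445, *range(137, 140), *range(1025, 1030)}

# Constructed sample in a hypothetical log format; real firewalls differ.
SAMPLE_LOG = """\
2004-09-11T00:01:12 DROP UDP 198.51.100.14:4321 -> 192.0.2.10:1026
2004-09-11T00:03:40 DROP UDP 198.51.100.77:4400 -> 192.0.2.10:1027
2004-09-11T00:03:41 DROP UDP 198.51.100.14:4322 -> 192.0.2.10:1026
2004-09-11T00:09:05 DROP TCP 203.0.113.5:51000 -> 192.0.2.10:445
2004-09-11T00:10:19 DROP UDP 203.0.113.9:53 -> 192.0.2.10:33000
2004-09-11T00:11:02 garbled line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def summarize(log_text, prefix_len=24):
    """Tally records the port list would cover, by source and by source network."""
    by_source, by_network, by_port = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1          # unparseable record: count it, do not guess
            continue
        dport = int(m["dport"])
        if dport not in DROP_PORTS:
            continue              # unrelated traffic, outside the quoted list
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:        # e.g. an octet above 255
            skipped += 1
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_source[str(src)] += 1
        by_network[str(net)] += 1
        by_port[(m["proto"], dport)] += 1
    return by_source, by_network, by_port, skipped


if __name__ == "__main__":
    for name, counter in zip(("source", "network", "port"), summarize(SAMPLE_LOG)[:3]):
        print(name, counter.most_common())
```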