Re: IP address spoofing

From: JC (jhoppyc_at_westnet.com.invalid)
Date: 09/12/04


Date: Sun, 12 Sep 2004 16:39:56 +1000

On Sat, 11 Sep 2004 19:55:08 -0500, ibuprofin@painkiller.example.tld (Moe Trin)
wrote:

> Care to identify the ISP? Remember, we have a _state_ of Washington,
> where Boeing and Microsoft are located, and the federal capital of
> Washington (District of Columbia, which isn't really a state), where a
> lot of companies have corporate addresses.

One of the addresses is 66.235.180.193. In total, since 9PM Sydney, Australia
local time on 2004/9/7 (yyyy/mm/dd) this address and 22 similar addresses have
sent 2015 UDP packets on port 1026.

I have no way of telling if they are spoofed or real addresses.

I have, this morning, sent an email to my ISP and APNIC listing the probes and
requesting that certain address ranges be blacklisted into Australia. That may
get some action to stop the flood.

> Wow, somebody loves you.

I wish they loved another! :-)
 
> >Could this be US election spam?
>
> I doubt it for two reasons. First, why would anyone hoping to influence
> voters in the USA be sending spam to a 202.0.0.0/7 (202.0.0.0 to
> 203.255.255.255) address, as there is _one_ IP block (202.72.96.0/20)
> that is _allocated_ (not _assigned_) to a US address, and even that one
> isn't used here (Intelsat Corp - Pacific Region). All of the rest of
> the registrations are Asia/Pacific. (IANA has allocated 58/7, 60/7,
> 202/7, 210/7, 218/7, 220/7 and 222/8 to APNIC - in all of those blocks,
> that Intelsat allocation is the _only_ one not in AP.)
>
> Second, the November election is still far enough away that the heavy
> crap level hasn't hit yet - gotta hit the sheep just before the election
> (and then do it constantly) so they remember it at the polls. At this
> point, we're still running through the "primary" elections (to see who
> will be on the November ballot other than Pres/ViceP) in some areas - our
> primary here (Arizona) was last Tuesday.

OK, it was one possibility that crossed my mind.
 
> >I am sending reports to the ISP requesting that they be stopped.
> >Hopefully they will listen and do something about it. I suppose it
> >comes down to "net responsibility" versus money from the perpetrator.
>
> If this is a home provider like Comcast, ATTBI, or SBC, messenger spam
> has a slightly higher chance of being corrected than (for example)
> e-mail spam from the same source. If it's a commercial company like
> MCI, SBC, UU.NET, or similar, then the chances are fairly poor.

So far the requests have been ignored by the ISP.
 
> >>>That is possible. I am retired now
> >>
> >> Isn't it wonderful? ;-)
> >
> >It sure beats both of the alternatives. :-)
>
> True. Eventually, I'm sure we'll get bored, but right now, not having
> these deadlines and critical tasks that have to be done NOW sure is
> not missed. I'm at the point where I often even forget to wear a watch.

Please explain what a "watch" is? :-)

> >I may well end up ignoring the logs knowing that the firewall is
> >stopping the crap before it hits the PC. I'm an ex engineer and like
> >to know what is happening in my area.
>
> If there is nothing you can do about it - other than sending mail to
> abuse@mumble.TLD (which is often ignored anyway), then not logging it
> is likely to be the better idea.

That may be the end result.
 
> >I agree that most don't really want to know so long as they can read
> >their emails and play their games.
>
> And the pity is that (I'm told) it takes a few mouse clicks to disable
> this 'feature' in windoze. There is _NO_ added software needed.
>
> >> If you are lucky, your ISP might be convinced to drop UDP messenger
> >> spam at _their_ perimeter. One of my ISPs drops _all_ packets on
> >> ports 135, 137-139, 445, and 1025-1029 inbound AND outbound. My
> >> primary ISP won't do that.
> >
> >That is probably easier said than done and may have repercussions.
>
> Not very easy to convince the ISP - at least here, there are conflicting
> arguments of 'censorship' and 'protecting the cheeldrin'. Many of the
> ISPs here have taken the guise of "Common Carrier" meaning they only
> transport packets, and are not responsible for the content of those
> packets. Thus, they don't want to get involved in filtering. The city
> decided to _extend_ the filtering on the computers at the city libraries
> (they already filtered the ones in the 'Children' area - now it's all
> public PCs), and several civil rights organizations have threatened to
> take the city to court on 'Freedom of Speech' rights. Sigh...

We get the same here as well.
 
> From a _technical_ rather than _legal_ view, implementing perimeter
> filters is a piece of cake. It's just a few lines added to the
> configuration file - just like the home routers.
>
> Because there is still a huge market for messenger spam (there are
> billions of systems in the world that are still wide open because the
> users are incompetent to configure them to ignore it, and the default
> installs have it enabled), I don't see this going away soon. If a
> spammer sends out a million messages, and only sells 0.001 percent,
> that's ten sales (and 999,990 misses, but who cares about that). Those
> ten sales paid for the spam campaign, and gave a profit.

I figure that the ISP is also getting money from the traffic and would not want
to dump a paying customer.
 
> >When I switched to ADSL I kept the dial up account alive for a few
> >months with a routing instruction to send emails to my new email address.
> >The old dial up account had spam filtering in place so all I got were
> >legit emails. The account is now dead, and spam filtering stopped, but
> >the routing instruction is still in place so now I get the spam. Wonderful!
>
> That's weird. If your account is closed, they should not be accepting
> mail on your behalf - nevermind forwarding it. If they really are a
> regular ISP, drop them a line and ask them why this is happening, and
> remind them that you are not going to pay for that "service". In theory,
> you could probably send a legal weasel after them on computer privacy laws.

I've done that. I guess closing a dial-up and the associated account are easy
things to do but a mail relay is outside the normal things done and would
require some thinking to figure out how it was done. They'll get there
eventually if I keep nagging - I may start sending the spam to the helpdesk so
that they can see what is coming and follow the headers if they don't fix it
soon. :-)

We are drifting way off topic here.

Cheers . . . JC
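An added example, not code from JC's or Moe Trin's posts: a small script that tallies Messenger-spam probes from firewall log lines per source address and then rolls them up into address ranges, which is the kind of summary JC describes sending to his ISP and APNIC ("this address and 22 similar addresses have sent 2015 UDP packets on port 1026"). The port set is the one Moe Trin's ISP drops at its perimeter (135, 137-139, 445, 1025-1029). The log lines are constructed for this example and assume the Linux netfilter LOG line format (SRC=, PROTO=, DPT= fields); the sample addresses other than 66.235.180.193 are invented.

```python
"""Tally Messenger-spam probes from netfilter LOG lines and summarise per source.

Added example, not from the original thread. Assumes the kernel netfilter LOG
format ("... SRC=a.b.c.d DST=... PROTO=UDP SPT=... DPT=... LEN=...").
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Ports the thread says an ISP drops at its perimeter: RPC endpoint mapper (135),
# NetBIOS (137-139), SMB (445) and the 1025-1029 range Messenger spam lands on.
MESSENGER_PORTS = {135, 137, 138, 139, 445, *range(1025, 1030)}

# Constructed sample log lines (netfilter LOG format); not real captures.
SAMPLE_LOG = """\
Sep  7 21:02:11 gw kernel: DROP IN=ppp0 OUT= SRC=66.235.180.193 DST=203.0.113.5 PROTO=UDP SPT=1026 DPT=1026 LEN=620
Sep  7 21:02:12 gw kernel: DROP IN=ppp0 OUT= SRC=66.235.180.193 DST=203.0.113.5 PROTO=UDP SPT=1027 DPT=1027 LEN=620
Sep  7 21:05:40 gw kernel: DROP IN=ppp0 OUT= SRC=66.235.180.201 DST=203.0.113.5 PROTO=UDP SPT=1026 DPT=1026 LEN=612
Sep  7 21:09:03 gw kernel: DROP IN=ppp0 OUT= SRC=66.235.180.201 DST=203.0.113.5 PROTO=TCP SPT=4312 DPT=445 LEN=48
Sep  7 21:11:58 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=53 LEN=80
Sep  7 22:30:00 gw kernel: DROP IN=ppp0 OUT= SRC=66.235.180.193 DST=203.0.113.5 PROTO=UDP SPT=1026 DPT=1026 LEN=620
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, proto, dpt) for one netfilter LOG line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["proto"], int(m["dpt"])


def messenger_hits(log_text, ports=MESSENGER_PORTS):
    """Count UDP packets to Messenger-spam ports, keyed by source address.

    TCP hits on the same ports (e.g. SMB scans) are a different problem and
    are deliberately left out of this tally.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dpt = parsed
        if proto == "UDP" and dpt in ports:
            hits[src] += 1
    return hits


def summarise_by_prefix(hits, prefixlen=24):
    """Group sources into /prefixlen ranges: (packet count, sorted source list).

    This is the shape of an abuse report that asks for a range to be blocked
    rather than one host at a time.
    """
    ranges = defaultdict(lambda: {"packets": 0, "sources": set()})
    for src, n in hits.items():
        net = str(ip_network(f"{src}/{prefixlen}", strict=False))
        ranges[net]["packets"] += n
        ranges[net]["sources"].add(src)
    return {net: (v["packets"], sorted(v["sources"], key=ip_address))
            for net, v in ranges.items()}


if __name__ == "__main__":
    hits = messenger_hits(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src:16} {n:5} UDP packets to Messenger ports")
    for net, (n, srcs) in summarise_by_prefix(hits).items():
        print(f"{net}: {n} packets from {len(srcs)} source(s)")
```

Run it against a real `/var/log/messages` (or wherever the firewall's LOG target writes) instead of `SAMPLE_LOG` to get per-range counts for an abuse report; the port set in `MESSENGER_PORTS` is also the list that would go into the perimeter drop rule Moe Trin describes.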
