Re: Header manipulation...?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/12/04
- Next message: optikl: "Re: XP SP2 Firewall security breach"
- Previous message: Mark S: "Re: Advice on a good firewall for site to site VPN for 15 users total on a fract T-1"
- In reply to: Kenneth: "Re: Header manipulation...?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Nov 2004 17:43:36 -0600
In article <dja5p0l0icm9dp9f4hias2q29n1ecpjru0@4ax.com>, Kenneth wrote:
>I did, and to my surprise, received what I believe to be a response
>of substance.
I am very surprised. I understand that all of Earthlink support (which
includes the abuse desk) was outsourced to India about two years ago.
The external satisfaction level has not been glowing.
>My earlier experience was with Pac Bell and was rather interesting:
To say the least. Pac Bell has a very poor reputation.
>The headers told me that these were coming through Pac Bell servers.
Were these actually Pac Bell mail servers (I vaguely recall that they
have at least 15 different mail servers over 3 different address blocks),
or directly from a zombie host on one of their networks. They have quite
a lot of those.
>To my amazement, about two hours later, I received a call
>from a gentleman who described himself as the head of
>Security for Pac Bell. He insisted that the messages were
>not coming through his servers.
Uhuh. Well, without seeing the headers, it's hard to say.
>I said, "That's fine. I have no way to know. I will contact
>the Attorney General and perhaps they can sort it out."
Normally, that works only within the state. But again, Pac Bell has a very
poor reputation.
>If I understand you correctly, because the headers cannot be
>trusted, there is, in essence, nothing that I can do about
>this situation.
A lot depends on how you are set up now. You are posting from an attbi.com
address, and I don't know how your mail is being received. At a previous
ISP, they made no effort to control the inflow of garbage, and that was
one reason I left. The current primary ISP I'm using uses some blocklists
that drastically reduce the amount of spam coming in. In brief, they do
not accept mail from "dynamic" addresses - meaning (for example) whole
blocks from attbi (they accept mail from the attbi mail servers, but not
from hosts with the words 'cable', 'client' 'dsl', 'dyn', or 'user' [among
others] in the host name). Likewise, they don't accept mail where the
remote host says "hello, my name is $FOO" where $FOO is the names of the
local mail servers - or "my name is $IP.AD.RE,SS" where $IP.AD.RE,SS is
the address of the local mail servers. They also do not accept mail from
some of the more flagrant domains. See the Usenet newsgroup
news.admin.net-abuse.blocklisting for more information.
As far as being trustworthy, you need to analyze the headers for a while,
so that you know what is normal, and what is not. Some is quite obvious
as for example this set of headers (from a posting to the Usenet newsgroup
news.admin.net-abuse.sightings):
Received: from 216.82.94.XXX (71445678@[220.89.170.17])
by mail.ZZZZZ.com (8.13.1/8.13.1) with SMTP id iABEq2D9009375
for <munged@ZZZZZ.com>; Thu, 11 Nov 2004 09:52:08 -0500
Received: from planetarium widow (algebraic.koalaquash.com [20.72.141.199])
by 220.89.170.17 (2.5.9/5.6.7) with ESMTP id OP6053364 for
<munged@ZZZZZ.com>;
The first header was put there by the poster's mail server, saying the mail
transaction began with the remote host saying "Hi, my name is 216.82.94.XXX"
(here munged to protect the victim), but the actual connection was from some
host in Korea (220.89.170.17). This guy's mail server accepted the mail, and
one of the headers it contained was that second "Received:" line. That one
just screams "bogus", because the claimed source address 20.72.141.199
(allocated to CSC in the US) would have no reason to be sending mail to
Korea to be forwarded, and that the claimed domain "koalaquash.com" does
not exist either. Best guess from here: 220.89.170.17 is a zombie, taken
over by the spammer.
That's just one example, chosen at random by the way. The second header
will often have other quite glaring errors, such as the missing timestamp,
or a timestamp with a timezone quite different from the purported location
of the host, IP addresses from blocks that don't exist (see
http://www.iana.org/assignments/ipv4-address-space), and so on.
>I guess that would be true if the messages were sent to me
>maliciously. If, as I suspect, they are being sent by a
>system that is infected with the worm (without the knowledge
>of its owner) then the headers are likely to be trustworthy,
>and thus, contacting the abuse folks might be of some help.
The _only_ thing you can possibly believe is the first received header,
the "Received: from 216.82.94.XXX" header above. Virtually everything
else is under control of the spammer/virus, and is almost certain to be
false.
Now one thing you might be able to do is to ask whoever is running _your_
mail server why they are accepting mail from dynamic addresses. A lot of
spam and nearly all viruses come from zombies that are mailing direct to
your mail server, RATHER THAN handing the mail to their ISP's mail server
and letting it do the delivery. But that is between you and the person
running your mail server. There is a VERY frequent comment posted in
responses in news.admin.net-abuse.blocklisting: "my mail server, my
rules". This means that your mail server isn't REQUIRED to accept mail
from hosts outside their network, unless there is some contract between
that remote site and whoever runs your mail server.
Old guy
- Next message: optikl: "Re: XP SP2 Firewall security breach"
- Previous message: Mark S: "Re: Advice on a good firewall for site to site VPN for 15 users total on a fract T-1"
- In reply to: Kenneth: "Re: Header manipulation...?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
