Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing"

From: Dave Platt (dplatt@radagast.org)
Date: 12/30/02


>> You are absolutely correct. However, remember that we are talking about
>> spoofing legitimate internal IPs from within your own subnet on your
>> ISP.... The spam could be traced back to your subnet, but it would lead to
>> the decoy machine's IP that you spoofed, not yours.
>
>Only if the spammer first broke into the network and cracked that machine.

Yup.

It's surprisingly common. Or, maybe "not-so-surprisingly common"
these days.

Think "Back Orifice" and "SubSeven" trojans, think backdoors installed
by worms such as CodeRed or Nimda.

Also think "Open proxies".

>That's more than just spoofing addresses, and also opens the spammer up to
>being charged with Federal felonies for the break-in itself.

Yup. The hard part in the prosecution is, of course, getting close
enough to put salt on the spammer's tail.

I've helped investigate a handful of system crack-ins. In almost
every case, the actual attack came from another third-party system
which had, itself, been compromised. In one case, when I contacted
the admin of that system, he reported that _it_ had been broken into
from another compromised system.

The exploit/root kits floating around the Net make this sort of
multi-level crackery fairly simple, if the victim systems are running
software with a known exploit. Tracing back the attack N hops to find
the actual origin of the attack is usually difficult... and if one or
more of the systems turns out to be a compromised dialup system, it may
be effectively impossible.

> Then again, any
>computer system should already have protection against break-ins in place
>(eg. e-mail filtering, firewalls, routine security updates, etc.).

##howling laughter##

"Should" is the right word. Look at the number of consumer-grade
Windows installations which are on the Net, with neither a hardware
nor a software firewall, and known security exploits (which _should_
have been patched months ago but the owner is clueless about such
things). Add the handful of older Linux boxen in a similar state.
Toss in the numerous systems running insecure proxies.

If the number is down in the six-digit range, I think we're not doing
too badly.

-- 
Dave Platt <dplatt@radagast.org>                                   AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
  I do _not_ wish to receive unsolicited commercial email, and I will
     boycott any company which has the gall to send me such ads!
