
Re: Fraud: 163.21.153.3 mail.jjes.tp.edu.tw


At 15:12 +0100 18/02/2002, Jan-Pieter Cornet wrote:

 > This might be explained using incompetence, rather than malice.
 > The box you're connecting to might be doing NAT and port
 > forwarding in a clumsy way, and using a non-private IP address
 > block internally: your 192.71.1/24. (of course, I'm just guessing
 > they are using a /24...).
 > 
 > If this is the case, then the mail server always sees the
 > connection coming from the gateway's internal IP address, which
 > just happens to be your IP space.

I had one of these where someone in the US had used addresses from
the routable space of one of my customers for their internal IPs.
They spoke English (well, American) so I was able to establish
what had happened and some weeks later to persuade them to change
it. My Mandarin would not allow me to do the same with a university
in Taiyuan ...

There was a further problem that the mailer was Exchange, which is
inflexible about its anti-relaying. To treat mail from the proxy
as external meant treating all other addresses as external, so
nothing would work. The obvious fix was to use proper RFC1918
address space -- 'too hard', they said. They solved it by listing
all the separate desktops individually so that they are
permitted to relay, with a default deny so that the proxy can't
(I think).

So their inbound mail still all says it comes from my network,
but that is no longer a problem for me or the rest of the world.

Rodney Tillotson, JANET-CERT
01235 822 255.
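As an added illustration of the two relay policies compared in this message (not code from the list or from any of its participants; all addresses are constructed placeholders, with a documentation prefix standing in for the non-private block the gateway uses internally):

```python
import ipaddress

# Constructed sample configuration. Internal hosts sit behind a NAT gateway
# whose inside network is numbered from publicly routable space rather than
# RFC 1918 space, so the mailer sees every NATed connection, inbound ones
# included, arriving from the gateway's inside address.
INTERNAL_BLOCK = "192.0.2.0/24"          # placeholder for someone else's routable block
GATEWAY_INSIDE_ADDRESS = "192.0.2.1"     # what the mailer sees for traffic via the proxy
DESKTOPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def non_rfc1918_blocks(blocks):
    """Return the inside blocks that are not RFC 1918 space. Python's
    is_private also counts documentation prefixes, so check explicitly."""
    flagged = []
    for b in blocks:
        net = ipaddress.ip_network(b, strict=False)
        if not any(net.version == r.version and net.subnet_of(r) for r in RFC1918):
            flagged.append(b)
    return flagged


def relay_allowed_by_block(src):
    """The policy the message rejects: trust the whole inside block.
    Traffic arriving through the gateway carries its inside address, so the
    proxy is trusted too and external senders could relay."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(INTERNAL_BLOCK)


def relay_allowed_by_host(src):
    """The policy the message settles on: each desktop listed individually,
    default deny. The gateway's inside address is not listed, so mail
    arriving through the proxy cannot relay."""
    return str(ipaddress.ip_address(src)) in DESKTOPS


if __name__ == "__main__":
    print("non-RFC1918 inside blocks:", non_rfc1918_blocks([INTERNAL_BLOCK, "10.0.0.0/8"]))
    for policy in (relay_allowed_by_block, relay_allowed_by_host):
        print(policy.__name__, "gateway:", policy(GATEWAY_INSIDE_ADDRESS),
              "desktop:", policy("192.0.2.10"))
```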