RE: About the Unsolicited Use of Our Legal IP Addresses
- Date: Tue, 30 Jul 2002 15:01:12 +0300
Hi Rodney,
Many thanks for your detailed analysis. What happened is that we have been
getting too many emails similar to the one I sent in the last 3-4 months.
All have the same "Received:" line which includes one of our legal but unused
addresses (194.29.209.49).
I tried the same thing using an SMTP connection with Sendmail on Solaris 2.6.
I wrote those "Received:" lines to the DATA portion, and I can comfortably
confirm that you are right.
An interesting development happened today: we noticed from the IDS logs that
an IP address belonging to the CONCENTRIC.NET range has been performing several Unicode
attack scans continuously on some days. So, although I had stated that Concentric.Net has
nothing to be blamed for, I don't believe that they are not guilty anymore.
About Tripod and the FreeAccess.exe, those parts are really not important at all,
since we have too many spam mails which are all about different things. So, we are
interested in the source, not the destination. Right?
We would like to know what to do in such a case. We have decided to develop
some strategies about spam and abuse mailing activities, an Acceptable Use Policy,
and also actions to take when faced with such events. Also, we need to think of
saving ourselves. We need to know whom to talk to and/or register with in order
to declare that we are in no way involved in a mass mailing activity, that we are
opposed to such thoughts, and that we would like to cooperate with anyone who insists on
blaming us for involvement in such an activity, in order to clarify the situation and
prevent attacks.
Any comments?
Thanks in advance.
__________________________________________
Muharrem AY
Garanti Technology
IT Security Department
Phone : +90.212.4783422
Fax : +90.212.6570473
Mailto : muharremay@localhost
Address : Evren Mah. Kocman Cd. No: 22
34550 Gunesli Istanbul/TURKEY
www.garantitechnology.com
__________________________________________
-----Original Message-----
From: Rodney Tillotson []
Sent: Monday, July 29, 2002 5:28 PM
To: RIPE anti-spam WG
Subject: Re: About the Unsolicited Use of Our Legal IP Addresses
At 29/07/2002 12:17 +0300, Muharrem Ay wrote:
> We don't want to be put in the blacklists or shitlists of
> organizations. We would like to get help from you to do this.
> Also, we would be glad if you can tell us what exactly is
> happening, and what can be done to get rid of it.
First, what has happened. Your analysis was right and I've
just written it out in more detail here.
The top Received: line is internal to MSN. Not interesting.
The next line says that the MSN mailer had the message from
61.153.231.139, somewhere in China. I have to guess that the
person who complained to you did not change that IP address.
In this line, '210.179.36.2' is a meaningless forgery. The
bulk mailer connected from the Chinese system with
'HELO 210.179.36.2' to confuse anyone reading the header.
There is no connection between that line and the other
Received: lines, so you have to assume they are fictional
and included by the bulk mailing program to confuse anyone
reading the header. _None_ of these addresses:
159.218.252.32,
137.155.98.192,
88.58.121.118,
194.29.209.49
or these domain names:
n7.groups.yahoo.com,
f64.law4.hotmail.com,
anther.webhostingtalk.com,
da001d2020.lax-ca.osd.concentric.net
had any part in the origination or transmission of the message.
The message passed by the bulk mailer in the DATA phase already
included all the false Received: lines.
So who has done anything wrong here?
The managers of 61.153.231.139, who left it insecure either
as an open mail relay (not to my casual test), an open proxy
server of some kind (it is listening on port 1080), or a system
vulnerable to root compromise.
The person who sent the bulk mail. That could be a manager or
user of 61.153.231.139 but it probably wasn't. The managers
might in principle be able to partly trace the misuse but they
probably won't.
The person operating the advertised Web site. Unfortunately the
URL in the mail is a free Tripod page for which the only
responsibility Tripod will accept is to remove it. Perhaps
nobody has asked them, because it's still there at present.
The person operating the site that the downloaded program
FreeAccess.exe connects to. I haven't dared to try that :-)
I believe you should complain to Tripod (in VE and US), to
Chinanet and perhaps to CN-CERT. There is no guarantee that any
of them will help you but they may close an account and the
bulk mailer may move on to some different forged Received:
lines.
Other people may take a more optimistic view?
Rodney Tillotson, JANET-CERT
+44 1235 822 255.
Received: from cpimssmtpa48.msn.com ([10.48.181.222])
by cpimsstra06.email.msn.com
with Microsoft SMTPSVC(5.0.2195.4905);
Sun, 28 Jul 2002 00:31:59 -0700
Received: from 210.179.36.2 ([61.153.231.139])
by cpimssmtpa48.msn.com with Microsoft SMTPSVC(5.0.2195.4905);
Sun, 28 Jul 2002 00:31:52 -0700
Received: from [159.218.252.32] by n7.groups.yahoo.com with SMTP;
Jul, 28 2002 12:19:32 AM +0300
Received: from [137.155.98.192] by f64.law4.hotmail.com with QMQP;
Jul, 27 2002 11:05:48 PM -0200
Received: from anther.webhostingtalk.com ([88.58.121.118])
by da001d2020.lax-ca.osd.concentric.net with QMQP;
Jul, 27 2002 10:28:43 PM +0300
Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net)
(194.29.209.49) by f64.law4.hotmail.com with QMQP;
Jul, 27 2002 9:14:49 PM -0200
From: Vim hing@localhost <>
To: You
Cc:
Subject: School Girl Teens Caught Fuck'n In Showers !!!!! dmlwt
Sender: Vim hing@localhost
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 28 Jul 2002 00:32:48 -0700
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 1
Return-Path: hing@localhost
Message-ID: <>
X-OriginalArrivalTime: 28 Jul 2002 07:31:59.0606 (UTC) FILETIME=[DBDBF960:01C23608]
HOT FREE MORPHEUS XXX MILLIONS OF MOVIES AND PICS TO DOWNLOAD FOR FREE!!!
Click Here <http://members.tripod.com.ve/alladian828r>To Download Free Software!
P.S DOWNLOAD IT NOW BEFORE IT'S GONE!
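The header walk Rodney does by hand above can be done mechanically. The script below is an added example for this thread, not code from either correspondent or from the RIPE WG: it unfolds the Received: lines, trusts only those written by servers under a domain the reader controls (here "msn.com" stands in for the recipient's own MTAs, an assumption), and walks down the chain until a line's "by" host is not the host the previous trusted line says connected. Everything from that line down was inside the DATA phase, as Muharrem confirmed with his Sendmail test. The header block is the one quoted above, re-folded with indented continuation lines because the page lost the folding; the dates in the forged lines are kept as they appear but are not parsed.

```python
"""Walk a message's Received: lines top-down and find where they stop being believable.
Added example, not code from the thread or its authors. The rule is Rodney's: only lines
written by servers you trust count; each names the host that really connected to it, and
the next line down must say "by <that host>", or it and everything below came in with the DATA."""
import re
from dataclasses import dataclass, field

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<frm>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)

# The headers quoted above, re-folded with indented continuation lines (the page lost the
# folding) so they parse as a real RFC 822 header block.
SAMPLE_HEADERS = """\
Received: from cpimssmtpa48.msn.com ([10.48.181.222])
 by cpimsstra06.email.msn.com with Microsoft SMTPSVC(5.0.2195.4905); Sun, 28 Jul 2002 00:31:59 -0700
Received: from 210.179.36.2 ([61.153.231.139])
 by cpimssmtpa48.msn.com with Microsoft SMTPSVC(5.0.2195.4905); Sun, 28 Jul 2002 00:31:52 -0700
Received: from [159.218.252.32] by n7.groups.yahoo.com with SMTP;
 Jul, 28 2002 12:19:32 AM +0300
Received: from [137.155.98.192] by f64.law4.hotmail.com with QMQP;
 Jul, 27 2002 11:05:48 PM -0200
Received: from anther.webhostingtalk.com ([88.58.121.118])
 by da001d2020.lax-ca.osd.concentric.net with QMQP; Jul, 27 2002 10:28:43 PM +0300
Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net)
 (194.29.209.49) by f64.law4.hotmail.com with QMQP; Jul, 27 2002 9:14:49 PM -0200
"""


@dataclass
class Hop:
    claimed: str  # what the client said it was: the HELO name or the first token after "from" (forgeable)
    ips: list     # IPv4 literals in the from-clause; the last one is the address that really connected
    by: str       # the server that says it wrote this line


def unfold(raw):
    """Join continuation lines (leading whitespace) back onto their header line."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(raw):
    hops = []
    for line in unfold(raw):
        if m := RECEIVED_RE.match(line):
            frm = m.group("frm")
            helo = HELO_RE.search(frm)
            claimed = helo.group(1) if helo else frm.split()[0].strip("[]()")
            hops.append(Hop(claimed, IPV4_RE.findall(frm), m.group("by")))
    return hops


def is_ours(host, suffixes):
    """True if host is, or is under, a domain whose servers we believe write honest lines."""
    return any(host.lower() == s or host.lower().endswith("." + s) for s in suffixes)


def links(upper, lower):
    """Does the lower line claim to be written by the host the upper line says connected?"""
    return lower.by.lower() == upper.claimed.lower() or lower.by in upper.ips


@dataclass
class Verdict:
    trusted: list = field(default_factory=list)    # written by our own servers
    untrusted: list = field(default_factory=list)  # arrived inside the DATA phase
    chain_broken: bool = False
    origin_ip: str = None     # what really connected to the last trusted server
    origin_claim: str = None  # what it claimed to be: free text, forgeable
    reason: str = ""


def analyse(raw, our_suffixes):
    v, hops = Verdict(), parse_received(raw)
    for i, hop in enumerate(hops):
        prev = v.trusted[-1] if v.trusted else None
        if prev and not links(prev, hop):
            v.chain_broken = True
            v.reason = f"line {i + 1}: 'by {hop.by}' is not the host that connected to {prev.by}"
        elif not is_ours(hop.by, our_suffixes):
            v.reason = f"line {i + 1}: 'by {hop.by}' is not our server; cannot verify further"
        else:
            v.trusted.append(hop)
            continue
        v.untrusted = hops[i:]
        break
    if v.trusted:
        last = v.trusted[-1]
        v.origin_ip, v.origin_claim = (last.ips[-1] if last.ips else None), last.claimed
    return v


def exonerated(v):
    """Names and addresses seen only below the break: nothing in the message ties them to it."""
    skip = {t.lower() for h in v.trusted for t in (h.claimed, h.by, *h.ips)} | {"unknown"}
    out = []
    for h in v.untrusted:
        for tok in (h.claimed, h.by, *h.ips):
            if tok.lower() not in skip and tok not in out:
                out.append(tok)
    return out


if __name__ == "__main__":
    verdict = analyse(SAMPLE_HEADERS, ["msn.com"])  # msn.com stands in for the recipient's MTAs
    print(f"trusted lines: {len(verdict.trusted)}; {verdict.reason}")
    print(f"real origin: {verdict.origin_ip} (claimed {verdict.origin_claim})")
    print("appear only in forged lines:", ", ".join(exonerated(verdict)))
```

On the sample the walk trusts the two MSN lines, stops at line 3 because "by n7.groups.yahoo.com" is not 61.153.231.139 (nor its HELO claim 210.179.36.2), reports 61.153.231.139 as the only real origin, and lists exactly the four addresses and four host names Rodney names as having had no part in the message. A continuous chain is not proof of honesty (a careful forger can write one), which is why the walk also stops at the first "by" host that is not under a trusted domain; a broken chain, however, is proof of forgery.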