Security Basics mailing list archives
Re: Domain HiJacking by SPAMMERS
From: sil <jesus () resurrected us>
Date: Thu, 29 Jan 2004 18:37:18 -0500 (EST)
On Fri, 30 Jan 2004, Ho Chaw Ming wrote:
I would be interested too, since we got a client who got "attacked" in such a way yesterday. We received an estimated 30,000 bounced emails alone from the fake reply to email address in a matter of hours. The data center received hundreds of ill-informed abuse reports. We took a sample and they trace to US and Europe, from a large variety of ISPs, leading us to believe it's probably compromised machines. I would thus be interested too to hear about how this can be resolved. We don't wish to terminate the client, or ask him to move, but this causes us tremendous resources to deal with. At the same time, we don't want ill-informed reports to cause us to be blacklisted by ISPs or Spam lists. Any suggestions will be appreciated. Thanks.
What you can do to minimize the majority of messages from making their way onto your machine is to set up procmail rules that delete the messages before they make their way into the network. That is only, of course, if you have a *nix based machine set up. I haven't configured MS Exchange for some time, but if I remember correctly there are options to minimize this as well. Microsoft's OE 6 also disables attachments from being opened by the user, and while some may find this to be an annoyance, I find it a damn good way to halt the flow of someone opening a message thinking it's from their friend/family/relative/co-worker, only for it to turn out to be a pseudo-spoofed, virus-infected message.

On a personal note, for the first few messages that did make their way through my networks, I made some scripts to auto-check the Received: from fields and auto-block their ranges via IPF. I can always remove them every two days, or leave them blocked from sending data to port 25 until I feel the dust is clear in regards to this nuisance, and then unblock them. Again, however, this is mainly for a personal web server with about 60 or so users. To date I think I have received under 10 messages with that annoying "Hi\|Hello\|Test" subject, which is great considering my work email address is getting pounded with over 200 per day. None of the other users on my machines have complained, but I've told them to forward me the messages they get so they too can be blocked.

Maybe network admins can block attachments of the size of the virus from coming in and being sent out, in order to minimize it. E.g. if an infected message is, say, 10k altogether, have strict checks on them and block as necessary. A perl/python/shell script is not so difficult to create for this; however, on a network of decent size, with massive incoming and outgoing mail volume, it just may not be feasible.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Quis custodiet ipsos custodes? - Juvenal
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net
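The Received: header check and IPF blocking that sil describes above, as an added example that is not part of the original post or the list (the MX name mx.example.org, the interface fxp0, the /24 aggregation, the constructed sample messages and their RFC 5737 addresses are all assumptions). It trusts only the topmost Received: line, and only when our own MX wrote it, because every Received: line below that was added by some other host and is trivially forged; it then matches the Hi/Hello/Test subjects, counts offending peers per /24 and emits ipf.conf lines that refuse port 25 from those ranges:

```python
"""Find the host that connected to our MX and emit IPF rules to refuse SMTP
from its range. Added example; not code from the original post."""
import ipaddress
import re
from collections import Counter
from email import message_from_string

OUR_MX = "mx.example.org"   # assumption: only the Received: line this host wrote is trusted
IFACE = "fxp0"              # assumption: external interface named in the ipf rule
BLOCK_PREFIX = 24           # aggregate offenders into /24 ranges, as the post describes
# The "Hi|Hello|Test" subjects the post mentions; anchored so "Hi there" is not matched.
SUBJECT_RE = re.compile(r"^\s*(hi|hello|test)\s*$", re.I)

# "from <helo> (<rdns> [<ip>]) ... by <host>" -- the shape sendmail and postfix write.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s*\((?:\S+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r".*?\bby\s+(?P<by>[\w.-]+)",
    re.I | re.S,
)


def originating_ip(raw, our_mx=OUR_MX):
    """Address of the peer that connected to our MX, or None.

    Only the topmost Received: header is examined, and only if our own MX
    wrote it: every Received: line below it was added by some other host
    and is trivially forged, so it must not drive a firewall rule.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(received[0])
    if m and m.group("by").lower() == our_mx.lower():
        return ipaddress.ip_address(m.group("ip"))
    return None


def is_suspect(raw, subject_re=SUBJECT_RE, max_bytes=None):
    """Subject matches the worm's pattern and (optionally) the message is small."""
    subject = message_from_string(raw).get("Subject", "")
    if not subject_re.match(subject):
        return False
    return max_bytes is None or len(raw.encode()) <= max_bytes


def offending_ranges(messages, min_hits=1, prefix=BLOCK_PREFIX):
    """Map each /prefix range of a connecting peer to its number of suspect messages."""
    hits = Counter()
    for raw in messages:
        if not is_suspect(raw):
            continue
        ip = originating_ip(raw)
        if ip is not None:
            hits[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return {net: n for net, n in hits.items() if n >= min_hits}


def ipf_rules(ranges, iface=IFACE):
    """ipf.conf lines refusing SMTP from each range; remove them once the dust settles."""
    return [f"block in quick on {iface} proto tcp from {net} to any port = 25"
            for net in sorted(ranges, key=lambda n: int(n.network_address))]


def _sample(peer, rdns, subject, forged_ip="10.0.0.5"):
    """Constructed message: our MX's Received: line on top, a forged one below it."""
    return (f"Received: from {rdns} ({rdns} [{peer}])\n"
            f"\tby {OUR_MX} (8.12.10/8.12.10) with ESMTP id i0TNbIab012345\n"
            f"\tfor <user@example.org>; Thu, 29 Jan 2004 18:37:18 -0500 (EST)\n"
            f"Received: from bogus.example.com (unknown [{forged_ip}])\n"
            f"\tby {rdns} with SMTP; Thu, 29 Jan 2004 18:30:00 -0500\n"
            f"From: friend@example.org\n"
            f"Subject: {subject}\n\n"
            "see attached\n")


# Constructed samples using RFC 5737 documentation addresses.
SAMPLE_MESSAGES = [
    _sample("192.0.2.10", "dsl-10.example.net", "Hi"),
    _sample("192.0.2.77", "dsl-77.example.net", "Test"),
    _sample("198.51.100.5", "cable-5.example.com", "hello"),
    _sample("203.0.113.9", "mail.example.com", "Re: lunch tomorrow"),  # legitimate mail
]

if __name__ == "__main__":
    for rule in ipf_rules(offending_ranges(SAMPLE_MESSAGES)):
        print(rule)
```

Two caveats. A /24 is a blunt instrument on dial-up and DSL pools, so `min_hits` is there to require more than one infected peer in a range before it is blocked. And this is for the worm traffic sil is describing, not for the bounces Ho Chaw Ming reports: those arrive from the legitimate MTAs of the people the forged sender address was spammed to, and blocking them from port 25 would cut off real mail servers.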
Current thread:
- Domain HiJacking by SPAMMERS saliskor (Jan 29)
- Re: Domain HiJacking by SPAMMERS Lars Johannesen (Jan 29)
- Re: Domain HiJacking by SPAMMERS Ho Chaw Ming (Jan 29)
- Re: Domain HiJacking by SPAMMERS sil (Jan 30)
- Re: Domain HiJacking by SPAMMERS Alejandro Flores (Jan 30)
- Re: Domain HiJacking by SPAMMERS Ho Chaw Ming (Jan 30)
- RE: Domain HiJacking by SPAMMERS David Gillett (Jan 29)
- Re: Domain HiJacking by SPAMMERS Bryan S. Sampsel (Jan 30)
- Re: Domain HiJacking by SPAMMERS Jude Naidoo (Jan 30)
- Re: Domain HiJacking by SPAMMERS Ho Chaw Ming (Jan 30)
- Re: Domain HiJacking by SPAMMERS Ed Weinberg (Jan 30)
- Re: Domain HiJacking by SPAMMERS Jude Naidoo (Jan 30)
- Re: Domain HiJacking by SPAMMERS Michele Orsenigo (Jan 30)
- <Possible follow-ups>
- RE: Domain HiJacking by SPAMMERS Shawn Jackson (Jan 30)
- RE: Domain HiJacking by SPAMMERS Bruyere, Michel (Jan 30)
(Thread continues...)