Security Incidents mailing list archives

Re: Spammers just got smarter.


From: Justin Lintz <jlintz () OPTONLINE NET>
Date: Thu, 24 Aug 2000 12:57:22 -0400

Spamming through WinGates is nothing new; it's been going on ever since
people found the vulnerabilities in WinGates.  The idea of scanning for
proxies before accepting mail could lead to problems for people who have no
choice but to use a proxy to send mail.  I think instead people who are
using WinGate as their proxy should configure it correctly, and that would
prevent people spamming through them.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Rune Kristian Viken
Sent: Thursday, August 24, 2000 4:41 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Spammers just got smarter.


I've feared this for a long time.  But it seems that spammers have finally
gotten smarter.  Here is the header for a spam I received today:
----
Return-Path: <AdQDmOOX1 () PCMoenkeberg gwdg de>
Delivered-To: arcade () falcon kvinesdal com
Received: (qmail 4758 invoked from network); 23 Aug 2000 07:35:44 -0000
Received: from ip19853.igreatlink.com (HELO nts.hkg.com.hk) (202.122.198.53)
 by falcon.kvinesdal.com with SMTP; 23 Aug 2000 07:35:43 -0000
Received: from Jbm5bH96Z (irix.sit.com.hk [202.161.241.2]) by nts.hkg.com.hk
with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
 id RKS0R91Q; Mon, 21 Aug 2000 16:29:13 +0800
DATE: 21 Aug 00 3:28:53 AM
FROM: AdQDmOOX1 () PCMoenkeberg gwdg de
Message-ID: <JsFJtQi1Yyg>
SUBJECT: Can't Get you money?...Try Us...
X-UIDL: m-Z!!j]("!@Pp!!]fk!!
Status: RO
X-Status: O
----
Here, my server is 'falcon.kvinesdal.com'.  I receive the spam via the open
relay "ip19853.igreatlink.com" - which identifies itself as
"nts.hkg.com.hk".
So far, it's just an open relay.  No problem and nothing new about that.
(By the way, igreatlink.com is just a reverse-DNS entry; it doesn't have a
forward one.)

The open relay received the spam from "irix.sit.com.hk", and now the trouble
starts.  Why?  Because that is not the spammer.  irix.sit.com.hk is a person
with a misconfigured WinGate.  So, it seems spammers have started using
WinGates to bounce to open relays.  That makes the spam extremely difficult
to track.

So, we can continue our battle against open relays, but what on earth can we
do to track down the spammers, if they all start using this technique? Should
mail servers start to 'scan for proxies' before accepting mail - like IRC
servers these days scan for proxies before accepting connections?

--
"Rune Kristian Viken" <arcade () kvinesdal com> / arcade@irc (EFnet/IRCnet)
Kvinesdalsnett System Administrator (http://arcade.kvinesdal.com/)


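The header walk Rune does by hand above, as code. This is an added example and not part of the thread: a small Python script that unfolds the headers, parses both the qmail-style and the Exchange-style Received: lines shown in the post, walks the chain from the delivering MTA back to the earliest visible hop, and flags the things a tracer cares about (a HELO name that does not match reverse DNS, a hand-off where the "by" host of one line is not the "from" host of the next, and a Message-ID with no domain part). The sample input is the post's own header with the archive's "()" address obfuscation undone and a leading space assumed on the wrapped "with SMTP" line; the field-order conventions it relies on (qmail records the rDNS name first and the announced HELO in parentheses, Exchange records the announced name first and "rdns [ip]" in parentheses) are those MTAs' documented formats.

```python
"""Walk a message's Received: chain back to the originating host and flag
HELO/rDNS mismatches, chain breaks and a domain-less Message-ID."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the header block from the post, "()" obfuscation undone and a
# leading space restored on the wrapped "with SMTP" continuation (assumption).
SPAM_HEADER = """Return-Path: <AdQDmOOX1@PCMoenkeberg.gwdg.de>
Delivered-To: arcade@falcon.kvinesdal.com
Received: (qmail 4758 invoked from network); 23 Aug 2000 07:35:44 -0000
Received: from ip19853.igreatlink.com (HELO nts.hkg.com.hk) (202.122.198.53)
 by falcon.kvinesdal.com with SMTP; 23 Aug 2000 07:35:43 -0000
Received: from Jbm5bH96Z (irix.sit.com.hk [202.161.241.2]) by nts.hkg.com.hk
 with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
 id RKS0R91Q; Mon, 21 Aug 2000 16:29:13 +0800
DATE: 21 Aug 00 3:28:53 AM
FROM: AdQDmOOX1@PCMoenkeberg.gwdg.de
Message-ID: <JsFJtQi1Yyg>
SUBJECT: Can't Get you money?...Try Us...
"""

RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
PAREN_RE = re.compile(r"\(([^)]*)\)")
# "(1.2.3.4)" or "(host.example [1.2.3.4])" as most MTAs write the peer address
ADDR_RE = re.compile(r"^(?:(?P<host>[^\s\[\]]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?$")


@dataclass
class Hop:
    helo: str              # name the connecting host announced in HELO/EHLO
    rdns: Optional[str]    # reverse-DNS name the receiving MTA recorded, if any
    ip: Optional[str]      # connecting IP as recorded by the receiving MTA
    by: str                # the MTA that wrote this Received: line
    flags: List[str] = field(default_factory=list)


def unfold(header_text: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for raw in header_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_received(line: str) -> Optional[Hop]:
    """Parse one unfolded Received: line; None for lines without a 'from' clause
    (e.g. qmail's local "(qmail NNN invoked from network)" stamp)."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    name, middle, by = m.groups()
    helo, rdns, ip = name, None, None
    for grp in PAREN_RE.findall(middle):
        if grp.upper().startswith("HELO "):
            # qmail style: "from <rdns> (HELO <announced>) (<ip>)"
            helo, rdns = grp[5:].strip(), name
        else:
            am = ADDR_RE.match(grp.strip())
            if am:  # Exchange/sendmail style: "from <announced> (<rdns> [<ip>])"
                ip = am.group("ip")
                if am.group("host"):
                    rdns = am.group("host")
    return Hop(helo, rdns, ip, by)


def trace(header_text: str):
    """Return (hops, origin, notes): hops[0] handed the mail to us, hops[-1] is
    the earliest hop visible, i.e. the host to investigate for an open proxy."""
    lines = unfold(header_text)
    received = [l for l in lines if l.lower().startswith("received:")]
    hops = [h for h in map(parse_received, received) if h]
    for i, hop in enumerate(hops):
        if hop.rdns and hop.helo.lower() != hop.rdns.lower():
            hop.flags.append(f"HELO {hop.helo} does not match rDNS {hop.rdns}")
        if i + 1 < len(hops):
            # The host that stamped the earlier line must be the host this line
            # says it received from; otherwise one of the lines was forged.
            earlier_by = hops[i + 1].by
            if earlier_by.lower() not in (hop.helo.lower(), (hop.rdns or "").lower()):
                hop.flags.append(f"chain break: earlier hop stamped 'by {earlier_by}'")
    msgid = next((l.split(":", 1)[1].strip() for l in lines
                  if l.lower().startswith("message-id:")), "")
    notes = []
    if "@" not in msgid:
        notes.append(f"Message-ID {msgid} has no domain part (bulk mailer, not an MTA)")
    origin = hops[-1] if hops else None
    return hops, origin, notes


if __name__ == "__main__":
    hops, origin, notes = trace(SPAM_HEADER)
    for n, hop in enumerate(hops):
        print(f"hop {n}: by {hop.by} from {hop.ip} rDNS={hop.rdns} HELO={hop.helo} {hop.flags}")
    print("host to check for an open proxy:", origin.ip, origin.rdns)
    print("notes:", notes)
```

On the post's header this reports two hops, both with a HELO/rDNS mismatch, no chain break (the relay that stamped "by nts.hkg.com.hk" is the same name it announced to falcon), and 202.161.241.2 (irix.sit.com.hk) as the earliest visible host. Nothing in the headers can show what sat behind that WinGate; the script only tells you where the trail ends and which host to test for an open proxy.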