[ cest @ 02.07.2002. 12:16 ] @
Intro:
I get a message (xxx-SPAM) and try to reply to it or bounce it.
The message comes back from the net with a notice that the user does not exist...
I open the source and see three (3) different, inhumanly random addresses of the form *@yahoo.com or *@msn.com.
On top of that, the message's origin (the originating SMTP server) either has no name or has a God-help-us name.
OK, e-mail can be faked.
OK, an SMTP server can be brought up locally on a home machine.
A home machine can be given any name and domain you like...

How do you trace a SPAMmer?

Is there any protection besides filtering?
How do I become 'invisible' to such a spammer / discourage him?

Is there a cure?

P.S. I get 2 e-mails a day, or more.
[ stinger @ 02.07.2002. 14:39 ] @
This has been written about before; you can read it here:
http://www.elitesecurity.org/tema.php?TopicID=8962#77699
http://www.elitesecurity.org/tema.php?TopicID=11037
http://www.elitesecurity.org/tema.php?TopicID=11220

As for your problem, you would have to post the full header
of the message so that we can help you.

[ Gojko Vujovic @ 02.07.2002. 18:02 ] @
Quote:
cest:
How do you trace a SPAMmer?


Read the threads stinger gave you; they will be useful. In short, it comes down to the following:

1. finding the exact IP address in the header; post the headers in full so we can explain which IP address you need
2. finding the owner of the IP address, or the upstream provider to complain to (via samspade.org, for example)
3. sending an abuse mail to the abuse address for that provider or for that IP address, or to the coordinator of that IP block, or to all of those addresses together + RIPE or ARIN, depending on who is responsible.

This may look a bit jumbled, but it makes perfect sense, and I'm sure it will be clearer once you read those old threads.

[ cest @ 02.07.2002. 18:55 ] @
Quote:
stinger:
..., you would have to post the full header
of the message so that we can ...


I'll try to upload the junk.

In the meantime, here is this:

From [email protected] Mon Jul 1 09:02:48 2002
Return-Path: <[email protected]>
Received: from ns1.ptt.yu (ns1.ptt.yu [212.62.32.1])
    by pop3.ptt.yu (8.11.6/8.11.6) with ESMTP id g61LGE004846
    for <[email protected]>; Mon, 1 Jul 2002 23:16:14 +0200
Received: (from [email protected])
    by ns1.ptt.yu (8.11.6/8.11.6) id g61LGI928868
    for [email protected]; Mon, 1 Jul 2002 23:16:18 +0200
Received: from svr1.fl.cq.gov.cn ([61.128.176.77])
    by ns1.ptt.yu (8.11.6/8.11.6) with ESMTP id g61LGGf28755
    for <[email protected]>; Mon, 1 Jul 2002 23:16:17 +0200
Message-Id: <[email protected]>
Received: from smtp023.mail.yahoo.com (SERVER [202.164.168.14]) by svr1.fl.cq.gov.cn with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3)
    id N7C4XA08; Tue, 2 Jul 2002 00:09:16 +0800
Date: Mon, 1 Jul 2002 00:02:48 -0700
From: [email protected]
X-Priority: 3
To: [email protected]
CC:
Subject: Attention
Mime-Version: 1.0
Content-Type: text/html;
    charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: G\0"!DAJ!!_he!!RX~!!
Status: RO
X-Status: O
[ cest @ 07.07.2002. 22:35 ] @

Here is a BackTrace:
1 172.16.2.33 (172.16.2.33) 4351.750 ms 149.466 ms 161.392 ms
2 172.16.2.27 (172.16.2.27) 138.348 ms 131.323 ms 138.311 ms
3 Bgd-NS-I.ptt.yu (212.62.38.1) 140.882 ms 159.757 ms 151.450 ms
4 PTT2-bcn.telekom.yu (195.178.34.49) 498.233 ms 159.750 ms 189.880 ms
5 pa1-srbija-telekom-1-yu.seabone.net (195.22.192.161) 209.856 ms 233.994 ms 175.406 ms
6 ge6-0-pal5-palb.seabone.net (195.22.205.251) 179.905 ms 213.572 ms 216.048 ms
7 POS2-2.GW1.MIA4.ALTER.NET (157.130.78.129) 429.908 ms 391.038 ms 381.278 ms
8 154.at-5-0-0.XR1.MIA4.ALTER.NET (146.188.233.162) 467.140 ms 499.924 ms 509.748 ms
9 0.so-4-2-0.XL1.MIA4.ALTER.NET (152.63.101.42) 529.888 ms 479.677 ms 431.650 ms
10 0.so-1-0-0.TL1.ATL5.ALTER.NET (152.63.85.217) 369.067 ms 489.441 ms 500.010 ms
11 0.so-7-0-0.TL1.MTL1.ALTER.NET (152.63.0.89) 619.901 ms 629.801 ms 619.926 ms
12 0.so-7-1-0.XL1.MTL1.ALTER.NET (152.63.133.69) 549.830 ms 609.681 ms 519.855 ms
13 0.so-3-0-0.XR1.MTL1.ALTER.NET (152.63.133.46) 439.865 ms 419.781 ms 449.831 ms
14 193.ATM7-0.GW1.MTL1.ALTER.NET (152.63.128.225) 379.808 ms 629.844 ms 609.688 ms
15 grouptel21-gw.customer.alter.net (157.130.156.106) 619.884 ms 619.672 ms 539.809 ms
16 GE3-0.WANB-MTRLPQ.IP.GROUPTELECOM.NET (66.59.191.141) 540.108 ms 619.617 ms 619.896 ms
17 POS6-0-0.WANB-HLFXNS.IP.GROUPTELECOM.NET (66.59.191.154) 619.885 ms 629.812 ms 629.864 ms
18 ATM4-0-0.1.MANA-STJHNF.IP.GROUPTELECOM.net (198.165.40.10) 779.735 ms 709.810 ms 679.906 ms
19 198.165.40.38 (198.165.40.38 ) 630.251 ms 539.778 ms 529.902 ms
20 198.165.205.50 (198.165.205.50) 519.854 ms 629.617 ms 609.917 ms


I'm not sure, but it seems to me that:
hop 18 is a server at some organization (telekom?)
and IP number 20 is a machine on which someone is doing something naughty while being paid to do something else (something useful?)


What does anyone think, and who knows what?

Every answer is welcome...


The incriminating e-mail is attached...
[ stinger @ 08.07.2002. 13:26 ] @
Received: from svr1.fl.cq.gov.cn ([61.128.176.77])
Received: from smtp023.mail.yahoo.com (SERVER [202.164.168.14]) by svr1.fl.cq.gov.cn

That is who has the open relay and what the mail was sent through, i.e. the host svr1.fl.cq.gov.cn
has an open relay, and it sent, as:

Return-Path: <[email protected]>

to you. So first write to [email protected] or [email protected]
that you received spam, send them the full header, and that's it... that is the most you can do.
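An added example (not code from the thread or from elitesecurity.org) of the check behind stinger's reading of those two Received: lines: an open-relay test that asks the server to accept mail from an outside sender to an outside recipient and stops at RCPT TO, so nothing is delivered. The real host is replaced by an in-process fake MTA whose relay policy can be flipped, so both the proper 550 and the open-relay 250 can be seen offline; the domains example.net/example.org and the probe addresses are assumptions.

```python
"""Probe an SMTP host for open relay, demonstrated against an in-process fake.

Added example for this thread, not code from elitesecurity.org or the posters.
Assumptions: the probed MTA serves "example.net" only; all addresses are made up.
"""
import smtplib
import socket
import threading

LOCAL_DOMAINS = {"example.net"}  # assumed: domains the probed MTA accepts mail for


def _domain(path: str) -> str:
    """'<victim@example.org>' -> 'example.org'"""
    return path.strip().strip("<>").rsplit("@", 1)[-1].lower()


class FakeMTA:
    """Just enough of SMTP (HELO/MAIL/RCPT/QUIT) to answer one relay probe."""

    def __init__(self, open_relay: bool):
        self.open_relay = open_relay
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _reply(self, verb: str, arg: str, have_sender: bool) -> str:
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            if not have_sender:
                return "503 MAIL first"
            rcpt = arg.partition(":")[2]
            # A correctly configured MTA accepts RCPT only for domains it serves
            # (or for authenticated/local clients); an open relay says 250 to all.
            if _domain(rcpt) in LOCAL_DOMAINS or self.open_relay:
                return "250 OK"
            return "550 Relaying denied"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"

    def _serve(self) -> None:
        conn, _ = self._srv.accept()
        with conn:
            conn.sendall(b"220 mx.example.net ESMTP\r\n")
            buf, have_sender = b"", False
            while True:
                data = conn.recv(1024)
                if not data:
                    return
                buf += data
                while b"\r\n" in buf:  # SMTP commands are CRLF-terminated lines
                    line, buf = buf.split(b"\r\n", 1)
                    verb, _, arg = line.decode(errors="replace").partition(" ")
                    verb = verb.upper()
                    reply = self._reply(verb, arg, have_sender)
                    conn.sendall(reply.encode() + b"\r\n")
                    if verb == "MAIL" and reply.startswith("250"):
                        have_sender = True
                    if verb == "QUIT":
                        return


def probe_relay(host: str, port: int) -> dict:
    """Outside sender -> outside recipient; a 250 to RCPT TO means open relay.

    The dialogue stops after RCPT TO (no DATA), so no message is ever sent.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.example.com", timeout=5) as s:
        s.helo()
        s.mail("probe@example.com")              # not a domain the MTA serves
        code, msg = s.rcpt("victim@example.org")  # nor is this one
    return {"code": code, "reply": msg.decode(errors="replace"),
            "open_relay": code == 250}


if __name__ == "__main__":
    for policy in (False, True):
        mta = FakeMTA(open_relay=policy)
        v = probe_relay("127.0.0.1", mta.port)
        print(f"open_relay={policy}: RCPT -> {v['code']} {v['reply']}"
              f"  => {'OPEN RELAY' if v['open_relay'] else 'relay denied'}")
```

Against a real host you would point probe_relay at port 25 of the server named in the Received: line; a 250 to that RCPT TO is exactly what lets a spammer hand the relay a message that then arrives with the relay's name in your headers.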
[ cest @ 08.07.2002. 14:52 ] @
I tried something more elegant:

I sent to the e-mail address in question the error message (fatal error) that my mail client (KMail 2.2.1) generates automatically on the bounce command.

However, after a few minutes the server answered me that there is no user account with that name (there were names @yahoo.co and @msn.com and who knows what else...)

From that I concluded that it is a fake mail, that is, a fake (forged) header...

What I am interested in, though, is what can be read between the lines in headers like these?

I tried a traceroute; look at what I got (two messages above).
Someone is doing something new...
[ Gojko Vujovic @ 08.07.2002. 15:56 ] @
I think stinger is wrong. The open relay it was sent through is not that important; that will be closed easily. This is the one that needs to be caught, if I'm not mistaken:

http://www.samspade.org/t/lookat?a=202.164.168.14

From the Philippines, by all appearances..
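As an added example (not code from the thread or from elitesecurity.org), here is Gojko's three-step reading of the header done programmatically on the headers cest posted: unfold the Received: lines, treat the ones written by the recipient's own MTAs as facts, take the peer IP on the last of those as the relay to report (stinger's 61.128.176.77), and take the first line written by an outside host as that host's claim about who connected to it (Gojko's 202.164.168.14). It assumes ptt.yu is the recipient's provider; the Date: skew check at the end is an extra the thread does not discuss.

```python
"""Walk a message's Received: chain back to the host that injected it.

Added example for this thread, not code from elitesecurity.org or the posters.
Assumption: "ptt.yu" is the recipient's own provider, so Received: lines
written by *.ptt.yu hosts are trusted; everything below them is hearsay.
"""
import re
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import List, Optional, Sequence

# The headers as posted in the thread, re-folded with tabs the way an MTA writes
# them.  Addresses are redacted on the page ([email protected]) and left that way.
SAMPLE_HEADERS = """\
Return-Path: <[email protected]>
Received: from ns1.ptt.yu (ns1.ptt.yu [212.62.32.1])
\tby pop3.ptt.yu (8.11.6/8.11.6) with ESMTP id g61LGE004846
\tfor <[email protected]>; Mon, 1 Jul 2002 23:16:14 +0200
Received: (from [email protected])
\tby ns1.ptt.yu (8.11.6/8.11.6) id g61LGI928868
\tfor [email protected]; Mon, 1 Jul 2002 23:16:18 +0200
Received: from svr1.fl.cq.gov.cn ([61.128.176.77])
\tby ns1.ptt.yu (8.11.6/8.11.6) with ESMTP id g61LGGf28755
\tfor <[email protected]>; Mon, 1 Jul 2002 23:16:17 +0200
Message-Id: <[email protected]>
Received: from smtp023.mail.yahoo.com (SERVER [202.164.168.14]) by svr1.fl.cq.gov.cn with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3)
\tid N7C4XA08; Tue, 2 Jul 2002 00:09:16 +0800
Date: Mon, 1 Jul 2002 00:02:48 -0700
From: [email protected]
To: [email protected]
Subject: Attention
"""


@dataclass
class Hop:
    from_name: Optional[str]  # name the peer gave in HELO (sender-controlled)
    from_ip: Optional[str]    # peer address the receiving MTA saw on the socket
    by_host: str              # the MTA that wrote this Received: line
    raw: str


_FROM = re.compile(r"^from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(headers: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_received(lines: Sequence[str]) -> List[Hop]:
    """Received: hops in header order, i.e. newest (closest to us) first."""
    hops: List[Hop] = []
    for line in lines:
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        by = _BY.search(body)
        if not by:
            continue
        peer = body[: by.start()]  # only the text before "by" describes the peer
        name, ip = _FROM.match(peer), _IP.search(peer)
        hops.append(Hop(name.group(1) if name else None,
                        ip.group(1) if ip else None, by.group(1), body))
    return hops


def is_trusted(host: Optional[str], domains: Sequence[str]) -> bool:
    h = (host or "").lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def trace_origin(headers: str, trusted=("ptt.yu",)) -> dict:
    """Split the chain at the edge of what our own MTAs recorded.

    The peer IP on the last trusted line is the host that handed the mail to us
    (the relay).  The first line below it was written by an outside host, so the
    IP it names is only that host's claim; the HELO name is the sender's own.
    """
    lines = unfold(headers)
    edge: Optional[Hop] = None     # last Received: written by a trusted MTA
    foreign: Optional[Hop] = None  # first Received: written by an outside host
    for hop in parse_received(lines):
        if is_trusted(hop.by_host, trusted):
            edge = hop
        else:
            foreign = hop
            break
    result = {
        "relay_ip": edge.from_ip if edge else None,
        "relay_name": edge.from_name if edge else None,
        "origin_ip": foreign.from_ip if foreign else None,
        "origin_helo": foreign.from_name if foreign else None,
        "date_skew_hours": None,
    }
    # Date: is written by the sender; compare it with our own MTA's timestamp.
    date = next((l for l in lines if l.lower().startswith("date:")), None)
    if edge and date and ";" in edge.raw:
        claimed = parsedate_to_datetime(date.split(":", 1)[1].strip())
        stamped = parsedate_to_datetime(edge.raw.rsplit(";", 1)[1].strip())
        result["date_skew_hours"] = round((stamped - claimed).total_seconds() / 3600, 1)
    return result


if __name__ == "__main__":
    r = trace_origin(SAMPLE_HEADERS)
    print(f"handed to us by:    {r['relay_name']} [{r['relay_ip']}]  (the relay; report it)")
    print(f"handed to relay by: [{r['origin_ip']}] claiming to be {r['origin_helo']}")
    print(f"Date: header is {r['date_skew_hours']} h behind our own timestamp")
```

The split matters for the abuse report: the relay's IP is a fact your own server recorded, while the originating IP and the yahoo.com HELO name come from an Exchange box you do not control, so the second report (to the network owning 202.164.168.14) should say that the address is taken from the relay's Received: line.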
[ cest @ 08.07.2002. 18:20 ] @
Quote:
cest:
Quote:
stinger:
..., you would have to post the full header
of the message so that we can ...


I'll try to upload the junk.

...
Received: from svr1.fl.cq.gov.cn ([61.128.176.77])
    by ns1.ptt.yu (8.11.6/8.11.6) with ESMTP id g61LGGf28755
    for <[email protected]>; Mon, 1 Jul 2002 23:16:17 +0200
Message-Id: <[email protected]>
Received: from smtp023.mail.yahoo.com (SERVER [202.164.168.14]) by svr1.fl.cq.gov.cn with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3)
...
From: [email protected]
...


By the time I figured out which mail it was...

Here's your BackTrace...
1 172.16.2.34 (172.16.2.34) 129.822 ms 128.075 ms 128.649 ms
2 172.16.2.27 (172.16.2.27) 119.835 ms 120.084 ms 119.589 ms
3 Bgd-NS-I.ptt.yu (212.62.38.1) 130.225 ms 119.612 ms 119.916 ms
4 PTT2-bcn.telekom.yu (195.178.34.49) 139.847 ms 160.647 ms 129.226 ms
5 pa1-srbija-telekom-1-yu.seabone.net (195.22.192.161) 189.629 ms 159.676 ms 193.008 ms
6 ge9-0-mil8-mila.mil.seabone.net (195.22.208.7) 167.663 ms 179.904 ms 192.586 ms
7 sl-gw10-mil-10-2.sprintlink.net (217.147.129.105) 197.128 ms 179.386 ms 169.856 ms
8 sl-bb20-mil-8-0.sprintlink.net (217.147.128.3 169.836 ms 189.006 ms 161.408 ms
9 sl-bb21-par-12-0.sprintlink.net (213.206.129.25) 188.392 ms 190.026 ms 178.624 ms
10 sl-bb20-lon-13-0.sprintlink.net (213.206.129.69) 199.894 ms 194.334 ms 175.402 ms
11 sl-bb21-lon-15-0.sprintlink.net (213.206.128.3 199.965 ms 189.574 ms 231.056 ms
12 sl-bb20-msq-10-0.sprintlink.net (144.232.19.69) 278.671 ms 268.263 ms 279.861 ms
13 sl-bb21-msq-15-0.sprintlink.net (144.232.9.110) 310.152 ms 260.621 ms 260.932 ms
14 sl-bb22-rly-15-3.sprintlink.net (144.232.19.9 258.449 ms 260.905 ms 310.088 ms
15 sl-bb20-sj-5-3.sprintlink.net (144.232.9.21 309.686 ms 342.512 ms 318.231 ms
16 sl-st20-pa-15-1.sprintlink.net (144.232.20.42) 319.335 ms 350.808 ms 368.784 ms
17 sl-reach1-4-0.sprintlink.net (144.223.243.14) 400.134 ms 349.666 ms 359.977 ms
18 i-1-0.paix04.hkt.net (202.84.251.20) 369.895 ms 369.721 ms 360.003 ms
19 i-1-1.hhtstcbr01.hkt.net (202.84.249.13) 529.661 ms 539.605 ms 529.889 ms
20 i-7-2.tmhstcbr01.hkt.net (202.84.249.9) 529.884 ms 529.778 ms 810.065 ms
21 207.176.96.67 (207.176.96.67) 539.533 ms 549.727 ms 829.908 ms
22 207.176.97.98 (207.176.97.9 589.892 ms 549.662 ms 599.842 ms
23 203.167.82.2 (203.167.82.2) 549.834 ms 559.571 ms 560.096 ms
24 * * *
25 202.164.168.14 (202.164.168.14) 560.187 ms 560.027 ms 589.638 ms

Make of it what you will.

By the way, is that MAPUA-INSTITUT-OF-TECH at that link?
Is some student bombing me?

)*(** (I'm going to beat him up...)
[ stinger @ 12.07.2002. 15:19 ] @
Quote:
Gojko Vujovic:
I think stinger is wrong. The open relay it was sent through is not that important; that will be closed easily.


Wrong about what? :) That someone should notify those guys that they are running an open relay? :)
[ Gojko Vujovic @ 12.07.2002. 18:29 ] @
As I already wrote in the quoted part, the open relay will be closed easily. There are hundreds of open relay servers active on the net, and it is never a problem to find a new, active one.

Finding and stopping the one who used it is harder.