This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 16:22:19 -0700

Quoting Robert Gilman (rbob@dnai.com):

> Just recently I received a piece of spam showing my own email address as sender.

Welcome to the Internet. ;->

Those of us who hunt down spammers know that _every_ header in a spam-o-gram can be and usually is forged, with the exception of at least some contents of some of the Received headers. Spammers do everything possible to shift both costs and consequences onto other people -- but mostly using automated, dumbed-down Win32 spam generation programs and lists of names they've bought from somewhat more competent but equally scummy people. Thus, Caveman Og's rules:

1. Spammers lie.
2. Spammers are stupid.

Some choice quotations from Chairman Og:
http://linuxmafia.com/pub/humour/caveman-og

> I contacted my ISP and had them reset my password.

That put you and the ISP through some trouble for no benefit, I'm sorry to say.

===
From: Joseph Zitt <jzitt@metatronpress.com>
To: "Brian Sroufek" <brian_sroufek@msdesigninc.com>
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 18:22:49 -0700

On Fri, 16 Aug 2002 20:17:42 -0400
"Brian Sroufek" <brian_sroufek@msdesigninc.com> wrote:

> Since most of my spam comes from a limited (?) set of ISPs, typically some non-US ISPs willing, perhaps, to host anything for $$, a good spam filter would black list the ISP, and
>
> ==>
> return an email indicating to the poor opportunist that their ISP has been black listed.
> <==
>
> Wonder how fast the proliferation of that technique would quell the traffickers?

How fast is a dead snail? Most of what it would do is block you from getting mail from innocent people whose addresses were forged into the email, including (especially?) friends whose addresses happened to reside with yours in some poor fool's Outlook address book, and who might be confused and insulted by receiving email from you accusing them of wrongdoing.

===
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 18:35:09 -0700

Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):

> Since most of my spam comes from a limited (?) set of ISPs, typically some non-US ISPs willing, perhaps, to host anything for $$, a good spam filter would black list the ISP, and
>
> ==>
> return an email indicating to the poor opportunist that their ISP has been black listed.
> <==

Out of curiosity, how are you identifying originating ISPs? A lot of people seem to try to do this by taking some of the spam headers at face value. In my experience, nailing down the originating host sometimes takes some detective work.

===
From: "Brian Sroufek" <brian_sroufek@msdesigninc.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:11:42 -0400

> Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):
>
> > Since most of my spam comes from a limited (?) set of ISPs, typically some non-US ISPs willing, perhaps, to host anything for $$, a good spam filter would black list the ISP, and
> >
> > ==>
> > return an email indicating to the poor opportunist that their ISP has been black listed.
> > <==
>
> Out of curiosity, how are you identifying originating ISPs? A lot of people seem to try to do this by taking some of the spam headers at face value. In my experience, nailing down the originating host sometimes takes some detective work.

From having wasted a lot of time chasing down and reporting spammers to major free-email ISPs: they got tired of me and gave me instructions on how to identify the first received: header (lowest in view).

This header cannot be forged, I'm to understand and, sure enough, go chase it down (arin.net - least likely, usually European, Asian, ...) and you find joe blow ISP on some small island - sometimes, this is not exaggeration.

So, having recently written an N-tier servlet with header analysis stuff, I can easily see an automation method that suggests...the ISP for an "Add" to the "black-list" mentioned earlier.

Only trouble is that most of those foreign ones that do this conveniently have no "abuse", "spam", "postmaster" type of addresses: so, the offending ISP isn't always notifiable (easily).

===
From: "Brian Sroufek" <brian_sroufek@msdesigninc.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:25:08 -0400

How about a pre-recorded message sent via (free?) internet telephone to the phone number snatched from the Registry for the offending ISP?

Too big brot-hery, even Sea Eye A scary, but as long as the ISPs are hand-added, and they have no way of hi-tting your residence with an over-the-sea mis-sile....

Anyway, as long as the spam stops, they don't *have* to know.

===
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 21:33:12 -0700

Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):

> From having wasted a lot of time chasing down and reporting spammers to major free-email ISPs: they got tired of me and gave me instructions on how to identify the first received: header (lowest in view).
>
> This header cannot be forged, I'm to understand and, sure enough, go chase it down (arin.net - least likely, usually European, Asian, ...) and you find joe blow ISP on some small island - sometimes, this is not exaggeration.

If you are merely electing to believe the bottom-most Received header ("lowest in view"), and are believing any information whatsoever in any such header other than that generated by SMTP servers you have reason to trust, then you're setting yourself up to be fooled.

Alas, I've seen many, many people go bother innocent parties because they relied on bogus header data. And misdirected complaints from the inexperienced are among the major reasons why "postmaster" and "abuse" mailboxes have been overwhelmed and rendered effectively unusable.

Having been given "instructions" by an ISP is just not sufficient preparation, I'm afraid. I seriously recommend studying how SMTP works and how header forgery works. There's good information on-line.
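The rule Rick states above, that nothing in a Received header counts unless it was written by an SMTP server you have reason to trust, can be applied mechanically. What follows is an added example written for this page, not code posted by anyone in the thread. It walks the Received chain from the receiver's end downward, believes a hop only while the "by" host is one of your own MTAs and the chain is continuous (each trusted hop must say it got the mail from the host that stamped the next line down), and reports the connecting IP of the last hop you can vouch for. That IP is the only thing worth taking to a whois lookup or an abuse desk; everything below it, and the From/To/Reply-To lines, arrived inside the message exactly as the sender chose to write them. The MTA names mx.example.net and relay.example.net, both sample messages, and the RFC 5737 addresses are all constructed for the example.

```python
"""Walk a message's Received: chain and keep only the hops we can vouch for.

Added example for this thread, not code posted by any participant. The MTAs
(mx.example.net, relay.example.net), both messages and the addresses (RFC
5737 documentation ranges) are constructed.
"""
import email
import re

# Assumption: these are the hosts whose Received: lines we wrote ourselves.
TRUSTED_MTAS = {"mx.example.net", "relay.example.net"}

# Constructed spam. Only the topmost Received: line was added by our MTA; the
# two below it, and From/To/Reply-To, were already inside the message.
RAW_SPAM = b"""\
Received: from localhost.localdomain (unknown.example.org [203.0.113.77] (may be forged))
\tby mx.example.net (8.12.2/8.12.2/Debian -5) with ESMTP id g772PEcC024271
\tfor <victim@example.net>; Tue, 6 Aug 2002 19:25:15 -0700
Received: from 127.0.0.1 ([127.0.0.1])
\tby bogusrelay.example.com (8.11.2/8.11.2) with SMTP id 2345911028685998
\tfor to; Tue Aug 6 22:02:33 2002
Received: from mail.bigisp.example ([198.51.100.9]) by bogusrelay.example.com
\twith ESMTP; Tue, 6 Aug 2002 21:59:00 +0000
From: victim@example.net
To: victim@example.net
Reply-To: victim@example.net
Subject: You're Paying Too Much

spam body
"""

# Constructed list mail that crossed two of our own MTAs, so the trusted
# chain is two hops long and the actionable IP sits below the second.
RAW_LIST_MAIL = b"""\
Received: from relay.example.net (root@relay.example.net [192.0.2.10])
\tby mx.example.net (8.12.2/8.12.2/Debian -5) with ESMTP id g7H4YlcC021274
\tfor <me@example.net>; Fri, 16 Aug 2002 21:35:07 -0700
Received: from sender.example.org (sender.example.org [198.51.100.186])
\tby relay.example.net (8.12.3/8.12.3/Debian -4) with ESMTP id g7H4WmaG025208
\tfor <list@example.net>; Fri, 16 Aug 2002 21:32:48 -0700
Received: from rick by sender.example.org with local (Exim 3.35 #1 (Debian))
\tid 17fvGy-0005vB-00 for <list@example.net>; Fri, 16 Aug 2002 21:33:12 -0700
From: someone@example.org
To: list@example.net
Subject: hello

hello
"""

RE_FROM = re.compile(r"^from\s+(\S+)")
RE_BY = re.compile(r"\bby\s+(\S+)")
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4
RE_RDNS = re.compile(r"\(([^\s()\[\]]+)\s*\[")         # "(name [ip]" -> name


def parse_received(value):
    """Pull the sendmail-style fields out of one Received: header value."""
    text = " ".join(value.split())  # unfold continuation lines
    helo, by, ip, rdns = (p.search(text) for p in (RE_FROM, RE_BY, RE_IP, RE_RDNS))
    return {
        "helo": helo.group(1) if helo else None,                 # peer's claim
        "rdns": rdns.group(1).split("@")[-1] if rdns else None,  # what our MTA saw
        "ip": ip.group(1) if ip else None,                       # from the socket
        "by": by.group(1) if by else None,
        "may_be_forged": "(may be forged)" in text,              # HELO != rDNS
    }


def analyze(raw_message, trusted_mtas):
    """Return the hops we can vouch for, top down, and the IP they hand us.

    A hop counts only if it was stamped 'by' one of our own MTAs and the
    previous trusted hop said it received the mail from that same host.
    Everything below the first untrusted hop is the sender's claim.
    """
    msg = email.message_from_bytes(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    reliable, expected_by = [], None
    for hop in hops:
        if hop["by"] not in trusted_mtas:
            break
        if expected_by is not None and hop["by"] != expected_by:
            break
        reliable.append(hop)
        expected_by = hop["rdns"] or hop["helo"]
    return {
        "reliable_hops": reliable,
        "untrusted_received": len(hops) - len(reliable),
        "act_on_ip": reliable[-1]["ip"] if reliable else None,
        "claimed_from": msg.get("From"),  # never evidence of anything
    }


if __name__ == "__main__":
    for label, raw in (("spam", RAW_SPAM), ("list mail", RAW_LIST_MAIL)):
        r = analyze(raw, TRUSTED_MTAS)
        print(f"{label}: act on {r['act_on_ip']}; {r['untrusted_received']} "
              f"Received line(s) below the trust boundary; From: "
              f"{r['claimed_from']} is only a claim")
```

Note what the spam case does and does not tell you: the actionable address is the one your own MTA took from the TCP connection, and sendmail's "(may be forged)" annotation only says the peer's HELO name did not match its reverse DNS. Whether that host is the spammer, an open relay or a cracked box is a separate question that the headers cannot settle.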
===
To: balug-talk@balug.org
From: Robert Gilman <rbob@dnai.com>
Subject: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:15:39 -0700

The following is the message header from my spam:

X-Authentication-Warning: moe.sfrn.dnai.com: 62-37-182-26.dialup.uni2.es [62.37.182.26] didn't use HELO protocol
From: rbob@dnai.com
Subject: You're Paying Too Much
X-Sender: rbob@dnai.com
To: rbob@dnai.com
Reply-To: rbob@dnai.com
Importance: Normal
MIME-Version: 1.0
X-Encoding: MIME
Date: Wed, 14 Aug 2002 17:40:57 -0500
Status: U

The gist of what I'm picking up is that I should not worry too much and pick up some mail filtering software. Thx for the replies.

===
From: Nick Moffitt <nick@zork.net>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:07:32 -0700

begin Brian Sroufek quotation:

> they got tired of me and gave me instructions on how to identify the first received: header (lowest in view).
>
> This header cannot be forged, I'm to understand and,

Your understanding needs a real good fixin'.

===
From: Nick Moffitt <nick@zork.net>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:08:50 -0700

begin Robert Gilman quotation:

> The following is the message header from my spam:
>
> X-Authentication-Warning: moe.sfrn.dnai.com: 62-37-182-26.dialup.uni2.es [62.37.182.26] didn't use HELO protocol
> From: rbob@dnai.com
> Subject: You're Paying Too Much
> X-Sender: rbob@dnai.com
> To: rbob@dnai.com
> Reply-To: rbob@dnai.com
> Importance: Normal
> MIME-Version: 1.0
> X-Encoding: MIME
> Date: Wed, 14 Aug 2002 17:40:57 -0500
> Status: U

Woefully incomplete, at best. Lots more bogus information will likely be available for your perusal and entertainment if you bring up FULL headers for that message.
===
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 22:20:07 -0700

Quoting Robert Gilman (rbob@dnai.com):

> The following is the message header from my spam:
                    ^ highly incomplete

news.admin.net-abuse.email is probably where you want to be.

===
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Rick Moen <rick@linuxmafia.com>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 22:37:04 -0700

Rick and Brian,

There is one line in an email header that you can (reasonably) trust - the first Received: header. The reason for this is because it is YOUR email MTA that creates this header. If I used Rick's email as an example:

Return-Path: <balug-talk-admin@balug.org>
Received: from colo1.sifry.com (root@colo1.sifry.com [198.186.203.94])
	by inferno.sifry.com (8.12.2/8.12.2/Debian -5) with ESMTP id g7H4YlcC021274
	for <david@sifry.com>; Fri, 16 Aug 2002 21:35:07 -0700
Received: from colo1.sifry.com (mailman@colo1 [127.0.0.1])
	by colo1.sifry.com (8.12.3/8.12.3/Debian -4) with ESMTP id g7H4XAaG025230;
	Fri, 16 Aug 2002 21:33:10 -0700
Received: from linuxmafia.com (linuxmafia.COM [198.144.195.186])
	by colo1.sifry.com (8.12.3/8.12.3/Debian -4) with ESMTP id g7H4WmaG025208
	for <balug-talk@balug.org>; Fri, 16 Aug 2002 21:32:48 -0700
Received: from rick by linuxmafia.com with local (Exim 3.35 #1 (Debian))
	id 17fvGy-0005vB-00
	for <balug-talk@balug.org>; Fri, 16 Aug 2002 21:33:12 -0700
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Message-ID: <20020817043312.GQ9654@linuxmafia.com>
References: <E17ft42-0003Xj-00@hydrogen.liquidweb.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E17ft42-0003Xj-00@hydrogen.liquidweb.com>
User-Agent: Mutt/1.4i
From: Rick Moen <rick@linuxmafia.com>
Date: 16 Aug 2002 21:33:12 -0700

The first Received line is something I can trust, because I am reasonably sure that my mail server (inferno.sifry.com) hasn't been hacked:

Received: from colo1.sifry.com (root@colo1.sifry.com [198.186.203.94])
	by inferno.sifry.com (8.12.2/8.12.2/Debian -5) with ESMTP id g7H4YlcC021274
	for <david@sifry.com>; Fri, 16 Aug 2002 21:35:07 -0700

This tells me that the MTA that connected to my mail server was located at 198.186.203.94 and that it called itself colo1.sifry.com.

When you check most spam email, its headers look something like this:

Return-Path: <errors@buyingfrenzy.com>
Received: from localhost.localdomain (mail2.nexplore.com [157.238.138.36] (may be forged))
	by inferno.sifry.com (8.12.2/8.12.2/Debian -5) with ESMTP id g772PEcC024271
	for <david@sifry.com>; Tue, 6 Aug 2002 19:25:15 -0700
To: david@sifry.com
X-FP: 64617669644073696672792e636f6d
Received: from 127.0.0.1 ([127.0.0.1]) by nexdeals.com (8.11.2/8.11.2) with SMTP id 2345911028685998 for to; Tue Aug 6 22:02:33 2002
Date: 06 Aug 2002 22:02:33 +0000
Message-Id: <2002822233.2345911028685998@mail2.nexdeals.com>
X-Form: 1649
From: FREE Quote! <GreatDeals@nexdeals.com>
Reply-To: nexdeals <errors@nexdeals.com>
Subject: *****SPAM***** You Need Auto Insurance, Not a Big Bill!
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Note the first (and in this case, only) Received: header. It tells me:

Received: from localhost.localdomain (mail2.nexplore.com [157.238.138.36] (may be forged))
	by inferno.sifry.com (8.12.2/8.12.2/Debian -5) with ESMTP id g772PEcC024271
	for <david@sifry.com>; Tue, 6 Aug 2002 19:25:15 -0700

Someone from 157.238.138.36, which called itself "localhost.localdomain", but whose reverse DNS lookup shows "mail2.nexplore.com", connected to my mail server and delivered the spam.

All that means is that I can trust the last hop; it might be that that machine is a cracked or trojaned mail server of a perfectly legitimate ISP or company, or it could be a dynamic dialup account, but at least I can then go to ARIN with the IP address block and find out who the upstream ISP is. I can also do a traceroute on the IP address to get some good info, here's an excerpt:

$ traceroute 157.238.138.36
....
11  so-7-0-0.gar2.SanJose1.Level3.net (64.159.1.78)  16.499 ms  14.918 ms  16.606 ms
12  so-7-0-0.edge1.SanJose1.level3.net (209.244.3.142)  18.630 ms  19.717 ms  18.126 ms
13  unknown.ix.singtel.com (209.245.146.154)  18.732 ms  19.554 ms  18.327 ms
14  p16-0-1-0.r20.snjsca04.us.bb.verio.net (129.250.3.86)  21.520 ms  19.067 ms  18.711 ms
15  p16-3-0-0.r00.mlpsca01.us.bb.verio.net (129.250.5.8)  23.594 ms  19.263 ms  22.193 ms
16  p16-5-0-0.r00.nwrknj01.us.bb.verio.net (129.250.5.113)  88.631 ms  92.251 ms  96.791 ms
17  p1-1-0-0.r01.rochny01.us.bb.verio.net (129.250.2.148)  100.158 ms  99.188 ms  99.093 ms
18  ge-1-2.a00.rochny01.us.da.verio.net (129.250.29.217)  98.052 ms  99.486 ms  99.202 ms
19  157.238.140.34 (157.238.140.34)  99.576 ms  105.270 ms  100.056 ms
20  mail2.nexplore.com (157.238.138.36)  100.796 ms  98.150 ms  *

So this tells me that I can feel comfortable sending abuse emails to nexplore.com and to its upstream provider, verio.net. In fact, I have a pretty good idea which jurisdiction the spammer is in - Rochester, NY. See line 18 for where I get that hint.

Of course, I could have just gone to http://www.nexplore.com/ and found out that they are:

    an online media placement company founded in 2000. We deliver marketing solutions by working closely with publishers, agencies, and fresh opt-in list owners. We identify and plan media for all industry segments. Nexplore will find the right medium for your next banner, email, or lead generation campaign.

Yikes! Professional spammers!

A check of their whois record shows:

Registrant:
Nexplore Ltd. (NEXPLORE5-DOM)
   null
   null
   null

   Domain Name: NEXPLORE.COM

   Administrative Contact:
      Nexplore, Ltd (PYVCYSDRLI)  support@NEXPLORE.COM
      Nexplore, Ltd.
      29B Commodore Street
      Albany, NY 12205
      US
      518-446-1153 518-446-1105
   Technical Contact:
      VeriSign, Inc. (HOST-ORG)  namehost@WORLDNIC.NET
      VeriSign, Inc.
      21355 Ridgetop Circle
      Dulles, VA 20166
      US
      1-888-642-9675
      fax: -
      namehost@worldnic.net

Ah ha! So they are located in Albany, NY, not far from Rochester. At this point, I could contact them via their phone number, or I could call the NY State Attorney General's office, have a lawyer send a cease-and-desist, instigate civil procedures against them, etc.

Enjoy spam hunting. I installed SpamAssassin and 99% of my spam has been tagged; makes email a much more pleasant experience nowadays.

Dave

On Fri, 2002-08-16 at 21:33, Rick Moen wrote:
> Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):
>
> > From having wasted a lot of time chasing down and reporting spammers to major free-email ISPs: they got tired of me and gave me instructions on how to identify the first received: header (lowest in view).
> >
> > This header cannot be forged, I'm to understand and, sure enough, go chase it down (arin.net - least likely, usually European, Asian, ...) and you find joe blow ISP on some small island - sometimes, this is not exaggeration.
>
> If you are merely electing to believe the bottom-most Received header ("lowest in view"), and are believing any information whatsoever in any such header other than that generated by SMTP servers you have reason to trust, then you're setting yourself up to be fooled.
>
> Alas, I've seen many, many people go bother innocent parties because they relied on bogus header data. And misdirected complaints from the inexperienced are among the major reasons why "postmaster" and "abuse" mailboxes have been overwhelmed and rendered effectively unusable.
>
> Having been given "instructions" by an ISP is just not sufficient preparation, I'm afraid. I seriously recommend studying how SMTP works and how header forgery works. There's good information on-line.

===
To: "David L. Sifry" <david@sifry.com>
From: Deirdre Saoirse Moen <deirdre@deirdre.net>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Cc: Balug <balug-talk@balug.org>
Date: Fri, 16 Aug 2002 22:46:50 -0700

At 10:37 PM -0700 8/16/02, David L. Sifry wrote:
> Rick and Brian,
>
> There is one line in an email header that you can (reasonably) trust - the first Received: header. The reason for this is because it is YOUR email MTA that creates this header.

Wrong. You can forge that too! You just simply add a line and pretend it's not your MUA.

http://www.rahul.net/falk/mailtrack.html

You're using unforged mail to explain how forgeries work. Not smart.

This reminds me of a usenet discussion I had about forgeries in 1995. Same kind of problem.

===
From: Rick Moen <rick@linuxmafia.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:49:22 -0700

Quoting David L. Sifry (david@sifry.com):

> There is one line in an email header that you can (reasonably) trust - the first Received: header.

Dave, sorry, no.

All the spammer has to do is inject mail that already has forged Received headers in it.

Again: news.admin.net-abuse.email

===
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Deirdre Saoirse Moen <deirdre@deirdre.net>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 22:55:34 -0700

Um, I'm sorry Dierdre, but either you misread my email or you didn't read the URL you referenced:

To wit:

From <http://www.rahul.net/falk/mailtrack.html>:

Received:
    These are the most reliable lines in the header. They form a list of all sites through which the message traveled in order to reach you. They are completely unforgeable after the point where it was injected. Up to that point, they may be forgeries.

I trust my last-hop MTA, and unless it has been hacked, the first Received header is reliable. If I'm wrong and you know of a way to forge that header outside of something exotic like IP spoofing, please correct me.

Dave

On Fri, 2002-08-16 at 22:46, Deirdre Saoirse Moen wrote:
> At 10:37 PM -0700 8/16/02, David L. Sifry wrote:
> > Rick and Brian,
> >
> > There is one line in an email header that you can (reasonably) trust - the first Received: header. The reason for this is because it is YOUR email MTA that creates this header.
>
> Wrong. You can forge that too! You just simply add a line and pretend it's not your MUA.
>
> http://www.rahul.net/falk/mailtrack.html
>
> You're using unforged mail to explain how forgeries work. Not smart.
>
> This reminds me of a usenet discussion I had about forgeries in 1995. Same kind of problem.

===
To: Balug <balug-talk@balug.org>
From: Bill Moseley <moseley@hank.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 22:55:44 -0700

At 10:49 PM 08/16/02 -0700, Rick Moen wrote:
> Quoting David L. Sifry (david@sifry.com):
>
> > There is one line in an email header that you can (reasonably) trust - the first Received: header.
>
> Dave, sorry, no.
>
> All the spammer has to do is inject mail that already has forged Received headers in it.

Dave was talking about the top header, inserted locally upon receipt from a remote machine. How is that forged if delivered to your system via SMTP?

===
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Rick Moen <rick@linuxmafia.com>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 22:57:25 -0700

On Fri, 2002-08-16 at 22:49, Rick Moen wrote:
> Quoting David L. Sifry (david@sifry.com):
>
> > There is one line in an email header that you can (reasonably) trust - the first Received: header.
>
> Dave, sorry, no.
>
> All the spammer has to do is inject mail that already has forged Received headers in it.
>
> Again: news.admin.net-abuse.email

Yes, but those forged headers appear BELOW the first Received: header. I can still trust the first Received: header, even if I can't trust all the ones after it. In most cases, it points me straight to the spammer; in others, it points me to an open relay or a trojaned box that is acting as a relay.

===
From: Rick Moen <rick@linuxmafia.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 23:05:44 -0700

Quoting David L. Sifry (david@sifry.com):

> Yes, but those forged headers appear BELOW the first Received: header. I can still trust the first Received: header, even if I can't trust all the ones after it.

The bottom-most Received header _is_ the one that purports to be first.

What you seem to be aiming at is the key problem of determining where the spam injection point was. _If_ you can do that, then you know where it came from. The problem is that many people assume they know what information is forged, when they really have no idea.

===
To: "David L. Sifry" <david@sifry.com>
From: Deirdre Saoirse Moen <deirdre@deirdre.net>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Cc: Balug <balug-talk@balug.org>
Date: Fri, 16 Aug 2002 23:09:36 -0700

At 10:55 PM -0700 8/16/02, David L. Sifry wrote:
> Um, I'm sorry Dierdre, but either you misread my email or you didn't read the URL you referenced:

You've known me for three years and you still can't spell my name.

> To wit:
>
> From <http://www.rahul.net/falk/mailtrack.html>:
>
> Received:
>     These are the most reliable lines in the header. They form a list of all sites through which the message traveled in order to reach you. They are completely unforgeable after the point where it was injected. Up to that point, they may be forgeries.

Right. So, say you've got 5 received headers on a piece of spam. You know #5 is accurate. I think the problem is that you say "first received header" which I understood as earliest in time -- you are apparently calling it the LAST in time, which I call #5.

You know that somewhere between 1 and 4, the spam was injected. You don't know WHICH host it was without further examination, which that URL will tell you how to do.

> If I'm wrong and you know of a way to forge that header outside of something exotic like IP spoofing, please correct me.

Yes, you insert fake Received headers *BELOW* where your header will be injected.

And that kind of IP spoofing *isn't* exotic. They've been doing it for at least 7 years now.

===
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Fri, 16 Aug 2002 23:12:09 -0700

Quoting Bill Moseley (moseley@hank.org):

> Dave was talking about the top header, inserted locally upon receipt from a remote machine. How is that forged if delivered to your system via SMTP?

Oh, _that_ Received header is guaranteed to record (at least) a valid IP, since it was appended by one's own system using information taken directly from the socket. If that's what he meant, then yeah.

But that may not tell you where the spam originated, just what IP address it transited immediately before yours. You may end up trying to get an open relay closed -- or pressure for an end to SMTP acceptance from a dial-up host. Not that that's a bad thing.

===
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Rick Moen <rick@linuxmafia.com>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 23:12:27 -0700

Rick Moen wrote:
> Quoting David L. Sifry (david@sifry.com):
>
> > Yes, but those forged headers appear BELOW the first Received: header. I can still trust the first Received: header, even if I can't trust all the ones after it.
>
> The bottom-most Received header _is_ the one that purports to be first.
>
> What you seem to be aiming at is the key problem of determining where the spam injection point was. _If_ you can do that, then you know where it came from. The problem is that many people assume they know what information is forged, when they really have no idea.

OK so it sounds like there was a bit of confusion over what the "first" header was - I always look at email from the perspective of the receiver, and in my example, I use "first" to mean the Header that appeared topmost in the email.

I think the confusion came from the reading of "first" as being the header that is bottommost in the email, purporting to be the Header that was attached first. Of course, as you and Dierdre point out, that header can easily be forged.

===
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: "David L. Sifry" <david@sifry.com>
To: Deirdre Saoirse Moen <deirdre@deirdre.net>
Cc: Balug <balug-talk@balug.org>
Date: 16 Aug 2002 23:16:11 -0700

Deirdre,

My apologies on the misspelling of your name, it was unintentional.

On Fri, 2002-08-16 at 23:09, Deirdre Saoirse Moen wrote:
> At 10:55 PM -0700 8/16/02, David L. Sifry wrote:
> > Um, I'm sorry Dierdre, but either you misread my email or you didn't read the URL you referenced:
>
> You've known me for three years and you still can't spell my name.
>
> > To wit:
> >
> > From <http://www.rahul.net/falk/mailtrack.html>:
> >
> > Received:
> >     These are the most reliable lines in the header. They form a list of all sites through which the message traveled in order to reach you. They are completely unforgeable after the point where it was injected. Up to that point, they may be forgeries.
>
> Right. So, say you've got 5 received headers on a piece of spam. You know #5 is accurate. I think the problem is that you say "first received header" which I understood as earliest in time -- you are apparently calling it the LAST in time, which I call #5.

Yup, it appears that's where the confusion started.

>
> You know that somewhere between 1 and 4, the spam was injected. You don't know WHICH host it was without further examination, which that URL will tell you how to do.
>

Right.

> > If I'm wrong and you know of a way to forge that header outside of something exotic like IP spoofing, please correct me.
>
> Yes, you insert fake Received headers *BELOW* where your header will be injected.
>
> And that kind of IP spoofing *isn't* exotic.

Well, that isn't IP spoofing. You still know that that last hop was either the originator of the spam, an open relay, or a cracked box, which at least gives you some cause of action.

>
> They've been doing it for at least 7 years now.
> --
> _Deirdre                                             http://deirdre.net
> "It is lots easier to build a house from plans than from dumping a pile of 2x4s into a vacant lot then moving them around until they look like a house." -- James D. MacDonald

===
To: "David L. Sifry" <david@sifry.com>
From: Deirdre Saoirse Moen <deirdre@deirdre.net>
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Cc: Balug <balug-talk@balug.org>
Date: Fri, 16 Aug 2002 23:20:08 -0700

At 11:12 PM -0700 8/16/02, David L. Sifry wrote:
> OK so it sounds like there was a bit of confusion over what the "first" header was - I always look at email from the perspective of the receiver, and in my example, I use "first" to mean the Header that appeared topmost in the email.

That's the way Rahul does it too. And yes, it's the first header come across. Being contrary, I tend to think chronologically rather than linearly.

Usenet spam has everything bang-separated on one line in the Path header. Bonus points to the old hands (except Nick or Rick) who can explain why.

> I think the confusion came from the reading of "first" as being the header that is bottommost in the email, purporting to be the Header that was attached first. Of course, as you and Deirdre point out, that header can easily be forged.

Yes. As long as we agree that the earliest isn't reliable.
On my name, I just tell people: spelled as in DEITY, not as in DIET. ;) === From: Dan Lyke <danlyke@flutterby.com> To: Balug <balug-talk@balug.org> Subject: Re: [Balug-talk] Hi-Jacked Email Address Date: Sat, 17 Aug 2002 08:01:11 -0700 Rick Moen writes: > Quoting David L. Sifry (david@sifry.com): > > > There is one line in an email header that you can (reasonably) trust - > > the first Received: header. > > Dave, sorry, no. Ummmm... Sendmail as I've always had it configured inserts its "Received" header above all the other "Received" headers. Thus the first line is trustable to the extent that I trust the MTA on the box which got the message. Forged "Received" lines get pushed further down in the stack. What MTA are you and Dierdre running? Dan _______________________________________________ Balug-talk mailing list Balug-talk@balug.org http://www.balug.org/mailman/listinfo/balug-talk === To: Balug <balug-talk@balug.org> Subject: Re: [Balug-talk] Hi-Jacked Email Address From: Rick Moen <rick@linuxmafia.com> Date: Sat, 17 Aug 2002 09:07:33 -0700 Quoting Dan Lyke (danlyke@flutterby.com): > Ummmm... Sendmail as I've always had it configured inserts its > "Received" header above all the other "Received" headers. Thus the > first line is trustable to the extent that I trust the MTA on the box > which got the message. Forged "Received" lines get pushed further down > in the stack. > > What MTA are you and Dierdre running? Let me know if you still have questions after catching up on the message thread (and learning how to spell Deirdre ;-> ). === To: balug-talk@balug.org From: Bill Moseley <moseley@hank.org> Subject: [Balug-talk] Routing table question Date: Sat, 17 Aug 2002 10:14:30 -0700 Good Morning, I was looking at my routing tables for my home lan. It all works fine, so I don't think I'm trying to fix anything, but on the other hand it doesn't completely make sense. Might be a lack of Peets this morning. 
Anyway, my goal with linux is to have things make sense, even if I have to ask basic questions ;). Hope you don't mind. I have a simple setup: /29 subnet with a DSL modem hooked to a switch, with a few machines on the internet side, and one acts as a router (really NAT) for my internal 192.168 segment. Destination Gateway Genmask Flags Metric Ref Use Iface 63.205.225.168 * 255.255.255.248 U 0 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0 loopback * 255.0.0.0 U 0 0 0 lo default gateway.hank.or 0.0.0.0 UG 0 0 0 eth1 "gateway" is PacBell's machine. Here's where I'm a bit confused. Here's one of my internal machine's table: Destination Gateway Genmask Flags Metric Ref Use Iface localnet * 255.255.255.0 U 0 0 0 eth0 default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0 I'm wondering why I don't have (or seem to need) an entry of: 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0 That is, if 192.168.0.10 wants to talk to 192.168.0.20 it looks like the only defined route is "default". The page at: http://www.debian.org/doc/manuals/network-administrator/ch-tcpip.html#s3.4 makes me think I should have a route to the local net. So, do why don't I need that route in the table? Thanks, === From: Dan Lyke <danlyke@flutterby.com> To: Balug <balug-talk@balug.org> Subject: Re: [Balug-talk] Hi-Jacked Email Address Date: Sat, 17 Aug 2002 10:03:15 -0700 Rick Moen writes: > Let me know if you still have questions after catching up on the message > thread Got it now from the web, most of those messages hadn't arrived at my address as of my writing the previous message. There's a puzzle for the "Received" lines, but given that I switched email addresses for my subscription this morning, probably a moot one. > (and learning how to spell Deirdre ;-> ). Yeesh. Yep, or just learning how to read without transposition, given that there seem to be a good number of "Dierdre"s in the world too, I must've only known the "diet" sort previously. 
And on Deirdre's question about bang-path addressing, I stopped adminning professionally 7 years ago, and I did *not* need the NNTP memories dredged up again. shudder. Time to spend some time with eliza...

> What would it mean to you if you got to discuss your nightmares
> about adminning usenet feeds?

===

From: Ramin Keyvan <keyvan@rhinonetworksolutions.com>
To: balug-talk@balug.org
Subject: [Balug-talk] Newbie question..Print queue configuration on home LAN...
Date: Sat, 17 Aug 2002 12:06:06 -0700

Group,

I have a LINUX (SuSe 8.0 Pro) box and a WIN2K box running on my LAN and I would like to configure my LINUX box to be able to use my WIN2K box as a "print server" and route print jobs to the Epson printer I have connected to the WIN2K box. I am having a devil of a time configuring this to work. What files do I need to edit in order to make this happen? What entries should I look for/add, etc.?

Any insight you might be able to provide would be greatly appreciated.

Cheers,
Rain

===

From: Kent Howard <balug@thisway.net>
To: Bill Moseley <moseley@hank.org>
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Routing table question
Date: Sat, 17 Aug 2002 14:06:58 -0700

On Sat, Aug 17, 2002 at 10:14:30AM -0700, Bill Moseley wrote:
> Here's where I'm a bit confused. Here's one of my internal machine's table:
>
>     Destination     Gateway          Genmask          Flags Metric Ref Use Iface
>     localnet        *                255.255.255.0    U     0      0   0   eth0
>     default         192.168.0.1      0.0.0.0          UG    0      0   0   eth0
>
> I'm wondering why I don't have (or seem to need) an entry of:
>
>     192.168.0.0     *                255.255.255.0    U     0      0   0   eth0
>
> That is, if 192.168.0.10 wants to talk to 192.168.0.20 it looks like the
> only defined route is "default".
>
> The page at:
>
> http://www.debian.org/doc/manuals/network-administrator/ch-tcpip.html#s3.4
>
> makes me think I should have a route to the local net.
>
> So, why don't I need that route in the table?

You probably do have it. Turn off name lookup for your routing table output by using the -n option to either route or netstat. (i.e. "route -n" or "netstat -r -n")

I suspect "localnet" may actually be your LAN route 192.168.0.0. On a basic system (not using NIS, or LDAP, etc for this) /etc/networks defines the symbolic names for networks and that's where "localnet" is likely defined on your system.

It looks to me like you are actually missing your loopback route which looks like this.

    Destination     Gateway          Genmask          Flags Metric Ref Use Iface
    127.0.0.0       0.0.0.0          255.0.0.0        U     0      0   0   lo

- Kent

===

From: Samantha Atkins <samantha@objectent.com>
To: balug <balug-talk@balug.org>
Subject: [Balug-talk] DNS question
Date: Sat, 17 Aug 2002 17:27:24 -0700

I tend to have several domains running against my local set of machines with fixed IP addresses. So far I have had my DSL ISP provider handle mapping domain MX, www, ftp records to one of my IP addrs. But it gets old and annoying to call them up and map new ones or move them about. So I am thinking of doing my own DNS stuff also. But the DNS literature looks a bit daunting. Can someone put me onto the minimum I need to know to map a few domain name records to a handful of IP addresses? I am drowning a bit in too much information without a clear idea how much of it is relevant to my specific needs.

One question is whether I will need to handle the entire household (block of 32 contiguous IP addresses) if I only really want to map my own domains to my set of 7 addrs.

Thanks for any clues.

===

To: Robert Gilman <rbob@dnai.com>
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: davidw@dedasys.com (David N. Welton)
Date: 16 Aug 2002 13:05:15 -0700

Do you still have that piece of spam?
Did it really come from your box, or did someone just use that as a 'from' address? You could post the headers here and I'm sure we could figure it out from that. If it's just a forgery, you don't have to worry. If it's coming from your box, then you may have been hacked, or simply allow mail relaying, and you have problems.

===

From: Mark Cohen <markc@binaryfaith.com>
To: <balug-talk@balug.org>
Subject: [Balug-talk] PIM help
Date: Fri, 16 Aug 2002 15:34:10 -0700 (PDT)

I have an interesting problem. I've got all of my contacts in (ahem) outlook and I'd like to get them into one of the many linux contact management tools. Is there an easy way to convert them?

-Mark

===

To: <bear@pagansexcult.org>
Cc: Byron <snail945@yahoo.com>, <balug-talk@balug.org>,
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: davidw@dedasys.com (David N. Welton)
Date: 16 Aug 2002 17:01:35 -0700

On the topic of spam, this is pretty interesting:

http://www.paulgraham.com/spam.html

===

From: Brian.Sroufek@WellsFargo.COM
To: balug-talk@balug.org
Subject: RE: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 17:13:42 -0700

josv@osp.nl [mailto:josv@osp.nl] wrote:
> Robert Gilman wrote:
>
> > I'm looking for advice.
>
> > Just recently I received a piece of spam showing my own
> > email address as sender. I contacted my ISP and had them
> > reset my password. I have a dial-up ISDN connection. Now
> > I'm wondering whether there's any danger that whoever took
> > my email address would also be able to steal my on-line
> > accounts information; for example, with my bank; and steal
> > from me that way. My ISP says "unlikely" but I'd be
> > grateful for opinions.
>
> It happened to me a couple of times as well. And, surprisingly, I never
> got any mail from people saying that they did not want their penis
> enlarged, that they were fine with the natural breasts they had or that
> they did not need any Viagra thank-you-very-much... :-)

Since most of my spam comes from a limited (?)
set of ISPs, typically some non-US ISPs willing, perhaps, to host anything for $$, a good spam filter would black list the ISP, and

==>
return an email indicating to the poor opportunist that their ISP has been black listed.
<==

Wonder how fast the proliferation of that technique would quell the traffickers?

===

From: Brian.Sroufek@WellsFargo.COM
To: balug-talk@balug.org
Subject: RE: [Balug-talk] Hi-Jacked Email Address
Date: Fri, 16 Aug 2002 18:37:09 -0700

Joseph Zitt [mailto:jzitt@metatronpress.com] wrote:
> "Brian Sroufek" <brian_sroufek@msdesigninc.com> wrote:
>
> > Since most of my spam comes from a limited (?)
> > set of ISPs, typically some non-US ISPs willing,
> > perhaps, to host anything for $$, a good spam
> > filter would black list the ISP, and
> >
> > ==>
> > return
> > an email indicating to the poor opportunist that
> > their ISP has been black listed.
> > <==
> >
> > Wonder how fast the proliferation of that technique
> > would quell the traffickers?
>
> How fast is a dead snail?
>
> Most of what it would do is block you from getting mail from innocent
> people whose addresses were forged into the email, including
> (especially?) friends whose addresses happened to reside with yours in
> some poor fool's Outlook address book, and who might be confused and
> insulted by receiving email from you accusing them of wrongdoing.

No worries, I'm sure, because my acquaintances would probably not be using the specific, small-island hideout ISP's as their originators.

===

From: Joseph Zitt <jzitt@metatronpress.com>
To: Brian.Sroufek@wellsfargo.com
Cc: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sat, 17 Aug 2002 21:19:35 -0500

Brian.Sroufek@wellsfargo.com wrote:
> No worries, I'm sure, because my acquaintances
> would probably not be using the specific,
> small-island hideout ISP's as their originators.

But again: it can be extremely difficult to tell that they came from them. See, again, the references on spam forgery.
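As an added illustration of the point argued in this thread (that only the Received: line stamped by your own MTA is trustworthy on its face, and each line below it only to the extent the relay above vouches for it), here is a small header walker. It is not code from any poster; the MTA name mail.example.com and the sample headers are constructed for the example.

```python
import re

# Assumption: the MTA whose Received: line sits on top (ours) is named this.
MY_MTA = "mail.example.com"

# Constructed sample: our MTA took the message from relay.example.net, which
# took it from a dial-up host; the bottom Received: line was supplied by the
# sender and names hosts that never appear in the hop above it.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C
    for <victim@example.com>; Fri, 16 Aug 2002 15:00:00 -0700
Received: from ppp-42.dialup.example.org (ppp-42.dialup.example.org [198.51.100.42])
    by relay.example.net (8.11.6/8.11.6) with SMTP id g7GM0Xq12345
    for <victim@example.com>; Fri, 16 Aug 2002 14:59:30 -0700
Received: from mail.bigfreemail.example (mail.bigfreemail.example [203.0.113.5])
    by mx.bigfreemail.example (8.9.3) with SMTP id ABCDEF;
    Fri, 16 Aug 2002 14:58:00 -0700
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)"                                   # name the sender claimed
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # what the MTA itself saw
    r".*?\bby\s+(?P<by>[^\s(;]+)",                                # host that stamped the line
    re.S)

def unfold(raw):
    """Join folded continuation lines; return Received: values top-down."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [l[len("Received:"):].strip() for l in lines if l.startswith("Received:")]

def parse_hops(raw):
    """One dict per Received: line with helo, rdns, ip and by (None if absent)."""
    return [m.groupdict() for m in map(RECEIVED_RE.search, unfold(raw)) if m]

def trusted_hops(raw, my_mta=MY_MTA):
    """Walk top-down; stop at the first line not stamped by the host named above it."""
    hops = parse_hops(raw)
    if not hops or hops[0]["by"] != my_mta:
        return []                      # top line is not ours: trust nothing
    trusted = [hops[0]]
    for prev, hop in zip(hops, hops[1:]):
        # A hop is only as trustworthy as the relay above that vouches for it.
        if hop["by"] not in (prev["helo"], prev["rdns"]):
            break
        trusted.append(hop)
    return trusted

def apparent_origin(raw, my_mta=MY_MTA):
    """IP of the host that handed the message to the last trustworthy relay."""
    chain = trusted_hops(raw, my_mta)
    return chain[-1]["ip"] if chain else None
```

A continuous chain of names is only a necessary condition, since anything below a break (and the HELO name on any line) can say whatever the sender likes; the datum worth acting on is the bracketed IP recorded by a relay you actually trust.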
===

From: "Karsten M. Self" <kmself@ix.netcom.com>
To: Balug <balug-talk@balug.org>
Subject: Re: [Balug-talk] Multiple rows in Mozilla Personal Toolbar?
Date: Sun, 18 Aug 2002 13:59:54 -0700

David L. Sifry (david@sifry.com) wrote:
> Has anyone found a way to get multiple rows available in the Mozilla
> personal toolbar? It really sucks because I love the personal toolbar
> to save well-used bookmarks - but as soon as I shrink a window, all my
> rightmost bookmarks scroll off the edge. I've been looking through
> Google and mozilla.org, but haven't been able to find any thing so far.
>
> Any Mozilla experts out there that know the magic incantation to get a
> multiline personal toolbar working?

A. Move bookmarks from the top of your screen to the right/left side. The bar becomes vertical. Downside: sucks more real estate. For a sufficiently large display, not a problem. Note: I may be confusing Moz with Galeon, which I *know* has this feature.

B. Switch to Galeon. Smaller widgets ;-) There's also a ***VERY*** handy "Open whole folder in (tabs|windows)" option which lets you open a slew of bookmarks in one swell foop. I find this convenient for, e.g.: my morning newsfeeds. One click: 17 sites open. This in turn makes bookmark folders the *logical* way for organizing sites.

Galeon wins massively on a number of UI points -- it's far more designed for use than Mozilla. Small differences matter much -- open tab behind current tab (rather than at the end of the tab stack) is just _so_ way the Right Way To Do It. Numerous other controls at your fingertips.

Mozilla wins slightly with its security panel (for SSL sites, missing in Galeon) and actually has a few content controls built in that Galeon doesn't have -- but they're stuck multiple levels deep in nested menus/controls. Galeon's awfully good making similar features immediately available.

More browser review / work in progress at:

http://twiki.iwethey.org/twiki/bin/view/Main/NixBrowsers

===

From: "Karsten M.
Self" <kmself@ix.netcom.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sun, 18 Aug 2002 14:03:58 -0700

on Fri, Aug 16, 2002, Robert Gilman (rbob@dnai.com) wrote:
> I'm looking for advice.

http://www.google.com/search?hl=en&ie=ISO-8859-1&q=klez

At work, our virus intercepts went from 6-24/day January - mid-April. They've stairstepped first to 80-90, 120-150, and now ~200-250 daily, persistently. The vast majority are Klez, though Sircam's made something of a resurgence.

Klez (if you haven't read any of the above links) forges the 'from' header, making identification of the infected party somewhat difficult. From a virus's perspective, it's been phenomenally successful.

If you can't get the message itself, the subject line is often a strong giveaway. Again, research the Google links above.

===

From: "Karsten M. Self" <kmself@ix.netcom.com>
To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
Date: Sun, 18 Aug 2002 14:43:01 -0700

Rick Moen (rick@linuxmafia.com) wrote:
> Quoting Brian Sroufek (brian_sroufek@msdesigninc.com):
> > Since most of my spam comes from a limited (?)
> > set of ISPs, typically some non-US ISPs willing,
> > perhaps, to host anything for $$, a good spam
> > filter would black list the ISP, and
> >
> >
> > return
> > an email indicating to the poor opportunist that
> > their ISP has been black listed.
> >
>
> Out of curiosity, how are you identifying originating ISPs? A lot of
> people seem to try to do this by taking some of the spam headers at
> face value. In my experience, nailing down the originating host
> sometimes takes some detective work.

I use the expedient (appreciated by some, scorned by others) of using an automated tool to report to *all* receiveds that spam which did, or wants to look like it did, come from/through them, was received. The specific tool is ricochet, an earlier work from Vipul of Vipul's Razor.
I hook this in to my spamassassin scripts, triggering the mail automatically on all scores 10+, and manually on most of what falls in below that level.

This is somewhat shotgun in its effects, but it's pretty effective at:

- Ferreting out frustrated GNU/Linux admins at sf.net.

- Identifying borderline sociopaths who make threatening calls to your workplace (one in seven months).

- Identifying candidates for submission to rfc-ignorant (http://www.rfc-ignorant.org/) for failing to properly receive/respond to mail to postmaster and/or abuse accounts, and/or have invalid WHOIS contacts. Several per week.

- Identify just how much Yahoo, Hotmail, and Lycos mail is forged, among the larger shops, and other smaller ones (lots).

- And, several times a week, prompt a response from a sysadmin somewhere who's discovered, courtesy the report, that they are in fact running an open relay or otherwise hosting a spammer.

I've even found that folks getting spoofed appreciate my reports as I send ***FULL HEADERS***, which apparently five nines of their complainants *don't* do, and which makes proper forensics of an issue difficult.

In related news, spam intercepts at work have actually *fallen* about 20% since May, peaking at ~55/day, now in the 42-45/day range (this being my own and a bunch of catch-all accounts -- trend matters more than quantity). Home numbers differ somewhat, but appear to be holding relatively steady:

http://twiki.iwethey.org/twiki/bin/view/Main/SpamEmailTrends (Spam report and graphics)

My philosophy: rapid response and reaction to spam raises costs of doing business. Spam is an economic activity (and a low-margin one at that), so any actions which increase its costs _should_ reduce its prevalence. Both filtering (passive response) and reporting (active response) have strong impacts. Seems we may be winning somewhat at present.
===

From: "Vipul Jain" <vjainfvc@hotmail.com>
To: balug-talk@balug.org
Subject: [Balug-talk] PCMCIA card not working
Date: Sun, 18 Aug 2002 14:48:44 -0700

I am a newbie to Linux OS. I installed my Red Hat Linux (7.0) on my Toshiba Laptop. Everything runs fine except the 3Com's PCMCIA network card (3CXFE575BT). The problem is that as soon as I put the card in the system, the complete system hangs. I have no idea how to debug/solve it. I had tried putting the PCMCIA patches but with no results.

Any help would be highly appreciated.

===

To: balug-talk@balug.org
Subject: Re: [Balug-talk] Hi-Jacked Email Address
From: Rick Moen <rick@linuxmafia.com>
Date: Sun, 18 Aug 2002 15:06:24 -0700

Quoting Karsten M. Self (kmself@ix.netcom.com):

> I use the expedient (appreciated by some, scorned by others) of using an
> automated tool to report to *all* receiveds that spam which did, or
> wants to look like it did, come from/through them, was received.

I'll withhold comment on the automation, about which I'm skeptical. However, I can recommend one nice little tool, a perl script call "hinfo" (not to be confused with the DNS datum of the same name). Description and tarball available here:

http://www.blars.org/hinfo.html

Excerpt:

hinfo is a utility that will display information about a host. It is primarily designed to find the owner of an IP block in order to direct spam complaints to where they may do some good.

The first function is to decrypt obfuscated IPs and URLs. You can feed it most forms of obfuscated addresses that I've seen and have it extract the IP or hostname.

The second function is to do DNS lookups and check if the forward and reverse DNS match. If hinfo is given a hostname, domain based blacklist checks are done if the -d option is not specified. If the rDNS isn't forged, domain based lookups are done on it as well. These hostnames are also checked on whois.abuse.net's database if the -a option is not specified.
The IP is then checked with a number of IP based blackhole lists if the -b option is not specified. If the hostname has multiple IPs, all are checked.

Unless the -w option is specified, the whois database is then queried for the owner of the IP block containing this address. This is done with a modified code from the geektools whois proxy, querying ARIN and other whois and rwhois databases. Unfortunately, this output is non-uniformly formatted and can be difficult to read.

===
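As an added example of hinfo's first function as described in the excerpt above (extracting the real IP or hostname from an obfuscated spam URL), written from that description rather than taken from hinfo itself: the numeric spellings handled are the ones inet_aton accepts (a single decimal or hex number, octal or hex octets, and the fewer-than-four-component forms), plus the decoy-userinfo trick where the visible host sits before an "@". All sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def octet_value(tok):
    """Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if not tok.isalnum():           # rejects '', '-1', '1_000' and similar
        raise ValueError(tok)
    if tok[:2].lower() == "0x":
        return int(tok, 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)

def normalize_ip(text):
    """Dotted quad for any inet_aton-style spelling (a, a.b, a.b.c, a.b.c.d), else None."""
    parts = text.strip().split(".")
    try:
        vals = [octet_value(p) for p in parts]
    except ValueError:
        return None                 # not a numeric address (e.g. a hostname)
    if not 1 <= len(vals) <= 4:
        return None
    head, last = vals[:-1], vals[-1]
    # Leading components are single octets; the last one fills the remaining bits.
    if any(not 0 <= v <= 255 for v in head):
        return None
    if not 0 <= last < 1 << (8 * (5 - len(vals))):
        return None
    n = last
    for i, v in enumerate(head):
        n |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(n))

def host_from_url(url):
    """Host a browser would connect to: userinfo before '@' and any :port are dropped."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname   # hostname already strips userinfo and lowercases

def resolve_target(url):
    """Normalised IP if the host is any numeric spelling, else the lowercased hostname."""
    host = host_from_url(url)
    if not host:
        return None
    return normalize_ip(host) or host
```

The result is the value hinfo's later steps (rDNS comparison, blackhole-list checks, whois) would be run against; the decoy name before the "@" never reaches them.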