North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Spam from weird IP

  • From: Matthew Sweet
  • Date: Mon Jun 16 13:51:39 2003

Look carefully at the headers again. I have seen a few like this running
around. The IP listed is not actually an IP, but marked as a supposed
FQDN. The ones I have seen appear to originate out of brazil for the most
part. I do not have a sample handy at the moment, but if someone wants it
(for whatever reason), just let me know.


On Mon, 16 Jun 2003, Richard D G Cox wrote:

> On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" <> wrote:
> | Getting SPAM from relayed by ?
> |
> | this network is not allocated, nor announced. I have been looking everywhere
> | to find if it has been announced (historical bgp update databases, like RIS
> | RIPE / CIDR REPORT / etc..)... I didnt found anything.... this probably mean
> | is routing that network internaly.
> This is very likely to be a known exploit I have been tracking.  In all the
> cases which we have so far confirmed, the spam was not relayed, but proxied
> by a trojan executable which is able to mimic a "previous" header with such
> a degree of accuracy that it is indistinguishable from the genuine article!
> | If there is any guy around. Could you please check this?
> Our advice would be that the server-that-connected-to-you needs to be taken
> offline by the security people at its site (which you say is RoadRunner) and
> they should have ALL its disk(s) imaged for forensic analysis purposes.
> Our experience is that sites hit by this exploit will do basic checks on
> the server and claim it is uncompromised and "cannot possibly be sending
> that spam".  Such a claim would be entirely incorrect.  You would need to
> persuade them that something is wrong, which is difficult at the best of
> times.  RoadRunner being involved in this case suggests this may *not* be
> the "best of times".
> --
> Richard Cox