North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Spam from weird IP

  • From: Lars Higham
  • Date: Tue Jun 17 00:21:42 2003

It would be useful if this exploit could be named and documented at
least for one known instance -

Lars Higham

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Richard D G Cox
Sent: Monday, June 16, 2003 9:32 PM
To: [email protected]
Subject: Re: Spam from weird IP

On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor"
<[email protected]> wrote:

| Getting SPAM from relayed by ?
| this network is not allocated, nor announced. I have been looking 
| everywhere to find if it has been announced (historical bgp update 
| databases, like RIS RIPE / CIDR REPORT / etc..)... I didnt found 
| anything.... this probably mean is routing that network 
| internaly.

This is very likely to be a known exploit I have been tracking.  In all
the cases which we have so far confirmed, the spam was not relayed, but
proxied by a trojan executable which is able to mimic a "previous"
header with such a degree of accuracy that it is indistinguishable from
the genuine article!

| If there is any guy around. Could you please check this?

Our advice would be that the server-that-connected-to-you needs to be
taken offline by the security people at its site (which you say is
RoadRunner) and they should have ALL its disk(s) imaged for forensic
analysis purposes.

Our experience is that sites hit by this exploit will do basic checks on
the server and claim it is uncompromised and "cannot possibly be sending
that spam".  Such a claim would be entirely incorrect.  You would need
to persuade them that something is wrong, which is difficult at the best
of times.  RoadRunner being involved in this case suggests this may
*not* be the "best of times".

Richard Cox