Educause Security Discussion mailing list archives
Re: Question regarding Marketscore spyware
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 2 Dec 2004 10:12:51 -0500
Lutzen, Karl F. wrote:
> I've been researching this a bit last night. Here are the IPs I've found so far:
>
> Web site:
> 66.119.41.71 www.marketscore.com
>
> Proxy servers via port 8000:
> 66.119.33.134 proxy.ia3.marketscore.com
> 66.119.33.166 proxy.ia4.marketscore.com
> 66.119.33.198 proxy.ia5.marketscore.com
> 66.119.34.38 proxy.ia2.marketscore.com
> 170.224.224.101 no DNS match this morning
> 170.224.224.133 no DNS match this morning
> 170.224.224.69 no DNS match this morning
There are a bunch in the 216.246 netblock too. I just started collecting this morning:

216.148.246.74 244.77 246.73 241.71 244.69 246.71 246.133 246.137 224.137
66.119.34.42 34.32 33.138 33.139 33.168 41.76
170.224.224.73 224.105

Doesn't look like an IP based block will be easy. I noticed a few universities saying they are handling it with DNS shenanigans. Looks to me so far like both netsetter.com and marketscore.com domains are involved with varying hosts and subdomains.

An ngrep for an HTTP user agent of OSSProxy provides interesting inventory results. Our Juniper IDP Profiler inventories this for us but ngrep will provide the same data.

If you have the capability to write IDP signatures, blocking traffic with those user agent strings would seem to be a possible blocking method for campus desktops. Looking for the Marketscore certificate during SSL negotiations may be another.

Interesting that the proxy-agent string is "Proxy-agent: ManInTheMiddle-Proxy/1.0"

Borders on the illegal IMHO.

--
Gary Flynn
Security Engineer
James Madison University
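An added example, not part of the original message or of any tool it names: a header-based inventory of the kind the message describes, built only on the indicators it gives (the OSSProxy user agent, the ManInTheMiddle-Proxy/1.0 proxy-agent string, and the marketscore.com and netsetter.com domains). The sample traffic, the 192.0.2.x addresses, the exact User-Agent layout and the function names are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the message above; matching is case-insensitive.
UA_MARKER = "ossproxy"
PROXY_AGENT = "maninthemiddle-proxy/1.0"
DOMAINS = ("marketscore.com", "netsetter.com")

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values for one HTTP request or response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def indicators(raw: bytes) -> set:
    """Return the set of indicators present in one HTTP message."""
    h = parse_headers(raw)
    found = set()
    if UA_MARKER in h.get("user-agent", "").lower():
        found.add("ua:OSSProxy")
    if PROXY_AGENT in h.get("proxy-agent", "").lower():
        found.add("proxy-agent:ManInTheMiddle-Proxy/1.0")
    host = h.get("host", "").lower().split(":")[0].rstrip(".")
    # Match the domain itself or any subdomain, not lookalikes such as notmarketscore.com.
    if any(host == d or host.endswith("." + d) for d in DOMAINS):
        found.add("host:" + host)
    return found

def inventory(messages) -> dict:
    """messages: iterable of (campus_ip, raw_http_bytes). Returns {ip: sorted indicators}."""
    hits = defaultdict(set)
    for ip, raw in messages:
        hits[ip] |= indicators(raw)
    return {ip: sorted(found) for ip, found in hits.items() if found}

# Constructed sample traffic (documentation addresses, not real campus hosts).
SAMPLE = [
    ("192.0.2.10", b"GET http://example.edu/ HTTP/1.1\r\nHost: example.edu\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; OSSProxy)\r\n\r\n"),
    ("192.0.2.10", b"HTTP/1.0 200 Connection established\r\n"
                   b"Proxy-agent: ManInTheMiddle-Proxy/1.0\r\n\r\n"),
    ("192.0.2.22", b"GET / HTTP/1.1\r\nHOST: proxy.ia3.marketscore.com:8000\r\n"
                   b"user-agent: Mozilla/4.0\r\n\r\n"),
    ("192.0.2.33", b"GET / HTTP/1.1\r\nHost: notmarketscore.com\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, found in sorted(inventory(SAMPLE).items()):
        print(ip, ", ".join(found))
```
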