Security Incidents mailing list archives
Re: Spammers just got smarter.
From: Justin Lintz <jlintz () OPTONLINE NET>
Date: Thu, 24 Aug 2000 12:57:22 -0400
Spamming through wingates is nothing new. It's been going on ever since people found the vulnerabilities in Wingates. The idea of scanning for proxies before accepting mail could lead to problems for people who have no choice but to use a proxy to send mail. I think instead people who are using wingate as their proxy should configure it correctly and that would prevent people spamming through them.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Rune Kristian Viken
Sent: Thursday, August 24, 2000 4:41 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Spammers just got smarter.

I've feared this for a long time. But it seems that spammers have finally gotten smarter. Here is the header for a spam I received today:

----
Return-Path: <AdQDmOOX1 () PCMoenkeberg gwdg de>
Delivered-To: arcade () falcon kvinesdal com
Received: (qmail 4758 invoked from network); 23 Aug 2000 07:35:44 -0000
Received: from ip19853.igreatlink.com (HELO nts.hkg.com.hk) (202.122.198.53)
  by falcon.kvinesdal.com with SMTP; 23 Aug 2000 07:35:43 -0000
Received: from Jbm5bH96Z (irix.sit.com.hk [202.161.241.2]) by nts.hkg.com.hk
  with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
  id RKS0R91Q; Mon, 21 Aug 2000 16:29:13 +0800
DATE: 21 Aug 00 3:28:53 AM
FROM: AdQDmOOX1 () PCMoenkeberg gwdg de
Message-ID: <JsFJtQi1Yyg>
SUBJECT: Can't Get you money?...Try Us...
X-UIDL: m-Z!!j]("!@Pp!!]fk!!
Status: RO
X-Status: O
----

Here, my server is 'falcon.kvinesdal.com'. I receive the spam via the open relay "ip193853.igreatlink.com" - which identifies itself as "nts.hkg.com.hk". So far, it's just an open relay. No problem and nothing new about that. (Btw, the igreatlink.com is just a reverse-dns entry, it doesn't have a forward one).

The open relay received the spam from "irix.sit.com.hk", and now, the trouble starts. Why? Because that is not the spammer. irix.sit.com.hk is a person with a misconfigured WINGATE.

So, it seems spammers have started using wingates to bounce to open relays. That makes the spam extremely difficult to track. So, we can continue our battle against open relays, but what on earth can we do to track down the spammers, if they all start using this technique? Should mailservers start to 'scan for proxies' before accepting mail - like IRC servers these days scan for proxies, before accepting connections?

--
"Rune Kristian Viken" <arcade () kvinesdal com> / arcade@irc (EFnet/IRCnet)
Kvinesdalsnett System Administrator (http://arcade.kvinesdal.com/)
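
Added example, not part of the original posts: a Python parser that walks the Received chain quoted in the message above and separates the one hop the recipient's own server logged first-hand from the older hop it only has on the relay's word. The function names and the keys returned by `trace` are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Received lines copied from the spam quoted in the message above.
RAW = """\
Received: (qmail 4758 invoked from network); 23 Aug 2000 07:35:44 -0000
Received: from ip19853.igreatlink.com (HELO nts.hkg.com.hk) (202.122.198.53)
  by falcon.kvinesdal.com with SMTP; 23 Aug 2000 07:35:43 -0000
Received: from Jbm5bH96Z (irix.sit.com.hk [202.161.241.2]) by nts.hkg.com.hk
  with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
  id RKS0R91Q; Mon, 21 Aug 2000 16:29:13 +0800

"""

FROM = re.compile(r"^from\s+(.*?)\s+by\s+([\w.-]+)")
IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
NAME = re.compile(r"[A-Za-z][\w.-]*")


def received_hops(raw):
    """Network hops, newest first: recording host, peer IP, names the peer went by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = FROM.search(" ".join(value.split()))    # unfold continuation lines
        ip = IP.search(m.group(1)) if m else None
        if not ip:
            continue                                # qmail's local "invoked from network" line
        names = [n for n in NAME.findall(IP.sub(" ", m.group(1))) if n != "HELO"]
        hops.append({"by": m.group(2), "ip": ip.group(1), "names": names})
    return hops


def trace(hops, my_host):
    """Separate the hop my own server recorded from the ones it only has on hearsay."""
    idx = next((i for i, h in enumerate(hops) if h["by"] == my_host), None)
    if idx is None:
        return None
    mine, older = hops[idx], hops[idx + 1:]
    return {
        "peer_seen_by_me": mine["ip"],                      # the open relay, logged first-hand
        "peer_name_mismatch": len(set(mine["names"])) > 1,  # reverse DNS differs from HELO
        "unverified_origin": older[-1]["ip"] if older else None,  # here the WinGate host
    }


if __name__ == "__main__":
    for hop in received_hops(RAW):
        print(hop)
    print(trace(received_hops(RAW), "falcon.kvinesdal.com"))
```

Only `peer_seen_by_me` comes from the recipient's own log line; everything below it in the chain was written by the relay and ends at the proxy rather than at the sender.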