Security Incidents mailing list archives

RE: sending out spam through IRC server ?


From: "Bill Lavalette" <billl () cyberbase7 com>
Date: Tue, 4 Mar 2003 18:01:23 -0600

Bronek -

Do you have the supposed spam plus the headers? A lot of these spam clowns
are using people's email addresses in the From line, and then that person gets
nailed with all the complaints. A quick look at the headers reveals the
originating MTA and client that sent it.....  It's happened to me and some
clients, so this is becoming a popular way to spam people...

Hope this helps....


As far as IRC goes, as far as I know, unless you have some real wild
configuration I would say it's not possible to send via IRC. There are some
IRC services that allow the sending of email, but I don't believe they are
widely used for this very reason...

Best regards,

Bill

Chief Security Officer
CyberBase7 Security Services METRO-SOC
WWW: http://mss.cyberbase7.com
PH: 972-782-6595
Cell: 469.766.9692


-----Original Message-----
From: Bronek Kozicki [mailto:brok () rubikon pl]
Sent: Sunday, March 02, 2003 6:36 AM
To: incidents () securityfocus com
Subject: sending out spam through IRC server ?


Hi guys

Recently I received some complaints about spam apparently sent from one of
my servers (Win2K + SP3 + recent hotfixes). The problem is that:
- this server is firewalled and accepting only HTTP, HTTPS (IIS5) and
IRC (Faerion IRC Daemon) connections
- firewall is not an open proxy
- firewall is not allowing incoming SMTP connections
- firewall is allowing outgoing SMTP connections
- local SMTP is used by CDO components in a number of web sites running
on this server, and well, you could probably stop reading here and tell
me to check SMTP logs and/or search for some "leaky" web form for
sending spam. I did. Actually, crawling through SMTP logs and ASP code
was the first thing I did after receiving the first complaint. I'm 100% sure
that spam was *not* sent using SMTP in IIS5. I have 2 reasons to
believe so:
1. IIS5 SMTPSVC has to accept the message and create a suitable "Received:"
header before sending anything out. This might be "mail pickup" or
actual incoming SMTP connections. The complaints I have received do not have
such a header.
2. SMTP is logging all outgoing communication, and I do not have any
traces in the logs that could be connected with this spam. Of course, I have
other traces of outgoing messages, all verified to be valid and
coming from CDO.

The other thing one could ask me for would be to check if my IIS was
not compromised. That would be fairly difficult even for a motivated hacker -
I have very strict security settings (like "hisecweb" plus extra
hardening) on the server, and all recent fixes. I'm also positive that
there's no open proxy on the firewall or running locally on the server.

So here I am, with spam holding my IP in the lowest "Received:" header and no
traces. There are only two things I can think of:
1. some leaky web form NOT using CDO/CDONTS to send out messages (and
something else instead)
2. Faerion IRC daemon ver. 1.17.6. I installed it and configured it for
handling only local chat sessions (not connected to any IRC network)

What I'm asking you for is to tell me if it is possible to use an IRC
daemon for sending out spam? I do not know much about configuring an IRC
daemon, so there might be some settings that I left default=insecure.
Any thoughts?

TIA


B.
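Both messages above turn on reading the "Received:" chain: Bill's advice to look at the headers for the originating MTA and client (and for a forged From: line), and Bronek's observation that the lowest "Received:" hop carries his IP while no IIS5 SMTPSVC "Received:" header is present. The following is an added Python example, not code from either poster; the sample message, hostnames and addresses in it are constructed for illustration (192.0.2.x and 198.51.100.x are documentation ranges), and the "Microsoft SMTPSVC" marker is only the string such a header would be searched for, not a claim about the exact text IIS5 writes.

```python
import email
import email.utils
import re

# Constructed sample message (not from the thread): the From: names an
# innocent third party, and the earliest Received: hop is a host "we" own.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.recipient.example (Postfix) with ESMTP id 4F3A21\n"
    "\tfor <user@recipient.example>; Tue, 4 Mar 2003 10:00:00 -0600\n"
    "Received: from unknown (HELO friendly.example) (198.51.100.7)\n"
    "\tby mx.example.net with SMTP; Tue, 4 Mar 2003 09:59:30 -0600\n"
    "From: \"Someone Innocent\" <innocent@example.org>\n"
    "To: user@recipient.example\n"
    "Subject: special offer\n"
    "\n"
    "body\n"
)

# A dotted quad not embedded in a longer dotted run.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# "from <sender side> by <receiving host>" as used in Received: headers.
HOP = re.compile(r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE | re.DOTALL)


def unfold(value):
    """Join a folded header (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def received_chain(raw):
    """Return the Received: hops top to bottom, i.e. latest hop first.

    Each hop records the 'from' clause, the 'by' host and the first IPv4
    address found in the 'from' clause (None if there is none)."""
    msg = email.message_from_string(raw)  # compat32: folding preserved
    hops = []
    for value in msg.get_all("Received", []):
        v = unfold(value)
        m = HOP.match(v)
        frm = m.group("from") if m else v
        by = m.group("by") if m else ""
        ip = IPV4.search(frm)
        hops.append({"from": frm, "by": by, "ip": ip.group(1) if ip else None, "raw": v})
    return hops


def originating_hop(raw):
    """The lowest Received: header: the earliest hop the receivers saw.
    Only the hops added by MTAs you trust are reliable; anything below
    them can be forged by the sender."""
    hops = received_chain(raw)
    return hops[-1] if hops else None


def originates_from(raw, my_ip):
    """True if the complaint really traces the message back to my_ip."""
    hop = originating_hop(raw)
    return hop is not None and hop["ip"] == my_ip


def has_received_by(raw, needle):
    """Was any Received: header written by an MTA matching needle?
    E.g. needle='Microsoft SMTPSVC' to see whether a local IIS SMTP
    service ever handled the message."""
    return any(needle.lower() in h["raw"].lower() for h in received_chain(raw))


def sender_domain(raw):
    """Domain of the From: address, to compare against the origin host."""
    addr = email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(f"from {hop['from']!r} by {hop['by']} ip={hop['ip']}")
    print("origin:", originating_hop(SAMPLE)["ip"], "From: domain:", sender_domain(SAMPLE))
    print("handled by IIS SMTPSVC:", has_received_by(SAMPLE, "Microsoft SMTPSVC"))
```

Run against a real complaint, the chain is read from the bottom up; the first hop whose "by" host belongs to a relay you trust is where the trustworthy trail starts, and the IP in that hop's "from" clause is what the recipient actually connected to. A From: domain unrelated to that host is the forged-From pattern Bill describes.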



----------------------------------------------------------------------------

Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure

