Security Basics mailing list archives

Re: Domain HiJacking by SPAMMERS


From: sil <jesus () resurrected us>
Date: Thu, 29 Jan 2004 18:37:18 -0500 (EST)


On Fri, 30 Jan 2004, Ho Chaw Ming wrote:

> I would be interested too, since we got a client who got "attacked" in such
> a way yesterday. We received an estimated 30,000 bounced emails alone from
> the fake reply-to email address in a matter of hours. The data center
> received hundreds of ill-informed abuse reports.
>
> We took a sample and they trace to the US and Europe, from a large variety of
> ISPs, leading us to believe it's probably compromised machines.
>
> I would thus be interested too to hear about how this can be resolved. We
> don't wish to terminate the client, or ask him to move, but this costs us
> tremendous resources to deal with. At the same time, we don't want
> ill-informed reports to cause us to be blacklisted by ISPs or spam lists.
>
> Any suggestions will be appreciated. Thanks.


What you can do to keep the majority of these messages from making their way
onto your machine is set up procmail rules to delete them before they make
their way into the network. That is, of course, only if you have a *nix-based
machine set up. I haven't configured MS Exchange for some time, but if I
remember correctly there are options to minimize this as well.

Microsoft's OE 6 also prevents attachments from being opened by the user,
and while some may find this to be an annoyance, I find it a damn good way
to halt the flow of someone opening a message thinking it's from their
friend/family/relative/co-worker, only to have it turn out to be a
pseudo-spoofed, virus-infected message.

On a personal note, for the first few messages that did make their way
through my networks, I made some scripts to auto-check the Received-from
fields and auto-block their ranges via IPF. I can always remove the blocks
every two days, or leave those ranges blocked from sending data to port 25
until I feel the dust has cleared in regards to this nuisance, and then
unblock them.

Again, however, this is mainly for a personal web server with about 60
or so users. To date, however, I think I have received under 10 messages with
that annoying "Hi\|Hello\|Test" subject, which is great considering my work
email address is getting pounded with over 200 per day. None of the other
users on my machines have complained, but I've told them to forward me the
messages they get so they too can be blocked.

Maybe network admins can keep attachments the size of the virus from coming
in, or from being sent, in order to minimize it. E.g.:

If an infected message is, say, 10k altogether, have strict checks on such
messages and block as necessary. A perl/python/shell script is not so
difficult to create for this; however, on a network of decent size, with a
massive volume of incoming and outgoing messages, it just may not be feasible.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Quis custodiet ipsos custodes? - Juvenal

J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net
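The Received-header check described in the reply above, as an added example that is not part of the original thread: it pulls the earliest hop out of each bounce, counts bounces per /24, and only drafts an ipf(8) rule once a block crosses a threshold, so a single stray bounce from a legitimate MTA does not produce a rule. The sample bounces are constructed (RFC 5737 documentation addresses), and the interface name `ext0` is an assumption.

```python
import email
import ipaddress
import re
from collections import Counter
from typing import Optional

# An IPv4 address as MTAs usually write it in Received headers: "[203.0.113.25]".
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _bounce(first_hop: str) -> str:
    """Constructed sample bounce whose entry hop into our mail path is first_hop."""
    return ("Received: from mx.example.net ([198.51.100.7]) by mail.example.org\n"
            f"Received: from unknown ([{first_hop}]) by mx.example.net\n"
            "From: MAILER-DAEMON@example.net\n"
            "Subject: Undelivered Mail Returned to Sender\n\n"
            "This is the mail system at host example.net.\n")

# Constructed input (RFC 5737 documentation addresses) standing in for a spool
# of bounces caused by a spammer forging the client's domain as the sender.
SAMPLE_BOUNCES = [_bounce(ip) for ip in
                  ("203.0.113.25", "203.0.113.26", "203.0.113.27", "192.0.2.9")]

def originating_ip(raw_message: str) -> Optional[str]:
    """Return the IPv4 address from the earliest Received header, if any."""
    msg = email.message_from_string(raw_message)
    # Each relay prepends its own Received header, so the last one in the
    # list is the hop at which the message entered the visible mail path.
    for header in reversed(msg.get_all("Received") or []):
        match = IPV4_IN_BRACKETS.search(header)
        if match:
            return match.group(1)
    return None

def count_source_blocks(messages, prefix_len: int = 24) -> Counter:
    """Count bounces per originating network block (default /24)."""
    counts = Counter()
    for raw in messages:
        ip = originating_ip(raw)
        if ip is not None:
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            counts[str(net)] += 1
    return counts

def draft_ipf_rules(counts: Counter, threshold: int, interface: str = "ext0"):
    """ipf(8) rules refusing port 25 from blocks at or above the threshold."""
    # Returned as text for review, not applied; assumed interface name ext0.
    return [f"block in quick on {interface} proto tcp from {net} to any port = 25"
            for net, n in sorted(counts.items()) if n >= threshold]
```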
