Full Disclosure mailing list archives

Re: Proposal: how to notify owners of compromised PC's

From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Thu, 29 Jan 2004 01:15:20 +0100

On Wed, 28 Jan 2004 23:08:57 +0100 Thomas Zangl wrote:
> On Wed, 28 Jan 2004 21:27:33 +0100, "Remko Lodder" wrote:
>> I want the ability to host this stuff myself on my home ADSL
>> line.
> And this is the point. Most ISPs (here in Austria) don't allow their end
> users to have public servers open. SSH is tolerated but other services not.
> Exceptions are offered against money (or in some cases beer :) ).

I don't care about ingress blocks. You can run any server you like. Just
don't want compromised grannie PC's to SEND spam/viruses directly to MTA's
anywhere in the world (Joe-jobbing us, we get the bounces and stuff).

The original problem mentioned was with dynamic IP's. Those should be
behind bars (egress 25/tcp blocked, don't care about ingress) to prevent
clean PC's from being accused of anything nasty.

Some "new friends" I made tonight are shown below (Austria as an example,
really getting loads from any country/ISP). Mostly spambots on DSL/cable
or dialups, (not sure if these are static/dynamic IP's) usually listed on
cbl.abuseat.org and/or Spamcop (Remko: the last cistron box to hit me was
195.64.90.156 on Jan 11, still in CBL; Thomas: zero hiway.at boxes so far
in 2004 :)

BCC to abuse <at> surfer.at. Probably their mbox is full with complaints
sent by people who received a virus From: someone <at> surfer.at, so this
BCC is probably going to /dev/null.

Which is why we need another way to inform PC owners of the misery they
cause - what this discussion is about. Comments on that, better ideas?

Erik

Received: from chello080109016118.9.14.vie.surfer.at (HELO dutndo7.tn.tudelft.nl)
  (80.109.16.118) by wb3.mail.utexas.edu with SMTP; 28 Jan 2004 18:53:50 -0000

Received: from glummert.de (chello080110229023.116.11.vie.surfer.at [80.110.229.23])
  by spitfire.law.miami.edu (Postfix) with SMTP id 0772C5C3B35
  for <majordomo@munged>; Wed, 28 Jan 2004 14:00:30 -0500 (EST)

Received: from med.toho-u.ac.jp (chello062178080135.27.11.vie.surfer.at [62.178.80.135])
  by bsd.ver.megared.net.mx (8.11.7/8.11.7) with SMTP id i0SKBx351376
  for <munged>; Wed, 28 Jan 2004 14:11:59 -0600 (CST)

Received: from ka.nl (chello062178154224.8.14.vie.surfer.at [62.178.154.224])
  by mgw-x2.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i0SKjgK11785
  for <munged>; Wed, 28 Jan 2004 22:45:47 +0200 (EET)

Received: from  drescher.pl (chello062178032068.11.11.vie.surfer.at [62.178.32.68])
  by rly-na01.mx.aol.com (v97.10) with ESMTP id MAILRELAYINNA15-f401832a0b3;
  Wed, 28 Jan 2004 17:07:41 -0500

Received: from thema-media.de (chello080110113024.510.15.vie.surfer.at [80.110.113.24])
  by SIRIUS.unicc.org (Switch-2.2.8/Switch-2.2.8) with SMTP id i0SMDa029491
  for <munged>; Wed, 28 Jan 2004 23:13:37 +0100

Received: from thea.gr (chello080110093038.507.15.vie.surfer.at [80.110.93.38])
  by mx18.singnet.com.sg (8.12.11/8.12.11) with ESMTP id i0SMeVTJ005750
  for <munged>; Thu, 29 Jan 2004 06:40:45 +0800

Received: from dune.de (chello080110229023.116.11.vie.surfer.at [80.110.229.23])
  by leia.infotel.it (8.10.2/8.10.2) with SMTP id i0SNOe103658;
  Thu, 29 Jan 2004 00:24:41 +0100

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
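A defender's-side check over Received headers like the ones Erik quotes, added here as an example and not part of the original post: it parses the two header layouts shown above (qmail-style "from rdns (HELO name) (ip)" and sendmail/Postfix-style "from name (rdns [ip])"), flags clients whose reverse DNS matches the chello...vie.surfer.at consumer-pool naming, and flags a HELO name outside the connecting host's own domain. The pool-name pattern and the sample lines are assumptions constructed from the headers in the post.

```python
import re

# Constructed sample lines modelled on the headers quoted in the post, plus one clean one.
SAMPLE_RECEIVED = [
    "from chello080109016118.9.14.vie.surfer.at (HELO dutndo7.tn.tudelft.nl) "
    "(80.109.16.118) by wb3.mail.utexas.edu with SMTP; 28 Jan 2004 18:53:50 -0000",
    "from glummert.de (chello080110229023.116.11.vie.surfer.at [80.110.229.23]) "
    "by spitfire.law.miami.edu (Postfix) with SMTP id 0772C5C3B35",
    "from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net with ESMTP",
]

# qmail style: "from <rdns> (HELO <helo>) (<ip>)"
QMAIL_RE = re.compile(r"^from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)")
# sendmail/Postfix style: "from <helo> (<rdns> [<ip>])"
SENDMAIL_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)")

# Assumed consumer-pool naming, derived from the quoted headers: chello + 12 digits + pop + domain.
DYNAMIC_POOL_RE = re.compile(r"^chello\d{12}\.\d+\.\d+\.vie\.surfer\.at$", re.I)


def parse_received(header):
    """Return the client's HELO name, reverse DNS and IP, or None if the layout is unknown."""
    m = QMAIL_RE.match(header) or SENDMAIL_RE.match(header)
    if not m:
        return None
    return {"helo": m["helo"].strip(), "rdns": m["rdns"], "ip": m["ip"]}


def helo_matches_rdns(helo, rdns):
    """A legitimate MTA normally announces a HELO name inside its own reverse-DNS domain."""
    helo_parts = helo.lower().rstrip(".").split(".")
    rdns_parts = rdns.lower().rstrip(".").split(".")
    return helo_parts[-2:] == rdns_parts[-2:]


def classify(header):
    """Comma-joined flags for one Received header: dynamic-pool, helo-mismatch, ok or unparsed."""
    rec = parse_received(header)
    if rec is None:
        return "unparsed"
    flags = []
    if DYNAMIC_POOL_RE.match(rec["rdns"]):
        flags.append("dynamic-pool")
    if not helo_matches_rdns(rec["helo"], rec["rdns"]):
        flags.append("helo-mismatch")
    return ",".join(flags) or "ok"


if __name__ == "__main__":
    for line in SAMPLE_RECEIVED:
        print(classify(line), "<-", line[:60])
```

Both surfer.at samples come back as dynamic-pool,helo-mismatch, which is the signature of the spambot traffic Erik describes; the clean sample comes back ok.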