Full Disclosure mailing list archives
Re: leaking
From: "Marek Isalski" <Marek.Isalski () smuht nwest nhs uk>
Date: Thu, 13 May 2004 11:08:25 +0100
Each visitor is given a different email address. It's made up of their IP address, the Unix time and a partial hash value, encrypted with a private Serpent-256 key.
Dave Horsfall <dave () horsfall org> 13/05/2004 03:50:14 >>>Yep, and that way you can see who sold it to whom.
Absolutely. For instance, the last mail to appear in the box had a recipient address decoding to:
IP that picked up the address: 216.185.57.146
Picked up at: Sun Nov 30 03:53:42 2003 UTC
Picked up on the 22385th hit to the site (since email addresses were generated this way) from the front page.
And from the spam, we can determine they sold/gave this address to someone who then spammed, or perhaps they themselves
spammed, from 61.3.216.165 at Thu, 13 May 2004 10:34:18 +0100 (BST) using a mail server which for about 3 months hasn't
been listed as an MX for the domain (but still accepts mail all the same), spamming on behalf of someone offering
university certificates ("Call to register and get yours in days - 1 203 286 2403.").
Perhaps one "attack" against such long-lived MX entries in the spammers' databases would be to walk a couple of MXs
across IP space, changing the DNS MX entries as you go. At least one spambot use a technique such as this:
http://www.securityfocus.com/guest/24043 Not a lot of good when we run out of IP address space. But maybe by then the
spammers' database will have been updated anyway (hopefully to a now old or soon-to-expire MX!).
Not having access to my full mail archive, I can't let you know whether the aforementioned address has been hit before.
I'll do a trawl through the addresses compromised so far, but I don't think there will be any revelatory findings. I
think the main thing that would surprise me is if spammers are using the Google cache to hide from traps like this.
There's probably no need: botnets will pin the blame elsewhere.
Marek
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: leaking, (continued)
- Re: leaking Nancy Kramer (May 12)
- Re: leaking Dave Horsfall (May 12)
- Message not available
- Re: leaking Nancy Kramer (May 12)
- Re: leaking Nancy Kramer (May 12)
- RE: leaking Felipe Angoitia (May 12)
- Re: leaking Valdis . Kletnieks (May 12)
- Re: leaking Marek Isalski (May 12)
- Re: leaking Dave Horsfall (May 12)
- RE: leaking Felipe Angoitia (May 12)
- RE: leaking Duquette, John (May 12)
- RE: leaking Felipe Angoitia (May 13)
- Re: leaking Marek Isalski (May 13)