[Dshield] question about tracking spam

Johannes Ullrich jullrich at euclidian.com
Tue Nov 26 14:29:11 GMT 2002


> The problem is, although the block is within our
> range, it has never been used (to the best of our knowledge), 

I would start by verifying that it is still not used ;-)... Rogue
hosts are always a big security issue. I see you are an '.edu',
so you probably have limited control over the hosts people plug
into random ethernet jacks.

> In other words I am going around in circles here!!!  Any suggestions or
> comments?

Another issue: 'Received' headers can easily be spoofed. Each host
in the chain just takes all the received headers they get from the
sending hosts and adds the sending host to the chain.
-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
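
The point about 'Received' headers, as an added example that is not part of the original message: only headers stamped by mail hosts you operate, read from the top down, can be relied on, and the bracketed peer IP in the last of those is the real point where the message entered your network. The host names, addresses, sample message and function names below are constructed, and the usual `from <name> ([ip]) by <host>` header layout is assumed.

```python
import re
from email import message_from_string

# Constructed sample, not from the thread. Newest header is on top.
RAW = (
    "Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])\n"
    "\tby mail.example.edu with ESMTP; Tue, 26 Nov 2002 14:00:03 +0000\n"
    "Received: from relay.example.net (unknown [198.51.100.7])\n"
    "\tby mx1.example.edu with SMTP; Tue, 26 Nov 2002 14:00:01 +0000\n"
    "Received: from pc17.example.edu ([192.0.2.200])\n"
    "\tby relay.example.net with SMTP; Tue, 26 Nov 2002 13:59:58 +0000\n"
    "Received: from pc17.example.edu ([192.0.2.200])\n"
    "\tby mx1.example.edu with SMTP; Tue, 26 Nov 2002 13:59:50 +0000\n"
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
TRUSTED = {"mail.example.edu", "mx1.example.edu"}  # assumption: MTAs we operate

# claimed name after "from", peer IP in brackets, stamping host after "by"
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)", re.S)

def split_chain(raw, trusted_mtas):
    """Split Received hops into (verified, unverified), newest first.

    Each hop is (claimed_name, peer_ip, stamped_by). A hop is verified only
    if one of our hosts stamped it and every header above it is verified too,
    so a header below the boundary that merely names our host stays unverified.
    """
    msg = message_from_string(raw)
    verified, unverified = [], []
    trusted = True
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        hop = m.groups() if m else (None, None, None)
        trusted = trusted and hop[2] in trusted_mtas
        (verified if trusted else unverified).append(hop)
    return verified, unverified

def entry_point(raw, trusted_mtas):
    """Peer IP recorded by the outermost host we operate, or None."""
    verified, _ = split_chain(raw, trusted_mtas)
    return verified[-1][1] if verified else None
```

Here the two lowest headers both point at an address inside the local range, yet the only address worth chasing is the one `entry_point` returns, because everything beneath it was supplied by the sender.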