[Dshield] question about tracking spam

Johannes Ullrich jullrich at euclidian.com
Tue Nov 26 14:29:11 GMT 2002

> The problem is, although the block is within our
> range, it has never been used (to the best of our knowledge), 

I would start by verifying that it is still not used ;-)... Rogue
hosts are always a big security issue. I see you are an '.edu',
so you probably have limited control over the hosts people plug
into random ethernet jacks.

> In other words I am going around in circles here!!!  Any suggestions or
> comments?

Another issue: 'Received' headers can easily be spoofed. Each host
in the chain just takes all the received headers they get from the
sending hosts and adds the sending host to the chain.
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20021126/82565ce2/attachment.bin

More information about the list mailing list