[Dshield] A new tactic for fighting spam?

John Draper crunch at shopip.com
Wed Sep 11 23:36:48 GMT 2002

>John Draper wrote:
>> One thing I noticed (and sucessfully reported) is the Stock Pumpup scam.   New companies just recently gone IPO are victums...  it works
>> like this...   they (spammers) will send spam out to promote a new company's product (without knowledge of the company),   to increase
>> their sales (and eventually increase the value of their stock)..  before they do that,   they send out spams to millions of people "A Stock
>> deal you just can't refuse to pass up.....".  They buy stock in the new company (usually at the low initial offering price),  but knowing
>> the stock is going to increase.   Once it does,  they go on a mad selling spree (EVEN MORE SPAM),  and people fall for this shit.
>In case you are unaware, this type of spam should be reported to: enforcement at sec.gov
>with the subject: UCE Regarding Stocks/Investment
>And the SEC does respond. I have call backs on about 10% of my reports. Again, be sure you send full headers...
>Jon R. Kibler
>ASET, Inc.
>Charleston, SC  USA

I already did...   but don't recall using that address you mentioned above.   I filled out their online forms page,  giving them all the info I had.  I included FULL HEADERS,  Spamcop report,  traceroute,  dates and times it was relayed,  etc.   I was assured their victim (who I initially accused of spamming me) had also filed the complaint.

If anyone experiences a DDOS attack on their networks,  and has Snort turned on,   just before you see those Snort DDOS attack entrys in the logs,   check for portscans just a few minutes before the attack took place.   If you have your firewall setup to stop stealth scans,  they are forced to use less stealthy ones,   and our attacker foolishly scanned us with his REAL IP address,  and we nailed him.   Shortly afterwards,  went to #hacker and #2600 IRC Chats,  and sure enough they were "bragging" about it.   Amazingly enough the IP address of opne of the braggers matched the IP address in my snort logs.   I quick phone call to his ISP confirmed he was logged in at that time.   I not only got his real name,  but his phone number and address.  He's been "Dissing" me on the chats for years.   

I passed the info to our ISP and told them "Here!  YOu deal with it".   They thanked me,  restored my service.   Herd nothing about it....   just wanted to say,   keep checking those logs....

By the way,  I've been getting a lot of:  

[**] spp_stream4: TTL EVASION (reassemble) detection [**]
08/13-07:55:31.548641 ->
TCP TTL:118 TOS:0x0 ID:7324 IpLen:20 DgmLen:514 DF
***AP*** Seq: 0x73A70074  Ack: 0xA55AA7C1  Win: 0xF900  TcpLen: 20

  Can someone tell me what these are?

These appear to be going to a web server with a site called InfoGrip.

We have our DEMO box on the same subnet as a few commercial sites at our temp local Co-Location.   So our demo box sniffs and IDS's traffic to everything on this class C.


More information about the list mailing list