[Dshield] Spam related but kind of interesting

Chris Brenton cbrenton at chrisbrenton.org
Fri Dec 26 22:00:05 GMT 2003


On Fri, 2003-12-26 at 15:04, JD wrote:
>
> Sounds like what you are getting is from a shitload of infected zombies
> as you described above.   How are you able to sniff this traffic?
> Are you logging all of this? 

But of course! :)

>    can you pinpoint the exact time it
> started? 

Nov  3 06:46:17 EST. I'm guessing this is when I was added to the
spammer's list rather than when the spammer got started though.

>    If so,  look just before that time,  to see just when a scan
> might have taken place,   you might even be lucky enough to nail a
> real un-spoofed IP address. 

Actually, the mail is being sent to one of my honeypot addresses, so I
know _exactly_ where it came from. The source was from a post from this
address to a Security Focus mailing list (Bugtraq specifically). 

> I would venture to say you are possibly right.   I've known for years 
> that
> certain spam gangs in my "radar" have been setting up their own boxen
> at co-lo sites,  but not actively using them.   Most are Linux,  and 
> can be
> configured to make fingerprinting difficult.

It's possible that the "masters" are running Linux, but these Zombies are
definitely Windows. You can't change NOOP and packet size on a Linux box
without some serious kernel hacking. All the sources fingerprint as
Windows, not Linux. Also, all the sources are on cable/DSL networks
rather than co-lo ranges. 

> This is now becoming yet another way for spammers to smut their stuff.

Agreed. There is a thread on NANOG today about this:
http://news.bbc.co.uk/1/hi/technology/3324883.stm

Obviously this scheme is of little use today as most spam sources are
'0wn3d' one way or another and would not slow down the modern spammer in
the least. Leave it to MS to have a good idea about 3 years too late.
;-)

Thanks!
C
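The passive fingerprinting Chris describes (telling Windows zombies from Linux boxes by the TCP option layout, NOP placement and window/packet size of their SYNs) as an added example that is not part of the original thread. It uses constructed SYN headers, not captured traffic, and a two-entry signature table that is an assumption, simplified from the classic p0f-style SYN signatures for Windows 2000/XP and Linux 2.4/2.6.

```python
import struct

# TCP option kinds (RFC 793 / RFC 2018 / RFC 1323).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TS = 0, 1, 2, 3, 4, 8
OPT_LETTER = {OPT_NOP: "N", OPT_MSS: "M", OPT_WSCALE: "W", OPT_SACK_PERM: "S", OPT_TS: "T"}

# Assumption: simplified p0f-style SYN signatures, (option order, initial TTL) -> OS family.
# Anything not listed is reported as "unknown" rather than guessed.
SIGNATURES = {
    ("M,N,N,S", 128): "Windows 2000/XP",
    ("M,S,T,N,W", 64): "Linux 2.4/2.6",
}

def parse_tcp_options(tcp):
    """Return [(kind, raw_value)] from the option area of a TCP header (no payload)."""
    data_offset = (tcp[12] >> 4) * 4
    opts, i = [], 20
    while i < data_offset:
        kind = tcp[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((kind, b""))
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:  # malformed option: stop, never loop forever
            break
        opts.append((kind, tcp[i + 2:i + length]))
        i += length
    return opts

def guess_initial_ttl(ttl):
    """Map an observed TTL back to the nearest common initial value (64, 128, 255)."""
    return next(t for t in (64, 128, 255) if ttl <= t)

def fingerprint_syn(ttl, tcp):
    """Classify a SYN by option order plus initial TTL; also report window and MSS for the analyst."""
    opts = parse_tcp_options(tcp)
    order = ",".join(OPT_LETTER.get(k, "?") for k, _ in opts)
    window = struct.unpack("!H", tcp[14:16])[0]
    mss = next((struct.unpack("!H", v)[0] for k, v in opts if k == OPT_MSS and len(v) == 2), None)
    return {"os": SIGNATURES.get((order, guess_initial_ttl(ttl)), "unknown"),
            "options": order, "window": window, "mss": mss}

def _syn(window, options):
    """Build a constructed TCP SYN header; ports and sequence number are arbitrary sample values."""
    hdr_len = 20 + len(options)
    return struct.pack("!HHIIBBHHH", 1025, 25, 0x01020304, 0, (hdr_len // 4) << 4, 0x02, window, 0, 0) + options

# Constructed sample SYNs (not captured): MSS 1460, then the option order each stack emits.
WINDOWS_SYN = _syn(65535, bytes.fromhex("020405b4 0101 0402"))
LINUX_SYN = _syn(5840, bytes.fromhex("020405b4 0402 080a0000000100000000 01 030300"))

if __name__ == "__main__":
    print(fingerprint_syn(119, WINDOWS_SYN))  # a Windows host seen nine hops away
    print(fingerprint_syn(54, LINUX_SYN))
```

Running it over real SYNs from the sources in a mail log would show the same "M,N,N,S" / TTL 128 pattern Chris saw on the cable/DSL zombies.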
