[Dshield] Spam related but kind of interesting

JD lists at webcrunchers.com
Sat Dec 27 00:51:09 GMT 2003

On Dec 26, 2003, at 2:00 PM, Chris Brenton wrote:

>> If so,  look just before that time,  to see just when a scan
>> might have taken place,   you might even be lucky enough to nail a
>> real un-spoofed IP address.
> Actually, the mail is being sent to one of my honeypot addresses, so I
> know _exactly_ where it came from. The source was from a post from this
> address to a Security Focus mailing list (Bugtraq specifically).

So it looks like they were farming Emails from this list?

>> I would venture to say you are possibly right.   I've known for years that
>> certain spam gangs in my "radar" have been setting up their own boxen
>> at co-lo sites,  but not actively using them.   Most are Linux,  and can be
>> configured to make fingerprinting difficult.
> It's possible that the "masters" are running Linux, but these Zombies are
> definitely Windows. You can't change NOOP and packet size on a Linux box
> without some serious kernel hacking. All the sources fingerprint as
> Windows, not Linux. Also, all the sources are on cable/DSL networks
> rather than co-lo ranges.

Then I'm pretty sure these are from infected trojans.  if this is the
Please send them to the ISP they originally came from - and of course you need
to include full headers.

>> This is now becoming yet another way for spammers to smut their stuff.
> Agreed. There is a thread on NANOG today about this:
> http://news.bbc.co.uk/1/hi/technology/3324883.stm
> Obviously this scheme is of little use today as most spam sources are
> '0wn3d' one way or another and would not slow down the modern spammer in
> the least. Leave it to MS to have a good idea about 3 years too late. ;-)

M$ has always been the problem instead of the solution.  It's almost as if they
created the spam problem themselves,  but releasing such an insecure

Obviously spammers are taking full advantage of this flawed system,   
people to do stupid things like opening up unknown attachments.
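The passive fingerprinting Chris describes (SYN option layout, packet size and TTL differing between Windows and Linux) can be reproduced with a small p0f-style classifier. This is an added example, not code from the list post; the records are constructed, not a real capture, and the two signatures are the classic published p0f layouts for Windows 2000/XP and Linux 2.4/2.6.

```python
from collections import Counter

# Classic p0f-style signatures: (option layout, SYN length, initial TTL, name).
# Option letters: M=MSS, N=NOP, S=SACK-permitted, T=timestamp, W=window scale.
SIGNATURES = [
    (("M", "N", "N", "S"), 48, 128, "Windows 2000/XP"),
    (("M", "S", "T", "N", "W"), 60, 64, "Linux 2.4/2.6"),
]

def parse_options(opts):
    """'M1460,N,N,S' -> ('M', 'N', 'N', 'S'); values are masked like p0f's M*."""
    return tuple(o[0] for o in opts.split(","))

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255

def fingerprint(rec):
    """Return an OS guess for one SYN record, or 'unknown' on any mismatch.
    All three fields must agree: the option layout alone is unreliable when
    a middlebox rewrites options, so length and TTL are cross-checked."""
    layout = parse_options(rec["opts"])
    for sig_layout, sig_len, sig_ttl, name in SIGNATURES:
        if (layout == sig_layout and rec["len"] == sig_len
                and initial_ttl(rec["ttl"]) == sig_ttl):
            return name
    return "unknown"

def tally(records):
    """Count how many sources fall in each OS family."""
    return Counter(fingerprint(r) for r in records)

# Constructed sample records (not a real capture): one SYN per source.
SAMPLE = [
    {"src": "198.51.100.23", "ttl": 116, "len": 48, "opts": "M1460,N,N,S"},
    {"src": "198.51.100.77", "ttl": 121, "len": 48, "opts": "M1380,N,N,S"},
    {"src": "203.0.113.9",   "ttl": 52,  "len": 60, "opts": "M1460,S,T,N,W0"},
    # Linux option layout but a TTL that started at 128: flag, don't guess.
    {"src": "203.0.113.40",  "ttl": 119, "len": 60, "opts": "M1460,S,T,N,W0"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["src"], "->", fingerprint(r))
    print(tally(SAMPLE))
```

Run against real SYN records, the tally is the same evidence used in the thread: sources that all land in one OS family, plus their network ranges, say more about a botnet than any single packet.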