[Dshield] ISPs - How much monitoring is enough?

Brad Spencer brad.madison at mail.tds.net
Sat Jan 17 01:40:12 GMT 2004


At 03:04 PM 1/16/2004 -0800, you wrote:

>You're arguing for the ISP to have traffic analysts onhand as part of 
>their security detail?
>Fair enough, but as I have observed before...99% of IT people are not 
>security people.  Good luck trying to convince them.


Neither am I - I was a semi-competent system admin.  But even I could run 
(and did run) ntop, sometimes.  I wasn't doing the kind of traffic analysis 
I mean for now but the difference between what I did and that is 
slight.  For not too much money there's even  a Windows version of ntop 
(the Linux version is free, I think.)  I suspect that routers have the 
capability to do such things - but I'm also not a networking person.

IT people could look for spam server zombie systems using ntop.  Just watch 
for improper outbound SMTP traffic - there's your zombie.  See where the 
packets to that system originate and you've got at least the first piece of 
a chain that leads back to the spammer - maybe.  The longer the spammer 
abuse is tolerated (and right now it is nearly 100% tolerated) the more 
sophisticated and hard to detect, track, and stop their abuse will become.

In a browser window I'm right now looking at some captured Cyalus (Viagra 
substitute, they claim) spam on a friend's open relay honeypot (Jackpot) 
system..  Source is 211.241.96.254 - Korea.  That's followed by some from 
82.44.226.209, then some from 219.248.239.184, then 69.46.135.12 - 
obviously the spammer is hitting the fake open relay from open proxies.

Altogether, about 7500 recipients in the little time window I'm observing - 
none of whom got this copy of the spam, at least.

The spammer has simplified his obscuration:

yal<!--gSElrL-->us is known as a Super-Via<!--gSElrL-->gra because

Cyal<!--heKWwi-->us is known as a Super-Via<!--heKWwi-->gra because

etc., with no other imbedded html comments.

Spamming http://www.paraguanarock.com, which just expired.

Here's a tiny bit of the page for 211.241.96.254:

B4-D1AD31CF     superior        04/01/17 00:05:58 GMT   Dropped 99
B4-D1AD31D5     superior stuff  04/01/17 00:07:20 GMT   Dropped 99
B4-D1AD31DC     superior to the expensive stuff 04/01/17 00:09:16 
GMT   Dropped 99
B4-D1AD31E3     surprise her    04/01/17 00:10:47 GMT   Dropped 99
B4-D1AD31E7     the best stuff  04/01/17 00:12:01 GMT   Dropped 99
B4-D1AD31EB     the new champ   04/01/17 00:13:45 GMT   Dropped 99

"99" is the number of recipients.  The first field is an internal pointer 
to the web page for that spam - I removed some of it..  "Dropped" means it 
wasn't delivered, which is good.

And "good luck" is an appropriate wish.  I appreciate it - and the 
implications (where "appreciate" shifts meaning from one thought to the 
other.)  




More information about the list mailing list