[Dshield] Re Dshields email invite: DShield Time Check

Johannes B. Ullrich jullrich at euclidian.com
Mon Oct 11 13:08:00 GMT 2004

> 1. Email I received was flagged by RBL listing from Spambag - 
> thus time wasted checking email headers (themselves somewhat 
> obfuscated/suspicious anyway? ** - see below) 

SPAM is unsoliciated commercial email, not email that matches
criteria established by spam filters ;-). Something a lot of
anti-spam engines don't understand..

Either way. It's 'mrburns.LAN', I leave it up to the reader
to guess other machine names on that lan. The mail was send
used a quick perl hack.

> 2. My ISP uses a transparent cache (interception) server. 
> Dissappointingly this DSHIELD page (unlike a number of other 
> sites) appears unable to circumvent/accommodate this to ascertain 
> true IP? 

Have to see how your proxy indicates the original IP. I got a
script that figures out the real IP (and I *should* use it
for this page).

Overall, I found two basic classes of users where the page 
doesn't work:

- users behind transparent proxies that do not indicate the 
  original IP address
- tarpit users. The LaBrea is monitoring unused IPs only,
  so the user can't submit the request from a monitored IP.

I think the solution to both cases is to allow the user to
specify an ip address (and a check interval) in the 'My Account'
page. Probably I will require that at least one report was submitted
with this target IP for the last 24 hrs, in order to avoid hitting
the wrong IP address.

However, so far the turnout has been quite good, and I think it
achieved its main goal to figure out how good/bad the timestamps are.
The main problem are timezone issues.

For the latest result, see: http://isc.sans.org/timeshiftgraph.php
About 75% come in at 1 min or better, and 80% at 10 min or better.

This is worse then I thought it would be.

> Thus currently for example this process won't work for NTL (UK ISP) users that have Transparent servers enabled in their region anyway.
> 3. Arguably a tenuous criticism but displaying the sender IP with a request to ensure user avoids reporting it AFTER the TCP packet has been allegedly sent is a tad silly surely?    
> Regards
> Tony 
> ------------------------------------------
> FIGHT BACK AGAINST SPAM! Download Spam Inspector, the Award Winning Anti-Spam Filter http://mail.giantcompany.com
> ** copy of salient part of email headers -------
> Received: from localhost (localhost [])
> 	by mrburns.lan (Postfix) with ESMTP id 2859AD22DA
> 	for <xxxxxx at ntlworld.com>; Thu,  7 Oct 2004 12:44:50 -0400 (EDT)
> Received: from unknown by localhost (amavisd-new, unix socket)
>  id client-XXxtXeYx for <xxxxxx at ntlworld.com>;
>  Thu,  7 Oct 2004 12:44:50 -0400 (EDT)
> Received: by mrburns.lan (Postfix, from userid 1000)
> 	id 19065D20A4; Thu,  7 Oct 2004 12:44:50 -0400 (EDT)
> -------------------------------------------------
> Apologies if this embarrasses a real Mr Ian Burns somewhere in SANS! 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.771 / Virus Database: 518 - Release Date: 28/09/2004
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
Johannes Ullrich                     jullrich at euclidian.com
contact: http://johannes.homepc.org/contact.htm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20041011/d23f0cdc/attachment.bin

More information about the list mailing list