[Dshield] Bizarre Activity Spurt...

Freek de Kruijf f.de.kruijf at hetnet.nl
Thu Oct 20 09:53:50 GMT 2005

On Wednesday 19 October 2005 13:13, jayjwa wrote:
> People say that the source IPs are spoofed, but I don't think they even
> go that far: they all are sitting on ISPs' networks who don't seem to
> care, no matter how many times you report them. They're untouchable as it
> is, so why bother to spoof?

Last night I received two packets from a source that I feel comfortable 
asking for their cooperation in investigating whether the address has been 
spoofed or not.

I have analysed about 3000 packets now, showing only 6 different URLs. By far 
the highest count is from packets with the URL http://123fixreg.com. But as 
I mentioned earlier, all 6 somehow have a referral to hop.clickbank.net, 
which has a referral to 5 different final webpages.

This morning at around 06:00 UTC most of the messenger spam activity 
stopped; from about 1100 to less than 100 per day (24 hours). I only have 
one IP address.


Beelaerts ICT Consultancy
Freek de Kruijf
