Request for help with mail spoofing
Geoff Shang
geoff at QuiteLikely.com
Wed Feb 17 13:49:07 IST 2010
Hello,
I'm not sure if this request crosses any lines re the scope of this list,
so I'm posting a request first rather than simply pasting what I have. If
the list mods are concerned about analysis of what could arguably be a
criminal act, then I'll take it off-list.
The problem:
A person in the blindness community has been posting to various mailing
lists in the last few days. They have been sending mail in the name of
well-respected list members with relevant-looking subject lines, but
placing offensive material in the body of the message.
I'm not asking here about blocking this sort of mail, as this is something
I can have addressed elsewhere. What is concerning me is how it's being
done.
The person seems to be able to find a host that they can send through.
This host is easy enough to find from the message headers. The problems
are finding out how they are doing what they are doing with the host
concerned, and the fact that connections to these hosts seem to be coming
from multiple machines which appear on the surface to be anonymous
proxies.
The host I dealt with on Monday had an account compromised (or at least
said they did) on one of their machines which is not their mail server.
Now clearly they could prevent this by preventing traffic from port 25
going out to the world, but perhaps there are reasons for not doing this.
They also appear to be accepting telnet connections which seems nuts to
me... But anyway, I digress. They are disinclined to take this matter
further due to the complexity involved, though they might change their
mind when I tell them we got another one from their IP address today.
Meanwhile, we've seen examples from other (presumably) compromised hosts.
This person is obviously doing this to get a kick out of it, and he's
clearly becoming arrogant. He just sent a message to one of the lists
which includes a bash script. As the list mostly deals with Windows
technical support queries, he probably figured no-one would understand
what it was, or that even if anyone did, nothing could be done to catch
him or stop him.
This script seems to make use of socks proxies, which is something I don't
know about. It also calls some perl code which I also don't understand.
So I don't exactly understand what they are doing.
Now that I look at it, it appears that this person is using the Tor
network (torproject.org) to do this. Since the whole point of Tor is to
hide your tracks, I'm not at all confident about tracking this person down
unless they make a mistake.
Given that I have this script which I am willing to send on, my questions
are:
1. What exactly is being done?
2. Is there anything that admins can do to block this sort of spoofing
through their hosts? I don't want any of the hosts I admin to be used for
this, for example, and I'd like to tell those who are being used for this
how to block the hole.
and 3. Is there any way at all of tracking this person down?
Any guidance anyone can provide will be most gratefully received.
Geoff.
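As an added example (not part of Geoff's message or anything posted to the list), here is a small Python script for the part of the problem the post calls "easy enough to find from the message headers": it walks the Received: chain of a suspect post, finds the first hop that handed the mail to our own relays (the injecting host, which in this thread's scenario is the compromised machine), and flags the post when that host bears no relation to the domain claimed in From:. The sample message, host names, addresses and the set of trusted relays are constructed assumptions; the trusted set must be replaced with the list server's real MX/list hosts, because Received: lines written by anything else can be forged by the sender.

```python
"""Walk the Received: chain of a suspected spoofed list post to find the
host that handed it to our infrastructure (the injecting relay) and compare
that with the claimed From: domain.  Added example, not from the original
post; the message and host names below are constructed."""
import email
import email.utils
import re

# Constructed sample: headers as they might look after a compromised shell
# host relayed a message claiming to come from a well-known list member.
SAMPLE_MESSAGE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id ABC123
\tfor <member@example.net>; Mon, 15 Feb 2010 10:00:00 +0200
Received: from shell.victim-host.example (shell.victim-host.example [198.51.100.7])
\tby lists.example.org (Postfix) with SMTP id DEF456
\tfor <list@lists.example.org>; Mon, 15 Feb 2010 09:59:00 +0200
Received: from localhost (unknown [10.0.0.5])
\tby shell.victim-host.example with SMTP; Mon, 15 Feb 2010 09:58:00 +0200
From: Respected Member <member@trusted-domain.example>
To: list@lists.example.org
Subject: Re: screen reader configuration
Message-ID: <constructed-0001@lists.example.org>

(offensive body omitted)
"""

# Assumed: our own relays.  Received: lines written "by" these hosts are
# trustworthy; every earlier line was written by machines we do not control
# and may have been forged by the sender.
TRUSTED_RELAYS = {"mx.example.net", "lists.example.org"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the Received: hops newest-first as dicts: helo, rdns, ip, by."""
    msg = email.message_from_string(raw_message)
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        info = m.group("info") or ""
        ip_m = IP_RE.search(info)
        # The receiving MTA's reverse-DNS name, if it recorded one.
        rdns = info.split()[0] if info and not info.startswith("[") else None
        if rdns == "unknown":
            rdns = None
        hops.append({
            "helo": m.group("helo"),
            "rdns": rdns,
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by").rstrip(";").lower(),
        })
    return hops


def injecting_host(hops, trusted=TRUSTED_RELAYS):
    """First hop recorded by one of our relays whose sender is not ours."""
    for hop in hops:
        if hop["by"] not in trusted:
            continue  # written by an outside machine: not evidence
        sender = (hop["rdns"] or hop["helo"]).lower()
        if sender not in trusted:
            return sender, hop["ip"]
    return None, None


def claimed_domain(raw_message):
    """Domain part of the From: address the message claims to be from."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def assess(raw_message, trusted=TRUSTED_RELAYS):
    host, ip = injecting_host(received_hops(raw_message), trusted)
    domain = claimed_domain(raw_message)
    # A member's post normally arrives via that member's own mail provider,
    # so an injecting host unrelated to the From: domain is a red flag.
    # (SPF/DKIM, where the claimed domain publishes them, give a firmer answer.)
    related = host is not None and domain is not None and (
        host == domain or host.endswith("." + domain))
    suspicious = host is not None and domain is not None and not related
    return {"injecting_host": host, "injecting_ip": ip,
            "claimed_domain": domain, "suspicious": suspicious}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The host and IP that `assess` reports are what to hand to the owner of the compromised machine together with the timestamp from that Received: line, which is what they need to match against their own logs; the hop recorded by the compromised host itself (here "from localhost (unknown [10.0.0.5])") is kept in the list for completeness but is not relied on, since the attacker controlled the machine that wrote it.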