Request for help with mail spoofing
Nadav Har'El
nyh at math.technion.ac.il
Wed Feb 17 15:56:09 IST 2010
On Wed, Feb 17, 2010, Geoff Shang wrote about "Re: Request for help with mail spoofing":
> I know this. This is not what I was asking. I want to know how this
> person is sending mail through the affected host.
You called these hosts "affected" and "compromised". Why? It is possible
they are, but also possible they are just open relays or socks proxies or
whatever - either deliberately or by misconfiguration.
> Yes. I used this to identify the compromised hosts. But this only shows
> where the SMTP session started, and blocking these will surely be a
> cat-and-mouse game. I want to get this guy.
Why is it a cat-and-mouse game? The person currently has two choices.
Either send mail directly from his machine (at which point you got him),
or send it through some open relay or proxies. Since, as I said, there are
blacklists which specialize in collecting lists of such relays (for anti-spam
filters to block these out), it is likely that all the relays that your adversary
can use are already blacklisted, and you can filter all of them out in one
fell swoop.
> I'll look at this, though as I said before, I'm not so concerned about
> blocking it, as some of the lists are on Yahoogroups and trying to report
> spam there is like pulling teeth. I want to find out how he's doing it so
> that hosts can be guarded against it, and I want to try to track this
> idiot down.
Many of the open proxies or relays are *deliberately* open. Tor, which you
mentioned, is deliberately open and anonymous (although, as far as I know
Tor does not allow connections to port 25, so I'm surprised it was involved
in this attack). See
http://en.wikipedia.org/wiki/Open_mail_relay#Modern-day_proponents
for another person who deliberately keeps an open relay.
The blacklists which I mentioned are already doing a good job "guarding"
against open relays of all sorts - anybody who has an open relay or socks
proxy will soon find himself unable to send mail to half the Internet.
--
Nadav Har'El | Wednesday, Feb 17 2010, 3 Adar 5770
nyh at math.technion.ac.il |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |AlGoreithm, n: Repeating a calculation
http://nadav.harel.org.il |until a prior desired result is produced.
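The approach described in the reply (read the Received: chain to see where the SMTP session started, then check each hop against a relay blacklist) can be shown end to end. The following Python is an added example, not code from the original post or from the Linux-il list; the message, the IP addresses (RFC 5737 documentation ranges), the zone name `dnsbl.example` and the mock zone data are all constructed for the demo, and the 127.0.0.x return code is the usual DNSBL listing convention rather than any particular list's actual code.

```python
import re
import socket
import ipaddress
from email import message_from_string
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: one message relayed through a hypothetical open relay.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by lists.example.net with ESMTP id ABC123; Wed, 17 Feb 2010 15:00:00 +0200
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mx.example.org with ESMTP id XYZ789; Wed, 17 Feb 2010 14:59:30 +0200
Received: from [203.0.113.42] (unknown [203.0.113.42])
    by relay.example.com with SMTP; Wed, 17 Feb 2010 14:59:00 +0200
From: someone@example.org
To: list@example.net
Subject: test

body
"""

# Constructed mock DNSBL zone (hypothetical name): maps query names to the
# A record a listing returns. Real zones use 127.0.0.x codes whose meaning
# is specific to each list.
DNSBL_ZONE = "dnsbl.example"
MOCK_ZONE_DATA: Dict[str, str] = {
    "7.100.51.198.dnsbl.example": "127.0.0.2",  # the relay hop is listed
}

Resolver = Callable[[str], Optional[str]]

def mock_resolver(name: str) -> Optional[str]:
    """Offline stand-in for an A lookup: None means NXDOMAIN (not listed)."""
    return MOCK_ZONE_DATA.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Real A lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw: str) -> List[str]:
    """Return the hop IPs from the Received: headers, earliest hop first.
    Headers are read top-down (most recent first), so reverse them.
    Only the hops added by servers you trust are reliable; anything the
    sender's own host wrote below them can be forged."""
    msg = message_from_string(raw)
    chain = []
    for header in reversed(msg.get_all("Received", [])):
        m = _BRACKET_IP.search(" ".join(header.split()))
        if m:
            chain.append(m.group(1))
    return chain

def check_chain(raw: str, zone: str = DNSBL_ZONE,
                resolve: Resolver = mock_resolver) -> List[Tuple[str, Optional[str]]]:
    """Look up every hop in the DNSBL; pairs each IP with its listing code,
    or None when the address is not listed."""
    results = []
    for ip in received_chain(raw):
        addr = ipaddress.IPv4Address(ip)
        if addr.is_loopback or addr.is_link_local:
            results.append((ip, None))  # DNSBLs never list these
            continue
        results.append((ip, resolve(dnsbl_query_name(ip, zone))))
    return results

def listed_hops(raw: str, zone: str = DNSBL_ZONE,
                resolve: Resolver = mock_resolver) -> List[str]:
    """Just the hop IPs the DNSBL lists, earliest first."""
    return [ip for ip, code in check_chain(raw, zone, resolve) if code]

if __name__ == "__main__":
    for ip, code in check_chain(SAMPLE_MESSAGE):
        print(f"{ip:15} {'listed ' + code if code else 'not listed'}")
```

Run as a script it walks the three hops and reports that only the relay at 198.51.100.7 is listed. To use it against a real list, pass `live_resolver` and that list's zone name to `check_chain`; the reversed-octet query and the 127.0.0.x answer are the same mechanism the anti-spam filters mentioned in the reply rely on, which is why a listed relay is rejected by many sites at once.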