
Re: [Asrg] 1. inventory of problems draft 2

2003-04-11 08:52:50
At 10:19 AM 4/11/2003 -0500, wayne wrote:
In <4(_dot_)3(_dot_)2(_dot_)7(_dot_)2(_dot_)20030411075710(_dot_)02d3f100(_at_)mail(_dot_)tds(_dot_)net> Brad Spencer <brad(_dot_)madison(_at_)mail(_dot_)tds(_dot_)net> writes:

> >Evading accountability
> >         - forging envelope sender
> >         - forging From header
>
> Very typically they HELO with a false identity.

> Unless I'm missing something, aren't HELO commands optional and just
> add, effectively, a comment from the sender MTA to the receiver MTA?
> EHLO does provide information about the SMTP extensions that the
> receiver MTA supports, but it is still optional.

Duh. I should have said HELO or EHLO. They call themselves other than who they are when they connect; they even do that when they connect via an open proxy.


> There's asymmetric IP spam sending - Ralsky used that in Dallas, don't
> know if he (or anyone) does now.  He had a link between a system with
> a fast internet connection and a system with a dialup line (could
> easily all be on the same system).  He spoofed the dialup IP in the
> packets sent out on the fast connection.  The reply packets came back
> through the dialup system.

> How did he get around the three way handshake of a TCP connection and
> the random sequence numbers?  Did he have a back channel from the slow
> system to the fast system?


Exactly. The dialup IPs had the TCP/IP characteristics of a Cisco switch, so a switch may have been part of the scheme.

I think you could do this on a single system with both a high-speed and a modem link (spammers: cover your eyes, stop reading.) Send (as far as the spamware is concerned) through the dialup but patch the code in the dialup routines after the packet is created to use the high-speed link driver rather than the serial line driver to send. As you need a number of serial lines to handle the return packets you might need several systems sending on the serial line, if a single system can't support that number. Bare lowest-end systems should suffice as a serial-line controller. Alternately they could use a terminal server, if they could find one (aren't made any more, are they? In truth I don't know but it would seem the main market for those is gone forever.)

I assume the main consideration is keeping the high-speed link running at near-saturation. I can conceive of a scheme whereby the spoofed IPs are in another part of the country, with the return packets encapsulated in some packet and tunneled back to the origin, where they're made to look normal again and go back in to the appropriate driver. That's slower: the solution is more dialups, so you can keep the high-speed link saturated. Keeping it saturated means you're sending the maximal amount of spam. I think you'd want an excess of dialups so that there's always a slight backlog of responses.

> >Evasion of human caution
> >         - fake DSN
>
> DNS?

> Maybe, or maybe "Delivery Status Notification".  That is, the expanded
> SMTP error codes.



Oh.

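The HELO/EHLO point raised above (the announced identity is unauthenticated and often false) viewed from the receiving MTA's side, as an added example that is not code from this thread: a forward-confirmed DNS check of the HELO name against the connecting IP. The resolver, the hostnames and the DNS records are all constructed here so the example runs offline.

```python
"""Score an SMTP HELO/EHLO argument against the peer IP (added example).

A receiver cannot make HELO trustworthy, but it can record when the
claimed name and the connecting IP disagree and feed that into a spam
score. The DNS lookup is injected so the check runs against constructed
records instead of the network (assumption, not part of the thread).
"""
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed DNS data standing in for real A and PTR lookups.
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],              # A record
    "10.2.0.192.in-addr.arpa": ["mail.example.net"], # PTR, matches A
    "25.2.0.192.in-addr.arpa": ["dsl-25.isp.example"],
}

Resolver = Callable[[str], List[str]]

def fake_lookup(name: str) -> List[str]:
    return FAKE_DNS.get(name.lower().rstrip("."), [])

# Syntactic FQDN: at least one dot, labels of 1-63 chars, no leading/trailing '-'.
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$", re.I)

def check_helo(helo: str, peer_ip: str, lookup: Resolver = fake_lookup) -> str:
    """Classify a HELO/EHLO argument relative to the connecting IP.

    literal-match / literal-mismatch : RFC 2821 address literal, e.g. [192.0.2.10]
    malformed                        : neither a valid FQDN nor a literal
    forward-match                    : HELO name resolves (A) to the peer IP
    ptr-match                        : peer IP's PTR names the HELO host
    mismatch                         : valid name that DNS does not tie to the peer
    """
    helo = helo.strip()
    peer = ipaddress.ip_address(peer_ip)
    if helo.startswith("[") and helo.endswith("]"):
        try:
            literal = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return "malformed"
        return "literal-match" if literal == peer else "literal-mismatch"
    if not _FQDN.match(helo):
        return "malformed"
    if peer_ip in lookup(helo):
        return "forward-match"
    # reverse_pointer yields e.g. "10.2.0.192.in-addr.arpa" for 192.0.2.10.
    if helo.lower() in (n.lower() for n in lookup(peer.reverse_pointer)):
        return "ptr-match"
    return "mismatch"
```

Only "forward-match" or "ptr-match" gives any reason to believe the announced name; a "mismatch" is not proof of forgery on its own, since plenty of legitimate hosts have sloppy DNS, so it belongs in a score rather than a hard reject.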

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg