
Re: [Asrg] 7. Best Practices - DNSBLs - Article

2003-08-12 08:54:36
On Tue, Aug 12, 2003 at 12:32:08AM +0200, Brad Knowles wrote:
      How do you determine if you get a "spam" from a particular IP 
address?  Is this done in any automated way, or just any time a user 
complains?

It's mainly done on spam email we receive ourselves. It's done
semiautomatically from logfiles, catching addresses like
    hostmasteraaun(_at_)space(_dot_)net
    hostmasterakwh(_at_)space(_dot_)net
    hostmasteranki(_at_)space(_dot_)net
    hostmasterbfmn(_at_)space(_dot_)net
    [ ... ]

 Strategy: Do port scans for hosts listening on port 25. Make a list of
    all those IP Addresses.
    Now use a tool that abuses 0wned hosts and do distributed submissions
    of these IP's to the various DNSBLs for testing.

      You mean like <http://www.ordb.org/faq/#test_no_list> or 
<http://dsbl.org/programs>?

Not exactly. I think most DNSBLs check submissions and if there are
some 100 submissions for the same subnet from the same IP they might
block it. So use a proxy on 0wned hosts and distribute the submissions
over a wider range of hosts.

      Here's another idea.  Take the list of the sort you mention 
above, then front that with a DNS-based load-balancing program.  When 
a spammer looks up the address to spam through, they get re-directed 
to one of millions of vulnerable machines, then drop that connection 
after sending a small number of messages, and start the process all 
over again.

I have the impression that once they start to abuse a host they stick to it
as long as possible, because after they start to abuse the host, chances are
high that the server will get fixed and they have to go for a new one.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
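Two defensive pieces of the thread above, written out as an added example (this is not code from the original mail or from SpaceNet): first, the semi-automatic log pass that collects source IPs delivering to spamtrap addresses of the form hostmaster + four letters @space.net; second, the DNSBL-side sanity check Maex describes, where a single submitter reporting on the order of 100 hosts in one subnet is treated as suspect. The log line format, the sample addresses other than the quoted trap pattern, and the function names are assumptions; all sample data is constructed.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample MTA log lines (hypothetical format, not from the original mail).
# 192.0.2.10 hits three different trap addresses; 198.51.100.7 mails a real mailbox.
SAMPLE_LOG = """\
2003-08-12T08:01:02 connect from 192.0.2.10 rcpt=<hostmasteraaun@space.net>
2003-08-12T08:01:05 connect from 192.0.2.10 rcpt=<hostmasterakwh@space.net>
2003-08-12T08:02:11 connect from 198.51.100.7 rcpt=<postmaster@space.net>
2003-08-12T08:03:40 connect from 203.0.113.5 rcpt=<hostmasterbfmn@space.net>
2003-08-12T08:04:00 connect from 192.0.2.10 rcpt=<hostmasteranki@space.net>
"""

# The trap addresses quoted in the mail share the shape "hostmaster" + four letters.
TRAP_RE = re.compile(r"^hostmaster[a-z]{4}@space\.net$")
# Assumed log layout: "... connect from <ip> rcpt=<address>".
LINE_RE = re.compile(r"connect from (?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)>")


def spamtrap_hits(log_text, min_hits=1):
    """Return {source_ip: hit_count} for hosts that delivered to a trap address.

    min_hits lets an operator demand repeated hits before treating an IP as a
    candidate, which filters one-off misdirected mail.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not TRAP_RE.match(m.group("rcpt")):
            continue
        try:
            ip = str(ip_address(m.group("ip")))  # validates and normalises the IP
        except ValueError:
            continue  # malformed address in the log, skip it
        hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def flooded_submissions(submissions, threshold=100, prefix=24):
    """Flag submitters that reported >= threshold hosts inside one /prefix.

    submissions: iterable of (submitter_ip, reported_ip) pairs as a DNSBL test
    frontend would record them. This is the per-submitter, per-subnet check the
    mail refers to; a flood of listings for one subnet from one source is more
    likely a poisoning attempt than a genuine finding.
    """
    per_submitter = defaultdict(Counter)
    for submitter, reported in submissions:
        net = ip_network(f"{reported}/{prefix}", strict=False)
        per_submitter[submitter][net] += 1
    return {src for src, nets in per_submitter.items() if max(nets.values()) >= threshold}


if __name__ == "__main__":
    print(spamtrap_hits(SAMPLE_LOG))
    # Constructed: one submitter reports 100 hosts of 203.0.113.0/24, another reports one.
    subs = [("192.0.2.99", f"203.0.113.{i}") for i in range(100)]
    subs.append(("198.51.100.1", "203.0.113.7"))
    print(flooded_submissions(subs))
```

Both checks deliberately work on bare counts per source, which is exactly what the mail says a distributed submitter would try to sidestep; the design point for a list operator is that the per-submitter threshold is a first filter, not the only one.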