spf-discuss

Re: Re: "extreme SPF" scenario for ISPs: AOL

2004-02-04 05:46:38
No - it sounds like 3 machines: victim, attacker, and decoy.

Victim is, well.. the victim, or SMTP server at some random ISP.

Attacker is sitting on say a network in the Far East.

Decoy is in the AOL dialup range.

Decoy has been infected with a Trojan.

1. Attacker sends IP packet with forged header of decoy to victim.
2. Victim responds to the packet, to decoy.
3. Decoy either forwards the packet to attacker, or responds itself, to establish communication.

4. Attacker proceeds to send large amounts of email via victim, while for all intents and purposes the traffic appears to come from the AOL dial-up range.

5. AOL really can't see any of this, so they can't truly stop it.

The real problem is the ISPs that are allowing the attacker to send forged packets. The only really decent place to stop that is at the edge networks, before it comes into the peering networks.

Matthew
 --------------------------------
Matthew Barr
mbarr(_at_)datalyte(_dot_)com
Managing Partner
Datalyte Consulting, LLC.
(646) 765-6878    (cell)
On Feb 4, 2004, at 3:57 AM, Alex van den Bogaerdt wrote:

On Tue, Feb 03, 2004 at 06:41:21PM -0600, Seth Goodman wrote:

Incredible it is. I suppose anyone can forge an IP address through software by using a raw socket, but I'm surprised that their network border routers would let such a packet out. I guess I'm naive as to how insecure many networks are.

Out? And what about in?!? Why t.f. is AOL allowing their IP range as source on the wrong side of their border routers?

For this IP triangle to work, both sides need to allow AOL's IP range to come from the spammer.

cheers,
Alex
--
begin  sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
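The two filtering points the thread argues for can be stated precisely: a border router must never accept its own customer prefix as a source from the peering side (Alex's "wrong side of their border routers"), and a customer-facing edge port must never forward a packet whose source lies outside the prefix assigned to that customer (Matthew's "stop it at the edge networks", i.e. BCP 38 style egress filtering). The following is an added example, not code from the original thread; it models both checks in Python over constructed sample packets. All prefixes are RFC 5737 documentation ranges standing in for the ISP's dial-up pool, the victim and the attacker, and the interface names are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed prefixes for the three parties in the scenario (RFC 5737
# documentation ranges, not any real ISP's allocation).
OUR_DIALUP = ip_network("192.0.2.0/24")     # the ISP's own dial-up pool; the "decoy" lives here
VICTIM_NET = ip_network("198.51.100.0/24")  # some random ISP's SMTP server
ATTACKER_NET = ip_network("203.0.113.0/24") # "a network in the Far East"

# Hypothetical interface names on the ISP's border router.
UPSTREAM_IFACE = "upstream"   # faces peering / transit
CUSTOMER_IFACE = "customer"   # faces the dial-up pool


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on
    src: str
    dst: str


def ingress_check(pkt: Packet) -> tuple[bool, str]:
    """Peering side: our own prefix may never arrive as a source from outside.

    This is the check that stops step 1 of the scenario, the forged packet
    claiming a decoy address while actually coming from the attacker.
    """
    if pkt.iface == UPSTREAM_IFACE and ip_address(pkt.src) in OUR_DIALUP:
        return False, "ingress: internal source prefix arriving from upstream"
    return True, "ingress: ok"


def egress_check(pkt: Packet) -> tuple[bool, str]:
    """Customer side (BCP 38): a customer port may only source its assigned prefix.

    This is the filter Matthew wants at the edge network so that a spoofing
    host cannot inject forged sources into the peering networks at all.
    """
    if pkt.iface == CUSTOMER_IFACE and ip_address(pkt.src) not in OUR_DIALUP:
        return False, "egress: source outside assigned customer prefix"
    return True, "egress: ok"


def check_packet(pkt: Packet) -> tuple[bool, str]:
    """Apply both anti-spoofing checks; the first failing check decides."""
    for check in (ingress_check, egress_check):
        ok, reason = check(pkt)
        if not ok:
            return ok, reason
    return True, "accept"


# Constructed sample traffic, one packet per situation discussed in the thread.
SAMPLE_PACKETS = {
    # Step 1: attacker on the peering side forges the decoy's address toward the victim.
    "forged_from_upstream": Packet(UPSTREAM_IFACE, "192.0.2.77", "198.51.100.25"),
    # The same forgery attempted from a customer port of this ISP instead.
    "forged_from_customer": Packet(CUSTOMER_IFACE, "203.0.113.9", "198.51.100.25"),
    # Step 3: the infected decoy itself talks to the victim; this is genuine traffic
    # and no source-address filter can distinguish it.
    "decoy_genuine": Packet(CUSTOMER_IFACE, "192.0.2.77", "198.51.100.25"),
    # Step 2: the victim's reply to the decoy arriving from upstream, also genuine.
    "victim_reply": Packet(UPSTREAM_IFACE, "198.51.100.25", "192.0.2.77"),
}


def evaluate_samples() -> dict[str, bool]:
    """Return the accept/drop verdict for every constructed sample packet."""
    return {name: check_packet(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        ok, reason = check_packet(pkt)
        print(f"{name:22s} {pkt.iface:9s} {pkt.src:>15s} -> {pkt.dst:<15s} "
              f"{'ACCEPT' if ok else 'DROP'} ({reason})")
```

The result matches the limits the thread describes: the forged packet is dropped at whichever of the two boundaries enforces a check, but once the decoy is infected and answers on its own (step 3), its packets carry a legitimate source and pass every source-address filter, which is why the thread places the fix at the networks that let forged packets out in the first place rather than at the ISP whose addresses are being borrowed.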

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/