SPAMMERS

Edgar Allen era at sky.net
Wed Sep 29 07:04:26 CDT 1999


AciDSAS writes:
>Received: from back.itd.com (front.itd.com [216.212.12.146])
>Received: from aha.ru (front.itd.com [172.16.1.1])
>
>Here is some info about your spammers. Please do something.

    As you can see from the above IP address, our firewall (front.itd.com)
    is not the IP you received this spam from (see below).
>
>Received: from ashs2.itd.com (fwuser@[203.102.146.41])
> by dns1.ilest.com (8.9.3/8.9.3/Debian/GNU) with ESMTP id MAA16053
> for <acidsas at mail.ilest.com>; Tue, 28 Sep 1999 12:06:55 -0500

    Server:  ns1.sky.net
    Address:  209.90.0.2
    
    Non-authoritative answer:
    Name:    www.itd.com
    Address:  208.16.30.106
    
    www.itd.com is a web server hosted on a remote ISP.
    
    Since front and www are the only machines which can reach the Net
    and we use 172.16.x.x behind the firewall, what do you propose I do?

    We had a vulnerability to relaying which was closed almost two
    weeks ago.  The spam had headers which also claimed a random eight
    character login at compuserve.com.  I suspect that the spammer is
    angry at me for locking him out so he is faking my domain as the
    source now.

    The ashs2.itd.com comes from his introducing himself to your
    sendmail with the command 'HELO ashs2.itd.com'.  Then sendmail does
    a lookup of his IP address and reports what it finds inside the
    parens().

    His connection appears to be from a firewall (fwuser@) whose IP
    address is not registered in a DNS.

    Compare that to line two where back.itd.com connected to this
    machine and correctly identified itself but because it connected
    through the masquerading box (front.itd.com) that is the IP that
    sendmail resolved.

    Line three is where your connection to front.itd.com was
    transparently forwarded to back.itd.com.  Your machine correctly
    identified itself, but back saw the connection coming from the
    internal address of front (front.itd.com [172.16.1.1]).

    I suggest that you might try locating the ISP which owns
    203.102.146.41 and complain to them.  They, if they are not the
    spammer, might close his account.

		Ed Allen
		era at sky.net
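A small parser for the sendmail Received format Ed describes, added here as an example and not part of the original message: it separates the client's HELO name from the reverse DNS name and the bracketed peer IP, and applies his rule that only the IP is evidence worth reporting. The sample headers are constructed from the lines quoted above (the ashs2 line placed as the earliest hop), and `domain_of` is a deliberately crude helper assumed for the demo.

```python
import re
import ipaddress
from typing import List, Optional, NamedTuple

# Constructed sample: the Received lines quoted in the message above, listed
# top-down as they would sit in a mail header, so the last one is the earliest hop.
SAMPLE_RECEIVED = [
    "from back.itd.com (front.itd.com [216.212.12.146])",
    "from aha.ru (front.itd.com [172.16.1.1])",
    "from ashs2.itd.com (fwuser@[203.102.146.41]) by dns1.ilest.com "
    "(8.9.3/8.9.3/Debian/GNU) with ESMTP id MAA16053",
]

class Hop(NamedTuple):
    helo: str                # name the client announced in HELO (client-controlled)
    reverse: Optional[str]   # name sendmail got from a reverse DNS lookup, if any
    ip: str                  # peer address sendmail saw, always in square brackets

# sendmail writes "from <helo> (<revdns> [<ip>])"; when the reverse lookup fails
# the parenthesis holds only "[<ip>]" or "<ident>@[<ip>]".
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<revdns>[^\s@\[\]]+)\s+)?"
    r"(?:[^\s@\[\]]+@)?\[(?P<ip>[0-9.]+)\]\)"
)

def parse_hop(header: str) -> Optional[Hop]:
    m = _RECEIVED_RE.search(header)
    return Hop(m["helo"], m["revdns"], m["ip"]) if m else None

def domain_of(name: str) -> str:
    """Registrable domain approximated as the last two labels (demo helper only)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def assess(hop: Hop) -> dict:
    """HELO is untrusted; only the bracketed IP (and any reverse name) is evidence."""
    verified = hop.reverse is not None and domain_of(hop.reverse) == domain_of(hop.helo)
    internal = ipaddress.ip_address(hop.ip).is_private
    if internal:
        note = "private address: an internal relay hop, not the public origin"
    elif verified:
        note = "HELO corroborated by reverse DNS"
    else:
        note = "HELO unverified: no matching reverse DNS, trust only the IP"
    return {"report_ip": hop.ip, "claimed": domain_of(hop.helo),
            "helo_verified": verified, "internal": internal, "note": note}

def origin(received: List[str]) -> Optional[dict]:
    """Earliest hop (last Received header) is the one whose IP to report to its ISP."""
    for header in reversed(received):
        hop = parse_hop(header)
        if hop:
            return assess(hop)
    return None
```

Run `origin(SAMPLE_RECEIVED)` to get the hop to complain about; it points at 203.102.146.41 with the HELO claim of itd.com marked unverified, while the back.itd.com hop through the masquerading firewall checks out.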
