mailing list archives
Re: Spam from weird IP 188.8.131.52
From: Matthew Sweet <msweet () deadnet net>
Date: Mon, 16 Jun 2003 18:24:17 +0000 (GMT)
Look carefully at the headers again. I have seen a few like this running
around. The IP listed is not actually an IP, but marked as a supposed
FQDN. The ones I have seen appear to originate out of Brazil for the most
part. I do not have a sample handy at the moment, but if someone wants it
(for whatever reason), just let me know.
On Mon, 16 Jun 2003, Richard D G Cox wrote:
> On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" <pascal.gloor () spale com> wrote:
> | Getting SPAM from 184.108.40.206 relayed by rr.com ?
> | this network is not allocated, nor announced. I have been looking everywhere
> | to find if it has been announced (historical bgp update databases, like RIS
> | RIPE / CIDR REPORT / etc..)... I didn't find anything.... this probably means
> | rr.com is routing that network internally.
> This is very likely to be a known exploit I have been tracking. In all the
> cases which we have so far confirmed, the spam was not relayed, but proxied
> by a trojan executable which is able to mimic a "previous" header with such
> a degree of accuracy that it is indistinguishable from the genuine article!
> | If there is any rr.com guy around. Could you please check this?
> Our advice would be that the server-that-connected-to-you needs to be taken
> offline by the security people at its site (which you say is RoadRunner) and
> they should have ALL its disk(s) imaged for forensic analysis purposes.
> Our experience is that sites hit by this exploit will do basic checks on
> the server and claim it is uncompromised and "cannot possibly be sending
> that spam". Such a claim would be entirely incorrect. You would need to
> persuade them that something is wrong, which is difficult at the best of
> times. RoadRunner being involved in this case suggests this may *not* be
> the "best of times".
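The two points made in this thread (a dotted quad sitting where a HELO/FQDN belongs, and a "previous" Received: line that was never written by a real relay but handed to you by the connecting host) both come down to one rule: the only Received: line you can trust is the one your own MTA wrote, and the only address you can act on is the bracketed IP it recorded. The Python below is an added example written for this archive page, not code posted by anyone in the thread. The header block it parses is constructed for the example and uses RFC 5737 documentation addresses, not the IPs discussed above; the host names mx.example.net and smtp1.rr.example are assumptions.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample headers (not from the thread). The topmost Received:
# line is the one our own MTA (mx.example.net, an assumed name) added when
# the connecting host handed us the message; the line below it is whatever
# that host supplied and could have been fabricated by a proxy trojan.
SAMPLE_HEADERS = (
    "Received: from smtp1.rr.example (smtp1.rr.example [198.51.100.7])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4C2F1B8A1\n"
    "\tfor <victim@example.net>; Mon, 16 Jun 2003 17:30:02 +0200\n"
    "Received: from 203.0.113.5 (unknown)\n"
    "\tby smtp1.rr.example with SMTP; 16 Jun 2003 15:29:58 -0000\n"
    "From: \"Someone\" <someone@example.org>\n"
    "Subject: hello\n"
)

# "from <helo-name> (<optional comment>)": the token after "from" is the
# name the client gave in HELO/EHLO; the connecting IP, if the relay
# recorded it, appears in square brackets.
FROM_CLAUSE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines and return (name, value) pairs in order."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def is_bare_ip(token: str) -> bool:
    """True for a dotted quad with no brackets, i.e. an IP placed where a host name belongs."""
    try:
        ip_address(token)
    except ValueError:
        return False
    return True


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull the HELO name, the parenthesised comment and any bracketed IP out of one Received: value."""
    m = FROM_CLAUSE.match(value)
    ip_match = BRACKET_IP.search(value)
    return {
        "helo": m.group("helo") if m else None,
        "comment": m.group("comment") if m else None,
        "ip": ip_match.group(1) if ip_match else None,
    }


def analyze_chain(raw: str) -> List[Dict[str, object]]:
    """Walk the Received: chain top-down and attach findings to each hop.

    Hop 0 was written by our MTA, so its bracketed IP is the host that really
    connected to us. Every later hop is a claim made by that host (or by
    whatever is proxying through it) and cannot be verified from our side.
    """
    findings: List[Dict[str, object]] = []
    hops = [value for name, value in unfold_headers(raw) if name == "received"]
    for index, value in enumerate(hops):
        hop = parse_received(value)
        flags: List[str] = []
        if index > 0:
            flags.append("unverifiable: header supplied by the connecting host, not written by us")
        if hop["helo"] and is_bare_ip(hop["helo"]):
            flags.append("bare IP in HELO/FQDN position (an address literal would be bracketed)")
        if hop["ip"] is None:
            flags.append("no bracketed connecting IP recorded by this relay")
        findings.append({"hop": index, "helo": hop["helo"], "ip": hop["ip"], "flags": flags})
    return findings


def actual_source(raw: str) -> Optional[str]:
    """The IP to take to the connecting site's security people: hop 0's bracketed address."""
    chain = analyze_chain(raw)
    return chain[0]["ip"] if chain else None


if __name__ == "__main__":
    for hop in analyze_chain(SAMPLE_HEADERS):
        print(hop)
    print("report this host:", actual_source(SAMPLE_HEADERS))
```

Run against the constructed sample, hop 0 comes back clean with 198.51.100.7 as the connecting host, while hop 1 is flagged three times: it is unverifiable by construction, its HELO position holds a bare dotted quad, and it records no bracketed connecting IP. That matches the thread's advice: do not chase the address in the lower header, ask the site that owns the connecting host to pull it and image its disks.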