Home page logo
/

nanog logo nanog mailing list archives

Re: New SPAM DOS
From: Owen DeLong <owen () delong com>
Date: Fri, 8 Jan 2010 12:52:17 -0800

Unfortunately, I only have the spamcop report sent to me, I don't have the original message.
What spamcop sends does not include Content-Type headers or the additional parts of
the message, only the plain text portion.

Unfortunately, it's turnning things like SPAMCOP into a DOS attack against the sites
they are hoping to protect when they start treating the initial "advertised" URL as
being the "spam advertised site".

Owen

On Jan 8, 2010, at 11:39 AM, sthaug () nethelp no wrote:

I host scvrs.org on one of my servers, and, it does not have any outlook or owa
services.  For some reason, someone decided to try and send this message
out to various internet recipients:
...
Anyone seen this before?  Any good techniques for combatting it?

If you look more closely at the messages I believe you'll find that
they are multipart/alternative, and that the second part gives a
slightly modified version of the owa URL. For instance, for my own
nethelp.no domain the first part of message says

http://nethelp.no/owa/...

but the second part specifies URLs like

http://nethelp.no.ujjikx.co.im/owa/...
http://nethelp.no.ujjiks.net.im/owa/...
http://nethelp.no.ikuu8w.com/owa/...
http://nethelp.no.ikuu8e.net/owa/...

This is a very old trick, seen lots of times in connection with
phishing sites, for instance.

Steinar Haug, Nethelp consulting, sthaug () nethelp no



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]