|
Boost : |
From: Dan W. (danw_at_[hidden])
Date: 2004-02-14 00:07:27
David Abrahams wrote:
> Here's what the IU sysadmin says:
> We looked into this, and here's a few results:
>
> 1. The mail was definitely sent through lists.boost.org (HOG); Larry
> looked in the logs and found the relevant entries.
>
> 2. As a best guess, this is simple forgery. This is fairly common
> activity for viruses these days; viruses send out to addresses that they
> find in your inbox and in your addressbook. They also masquerade who they
> came from, so we don't really know where it came from, other that the IP
> address (202.103.247.70, which doesn't resolve to a name).
>
>
>>It looks as if my normal boost digest emails come through indiana
>>university, in fact.
>
>
> Correct.
>
>
>>So, my first guess was probably right as well, that
>>the SMTP server for the boost mailing list doesn't scan outgoing emails
>>for viruses
>
>
> Correct.
>
>
>> --if it isn't altogether hacked...
>
>
> Not as far as we know.
>
>
>>And now that I remember, I'd had this email address for a whole year and
>>hadn't received any spam until I joined the mailing list. About an hour
>>later I got my first 3 spams, and it's been downhill since.
>
>
> Sorry. Not the fault of hosting it at IU, though.
Well, IU's admins could have set up the server to...
A) Record the sender's IP (I appreciate the 202.103.247.70 revelation,
now, but I'd appreciate it even more as part of the email header..), and
not to do so is to invite spammers and hackers to route through it.
B) Scan for viruses, at least a real-quick and dirty scan for the top
hall of infamy top 10: Blaster, MyDoom, and 8 more picks.. ;-)
Anyways, I wasn't intending to file a complaint, rather to help try and
catch/punish the perpetrators. The sys admin there should download
Spade. It's free, and very useful. (search for Sam Spade.)
202.103.247.70 is served from where bird flu viruses originate:
-----------------------------------------------------------
02/13/04 23:11:39 whois 202.103.247.70_at_[hidden]
whois -h whois.apnic.net 202.103.247.70 ...
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 202.103.192.0 - 202.103.255.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: CR766-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GX
changed: hostmaster_at_[hidden] 20000101
status: ALLOCATED NON-PORTABLE
source: APNIC
role: CHINANET GUANGXI
address: No.35,Minzhu Road,Nanning 530015
country: CN
phone: +86-771-2815987
fax-no: +86-771-2839278
e-mail: hostmaster_at_[hidden]
trouble: send spam reports to hostmaster_at_[hidden]
trouble: send abuse reports to hostmaster_at_[hidden]
trouble: times in GMT+8
admin-c: CR76-AP
tech-c: BD37-AP
nic-hdl: CR766-AP
remarks: http://www.gx.cninfo.net
notify: hostmaster_at_[hidden]
mnt-by: MAINT-CHINANET-GX
changed: hostmaster_at_[hidden] 20021024
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: hostmaster_at_[hidden]
e-mail: anti-spam_at_[hidden]
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster_at_[hidden] 20021016
remarks: hostmaster is not for spam complaint,please send spam
complaint to anti-spam_at_[hidden]
source: APNIC
-----------------------------------------------------------
Not to be deceived by their anti-spam stance; --China is probably the
biggest spam gateway, with India and Pakistan some way behind.
The machine doesn't return ping, browsing to it times-out, and a
traceroute looks like this:
-----------------------------------------------------------
02/13/04 22:03:53 Fast traceroute 202.103.247.70
Trace 202.103.247.70 ...
1 67.68.200.5 13ms 13ms 12ms TTL: 0
(Toronto-HSE-ppp3774662.sympatico.ca ok)
2 64.230.254.253 16ms 20ms 19ms TTL: 0 (No rDNS)
3 64.230.227.213 14ms 14ms 15ms TTL: 0
(dis3-montrealak-Vlan101.in.bellnexxia.net ok)
4 64.230.240.69 15ms 14ms 14ms TTL: 0 (No rDNS)
5 64.230.240.9 14ms 13ms 14ms TTL: 0 (No rDNS)
6 64.230.240.18 24ms 23ms 24ms TTL: 0 (No rDNS)
7 64.230.242.206 25ms 24ms 23ms TTL: 0 (No rDNS)
8 64.230.242.201 24ms 22ms 23ms TTL: 0 (No rDNS)
9 206.108.101.182 80ms 79ms 80ms TTL: 0
(core2-vancouver-pos10-2.in.bellnexxia.net ok)
10 206.108.102.209 84ms 85ms 83ms TTL: 0
(core2-seattle-pos12-0.in.bellnexxia.net ok)
11 206.108.108.150 122ms 120ms 121ms TTL: 0
(core1-paloalto01-pos1-0.in.bellnexxia.net ok)
12 206.108.102.250 122ms 121ms 120ms TTL: 0
(bx1-paloalto01-srp2-0.in.bellnexxia.net ok)
13 206.108.108.174 616ms 597ms 581ms TTL: 0 (No rDNS)
14 202.97.51.193 977ms 907ms 872ms TTL: 0 (No rDNS)
15 202.97.33.149 973ms 908ms 892ms TTL: 0
(p-15-0-r2-c-gdgz-1.cn.net bogus rDNS: host not found [authoritative])
16 202.97.40.198 1095ms 1021ms 1028ms TTL: 0 (No rDNS)
17 202.97.21.158 1112ms 1056ms 1065ms TTL: 0 (No rDNS)
18 218.65.132.59 1110ms 1044ms 1063ms TTL: 0 (No rDNS)
19 No Response * * *
20 No Response * * *
21 No Response * * *
22 No Response * * *
23 No Response * * *
24 No Response * * *
25 No Response * * *
26 No Response * * *
27 No Response * * *
28 No Response * * *
29 No Response * * *
-----------------------------------------------------------
The last IP, before the gas nebula begins, belongs to the same people:
-----------------------------------------------------------
whois -h whois.apnic.net 218.65.132.59 ...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.65.128.0 - 218.65.255.255
netname: CHINANET-GX
descr: CHINANET Guangxi province network
descr: China Telecom
................................
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GX
changed: hostmaster_at_[hidden] 20010731
................................
role: CHINANET GUANGXI
address: No.35,Minzhu Road,Nanning 530015
country: CN
phone: +86-771-2815987
fax-no: +86-771-2839278
e-mail: hostmaster_at_[hidden]
................................
-----------------------------------------------------------
And so are all four IP's before it, 202.97.xxx.xxx
Which means that they make their dubious packets run in circles for a
while, within the building, to try and look innocent... If I had a full
url, I'd probably be able to verify that the machine at our IP address
is used for hosting the types of shady biz that advertise via spam in
the first place.
206.108.108.174 is in North America, BTW, part of the Bell system.
Cheers!
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk