Re: Mail Attack

From: Steve Phillips (steve_at_focb.co.nz)
Date: 08/24/05

    Date: Wed, 24 Aug 2005 10:32:39 +1200
    To: General Red Hat Linux discussion list <redhat-list@redhat.com>
    
    

    Jessica Zhu wrote:
    > Hi Steve,
    >
    > Below is one. It is from mx.maria.choppy.com.cl, right? I guess I have to
    > scan all the bounces. It will be really time consuming.
    >
    > Date: Wed, 24 Aug 2005 03:43:57 +0800 (CST)
    > From: Mail Delivery Subsystem <MAILER-DAEMON@ms28.hinet.net>
    > To: Jessica@mathforum.org
    > Subject: Returned mail: Service unavailable
    >
    > The original message was received at Wed, 24 Aug 2005 03:43:52 +0800 (CST)
    > from [211.106.177.167]
    >
    > ----- The following addresses had permanent fatal errors -----
    > <chingyu7@ms28.hinet.net>
    >
    > ----- Transcript of session follows -----
    > mail.local: /var/mail/c/chingyu7: Disc quota exceeded
    > 554 <chingyu7@ms28.hinet.net>... Service unavailable
    >
    > ----- Original message follows -----
    >
    > Return-Path: <Jessica@mathforum.org>
    > Received: from 168.95.5.28 ([211.106.177.167])
    > by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
    > Wed, 24 Aug 2005 03:43:52 +0800 (CST)
    > Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
    > by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
    > for <Jessica@mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500

    These are the important lines.

    It should also be noted that as spammers forge these lines the first one
    is generally the only one that can be trusted, but let's follow them all
    as an example.

    The above says

    "Mail originated from a machine that thought it was called
    24-138.F.dial.o-tel-o.net but was mx.maria.choppy.com.cl and was received
    by mx.maria.munich.com.cl"

    The next line reads

    "Mail originated from a machine that called itself 168.95.5.28 but was
    in fact 211.106.177.167 and was received by ms28.hinet.net"

    From this we can tell that either the first received line is bogus or
    somehow the message magically jumped from Chile to the USA (which is
    unlikely)

    As a result, the only _real_ information we have is that the spam
    originated from 211.106.177.167, which was also trying to lie about its
    identity by calling itself 168.95.5.28 (which is actually the IP of
    ms28.hinet.net)

    211.106.177.167 is a Korean network block, and looking up via APNIC

    whois 211.106.177.167@whois.apnic.net

    produces..

    # ENGLISH

    KRNIC is not a ISP but a National Internet Registry similar to APNIC.
    The followings are information of the organization that is using the
    IPv4 address.

    IPv4 Address : 211.106.177.0-211.106.177.255
    Network Name : KORNET-INFRA000001
    Connect ISP Name : KORNET
    Connect Date : 20031129
    Registration Date : 20031209

    [ Organization Information ]
    Organization ID : ORG1600
    Org Name : Korea Telecom
    State : GYUNGGI
    Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
    Zip Code : 463-711

    [ Admin Contact Information]
    Name : IP Administrator
    Org Name : Korea Telecom
    State : GYUNGGI
    Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
    Zip Code : 463-711
    Phone : +82-2-3674-5708
    Fax : +82-2-747-8701
    E-Mail : ip@ns.kornet.net

    [ Technical Contact Information ]
    Name : IP Manager
    Org Name : Korea Telecom
    State : GYUNGGI
    Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
    Zip Code : 463-711
    Phone : +82-2-3674-5708
    Fax : +82-2-747-8701
    E-Mail : ip@ns.kornet.net

    This could potentially create problems for you unless you are versed in
    Korean. I would try to send an e-mail to them and hope that someone
    there understands the language you compose your e-mail in. Failing this,
    you may want to redirect a bunch of these messages to the admin and
    technical contacts (which happen to be the same address) and hope there
    is someone there that understands e-mail headers.

    You should also examine the other messages however as you may find that
    this box (211.106.177.167) is a compromised machine that is being used
    to relay spam and hide the real person.

    In this case you are going to have a major job tracking these people
    down - if this is the case try to find an address range used that
    originated in a country that you speak the language of fluently and try
    calling them - they may be able to help you track down the actual
    originator of these messages and you can then either pursue legal
    proceedings or request their real ISP to shut them down.

    However, the problem can get worse, if the spam is originating from a
    "spam gang" then you are pretty much out of luck and will either have to
    shut down the domain or buy a bigger box to cope with the attack.
    Eventually the spam will stop..

    Hope this helps..

    -- 
    Steve.
    (PS: sorry it took so long to reply, we had a fire alarm go off :-) )
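The header walk Steve describes, as an added example that is not part of the original post: it unfolds the two Received headers quoted above (embedded here as a constructed sample), splits each hop into the name the sender claimed, the address the relay actually saw, and the relay itself, and marks the chain as untrusted from the first hop whose "from" host does not match the previous hop's "by" host. It assumes the topmost Received header was written by the recipient's own mail server.

```python
import re

# Constructed sample built from the two Received headers quoted in the thread above.
RAW_HEADERS = """\
Return-Path: <Jessica@mathforum.org>
Received: from 168.95.5.28 ([211.106.177.167])
 by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
 Wed, 24 Aug 2005 03:43:52 +0800 (CST)
Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
 by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
 for <Jessica@mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500
"""

# "from <name> (<paren>) by <host>"; the parenthesised part is optional and covers
# both the sendmail form "from HELO ([ip])" and the qmail form "from rdns (HELO name)".
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)


def unfold_headers(raw):
    """Join RFC 822 continuation lines and return (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()   # continuation of previous header
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return [(n, v) for n, v in fields]


def parse_hop(value):
    """Split one Received value into claimed name, real address and the relay that logged it."""
    m = HOP_RE.search(value)
    if not m:
        return None
    first, paren, by = m.group(1), m.group(2) or "", m.group(3)
    if paren.upper().startswith("HELO "):          # qmail style: rdns first, HELO in parens
        claimed, actual = paren[5:].strip(), first
    else:                                          # sendmail style: HELO first, [ip] in parens
        claimed, actual = first, paren.strip("[] ") or first
    return {"claimed": claimed, "actual": actual, "by": by}


def trace(raw):
    """Walk Received headers top-down (nearest to recipient first); flag lies and chain breaks."""
    hops = [h for n, v in unfold_headers(raw) if n.lower() == "received" if (h := parse_hop(v))]
    trusted = True
    for i, hop in enumerate(hops):
        hop["lied_about_name"] = hop["claimed"] != hop["actual"]
        # The relay named in this hop's "by" must be the host the hop above says it came from.
        if i > 0 and hops[i - 1]["actual"] != hop["by"]:
            trusted = False
        hop["trusted"] = trusted
    return hops
```

On the sample, the first hop is kept as trusted (real sender 211.106.177.167, claiming to be 168.95.5.28) and the second is flagged untrusted because nothing connects 211.106.177.167 to mx.maria.munich.com.cl.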
    
