Mail Attack
Jessica Zhu
jessica at mathforum.org
Wed Aug 24 13:36:33 UTC 2005
On Wed, 24 Aug 2005, Steve Phillips wrote:
> Jessica Zhu wrote:
> > Hi Steve,
> >
> > Below is one. It is from mx.maria.choppy.com.cl, right? I guess I have to
> > scan all the bounces. It will be really time consuming.
> >
> > Date: Wed, 24 Aug 2005 03:43:57 +0800 (CST)
> > From: Mail Delivery Subsystem <MAILER-DAEMON at ms28.hinet.net>
> > To: Jessica at mathforum.org
> > Subject: Returned mail: Service unavailable
> >
> > The original message was received at Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> > from [211.106.177.167]
> >
> > ----- The following addresses had permanent fatal errors -----
> > <chingyu7 at ms28.hinet.net>
> >
> > ----- Transcript of session follows -----
> > mail.local: /var/mail/c/chingyu7: Disc quota exceeded
> > 554 <chingyu7 at ms28.hinet.net>... Service unavailable
> >
> > ----- Original message follows -----
> >
> > Return-Path: <Jessica at mathforum.org>
> > Received: from 168.95.5.28 ([211.106.177.167])
> > by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
> > Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> > Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
> > by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
> > for <Jessica at mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500
>
> These are the important lines.
>
> It should also be noted that as spammers forge these lines the first one
> is generally the only one that can be trusted, but let's follow them all
> as an example.
>
> The above says
>
> "Mail originated from a machine that thought it was called
> 24-138.F.dial.o-tel-o.net but was mx.maria.choppy.com.cl and was received
> by mx.maria.munich.com.cl"
>
> The next line reads
>
> "Mail originated from a machine that called itself 168.95.5.28 but was
> in fact 211.106.177.167 and was received by ms28.hinet.net"
>
> From this we can tell that either the first received line is bogus or
> somehow the message magically jumped from Chile to the USA (which is
> unlikely)
>
> As a result, the only _real_ information we have is that the spam
> originated from 211.106.177.167, which was also trying to lie about its
> identity by calling itself 168.95.5.28 (which is actually the IP of
> ms28.hinet.net)
>
> 211.106.177.167 is a Korean network block, and looking up via APNIC
>
> whois 211.106.177.167 at whois.apnic.net
>
> produces..
>
> # ENGLISH
>
> KRNIC is not a ISP but a National Internet Registry similar to APNIC.
> The followings are information of the organization that is using the
> IPv4 address.
>
> IPv4 Address : 211.106.177.0-211.106.177.255
> Network Name : KORNET-INFRA000001
> Connect ISP Name : KORNET
> Connect Date : 20031129
> Registration Date : 20031209
>
> [ Organization Information ]
> Organization ID : ORG1600
> Org Name : Korea Telecom
> State : GYUNGGI
> Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code : 463-711
>
> [ Admin Contact Information]
> Name : IP Administrator
> Org Name : Korea Telecom
> State : GYUNGGI
> Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code : 463-711
> Phone : +82-2-3674-5708
> Fax : +82-2-747-8701
> E-Mail : ip at ns.kornet.net
>
> [ Technical Contact Information ]
> Name : IP Manager
> Org Name : Korea Telecom
> State : GYUNGGI
> Address : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code : 463-711
> Phone : +82-2-3674-5708
> Fax : +82-2-747-8701
> E-Mail : ip at ns.kornet.net
>
> This could potentially create problems for you unless you are versed in
> Korean. I would try to send an e-mail to them and hope that someone
> there understands the language you compose your e-mail in. Failing this,
> you may want to redirect a bunch of these messages to the admin and
> technical contacts (which happen to be the same address) and hope there
> is someone there that understands e-mail headers.
>
> You should also examine the other messages, however, as you may find that
> this box (211.106.177.167) is a compromised machine that is being used
> to relay spam and hide the real person.
>
> In this case you are going to have a major job tracking these people
> down - if this is the case try to find an address range used that
> originated in a country that you speak the language of fluently and try
> calling them - they may be able to help you track down the actual
> originator of these messages and you can then either pursue legal
> proceedings or request their real ISP to shut them down.
>
> However, the problem can get worse, if the spam is originating from a
> "spam gang" then you are pretty much out of luck and will either have to
> shut down the domain or buy a bigger box to cope with the attack.
> Eventually the spam will stop..
>
Appreciate it, Steve.
I will try to contact them and also will consider getting another big box
if our current one cannot cope with the situation.
If I get another one, I'd like to set up multi-layer on it to scan virus,
spam and prevent forge. Do you guys have any structure suggestion for
this?
Jessica
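The header-walking Steve does by hand above can be scripted. The following is an added example written for this archive page, not code from either poster: it unfolds the Received: lines from the quoted bounce (embedded here as a constructed sample copied from the thread), pulls out for each hop the name the sender presented, any HELO name or bracketed IP the receiving server recorded, and the receiving host, then applies the same two checks Steve applies: only the topmost hop carries a connecting IP that the server writing it actually observed, and a lower hop is suspect when the host it says received the mail is not the host the hop above says handed it over. The `parse_hops` and `audit_chain` names and the dict layout are this example's own choices. Header formats vary between MTAs (sendmail writes `from HELO (rdns [ip])`, qmail-style servers write `from rdns (HELO name)`), so the parser treats the parenthesised part loosely and the name comparisons are a heuristic, not proof.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the Received: headers from the bounce quoted in this
# thread, exactly as the thread shows them. The topmost header is the most
# recent hop; the bottom one is the one closest to the claimed origin.
SAMPLE_HEADERS = """\
Return-Path: <Jessica@mathforum.org>
Received: from 168.95.5.28 ([211.106.177.167])
 by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
 Wed, 24 Aug 2005 03:43:52 +0800 (CST)
Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
 by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
 for <Jessica@mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500
"""

# "Received: from <claimed> (<paren>) by <by> ..." -- the part in parentheses
# is whatever the receiving MTA recorded about the peer (HELO name, rDNS, [ip]).
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<claimed>\S+)"
    r"(?:\s*\((?P<paren>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received: header, topmost (most recent) first."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = IP_RE.search(paren)
        helo = paren[5:].strip() if paren.upper().startswith("HELO ") else None
        hops.append({
            "claimed": m.group("claimed"),   # name the sending side presented
            "helo": helo,                    # HELO name, if the receiver wrote it
            "ip": ip.group(1) if ip else None,  # IP the receiver actually saw
            "by": m.group("by"),             # host that wrote this header
        })
    return hops


def audit_chain(hops: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Apply the 'trust only the top hop, check the rest for consistency' rule."""
    report: Dict[str, object] = {
        "origin_ip": None,           # IP observed by the topmost (trusted) hop
        "suspect_hops": [],          # 1-based hop numbers whose chain does not join up
        "identity_mismatches": [],   # hops whose presented name disagrees with what was seen
    }
    if not hops:
        return report
    top = hops[0]
    # The top hop's bracketed IP is the only value here written by a server we
    # did not have to take the sender's word for; it is trusted only as far as
    # the server that wrote it (ms28.hinet.net in the sample) is trusted.
    report["origin_ip"] = top["ip"]
    for n, hop in enumerate(hops, start=1):
        if hop["ip"] and hop["claimed"] != hop["ip"]:
            report["identity_mismatches"].append(
                f"hop {n}: presented itself as {hop['claimed']} but connected from {hop['ip']}")
        if hop["helo"] and hop["helo"] != hop["claimed"]:
            report["identity_mismatches"].append(
                f"hop {n}: HELO said {hop['helo']} but peer was {hop['claimed']}")
    # If a lower hop were genuine, the host that received the mail there ("by")
    # should be the host the hop above says it got the mail from ("from").
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if lower["by"] != upper["claimed"]:
            report["suspect_hops"].append(i + 2)
    return report


if __name__ == "__main__":
    result = audit_chain(parse_hops(SAMPLE_HEADERS))
    print("origin IP (trusted hop):", result["origin_ip"])
    print("suspect hops:", result["suspect_hops"])
    for line in result["identity_mismatches"]:
        print(line)
```

Run against the sample it reports 211.106.177.167 as the only verifiable origin, flags hop 1 because the peer presented itself as 168.95.5.28 while connecting from 211.106.177.167, and marks hop 2 suspect because mx.maria.munich.com.cl is not the host hop 1 received the message from, which is the same conclusion Steve reached above. To triage a whole mailbox of bounces, feed each bounced original's headers to `parse_hops` and tally the `origin_ip` values; the whois lookup Steve shows is then done once per distinct address rather than once per bounce.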