Mail Attack

Jessica Zhu jessica at mathforum.org
Wed Aug 24 13:36:33 UTC 2005


On Wed, 24 Aug 2005, Steve Phillips wrote:

> Jessica Zhu wrote:
> > Hi Steve,
> > 
> > Below is one. It is from mx.maria.choppy.com.cl, right? I guess I have to 
> > scan all the bounces. It will be really time consuming.
> > 
> > Date: Wed, 24 Aug 2005 03:43:57 +0800 (CST)
> > From: Mail Delivery Subsystem <MAILER-DAEMON at ms28.hinet.net>
> > To: Jessica at mathforum.org
> > Subject: Returned mail: Service unavailable
> > 
> > The original message was received at Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> > from [211.106.177.167]
> > 
> >    ----- The following addresses had permanent fatal errors -----
> > <chingyu7 at ms28.hinet.net>
> > 
> >    ----- Transcript of session follows -----
> > mail.local: /var/mail/c/chingyu7: Disc quota exceeded
> > 554 <chingyu7 at ms28.hinet.net>... Service unavailable
> > 
> >    ----- Original message follows -----
> > 
> > Return-Path: <Jessica at mathforum.org>
> > Received: from 168.95.5.28 ([211.106.177.167])
> >         by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
> >         Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> > Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
> >         by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
> >         for <Jessica at mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500
> 
> These are the important lines.
> 
> It should also be noted that as spammers forge these lines the first one 
> is generally the only one that can be trusted, but let's follow them all 
> as an example.
> 
> The above says
> 
> "Mail originated from a machine that thought it was called 
> 24-138.F.dial.o-tel-o.net but was mx.maria.choppy.com.cl and was received 
> by mx.maria.munich.com.cl"
> 
> The next line reads
> 
> "Mail originated from a machine that called itself 168.95.5.28 but was 
> in fact 211.106.177.167 and was received by ms28.hinet.net"
> 
> From this we can tell that either the first received line is bogus or 
> somehow the message magically jumped from Chile to the USA (which is 
> unlikely)
> 
> As a result, the only _real_ information we have is that the spam 
> originated from 211.106.177.167, which was also trying to lie about its 
> identity by calling itself 168.95.5.28 (which is actually the IP of 
> ms28.hinet.net)
> 
> 211.106.177.167 is a Korean network block, and looking up via APNIC
> 
> whois 211.106.177.167 at whois.apnic.net
> 
> produces..
> 
> # ENGLISH
> 
> KRNIC is not a ISP but a National Internet Registry similar to APNIC.
> The followings are information of the organization that is using the 
> IPv4 address.
> 
> IPv4 Address       : 211.106.177.0-211.106.177.255
> Network Name       : KORNET-INFRA000001
> Connect ISP Name   : KORNET
> Connect Date       : 20031129
> Registration Date  : 20031209
> 
> [ Organization Information ]
> Organization ID    : ORG1600
> Org Name           : Korea Telecom
> State              : GYUNGGI
> Address            : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code           : 463-711
> 
> [ Admin Contact Information]
> Name               : IP Administrator
> Org Name           : Korea Telecom
> State              : GYUNGGI
> Address            : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code           : 463-711
> Phone              : +82-2-3674-5708
> Fax                : +82-2-747-8701
> E-Mail             : ip at ns.kornet.net
> 
> [ Technical Contact Information ]
> Name               : IP Manager
> Org Name           : Korea Telecom
> State              : GYUNGGI
> Address            : 206, Jungja-dong, Bundang-gu, Sungnam-ci
> Zip Code           : 463-711
> Phone              : +82-2-3674-5708
> Fax                : +82-2-747-8701
> E-Mail             : ip at ns.kornet.net
> 
> This could potentially create problems for you unless you are versed in 
> Korean. I would try to send an e-mail to them and hope that someone 
> there understands the language you compose your e-mail in. Failing this, 
> you may want to redirect a bunch of these messages to the admin and 
> technical contacts (which happen to be the same address) and hope there 
> is someone there that understands e-mail headers.
> 
> You should also examine the other messages however as you may find that 
> this box (211.106.177.167) is a compromised machine that is being used 
> to relay spam and hide the real person.
> 
> In this case you are going to have a major job tracking these people 
> down - if this is the case try to find an address range used that 
> originated in a country that you speak the language of fluently and try 
> calling them - they may be able to help you track down the actual 
> originator of these messages and you can then either pursue legal 
> proceedings or request their real ISP to shut them down.
> 
> However, the problem can get worse, if the spam is originating from a 
> "spam gang" then you are pretty much out of luck and will either have to 
> shut down the domain or buy a bigger box to cope with the attack. 
> Eventually the spam will stop..
> 

Appreciate it, Steve. 

I will try to contact them and also will consider getting another big box 
if our current one cannot cope with the situation.

If I get another one, I'd like to set up multiple layers on it to scan for viruses 
and spam and to prevent forgery. Do you guys have any structure suggestions for 
this?

Jessica
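Steve's procedure above (read the Received: lines newest-first, compare what each peer claimed in HELO with what the receiving server actually saw, and check that each older hop's "by" host is the host the newer hop received from) can be done by a small script rather than by eye when there are hundreds of bounces to go through. The Python below is an added example written for this thread, not code from Steve, Jessica or any list member. It assumes the two header layouts seen in the quoted bounce (sendmail-style "from helo (rdns [ip])" and qmail-style "from rdns (HELO helo)"); the sample header block is constructed from the bounce quoted above, with the list's "at" obfuscation undone so the addresses parse.

```python
import re

# Constructed sample input: the Received: lines from the bounce quoted in this
# thread, with the list's "at" obfuscation undone so the addresses parse as-is.
SAMPLE_HEADERS = """\
Return-Path: <Jessica@mathforum.org>
Received: from 168.95.5.28 ([211.106.177.167])
        by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
        Wed, 24 Aug 2005 03:43:52 +0800 (CST)
Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
        by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
        for <Jessica@mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500
"""


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(header):
    """Split one unfolded Received: line into what the peer claimed and what
    the receiving MTA observed.  Two layouts are handled (an assumption about
    the formats present in this bounce):
      sendmail style: from <helo-name> (<rdns-name> [<ip>])
      qmail style:    from <rdns-name> (HELO <helo-name>)
    """
    m = re.match(r"Received:\s*from\s+(\S+)(?:\s+\(([^)]*)\))?(.*)", header, re.I)
    if not m:
        return None
    first, paren, rest = m.group(1), m.group(2) or "", m.group(3)
    by = re.search(r"\bby\s+(\S+)", rest, re.I)
    helo_m = re.match(r"HELO\s+(\S+)", paren, re.I)
    if helo_m:                       # qmail style: real name first, HELO in parens
        helo, real_name, real_ip = helo_m.group(1), first, None
    else:                            # sendmail style: HELO first, truth in parens
        ip_m = re.search(r"\[([0-9.]+)\]", paren)
        helo = first
        real_ip = ip_m.group(1) if ip_m else None
        real_name = paren.split("[")[0].strip() or None
    return {"helo": helo, "real_name": real_name, "real_ip": real_ip,
            "by": by.group(1).rstrip(";") if by else None}


def received_hops(raw):
    """All Received: hops, newest first (the order in which MTAs prepend them)."""
    parsed = (parse_received(line) for line in unfold_headers(raw)
              if line.lower().startswith("received:"))
    return [hop for hop in parsed if hop]


def observed(hop):
    """What the receiving server actually saw for this hop (name and/or IP)."""
    return {hop["real_name"], hop["real_ip"]} - {None}


def trusted_hops(hops):
    """Prefix of hops forming a continuous chain: each older hop's 'by' host
    must be the host the newer hop says it received from.  The chain stops at
    the first gap; everything older than that could have been written by the
    sender, so only the newest hops (stamped by MTAs you trust) count."""
    trusted = hops[:1]
    for cur, older in zip(hops, hops[1:]):
        if older["by"] in observed(cur) | {cur["helo"]}:
            trusted.append(older)
        else:
            break
    return trusted


def apparent_origin(hops):
    """IP (or name) of the oldest host in the trusted chain: the real sender."""
    t = trusted_hops(hops)
    if not t:
        return None
    return t[-1]["real_ip"] or t[-1]["real_name"]


def findings(hops):
    """Human-readable list of HELO mismatches and the point where the chain breaks."""
    out = []
    for i, hop in enumerate(hops):
        if observed(hop) and hop["helo"] not in observed(hop):
            out.append("hop %d: claimed to be %s but was %s"
                       % (i, hop["helo"], ", ".join(sorted(observed(hop)))))
    n = len(trusted_hops(hops))
    if n < len(hops):
        out.append("hop %d and older do not connect to hop %d: treat as forged"
                   % (n, n - 1))
    return out


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    for line in findings(hops):
        print(line)
    print("apparent origin:", apparent_origin(hops))
```

On the bounce quoted above this reports that hop 0 called itself 168.95.5.28 but was 211.106.177.167, that hop 1 called itself 24-138.F.dial.o-tel-o.net but was mx.maria.choppy.com.cl, and that hop 1 does not connect to hop 0, so the apparent origin is 211.106.177.167, the same conclusion Steve reached by hand. The one line that cannot be forged from outside is the topmost one written by a server you control or trust; the chain check only tells you where the sender's own headers start, it does not make those older lines true.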





More information about the redhat-list mailing list