Mail Attack

Steve Phillips steve at focb.co.nz
Tue Aug 23 22:32:39 UTC 2005


Jessica Zhu wrote:
> Hi Steve,
> 
> Below is one. It is from mx.maria.choppy.com.cl, right? I guess I have to 
> scan all the bounces. It will be really time consuming.
> 
> Date: Wed, 24 Aug 2005 03:43:57 +0800 (CST)
> From: Mail Delivery Subsystem <MAILER-DAEMON at ms28.hinet.net>
> To: Jessica at mathforum.org
> Subject: Returned mail: Service unavailable
> 
> The original message was received at Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> from [211.106.177.167]
> 
>    ----- The following addresses had permanent fatal errors -----
> <chingyu7 at ms28.hinet.net>
> 
>    ----- Transcript of session follows -----
> mail.local: /var/mail/c/chingyu7: Disc quota exceeded
> 554 <chingyu7 at ms28.hinet.net>... Service unavailable
> 
>    ----- Original message follows -----
> 
> Return-Path: <Jessica at mathforum.org>
> Received: from 168.95.5.28 ([211.106.177.167])
>         by ms28.hinet.net (8.8.8/8.8.8) with SMTP id DAA01186;
>         Wed, 24 Aug 2005 03:43:52 +0800 (CST)
> Received: from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)
>         by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55
>         for <Jessica at mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500

These are the important lines.

It should also be noted that as spammers forge these lines the first one 
is generally the only one that can be trusted, but let's follow them all 
as an example.

The above says

"Mail originated from a machine that thought it was called 
24-138.F.dial.o-tel-o.net but was mx.maria.choppy.com.cl and was received 
by mx.maria.munich.com.cl"

The next line reads

"Mail originated from a machine that called itself 168.95.5.28 but was 
in fact 211.106.177.167 and was received by ms28.hinet.net"

From this we can tell that either the first received line is bogus or 
somehow the message magically jumped from Chile to the USA (which is 
unlikely)

As a result, the only _real_ information we have is that the spam 
originated from 211.106.177.167, which was also trying to lie about its 
identity by calling itself 168.95.5.28 (which is actually the IP of 
ms28.hinet.net)

211.106.177.167 is a Korean network block, and looking up via APNIC

whois 211.106.177.167 at whois.apnic.net

produces..

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the 
IPv4 address.

IPv4 Address       : 211.106.177.0-211.106.177.255
Network Name       : KORNET-INFRA000001
Connect ISP Name   : KORNET
Connect Date       : 20031129
Registration Date  : 20031209

[ Organization Information ]
Organization ID    : ORG1600
Org Name           : Korea Telecom
State              : GYUNGGI
Address            : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code           : 463-711

[ Admin Contact Information]
Name               : IP Administrator
Org Name           : Korea Telecom
State              : GYUNGGI
Address            : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code           : 463-711
Phone              : +82-2-3674-5708
Fax                : +82-2-747-8701
E-Mail             : ip at ns.kornet.net

[ Technical Contact Information ]
Name               : IP Manager
Org Name           : Korea Telecom
State              : GYUNGGI
Address            : 206, Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code           : 463-711
Phone              : +82-2-3674-5708
Fax                : +82-2-747-8701
E-Mail             : ip at ns.kornet.net

This could potentially create problems for you unless you are versed in 
Korean. I would try to send an e-mail to them and hope that someone 
there understands the language you compose your e-mail in. Failing this, 
you may want to redirect a bunch of these messages to the admin and 
technical contacts (which happen to be the same address) and hope there 
is someone there that understands e-mail headers.

You should also examine the other messages however as you may find that 
this box (211.106.177.167) is a compromised machine that is being used 
to relay spam and hide the real person.

In this case you are going to have a major job tracking these people 
down - if this is the case try to find an address range used that 
originated in a country that you speak the language of fluently and try 
calling them - they may be able to help you track down the actual 
originator of these messages and you can then either pursue legal 
proceedings or request their real ISP to shut them down.

However, the problem can get worse, if the spam is originating from a 
"spam gang" then you are pretty much out of luck and will either have to 
shut down the domain or buy a bigger box to cope with the attack. 
Eventually the spam will stop..

Hope this helps..

-- 
Steve.

(PS: sorry it took so long to reply, we had a fire alarm go off :-) )
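The header walk Steve does by hand above, as an added example that is not part of the original thread: a small Python parser that splits each Received line into what the peer claimed (HELO) and what the receiving MTA actually recorded, flags the mismatches, and treats only the newest line as trustworthy. The sample headers are constructed from the bounce quoted above; the function names `parse_hop`, `trace` and `likely_origin` are this example's own.

```python
import re

# Constructed sample: the two Received lines from the bounce quoted above,
# listed newest first, exactly as they appear in the message headers.
RECEIVED_HEADERS = [
    "from 168.95.5.28 ([211.106.177.167]) by ms28.hinet.net (8.8.8/8.8.8)"
    " with SMTP id DAA01186; Wed, 24 Aug 2005 03:43:52 +0800 (CST)",
    "from mx.maria.choppy.com.cl (HELO 24-138.F.dial.o-tel-o.net)"
    " by mx.maria.munich.com.cl (Estfix) with ESMTP id F86203BD55"
    " for <Jessica@mathforum.org>; Wed, 24 Aug 2005 01:38:50 +0500",
]

HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
HELO_RE = re.compile(r"\bHELO\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(header):
    """Return (helo, seen, by) for one Received line, or None if unparseable.
    helo = name the peer claimed for itself; seen = what the receiver recorded
    (IP or reverse DNS). Handles "from HELO ([ip])" and "from rdns (HELO x)"."""
    m = HOP_RE.match(" ".join(header.split()))   # fold continuation lines
    if not m:
        return None
    name, paren, by = m.group("name"), m.group("paren") or "", m.group("by")
    helo_m, ip_m = HELO_RE.search(paren), IP_RE.search(paren)
    if helo_m:                    # "from rdns (HELO claimed)"
        return helo_m.group(1), name, by
    if ip_m:                      # "from claimed ([actual-ip])"
        return name, ip_m.group(1), by
    return name, name, by         # nothing to cross-check against

def trace(headers):
    """Walk the chain newest-first. Only hop 0 was written by a server we
    control (or the bouncing server), so only its 'seen' value is trusted;
    every older line may have been written by the sender."""
    report = []
    for i, h in enumerate(headers):
        hop = parse_hop(h)
        if hop is None:
            continue
        helo, seen, by = hop
        report.append({"hop": i, "helo": helo, "seen": seen, "by": by,
                       "helo_mismatch": helo != seen, "trusted": i == 0})
    return report

def likely_origin(headers):
    """The peer address recorded by the newest (trusted) Received line."""
    hops = trace(headers)
    return hops[0]["seen"] if hops else None
```

Run against the sample, `likely_origin` gives 211.106.177.167 and both hops are flagged with a HELO mismatch, which is exactly the reasoning in the reply above.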
