DoN. Nichols
Firewalls and reporting

In article ,
Old Nick wrote:
On 4 May 2004 00:15:41 -0400, (DoN. Nichols)
vaguely proposed a theory
......and in reply I say!:
remove ns from my header address to reply via email

OK. Don, you have been great, even though the flavour of what you say
does not always suit <G>.


:-)

I will post my view. I am doing that to many others as well. I can
see from what you write that you take a lot more care than most to
protect your system.


I do -- in part because I have been exposed to dealing with
classified material in the past, and sent to meetings of computer
security types to learn what could be done, and what to do to reduce the
chances. (Note -- I say *reduce*, not eliminate. The general consensus
is that the only truly *secure* system is locked in a vault, with *no*
wires of *any* sort running into the vault -- including no power. :-)

There is one irony in all of this; I get hardly ANY spam on email. I
never have had much. My crusade started only because of the newsgroup
filthy posts, with virii attached.


I see *some* of them in the traps in the
newsgroup-to-mailing-list gateway which I operate for people of a
different interest field than this one. And, I also see trapped by the
same filters, the following cancel messages sent out by those who *try*
to keep the spam and virii out of the newsgroups. As I explained
another place, this doesn't work universally, as many systems don't
honor cancels, and certainly it is too late if a cancel arrives even a
half-second after the article has automatically been forwarded to a
mailing list. :-)

I also noticed the huge number of pings
when I put in a firewall, which I installed because I saw a lot of
"extraneous activity" on the modem activity monitor.

But virtually no spam, as such.


So your spam is being filtered somewhere upstream from your
machine. A mixed blessing, as even the best of the spam filters
sometimes gets something which you would rather have received.

You (and your wife):

- are far more involved than I am in this, and for a longer time
- and are therefore way up the tree in knowledge
- have a setup that is not just me using my PC to access the
W....Net (?)
- btw nobody has actually picked me up on that yet. I have had a
lot of nitpicking, _from people who have not bothered to provide as
much info_ I might add. But not that one.
- have a lot more incentive to work at this. You are running an
eservice of some sort, and all I have is my ****ty liver and
crusader's heart. <G>


We are running it as a hobby -- no income at all. But I worked
as a unix system administrator for the last five years before I retired.

Yes -- but that is the only way that *works* to any extent. In
terms of e-mail spam, the most careful and detailed reporting will get
good responses from *some* ISPs, (those with a good record of coming
down hard on spammers).


I have had a good response from my ISP. But as I said, they actually
recommended MNWM to me. Not to fob me off, I believe; they still asked
me to report if I felt like it.


Great!

My wife spends hours each day tracking down the source of spam,
and reporting it.


Not so easy if that is not a major occupation/job, which it does seem
to be in be your situation.


Well ... we are both retired, and she enjoys getting spammers'
accounts killed. I enjoy having her do it.

[ ... ]

I have had _robo-responses_ saying they have taken action, by shutting
down, and _still_ had more results. :-


That can happen. Maybe they *did* shut the system down, it got
cleaned up, put back on the net, and immediately re-infected. Some
people just don't learn from the first -- or even the twelfth --
infection.

Most people (including you) are dependent on their ISP's mail
server, so this is not an option to them.


Yes. Precisely.

We *could* subscribe to one of the blocklists, which would take
out a small fraction of the spam, but it sometimes will take out things
which I *want* to get, too.


Ironically, there are both users and ISPs bashing SpamCop, because it's
"too aggressive". SpamCop have retorted that they are not more
aggressive than they have ever been. It's just that the crap is
deeper.


The problem with SpamCop is that they toss addresses into the
blocklist with no backup information -- just based on a single
complaint, often by someone who can't read headers properly. I know
that *I've* been in the SpamCop list because of mis-reading of forged
headers. The good side of that is that the addresses don't *stay* in
there for long. The ones which we consider really *good* are SPEWS and
Spamhaus.

One solution is reporting the relevant information in
news.admin.net-abuse.email and news.admin.net-abuse.sightings, and some
of the big blocklists monitor that and will add well-researched reports
to their list. Some of my wife's reports have shown up in the evidence
files offered by some of the big blocklists.


I am having enough trouble dealing with the picky, snotty forums at a
couple of the reporting sites. When I saw the results at those abuse
forums, I ran away fast. Sorry.


Bear in mind that there are trolls in there, looking for things
to stir up those with a prickly sense of pride. You have to learn who
is worth listening to, and who is not. A good killfile in your
newsreader helps, once you learn who to avoid.

The problems I am having seem to centre around the idea that they are
doing a good thing, so get on with it and stop asking questions.


Trolls want to disrupt any progress, so they will ask questions
which don't really need to be answered. Some others may ask questions
to make clear the level of understanding of headers of someone reporting
a spam.

The news.admin.net-abuse.email group is for discussion of the problem
and not for posting of entire spam e-mails. That is what you send to
news.admin.net-abuse.sightings. If you post a spam to
news.admin.net-abuse.email, edit it down to whatever makes it
interesting (particular stupidity on the part of the spammer as an
example.)

The
abuse places were just childish and rude, in the first whole page I
looked at.


Trolls, and people who don't suffer fools gladly. You have to
look at what triggered each response to figure out which is which.

I know that in your opinion that is silly of me, but
perhaps the place itself needs monitoring and cleaning up.


It is the target of trolls *because* it has an effect in the
control of spam. If it didn't, the spammers wouldn't bother to try to
make it unusable. The trick is to not let them succeed at making it
unusable.

...I know, I
know. It would be a never-ending task, I suppose. But that's the net
result. I ran away.


But it is where things *do* happen. And where to learn how to
make things happen on your own.

[ ... ]

I have even tried tracing stuff back, and usually end up at IANA (I
am no expert in this) who immediately have a huge statement saying
"It's not us!"


Almost any one will say that -- even (or especially) if it is
them. The abuse people at many ISPs are totally clueless, and you have
to explain the evidence to them step by step.


I got the impression that IANA is not an ISP as such, but a sort of
recorder? See? I have no idea.


O.K. I've checked, and it is the overall control of the
allocation of IP addresses around the world. Yes, they would not be the
source.

And Heaven help you if
you get it wrong, as they will never forget that.


This was the trouble I was getting trying to report stuff on a couple
of the forums provided by spam and malware stoppers.


They have enough to do without dealing with bad information
which causes them to waste time on things which don't apply. They are
specialized, after all.

If MNWM and others like it are a waste of time, it looks pretty grim
from "my" side. I was hoping that there were orgs that had people far
more skilled than I am at tracing and understanding the web.


First off -- calling it "the web" displays some of the
ignorance.


Which, if the problem is to be solved, has to be ignored.


But it will cause people to look for other faults in your
report, much more closely than if you used the right terminology.

[ ... ]

The problem has to be dealt with in both directions. Sorry, but if
somebody has a problem with my terminology, and will let that affect
their treatment not of me, but my complaint, then there is a problem.


It causes them to focus more on the reports from those whose
terminology suggests that it is more likely to be useful information.
Remember -- there is always more to do than there is time (or people) to
do it, so it is reasonable for them to focus on the information which is
most likely to be useful.

This is what has been happening to me on some of the forums I visited.
Every question I asked, or suggestion I made, ended up in circles of
belittling correction and perfection which met the inevitable
fundamental end. I am not the most subservient and docile of people,
but in order to succeed "against" these people, I would have needed
to be a complete worm, with many hours to spend learning what they
knew, their way, or get no answers.


Remember that some of the people in any newsgroup are likely to
be trolls -- intent on disrupting the newsgroup. We have had them in
rec.crafts.metalworking.

[ ... ]

If the info you get is useless or questionable, then maybe it's
because there is not enough communication between firewall makers,
MNWM and you guys?


A lot of the information isn't available *from* even the best
firewall. It has to be dug out of the headers (in e-mail spam), and dug
out of the encrypted URLs in the spams. It is *work*. (There are
web-based tools to help with a lot of this -- which you will find
discussed on news.admin.net-abuse.email.)


But then why are the ISPs not using these?


Who says that they are not? Or using the equivalent unix
commands. In many cases, the web-based tools are to allow people who
don't have the commands on their systems to still do the investigation.

Or why is MNWM (good
responses from them) not using them,


Again -- who says that they are not? The problem is that these
tests take *time*, so they can't be run on every spam report, and thus
it is reasonable to focus on the ones which have the most promise.

or SpamCop (arrogant and
nitpicking)? My point is that if you get 1000 users all trying to get
it right, they won't, and they will use 2000 times as much time as one
knowledgeable person would.


How many knowledgeable people are there available in any given
organization? Remember -- most of the people being paid have to do work
to keep things running, and only a very few are paid (full-time or more
likely part-time) to handle abuse reports.

But it *might* be something totally harmless, which is a
reaction to something which you are doing.


Well, what I am getting is hundreds of pings, apparently from about 30
different dial-up addresses, all from the same ISP. It seemed a bit
strange.


Hmm ... note that someone tracing a virus or a spam is likely to
use traceroute as one of the tools. This gives a report of how packets
get from here to there, by using a series of pings with various
time-to-live values, to get the names of intermediate systems.

As an example, your headers show you posted this from IP address
203.220.103.37 (though that may change each time you log in). A run of
traceroute from here shows:

======================================================================
izalco:dnichols 17:34 traceroute 203.220.103.37
traceroute to 203.220.103.37 (203.220.103.37), 30 hops max, 40 byte packets
1 SkinnyBox (204.91.85.1) 2 ms 1 ms 1 ms
2 209.116.196.213 (209.116.196.213) 7 ms 4 ms 4 ms
3 165.117.192.198 (165.117.192.198) 4 ms 4 ms 4 ms
4 165.117.175.129 (165.117.175.129) 4 ms 4 ms 4 ms
5 165.117.67.62 (165.117.67.62) 5 ms 5 ms 5 ms
6 165.117.64.9 (165.117.64.9) 5 ms 5 ms 5 ms
7 sl-st1-ash-2-3.sprintlink.net (144.223.246.89) 64 ms 112 ms 216 ms
8 sl-bb23-rly-5-0.sprintlink.net (144.232.20.153) 6 ms 6 ms 7 ms
9 sl-bb21-rly-9-0.sprintlink.net (144.232.14.133) 13 ms 7 ms 6 ms
10 sl-bb22-rly-13-0.sprintlink.net (144.232.7.254) 7 ms 7 ms 6 ms
11 sl-bb22-sj-10-0.sprintlink.net (144.232.20.186) 81 ms 80 ms 80 ms
12 sl-bb23-tac-14-0.sprintlink.net (144.232.20.9) 102 ms 105 ms 102 ms
13 sl-bb21-tac-1-0.sprintlink.net (144.232.17.177) 102 ms 102 ms 102 ms
14 sl-gw6-tac-10-0.sprintlink.net (144.232.17.1) 102 ms 102 ms 102 ms
15 sl-splkc2-1-0.sprintlink.net (160.81.229.146) 104 ms 104 ms 104 ms
16 203.194.0.157 (203.194.0.157) 91 ms 91 ms 91 ms
17 pos3-0.155.cor01-broo-scn.comindico.net (203.194.0.189) 295 ms 298 ms 295 ms
18 pos5-2.155.cor01-kent-syd.comindico.net.au (203.194.0.181) 295 ms 295 ms 296 ms
19 pos1-1.cor01-kent-syd.comindico.com.au (203.194.25.53) 297 ms 296 ms 295 ms
20 pos9-0-0.cor01-stge-pth.comindico.com.au (203.194.25.74) 296 ms 297 ms 301 ms
21 ge1-0.dis01-stge-pth.comindico.com.au (203.194.58.194) 298 ms 307 ms 298 ms
22 fe0-0.acc03-stge-pth.comindico.com.au (203.194.58.3) 301 ms 296 ms 296 ms
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
^C
======================================================================

With "Skinnybox" being the name of my router. I interrupted it
after several repeats of the "* * *" report, which is probably where
your firewall would be stopping them. If I hadn't stopped it then, it
would have continued trying until line 40.

Also -- with sites which are slow to connect, I set up scripts
to ping the site first, so the IP lookup is complete, so I don't time
out waiting for the nslookup to work. (Of course, I usually run an
nslookup directly.)

Now -- if a bunch of spam was sent out to a given IP block, and
it included your IP address in the spam -- perhaps as the URL -- you
would see a lot of connect attempts on the HTML port (port 80), and
maybe some pings as well. If your system was infected for a short
while, it is quite probable that the spammers installed a web server to
redirect connections to your system to go to their real web server, or
actually put a copy of their web page on your system, along with a web
server. So -- *most* people who open that spam (with a HTML-capable
mail program) will likely automatically try to connect to your IP
address.

Or -- if your IP address changes with each login, then there is
a good chance that someone else who had the same IP address previously
had a web server installed by a virus and backdoor, and this was being
advertised in spam to a single block of IP addresses. That sort of
thing could account for a lot of connections. Or it could be a bunch of
infected machines trying to connect to yours and infect it.

And the *latest* Windows worm doesn't even require someone to
receive e-mail -- just to be connected to the Internet with a system
lacking the necessary patches.


Which is why people set up firewalls in paranoid mode....


Unfortunately, not enough of them do so. If they *all* did, the
virii would not spread.

Note that "paranoid mode" is a term used most often by software
firewalls -- the kind which can be silently turned off by a virus, if
you open the wrong e-mail. (Probably also by the firewalls included in
wireless ethernet hubs.)

Standalone firewalls are usually configured on a lower level --
turn off everything, and then turn on the things that you *know* you
need. If something else which you need to use doesn't work, look at the
logs to determine what else to turn on.

Note that I have been mostly focusing on only one of the
multiple problems -- the spam e-mail -- because that is the one which I
*see*. I don't see the virii -- at the expense of refusing anything
large enough to be a virus, which also means most images. The usenet
virii are (mostly) filtered out before they get to me, somewhere
upstream, not by me. (The spams are still there, of course.)


Well I just had a response from Ad-Aware (more self-righteousness and
fundamental circling), after about 15 emails, saying that since the
attachment that I had submitted was a virus, they were not interested.
Buy a virus checker. Just like that. Duck-shove.


They specialize in the programs like spybots installed by e-mail
or web pages -- or sometimes by installing software packages.

I have pointed out that
- since the attachment, when operational, kept phoning out of my
system, it was behaving suspiciously like malware as well
- maybe they needed to get real and start looking at the broader
field.


It is too big a field for any one company to handle all the
parts well. Better (IMHO) to have each company specialize, and do that
*well*.

I do not even expect a reply. IMO, Ad-Aware picks up a lot of stuff
that is not at all important and may be ignoring real problems, for
all that it's the #1 with many people.


The Met Bureau is LOVE!


You've gotten your bite on this one -- isn't it time to change?


Fooh. Somebody is really _reading_ this stuff! <G> Well, there was
another one.


I *saw* the other one, hence my comment that you had gotten your
bite. I was not asking for the explanation -- just suggesting that it
was time to do something else. (Says he who has used the same .sig
quote since about 1982 or so. :-)

I think that I will drop out of this discussion, as it takes a
good part of an afternoon to type all of this, and we don't seem to be
getting anywhere.

I've been on the other side of things -- as a unix network admin
at a Government lab -- and we (even with a small workforce/userbase)
have had to shut down an account or two for abuse -- before spam really
got its start with Canter and Siegel's "Green Card spam". So I know
what it is like to be expected to do lots of things with not enough
people.

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. |
http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
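As an added example (not part of the post above), here is a small Python parser for traceroute output like the run DoN quotes, which reports the last hop that answered and how many trailing rows were all timeouts, the "* * *" pattern he reads as the point where a firewall starts dropping the probes. The embedded trace is an abridged copy of the one in the post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from itertools import takewhile
from typing import List, Optional

# Abridged copy of the trace quoted in the post (hops 2-6 and 8-21 omitted);
# the trailing '* * *' rows are where the run was interrupted with ^C.
SAMPLE = """\
traceroute to 203.220.103.37 (203.220.103.37), 30 hops max, 40 byte packets
 1 SkinnyBox (204.91.85.1) 2 ms 1 ms 1 ms
 7 sl-st1-ash-2-3.sprintlink.net (144.223.246.89) 64 ms 112 ms 216 ms
22 fe0-0.acc03-stge-pth.comindico.com.au (203.194.58.3) 301 ms 296 ms 296 ms
23 * * *
24 * * *
25 * * *
^C
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")     # "<hop number> <rest of row>"
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")  # "name (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+) ms")            # one probe's round-trip time
LIMIT_RE = re.compile(r"(\d+) hops max")       # hop limit from the header line

@dataclass
class Hop:
    number: int
    host: Optional[str] = None   # stays None when every probe timed out ('* * *')
    ip: Optional[str] = None
    rtts_ms: List[float] = field(default_factory=list)

    @property
    def answered(self) -> bool:
        return self.ip is not None

def parse_traceroute(text):
    """Return (hop_limit, [Hop, ...]); prompt, header and '^C' rows are skipped."""
    limit, hops = None, []
    for line in text.splitlines():
        if limit is None and (m := LIMIT_RE.search(line)):
            limit = int(m.group(1))
        elif (m := HOP_RE.match(line)):
            hop = Hop(int(m.group(1)))
            if (h := HOST_RE.search(m.group(2))):
                hop.host, hop.ip = h.group(1), h.group(2)
                hop.rtts_ms = [float(x) for x in RTT_RE.findall(m.group(2))]
            hops.append(hop)
    return limit, hops

def last_answering(hops):
    """The furthest hop that replied: the last router before the silence."""
    return next((h for h in reversed(hops) if h.answered), None)

def silent_tail(hops):
    """Unanswered hops after the last reply. A firewall that drops the probes
    shows up as such a run of '* * *', which would continue to the hop limit."""
    return sum(1 for _ in takewhile(lambda h: not h.answered, reversed(hops)))
```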