Firewalls and reporting
In article ,
Old Nick wrote:

> On Sat, 01 May 2004 14:14:25 GMT, "Carli Groven" vaguely proposed a theory ......and in reply I say!: remove ns from my header address to reply via email
>
>> Wha???
>
> Well at least you weren't rude about it. It's fairly simple actually. There are sites that allow you report spam, not just block it and hope it goes away. They then report to the Source ISPs and in some cases the stuff gets stopped. I feel we should support them.
>
> *************************************************
> *** The Met Bureau is LOVE!

I believe you were talking about MyNe****chman specifically. I wouldn't bother with them. As one of those on the "source ISP" end of things, we get notices from them often and they are useless. They report that someone with foo address tried to make a connection to baz address on this date. There isn't enough information in the reports to determine what was happening and why, so it gets ignored. Requests for more information from MyNe****chman were also never answered.

MyNe****chman doesn't seem to have any standards for how the firewalls it allows to report problems are configured. People just put them into ultra paranoid/delusional mode and report away. In this situation, a single mistyped address results in a flurry of reports back to the source ISP. I doubt any ISP takes these guys seriously. I wouldn't waste my money on them.

-- Joe
--
Joseph M. Krzeszewski  Network Operations
Jack of All Trades, Master of None... Yet
Firewalls and reporting
In article ,
Bruce L. Bergman wrote:

> On 2 May 2004 11:10:12 -0400, wrote:
>
>> I believe you were talking about MyNe****chman specifically. I wouldn't bother with them. As one of those on the "source ISP" end of things, we get notices from them often and they are useless. They report that someone with foo address tried to make a connection to baz address on this date. There isn't enough information in the reports to determine what was happening and why, so it gets ignored. Requests for more information from MyNe****chman were also never answered.
>
> So what would you recommend as an effective method of reporting spammers, scammers & skript kiddies poking at your system ports for vulnerabilities, that the BOFH ;-) Sysop community will actually listen to?

If you can find the email addresses for the people who really run the networks, they are usually very interested in cleaning their own sandbox. The helpdesk and abuse people usually don't seem to know what to do or care. Unfortunately you are largely on your own out there just like everyone else.

The best thing to do about spammers is press the delete key and put in a good filter to press the delete key for you next time. If you use the "click here to remove your address" they like to send in the email all you do is let the spammers know that you are a live address. Complaints to usually get dumped on the floor along with all the spam they get. Most of the spam you get out there is from compromised computers that have been pressed into service by the spammers. Not that much comes from sources that are easy to terminate.

Reporting hacking attempts will usually get more action, if it is from somewhere in the US or Canada, unless it is owned by a cable or phone company. Nothing but a lawsuit seems to get them moving.

> I've been doing this from the user end for FAR too long (IBM 360 mark-sense card runs in Junior High, TI 99/4A, PC-XT...) and don't want to spend too much time tracerouting the idiots and chasing down foreign WHOIS sites, etc. - but if a neat little program can point me to the moron's true origins, I'll gladly drop a dime on his ass so you can terminate the account "with extreme prejudice". ;-)

Unfortunately, there are so many poorly run networks out there that it is easy to cover your tracks. You trace the moron to some netblock in Siberia and then can't even get the owners of the network to answer your email. Moron is now safe and you are out of luck.

Best you can do is lock down your own systems (turn off everything and deny access to all. Start turning on the stuff you use and find doesn't work anymore) and watch your logs. Attempts get shrugged off. Strange stuff originating from your own network gets shut down and investigated immediately.

> The Internet is supposed to be self-policing. Give us the tools and we'll help.
>
> -- Bruce --

The days of the self-policing internet seem to have died long ago (about the time that all the commercial enterprises entered the arena, it seems) but there is hope. Our security guy has been hanging around with the security guys from dozens of other networks (both educational and commercial). Now there are mailing lists and the word of mouth pipeline that have many, many networks all looking out for each other. For example, we know the admins that own the net block just above ours. Periodically, they give us a call and tell us which of our machines have started scanning their netspace. Some viruses will just keep working their way up the addresses looking for more machines to infect. If we don't catch it, then it walks into his space and he notices it. We shut it down and fix it. I guess it is self-policing, but not everyone is in the same game.

-- Joe
--
Joseph M. Krzeszewski  Mechanical Engineering and stuff
Jack of All Trades, Master of None... Yet
Firewalls and reporting
On Sun, 02 May 2004 20:54:47 GMT, Bruce L. Bergman
vaguely proposed a theory .......and in reply I say!: remove ns from my header address to reply via email

> So what would you recommend as an effective method of reporting spammers, scammers & skript kiddies poking at your system ports for vulnerabilities, that the BOFH ;-) Sysop community will actually listen to?

Bruce. Sorry. But .....a voice in the dark! Finally! If I missed a post from you in my other "rantings" about this, then I apologise! I had little other support.

> I've been doing this from the user end for FAR too long (IBM 360 mark-sense card runs in Junior High, TI 99/4A, PC-XT...) and don't want to spend too much time tracerouting the idiots and chasing down foreign WHOIS sites, etc. - but if a neat little program can point me to the moron's true origins, I'll gladly drop a dime on his ass so you can terminate the account "with extreme prejudice". ;-)
>
> The Internet is supposed to be self-policing. Give us the tools and we'll help.
>
> -- Bruce --

**************************************************
** The Met Bureau is LOVE!
Firewalls and reporting
In article ,
Old Nick wrote:

> On 2 May 2004 11:10:12 -0400, vaguely proposed a theory ......and in reply I say!: remove ns from my header address to reply via email
>
>> I believe you were talking about MyNe****chman specifically.
>
> Not exactly. I did ask for alternatives. Are there any? When you do it yourself, email by email, hit by hit, newsgroups post by ng post, it is simply time-consuming and disheartening.

Yes -- but that is the only way that *works* to any extent. In terms of e-mail spam, the most careful and detailed reporting will get good responses from *some* ISPs, (those with a good record of coming down hard on spammers).

My wife spends hours each day tracking down the source of spam, and reporting it. From a very few sites, she gets back reports that they have killed the spammer's account. From a lot of others, there is only a robo-response "We have received your report and are acting on it". No more information ever heard. (And often the spammers just keep sending from that source.)

So -- for those, since we run our own mail server, those IPs get added to our private blocklist, so *no* e-mail from there gets through. We also check recently-arrived spam against a collection of blocklists, and the more that it is on, the more likely the site is to be IP-blocked here. Most people (including you) are dependent on their ISP's mail server, so this is not an option to them.

We refuse hundreds of connection attempts per day. I hate to think what the spam situation would be like without our blocklist, and the time we put into maintaining it. We *could* subscribe to one of the blocklists, which would take out a small fraction of the spam, but it sometimes will take out things which I *want* to get, too.

And most of the spam comes from (through) somebody's Windows box who has been compromised by a virus and turned into yet another relay station for spam. The spammers feed it a message, and a list of addresses, pat it on its back, and move on to the next compromised machine.

One solution is reporting the relevant information in news.admin.net-abuse.email and news.admin.net-abuse.sightings, and some of the big blocklists monitor that and will add well-researched reports to their list. Some of my wife's reports have shown up in the evidence files offered by some of the big blocklists. And the "reward" for that is to be put on some spammer's sh*t-list so they forge a big run of spam to appear to come from *our* domain. And -- for a week, we are pretty much out of communications with the world.

> I have even tried tracing stuff back, and usually end up at IANA (I am no expert in this) who immediately have a huge statement saying "It's not us!"

Almost any one will say that -- even (or especially) if it is them. The abuse people at many ISPs are totally clueless, and you have to explain the evidence to them step by step. And Heaven help you if you get it wrong, as they will never forget that.

It helps to know which headers you can trust (e.g. those added by my own mail server, which is particularly good at reporting what really happened). Most of the rest of the headers are forged at the convenience of the spammer, to create problems for someone, or to keep them away from themselves.

> If MNWM and others like it are a waste of time, it looks pretty grim from "my" side. I was hoping that there were orgs that had people far more skilled than I am at tracing and understanding the web.

First off -- calling it "the web" displays some of the ignorance. The web is only one of the many services using the Internet (with a capital 'I'), not to be confused with *an* internet, which can be local only, or interconnected to be a part of *the* Internet. Calling the whole thing "the web" is going to get as much respect as calling Science Fiction "Sci-Fi" at a Science Fiction Con(vention). If you have to be short, call it "S.F." "Sci-Fi" is used by media people who know nothing about what they are reporting on, and it quickly becomes obvious.

Most of the abuse desks are manned by people who are given the job as a punishment. And most are not given the resources to do the job right. My ISP had a very good abuse desk, and I have gotten entire subnets shut down while they were cleaned because they were provably attacking me with the CodeRed worm. (And not getting anywhere, because there were no Windows boxen on my part of the net.) And I fear that my ISP is not going to be that good in the future. They have just been merged with a larger ISP whose abuse record is not nearly as good -- and their top abuse man has just left.

So -- I remain having to make sure that my own defenses are good. And I *know* how to do that with unix flavors. There is so much hidden in Windows that I *know* that I am bound to miss a lot, so I just don't let them anywhere near the outside net.

> While I am willing to put in a lot of effort, I was fully aware of my ignorance of the finer points, or anything like them. Interestingly, my ISP, with whom I had developed quite a good rapport, have said "Go ahead and USE MNWM, and we will get the reports gladly". They recommend them.
>
>> I wouldn't bother with them. As one of those on the "source ISP" end of things, we get notices from them often and they are useless. They report that someone with foo address tried to make a connection to baz address on this date. There isn't enough information in the reports to determine what was happening and why, so it gets ignored. Requests for more information from MyNe****chman were also never answered.
>
> hmmmm. That is a problem. From my side, when I tried to send the full, unparsed firewall report, I was told it was "not in the right format for auto investigation" and I was ignored. Both my ISP and their backbone recommended that I use MNWM, or DSHIELD.

The worst ISPs are the ones with gazillions (highly technical meaningless number) of DSL accounts, or dialups, or cable accounts, with a Windows box plopped on almost all of the connections, with totally clueless people "running" them (e.g. turning them on and off, and calling for help (maybe) if they happen to notice something wrong.) Since these have gazillions of abuse reports flooding in, and (at best) one or two people to deal with them, anything which requires thought gets ignored. The same with anything which requires work.

One of the major ones has been getting SMTP (mail) connections refused by an increasingly large number of other systems, simply because they never do anything about their infected users. Their response to the increasing blocking? Get new IP blocks allocated, because they are "running out". Of course, those blocks get blocked as well.

I am set up so that one can only get e-mail to me from their *known* mail servers. (Spammers normally bypass the mail servers, so people can't see what is happening and stop it.) One exception was a recent virus, which actually relayed through the ISP's mail server, and as a result, I continually get a few "neutered" virii per day or per week, evidence that *some* ISPs filter virii passing through their mail servers.

The *proper* solution is to turn off the routing of the SMTP port (port 25) to and from those systems en masse, and only turn them on for those who have demonstrated a need, and the competence to secure their private mail servers against relaying. The normal user would never even notice this, because the normal user uses POP to forward e-mail to the ISP's server, and that takes care of sending things on. The same for incoming e-mail.

>> MyNe****chman doesn't seem to have any standards for how the firewalls it allows to report problems are configured. People just put them into ultra paranoid/delusional mode and report away. In this situation, a single mistyped address results in a flurry of reports back to the source ISP. I doubt any ISP takes these guys seriously. I wouldn't waste my money on them.
>
> I haven't. They are free. G. I admit they ask for donations. OK. What they do provide is a feeling that _somebody_ is doing something. I can assure you that it's easy to NOT feel that, as a Net user.

Apply pressure to your ISP to act strongly and quickly against infected systems hosted on their own net. Hope that everybody else does the same. And protect yourself, since, even with the best will, they can't do it perfectly. There is always a lag between the time a system gets infected and starting sending out junk of whatever sort and when the reports get to the ISP, so they *can* (if they will bother) shut it down.

> Your reply to Bruce, laying out actions you are taking, is interesting. Perhaps more of that needs to be said publicly? But then of course if there is not an instant improvement, people will say "Yeah Yeah".

This is the sort of thing discussed in news.admin.net-abuse.email, to which I pointed you before. (Yes, there is other stuff going on there, as it is a target because of its anti-spam stance.) But it is where things are discussed. The really serious ones get onto private mailing lists to continue discussions without (hopefully) giving away what is being done to the spammers and the virus-writers.

> But at the moment the feeling that ISPs need a kick in the butt is easy to build, justified or not, because there is a feeling of no reaction at all, either to private attempts, or to reporting sites like MNWM.

Your job -- drain the swamp by yourself. Oh yes, note that the swamp is about 25% alligators (or crocodiles for your area). How much progress do you think you would make.

If everyone were willing to pay more for an ISP who maintains a properly-staffed abuse desk, and who will stand behind such an abuse person, when said abuse person terminates a lucrative account, then *maybe* things would get better. As long as everyone is after the cheapest net service that they can get, they get what they asked for.

> As a user, who wants to protect themselves, I have _absolutely_ no idea, if I get a hit (and I have my firewall set to medium in most cases) what damage it does, and do not have the time or the interest to understand it all. I do have to admit that I have only had firewalls for maybe a month, and before that I had noticed constant activity, in little bits, on my Net activity monitor. Nothing much ever happened. I would run a malware checker over the machine every day, and pick up a few funnies and kill them. But of course I had no idea what they had done in the meantime. One of them did bite, and it was a right royal PITA.
>
> If the info you get is useless or questionable, then maybe it's because there is not enough communication between firewall makers, MMWM and you guys?

A lot of the information isn't available *from* even the best firewall. It has to be dug out of the headers (in e-mail spam), and dug out of the encrypted URLs in the spams. It is *work*. (There are web-based tools to help with a lot of this -- which you will find discussed on news.admin.net-abuse.email.)

> I say that because again, Users are going to be the most numerous, capricious, lazy and hardest to teach. G?? I have no idea HOW you filter a typo from a genuine problem, but I can assure you that when I start getting 300 hits from one ISP each day, I KNOW that's not typos.

But it *might* be something totally harmless, which is a reaction to something which you are doing. As an example, I got a call (about a year and a half ago) from a new firewall user who was asking why I was *attacking* his system. After some discussion, it turned out to be that he was seeing my web server asking to set cookies. It is an old version of Apache. I never asked it to ask for cookies, and I can't find a place to turn them off. My web server does nothing *with* the cookies. It displays no problems if you turn off cookies. But he was seeing the requests in his firewall software (Zonealarm, IIRC), and it wasn't bothering to say what the connection attempts were, just reporting them to him for him to allow or deny.

If it is an ICMP connection -- that is a "ping", used to see whether a system is there or not. Some web servers use them to verify that a connecting system is still there. It also *could* be someone looking for systems to infect. You just don't know. You have to learn what to look for.

Or -- use an OS which is not the common (and easy) target of every wannabe-cracker. If that monolithic market of Microsoft's were broken up into lots of smaller markets, each with its own OS, there would not be the giant target sitting out there, and a successful exploit would only hit a small percentage of the machines, and not have the impact that it does with Windows. And the *latest* Windows worm doesn't even require someone to receive e-mail -- just to be connected to the Internet with a system lacking the necessary patches.

Once -- computers at home were quite rare, and everyone who had one *knew* them deeply. They weren't appliances which you could just plug in and turn on. The Commodore PET and the Apple-II changed all of that, and then IBM weighed in with the PC, which was the start of the Microsoft monolith. Before that, Microsoft was one of the many writers of BASIC interpreters for home computers, with something vaguely resembling an OS wrapped into the BASIC. No separate editors, just the ability to load programs and save programs from/to punched tape, then audio cassette tapes, and later floppy discs.

Note that I have been mostly focusing on only one of the multiple problems -- the spam e-mail -- because that is the one which I *see*. I don't see the virii -- at the expense of refusing anything large enough to be a virus, which also means most images. The usenet virii are (mostly) filtered out before they get to me, somewhere upstream, not by me. (The spams are still there, of course.)

> The Met Bureau is LOVE!

You've gotten your bite on this one -- isn't it time to change?

Enjoy,
DoN.

--
Email: | Voice (all times): (703) 938-4564 (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
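Joe's complaint that a MyNetWatchman notice ("foo address tried to connect to baz address on this date") carries too little to act on, and Nick's question of how anyone tells a typo from 300 hits a day, both come down to aggregating before reporting. As an added example, not code from any poster nor from MyNetWatchman or DShield, this Python script summarises firewall DROP lines per source address (the log format, addresses and thresholds are constructed assumptions) and flags only sources that swept several ports or kept repeating, with first/last time in UTC and the ports touched, which is the context an abuse desk would need.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (syslog-like, times in UTC); not real traffic.
SAMPLE_LOG = """\
2004-05-02T10:15:01Z DROP src=192.0.2.10 dst=203.0.113.5 proto=TCP dport=80
2004-05-02T10:15:02Z DROP src=192.0.2.10 dst=203.0.113.5 proto=TCP dport=80
2004-05-02T10:16:40Z DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP dport=135
2004-05-02T10:16:41Z DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP dport=139
2004-05-02T10:16:41Z DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP dport=445
2004-05-02T10:16:42Z DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP dport=1433
2004-05-02T10:16:43Z DROP src=198.51.100.7 dst=203.0.113.5 proto=TCP dport=3389
2004-05-02T10:20:00Z DROP src=198.51.100.7 dst=203.0.113.5 proto=ICMP type=8
2004-05-02T11:02:13Z DROP src=192.0.2.77 dst=203.0.113.5 proto=ICMP type=8
garbage line that the parser must skip
"""

# Assumed line format; adapt the pattern to the firewall you actually run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?(?: type=(?P<itype>\d+))?$"
)


def parse_line(line):
    """Return a dict for one DROP line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def summarise(log_text):
    """Aggregate drop events per source address."""
    per_src = defaultdict(lambda: {"events": 0, "ports": set(), "icmp": 0,
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # unknown format: ignore, do not guess
        s = per_src[ev["src"]]
        s["events"] += 1
        if ev["proto"] == "ICMP":
            s["icmp"] += 1
        elif ev["dport"] is not None:
            s["ports"].add(ev["dport"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return dict(per_src)


def classify(summary, sweep_ports=3, repeat_events=10):
    """Label one source. Thresholds are assumptions; tune them to your own traffic."""
    if len(summary["ports"]) >= sweep_ports:
        return "port-sweep"           # several distinct ports: not a typo
    if summary["events"] >= repeat_events:
        return "repeated"             # same target hammered many times
    if summary["icmp"] and not summary["ports"]:
        return "ping-only"            # could be traceroute or a keepalive
    return "one-off"                  # one or two hits: indistinguishable from a typo


def report(log_text):
    """One line per reportable source, carrying the detail an abuse desk needs."""
    lines = []
    for src, s in sorted(summarise(log_text).items()):
        label = classify(s)
        if label not in ("port-sweep", "repeated"):
            continue                      # do not flood the source ISP with one-offs
        ports = ",".join(str(p) for p in sorted(s["ports"])) or "none"
        lines.append(
            f"{src}: {label}, {s['events']} drops between "
            f"{s['first']:%Y-%m-%d %H:%M:%S} UTC and {s['last']:%Y-%m-%d %H:%M:%S} UTC, "
            f"TCP ports {ports}, ICMP echo {s['icmp']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```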
Firewalls and reporting
Very interesting comments, Don. Unfortunately the Justice Department
didn't (doesn't) have what it takes to deal with M$. I was under the impression that the US and Canada had effective anti-monopoly laws. Clearly I am wrong on this.

Regrettably I can only think of two things that would make a serious dent in the spam/virii/... problem:

People refusing to buy _anything_ from a spammer.
People refusing to run Windoze.

This apparently isn't going to happen anytime soon.

Ted
Firewalls and reporting
In article ,
Old Nick wrote:

> On 4 May 2004 00:15:41 -0400, (DoN. Nichols) vaguely proposed a theory ......and in reply I say!: remove ns from my header address to reply via email
>
> OK. Don, you have been great, even though the flavour of what you say does not always suit G. :-) I will post my view. I am doing that to many others as well. I can see from what you write that you take a lot more care than most to protect your system.

I do -- in part because I have been exposed to dealing with classified material in the past, and sent to meetings of computer security types to learn what could be done, and what to do to reduce the chances. (Note -- I say *reduce*, not eliminate. The general consensus is that the only truly *secure* system is locked in a vault, with *no* wires of *any* sort running into the vault -- including no power. :-)

> There is one irony in all of this; I get hardly ANY spam on email. I never have had much. My crusade started only because of the newsgroup filthyposts, with virii attached.

I see *some* of them in the traps in the newsgroup-to-mailing-list gateway which I operate for people of a different interest field than this one. And, I also see trapped by the same filters, the following cancel messages sent out by those who *try* to keep the spam and virii out of the newsgroups. As I explained another place, this doesn't work universally, as many systems don't honor cancels, and certainly it is too late if a cancel arrives even a half-second after the article has automatically been forwarded to a mailing list. :-)

> I also noticed the huge no of pings when I put in a firewall, which I installed because I saw a lot of "extraneous activity" on the modem activity monitor. But virtually no spam, as such.

So your spam is being filtered somewhere upstream from your machine. A mixed blessing, as even the best of the spam filters sometimes gets something which you would rather have received.

> You (and your wife):
> - are far more involved than I am in this, and for a longer time
> - and are therefore way up the tree in knowledge
> - have a setup that is not just me using my PC to access the W....Net (?) - btw nobody has actually picked me up on that yet. I have had a lot of nitpicking, _from people who have not bothered to provide as much info_ I might add. But not that one.
> - have a lot more incentive to work at this. You are running an eservice of some sort, and all I have is my ****ty liver and crusader's heart. G

We are running it as a hobby -- no income at all. But I worked as a unix system administrator for the last five years before I retired.

>> Yes -- but that is the only way that *works* to any extent. In terms of e-mail spam, the most careful and detailed reporting will get good responses from *some* ISPs, (those with a good record of coming down hard on spammers).
>
> I have had a good response from my ISP. But as I said, they actually recommended MNWM to me. Not to fob me off, I believe; they still asked me to report if I felt like it.

Great!

>> My wife spends hours each day tracking down the source of spam, and reporting it.
>
> Not so easy if that is not a major occupation/job, which it does seem to be in your situation.

Well ... we are both retired, and she enjoys getting spammer's accounts killed. I enjoy having her do it.

[ ... ]

> I have had _robo-responses_ saying they have taken action, by shutting down, and _still_ had more results. :-

That can happen. Maybe they *did* shut the system down, it got cleaned up, put back on the net, and immediately re-infected. Some people just don't learn from the first -- or even the twelfth -- infection.

>> Most people (including you) are dependent on their ISP's mail server, so this is not an option to them.
>
> Yes. Precisely.
>
>> We *could* subscribe to one of the blocklists, which would take out a small fraction of the spam, but it sometimes will take out things which I *want* to get, too.
>
> Ironically, there are both users and ISP bashing SpamCop, because it's "too aggressive". SpamCop have retorted that they are not more aggressive than they have ever been. It's just that the crap is deeper.

The problem with SpamCop is that they toss addresses into the blocklist with no backup information -- just based on a single complaint, often by someone who can't read headers properly. I know that *I've* been in the SpamCop list because of mis-reading of forged headers. The good side of that is that the addresses don't *stay* in there for long. The ones which we consider really *good* are spews and spamhaus.

>> One solution is reporting the relevant information in news.admin.net-abuse.email and news.admin.net-abuse.sightings, and some of the big blocklists monitor that and will add well-researched reports to their list. Some of my wife's reports have shown up in the evidence files offered by some of the big blocklists.
>
> I am having enough trouble dealing with the picky, snotty forums at a couple of the reporting sites. When I saw the results at those abuse forums, I ran away fast. Sorry.

Bear in mind that there are trolls in there, looking for things to stir up those with a prickly sense of pride. You have to learn who is worth listening to, and who is not. A good killfile in your newsreader helps, once you learn who to avoid.

> The problems I am having seem to centre around the idea that they are doing a good thing, so get on with it and stop asking questions.

Trolls want to disrupt any progress, so they will ask questions which don't really need to be answered. Some others may ask questions to make clear the level of understanding of headers of someone reporting a spam. The news.admin.net-abuse.email is for discussion of the problem and not for posting of entire spam e-mails. That is what you send to news.admin.net-abuse.sightings. If you post a spam to news.admin.net-abuse.email, edit it down to whatever makes it interesting (particular stupidity on the part of the spammer as an example.)

> The abuse places were just childish and rude, in the first whole page I looked at.

Trolls, and people who don't suffer fools gladly. You have to look at what triggered each response to figure out which is which.

> I know that in your opinion that is silly of me, but perhaps the place itself needs monitoring and cleaning up..

It is the target of trolls *because* it has an effect in the control of spam. If it didn't, the spammers wouldn't bother to try to make it unusable. The trick is to not let them succeed at making it unusable.

> ..I know I know. It would be a never ending task, I suppose. But that's the nett result. I ran away.

But it is where things *do* happen. And where to learn how to make things happen on your own.

[ ... ]

>>> I have even tried tracing stuff back, and usually end up at IANA (I am no expert in this) who immediately have a huge statement saying "It's not us!"
>>
>> Almost any one will say that -- even (or especially) if it is them. The abuse people at many ISPs are totally clueless, and you have to explain the evidence to them step by step.
>
> I got the impression that IANA is not an ISP as such, but a sort of recorder? See? I have no idea.

O.K. I've checked, and it is the overall control of the allocation of IP addresses around the world. Yes, they would not be the source.

>> And Heaven help you if you get it wrong, as they will never forget that.
>
> This was the trouble I was getting trying to report stuff on a couple of the forums provided by spam and malware stoppers.

They have enough to do without dealing with bad information which causes them to waste time on things which don't apply. They are specialized, after all.

>>> If MNWM and others like it are a waste of time, it looks pretty grim from "my" side. I was hoping that there were orgs that had people far more skilled than I am at tracing and understanding the web.
>>
>> First off -- calling it "the web" displays some of the ignorance.
>
> Which, if the problem is to be solved, has to be ignored.

But it will cause people to look for other faults in your report, much more closely than if you used the right terminology.

[ ... ]

> The problem has to be dealt with in both directions. Sorry, but if somebody has a problem with my terminology, and will let that affect their treatment not of me, but my complaint, then there is a problem.

It causes them to focus more on the reports from those whose terminology suggests that it is more likely to be useful information. Remember -- there is always more to do than there is time (or people) to do it, so it is reasonable for them to focus on the information which is most likely to be useful.

> This is what has been happening to me on some of the forums I visited. Every question I asked, or suggestion I made, ended up in circles of belittling correction and perfection which met the inevitable fundamental end. I am not the most subservient and docile of people, but in order to succeed "against" these people, I would have needed to be a complete worm, with many hours to spend learning what they knew, their way, or get no answers.

Remember that some of the people in any newsgroup are likely to be trolls -- intent on disrupting the newsgroup. We have had them in rec.crafts.metalworking.

[ ... ]

>>> If the info you get is useless or questionable, then maybe it's because there is not enough communication between firewall makers, MMWM and you guys?
>>
>> A lot of the information isn't available *from* even the best firewall. It has to be dug out of the headers (in e-mail spam), and dug out of the encrypted URLs in the spams. It is *work*. (There are web-based tools to help with a lot of this -- which you will find discussed on news.admin.net-abuse.email.)
>
> But then why are the ISPs not using these?

Who says that they are not? Or using the equivalent unix commands. In many cases, the web-based tools are to allow people who don't have the commands on their systems to still do the investigation.

> Or why is MNWM (good responses from them) not using them,

Again -- who says that they are not? The problem is that these tests take *time*, so they can't be run on every spam report, and thus it is reasonable to focus on the ones which have the most promise.

> or SpamCop (arrogant and nitpicking)? My point is that if you get 1000 users all trying to get it right, they won't, and they will use 2000 times as much time one knowledgeable person would.

How many knowledgeable people are there available in any given organization? Remember -- most of the people being paid have to do work to keep things running, and only a very few are paid (full-time or more likely part-time) to handle abuse reports.

>> But it *might* be something totally harmless, which is a reaction to something which you are doing.
>
> Well, what I am getting is hundreds of pings, apparently from about 30 different dial-up addresses, all from the same ISP. It seemed a bit strange.

Hmm ... note that someone tracing a virus or a spam is likely to use traceroute as one of the tools. This gives a report of how packets get from here to there, by using a series of pings with various time-to-live values, to get the names of intermediate systems. As an example, your headers show you posted this from IP address 203.220.103.37 (though that may change each time you log in). A run of traceroute from here shows:

======================================================================
izalco:dnichols 17:34 traceroute 203.220.103.37
traceroute to 203.220.103.37 (203.220.103.37), 30 hops max, 40 byte packets
 1  SkinnyBox (204.91.85.1)  2 ms  1 ms  1 ms
 2  209.116.196.213 (209.116.196.213)  7 ms  4 ms  4 ms
 3  165.117.192.198 (165.117.192.198)  4 ms  4 ms  4 ms
 4  165.117.175.129 (165.117.175.129)  4 ms  4 ms  4 ms
 5  165.117.67.62 (165.117.67.62)  5 ms  5 ms  5 ms
 6  165.117.64.9 (165.117.64.9)  5 ms  5 ms  5 ms
 7  sl-st1-ash-2-3.sprintlink.net (144.223.246.89)  64 ms  112 ms  216 ms
 8  sl-bb23-rly-5-0.sprintlink.net (144.232.20.153)  6 ms  6 ms  7 ms
 9  sl-bb21-rly-9-0.sprintlink.net (144.232.14.133)  13 ms  7 ms  6 ms
10  sl-bb22-rly-13-0.sprintlink.net (144.232.7.254)  7 ms  7 ms  6 ms
11  sl-bb22-sj-10-0.sprintlink.net (144.232.20.186)  81 ms  80 ms  80 ms
12  sl-bb23-tac-14-0.sprintlink.net (144.232.20.9)  102 ms  105 ms  102 ms
13  sl-bb21-tac-1-0.sprintlink.net (144.232.17.177)  102 ms  102 ms  102 ms
14  sl-gw6-tac-10-0.sprintlink.net (144.232.17.1)  102 ms  102 ms  102 ms
15  sl-splkc2-1-0.sprintlink.net (160.81.229.146)  104 ms  104 ms  104 ms
16  203.194.0.157 (203.194.0.157)  91 ms  91 ms  91 ms
17  pos3-0.155.cor01-broo-scn.comindico.net (203.194.0.189)  295 ms  298 ms  295 ms
18  pos5-2.155.cor01-kent-syd.comindico.net.au (203.194.0.181)  295 ms  295 ms  296 ms
19  pos1-1.cor01-kent-syd.comindico.com.au (203.194.25.53)  297 ms  296 ms  295 ms
20  pos9-0-0.cor01-stge-pth.comindico.com.au (203.194.25.74)  296 ms  297 ms  301 ms
21  ge1-0.dis01-stge-pth.comindico.com.au (203.194.58.194)  298 ms  307 ms  298 ms
22  fe0-0.acc03-stge-pth.comindico.com.au (203.194.58.3)  301 ms  296 ms  296 ms
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
^C
======================================================================

With "Skinnybox" being the name of my router. I interrupted it after several repeats of the "* * *" report, which is probably where your firewall would be stopping them. If I hadn't stopped it then, it would have continued trying until line 40.

Also -- with sites which are slow to connect, I set up scripts to ping the site first, so the IP lookup is complete, so I don't time out waiting for the nslookup to work. (Of course, I usually run a nslookup directly.)

Now -- if a bunch of spam was sent out to a given IP block, and it included your IP address in the spam -- perhaps as the URL -- you would see a lot of connect attempts on the HTML port (port 80), and maybe some pings as well. If your system was infected for a short while, it is quite probable that the spammers installed a web server to redirect connections to your system to go to their real web server, or actually put a copy of their web page on your system, along with a web server. So -- *most* people who open that spam (with a HTML-capable mail program) will likely automatically try to connect to your IP address.

Or -- if your IP address changes with each login, then there is a good chance that someone else who had the same IP address previously had a web server installed by a virus and backdoor, and this was being advertised in spam to a single block of IP addresses. That sort of thing could account for a lot of connections.

Or it could be a bunch of infected machines trying to connect to yours and infect it.

>> And the *latest* Windows worm doesn't even require someone to receive e-mail -- just to be connected to the Internet with a system lacking the necessary patches.
>
> Which is why people set up firewalls in paranoid mode....

Unfortunately, not enough of them do so. If they *all* did, the virii would not spread. Note that "paranoid mode" is a term used most often by software firewalls -- the kind which can be silently turned off by a virus, if you open the wrong e-mail. (Probably also by the firewalls included in wireless ethernet hubs.)
Standalone firewalls are usually configured on a lower level -- turn off everything, and then turn on the things that you *know* you need. If something else which you need to use doesn't work. look at the logs to determine what else to turn on. Note that I have been mostly focusing on only one of the multiple problems -- the spam e-mail -- because that is the one which I *see*. I don't see the virii -- at the expense of refusing anything large enough to be a virus, which also means most images. The usenet viri are (mostly) filtered out before they get to me, somewhere upstream, not by me. (The spams are still there, of course.) Well I just had a response from Ad-Aware (more self-righteousness and fundamental circling), after about 15 emails, saying that since the attachment that I had submitted was a virus, they were not interested. Buy a virus checker. Just like that. Duck-shove. They specialize in the programs like spybots installed by e-mail or web pages -- or sometimes by installing software packages. I have pointed out that - since the attachment, when operational, kept phoning out of my system, it was behaving suspiciously like malware as well - maybe they needed to get real and start looking at the broader field. It is too big a field for any one company to handle all the parts well. Better (IMHO) to have each company specialize, and do that *well*. I do not even expect a reply. IMO, Ad-Aware picks up a lot of stuff that is not at all important and may be ignoring real problems, for all that it's the #1 with many people. The Met Bureau is LOVE! You've gotten your bite on this one -- isn't it time to change? Fooh. Somebody is really _reading_ this stuff! G Well, there was another one.. I *saw* the other one, hence my comment that you had gotten your bite. I was not asking for the explanation -- just suggesting that it was time to do something else. (Says he who has used the same .sig quote since about 1982 or so. 
:-) I think that I will drop out of this discussion, as it takes a good part of an afternoon to type all of this, and we don't seem to be getting anywhere. I've been on the other side of things -- as a unix network admin at a Government lab -- and we (even with a small workforce/userbase) have had to shut down an account or two for abuse -- before spam really got its start with Cantor and Siegal's "Green Card spam". So I know what it is like to be expected to do lots of things with not enough people. Enjoy, DoN. -- Email: | Voice (all times): (703) 938-4564 (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html --- Black Holes are where God is dividing by zero --- |
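The traceroute run quoted in DoN's post is the kind of artifact an abuse handler has to read dozens of times a day, and the interesting part is where the "* * *" lines begin. As an added example (not code from the thread or from any of the people in it), here is a small Python parser for the classic BSD/Linux traceroute line format that extracts each hop, finds the deepest hop that answered, and reports the trailing run of silent hops. Two points the post glosses over: the hop number is the TTL that was set on that round of probes (the Unix traceroute sends UDP probes by default and listens for ICMP Time Exceeded; Windows tracert uses ICMP echo), and a run of "* * *" at the end only tells you that the probes or the ICMP replies were dropped somewhere at or beyond the last responding hop, not that the target itself is the one dropping them. The first sample input is abridged from the run in the post (hops 3-21 cut); the second is constructed with RFC 5737 documentation addresses and is not a real path.

```python
"""Parse traceroute output and report where the path goes silent (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header: "traceroute to host (ip), N hops max, ..." -- gives the target IP and TTL ceiling.
HEADER_RE = re.compile(r"traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\), (\d+) hops max")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "N  <probe results>"
HOST_RE = re.compile(r"([^\s()]+)\s+\((\d+\.\d+\.\d+\.\d+)\)")  # "name (ip)"
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s+ms\b")       # "2 ms", "12.345 ms"

# Abridged from the traceroute run quoted in the post (hops 3-21 cut).
SAMPLE_FILTERED = """\
izalco:dnichols 17:34 traceroute 203.220.103.37
traceroute to 203.220.103.37 (203.220.103.37), 30 hops max, 40 byte packets
 1  SkinnyBox (204.91.85.1)  2 ms  1 ms  1 ms
 2  209.116.196.213 (209.116.196.213)  7 ms  4 ms  4 ms
 7  sl-st1-ash-2-3.sprintlink.net (144.223.246.89)  64 ms  112 ms  216 ms
22  fe0-0.acc03-stge-pth.comindico.com.au (203.194.58.3)  301 ms  296 ms  296 ms
23  * * *
24  * * *
25  * * *
^C
"""

# Constructed sample (RFC 5737 documentation addresses): the target is reached,
# and hop 2 answered only one of its three probes.
SAMPLE_REACHED = """\
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 40 byte packets
 1  gw (192.0.2.1)  1 ms  1 ms  1 ms
 2  * 192.0.2.9 (192.0.2.9)  34 ms *
 3  198.51.100.7 (198.51.100.7)  35 ms  35 ms  36 ms
"""


@dataclass
class Hop:
    number: int                    # equals the TTL used for this round of probes
    host: Optional[str]            # PTR name, or the bare IP when there is no PTR record
    ip: Optional[str]
    rtts_ms: List[float] = field(default_factory=list)
    timeouts: int = 0              # number of "*" probes on the line

    @property
    def responded(self) -> bool:
        return bool(self.rtts_ms)


@dataclass
class TraceSummary:
    target: str
    max_hops: int
    hops: List[Hop]
    reached_target: bool
    last_responding: Optional[Hop]  # deepest hop that answered at least one probe
    silent_from: Optional[int]      # first hop of the trailing "* * *" run, if any


def parse_hop_line(line: str) -> Optional[Hop]:
    """Return a Hop for a hop line; None for the prompt, header, ^C or ruler lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2)
    host = HOST_RE.search(rest)    # first responder named on the line
    return Hop(
        number=number,
        host=host.group(1) if host else None,
        ip=host.group(2) if host else None,
        rtts_ms=[float(x) for x in RTT_RE.findall(rest)],
        timeouts=rest.count("*"),
    )


def parse_traceroute(text: str) -> TraceSummary:
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'traceroute to X (ip), N hops max' header found")
    target, max_hops = header.group(1), int(header.group(2))
    hops = [h for h in map(parse_hop_line, text.splitlines()) if h is not None]

    # Walk backwards: the trailing run of non-responding hops is what a
    # default-deny firewall (or a black-holed route) in front of the target produces.
    silent_from = None
    for hop in reversed(hops):
        if hop.responded:
            break
        silent_from = hop.number
    last_responding = next((h for h in reversed(hops) if h.responded), None)
    reached_target = any(h.ip == target for h in hops)
    return TraceSummary(target, max_hops, hops, reached_target, last_responding, silent_from)


def describe(s: TraceSummary) -> str:
    """One-line verdict suitable for an abuse report or a firewall-log note."""
    if not s.hops:
        return "no hop lines parsed"
    if s.reached_target and s.last_responding is not None:
        return f"target {s.target} answered at hop {s.last_responding.number}"
    last_hop = s.hops[-1].number
    if s.silent_from is None:
        return f"trace stopped at hop {last_hop} without reaching {s.target}"
    lr = s.last_responding
    where = f"after {lr.host} ({lr.ip}) at hop {lr.number}" if lr else "from the first hop"
    return (f"hops {s.silent_from}-{last_hop} gave no reply {where}; {s.target} was never "
            f"seen, so it or a filter in front of it is dropping the probes or the ICMP "
            f"replies (a default-deny firewall on the target looks exactly like this)")


if __name__ == "__main__":
    for sample in (SAMPLE_FILTERED, SAMPLE_REACHED):
        print(describe(parse_traceroute(sample)))
```

On the abridged run this reports hops 23-25 silent after fe0-0.acc03-stge-pth.comindico.com.au (203.194.58.3) at hop 22, with 203.220.103.37 never seen, which is the "your firewall is probably stopping them" reading DoN gives, stated with its caveat. When reverse lookups are what makes a trace crawl, `traceroute -n` skips them and prints bare addresses; the parser above accepts that output as well, since HOST_RE then matches "ip (ip)".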