Do Netsky & Bagle viruses spoof originating IPs?


Atreyu

I was under the impression they didn't or couldn't, but another source said
they can, and do! Thanks to anyone who takes the time to respond to my
request.
 
Atreyu said:
I was under the impression they didn't or couldn't, but another source said
they can, and do! Thanks to anyone who takes the time to respond to my
request.

Due to sequence numbers, it would be difficult for an email worm or DCOM
/ LSASS worm to spoof IP addresses. Spoofing was more common when
machines used IP addresses for trust relationships, and when sequence
numbers were more predictable. You generally need raw sockets to spoof
as well.

It's still easy to spoof in some cases e.g. port scanning and session
hijacking.

michael
 
Thanks, Michael, for your answer. Since I have dial-up, and therefore my
IP changes each time I connect to the internet via my ISP, would that make a
difference? I have been getting unsolicited emails with infected
attachments according to my AV software (both Netsky & Bagle variations
apparently) over the past few months... sometimes none a day and up to 6 per
day. My computer, however, is not infected per my AV software. I've done
an IP search for the "offending" ones using guidelines I gathered from
research, and I've notified each of them via their abuse office/department,
but nothing has helped. Can you suggest anything short of changing my email
address, the purchase of some kind of filtering software, or changing my ISP
in order to stop these from reaching me? Is there an agency that deals
specifically with such occurrences? Any help, Michael, or anyone for that
matter, would be greatly appreciated. For your information, it was a tech
support person at my ISP who told me that originating IP addresses could be
spoofed. I gather from what you said that was partially correct info with
certain caveats. My ISP *does* sell a filtering service, so it may be that
they are not particularly interested in dispensing helpful info, huh?
 
Atreyu said:
For your information, it was a tech
support person at my ISP who told me that originating IP addresses could be
spoofed. I gather from what you said that was partially correct info with
certain caveats.

Beware of low-level ISP techs, they are often misinformed. IP address
spoofing and email header spoofing are two different things. Your
dynamic IP address on dialup will have little to do with the IP address
of the ISP mail server.

Some ISPs like AOL block dynamic or residential IP addresses. This
means that many spam zombies (infected computers) send emails that are
rejected by the AOL mail server.

Somehow your email addy has been harvested, probably from an infected
computer's address book, Usenet, etc. In some cases email addresses can
be dictionary attacked directly off the ISP mail server. There have
even been cases of rogue ISP employees selling large blocks of addresses.

The approach I've used is to have 3 addresses ranging from public to
private. SpamAssassin is the only software I use, but I wouldn't
recommend it.

michael
 
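The distinction Michael draws above (a forged From: header versus the IP address the receiving mail server actually saw) is exactly what you need when reporting worm mail to an abuse desk. The check below is an added example, not code from this thread: it walks the Received: headers of a message from the top, trusts only the lines written by the recipient's own ISP servers, and reports the connecting IP recorded there, which is the address worth reporting. The sample message, host names and addresses are constructed for illustration; the "dynamic-looking" reverse-DNS patterns are a heuristic assumed here, not an authoritative list.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# One Received: line as a receiving MTA writes it: the HELO name the client
# claimed, then (optionally) the reverse DNS and connecting IP the server itself
# observed in "(rdns [ip])", then the server that accepted the connection ("by").
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^()\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;,()]+)",
    re.DOTALL,
)

# Reverse-DNS fragments that often mark dial-up / residential pools.
# Heuristic assumed for this example; real lists (DNSBLs) are more careful.
DYNAMIC_RDNS_RE = re.compile(r"dial|dyn|ppp|dsl|cable|pool", re.IGNORECASE)

# Constructed sample, not a real capture: a worm with its own SMTP engine on a
# dial-up host delivers straight to the recipient's ISP MX, forges From:, and
# adds a fake lower Received: line to make the hotmail story look plausible.
SAMPLE_MESSAGE = """\
Received: from hotmail.example (dialup-203-0-113-77.example.net [203.0.113.77])
\tby mx1.example-isp.net (Postfix) with SMTP id A1B2C3D4
\tfor <atreyu@example-isp.net>; Mon, 15 Mar 2004 10:22:41 -0500
Received: from [10.0.0.5] by hotmail.example with SMTP;
\tMon, 15 Mar 2004 10:22:40 -0500
From: "A friend" <someone@hotmail.example>
To: atreyu@example-isp.net
Subject: Re: Your document
Message-ID: <000001c40a9b$deadbeef@localhost>

Please see the attached file.
"""


def parse_received(value):
    """Parse one Received: header; returns None if it is not in the usual form."""
    flat = " ".join(value.split())  # undo header folding (CRLF + tab/space)
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = None
    if m.group("ip"):
        raw = m.group("ip")
        raw = raw[5:] if raw.startswith("IPv6:") else raw
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            ip = None  # garbage inside the brackets: treat as unknown
    return {
        "helo": m.group("helo"),
        "rdns": (m.group("rdns") or "").lower(),
        "ip": ip,
        "by": m.group("by").lower(),
    }


def originating_hop(raw_message, trusted_suffix):
    """Return the Received: hop written by the last server we trust, or None.

    Each relay prepends its own Received: line, so the top of the list was
    written by the recipient's own servers. Walk down while the accepting
    server ("by") belongs to the trusted domain; the IP recorded in the last
    such line is the connection that really delivered the message. Everything
    below it arrived inside the message and may be entirely forged.
    """
    msg = message_from_string(raw_message, policy=default)
    suffix = trusted_suffix.lower()
    last_trusted = None
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or not (hop["by"] == suffix or hop["by"].endswith("." + suffix)):
            break
        last_trusted = hop
    return last_trusted


def analyse(raw_message, trusted_suffix):
    """Summarise where a message really came from versus what its From: claims."""
    msg = message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hop = originating_hop(raw_message, trusted_suffix)
    if hop is None:
        return {"from_domain": from_domain, "origin_ip": None}
    return {
        "from_domain": from_domain,
        "origin_ip": hop["ip"],          # the address to report to the abuse desk
        "origin_rdns": hop["rdns"],
        "helo": hop["helo"],             # claimed by the client; cheap to forge
        "dynamic_looking": bool(hop["rdns"] and DYNAMIC_RDNS_RE.search(hop["rdns"])),
        "origin_under_from_domain": bool(hop["rdns"]) and hop["rdns"].endswith(from_domain),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_MESSAGE, "example-isp.net").items():
        print(f"{key}: {val}")
```

Run it against a saved message with full headers and your own ISP's mail domain as the trusted suffix. The From: address and the forged lower Received: line point at a free-mail provider, while the line your ISP's MX wrote shows a dial-up host in a different domain; that IP, not the From: address, is what the abuse report should name. Note that the HELO name is also client-supplied and can be forged just like From:.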
Thank you so much, Michael.

xmp said:
Beware of low-level ISP techs, they are often misinformed. IP address
spoofing and email header spoofing are two different things. Your
dynamic IP address on dialup will have little to do with the IP address
of the ISP mail server.

Some ISPs like AOL block dynamic or residential IP addresses. This
means that many spam zombies (infected computers) send emails that are
rejected by the AOL mail server.

Somehow your email addy has been harvested, probably from an infected
computer's address book, Usenet, etc. In some cases email addresses can
be dictionary attacked directly off the ISP mail server. There have
even been cases of rogue ISP employees selling large blocks of addresses.

The approach I've used is to have 3 addresses ranging from public to
private. SpamAssassin is the only software I use, but I wouldn't
recommend it.

michael
 