Sanity check

Thread starter: Richard Jones

I'm trying to track down some persistent virus emails, and just want
to make sure I'm not missing a spoof.

Messages (mostly MyDoom) are coming direct to my SMTP server, which
attaches a single Received: line, such as ...

Received: from lucent-2.jcisd.k12.mi.us (HELO jacc-mi.net) (204.38.111.4)
by xxx.activeservice.co.uk (62.164.xxx.xxx) with ESMTP; 04 Apr 2004 23:53:40 -0000

AFAIAW the IP of the sending machine (204.38.111.4) can't be spoofed,
although the HELO obviously always is. I.e. this is telling me either
that 204.38.111.4 (which resolves to lucent-2.etc) is the infected
machine, or more likely it's a gateway behind which the infected
machine(s) are connected.

Is there anything wrong in this assumption? I just want to be sure
before I start jumping all over these people - more than 50% of the
incoming infections are from this one address.

I'd also be interested to know how many other people are getting large
volumes from this source.

TIA
Rick Jones
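As an added illustration (not code from the thread), here is a small Python parser that pulls the three fields out of a Received: line of the kind quoted above and separates what the sender controls (the HELO string) from what the receiving MTA recorded itself (the reverse-DNS name and the TCP peer address). It handles the qmail-style layout shown in the post and the sendmail/Postfix layout `from <helo> (<rdns> [<ip>])`. The sample header is constructed from the one quoted above, with the receiving host's address left masked as the poster masked it; the other sample headers use documentation addresses and are likewise constructed.

```python
"""Separate the trustworthy part of a Received: header from the sender's claims.

Added example, not code from the thread. Handles two common layouts:

  qmail style:    from <rdns> (HELO <helo>) (<ip>)     -- as quoted in the post
  sendmail style: from <helo> (<rdns> [<ip>])         -- also Postfix
"""
import re
from ipaddress import ip_address

# Constructed sample modelled on the header quoted in the thread; the receiving
# host's IP is left masked exactly as the poster masked it.
SAMPLE_RECEIVED = (
    "Received: from lucent-2.jcisd.k12.mi.us (HELO jacc-mi.net) (204.38.111.4)\n"
    "  by xxx.activeservice.co.uk (62.164.xxx.xxx) with ESMTP; 04 Apr 2004 23:53:40 -0000"
)

_QMAIL = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)",
    re.I,
)
_SENDMAIL = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)",
    re.I,
)
_BY = re.compile(r"\bby\s+(?P<by>\S+)", re.I)


def parse_received(header):
    """Return {helo, rdns, peer_ip, by}, or None if the layout is not recognised."""
    text = " ".join(header.split())  # unfold continuation lines
    if text.lower().startswith("received:"):
        text = text[len("received:"):].strip()
    m = _QMAIL.search(text) or _SENDMAIL.search(text)
    if not m:
        return None
    try:
        peer = str(ip_address(m.group("ip")))  # reject anything that is not an address
    except ValueError:
        return None
    by = _BY.search(text, m.end())  # the 'by' clause follows the 'from' clause
    rdns = m.group("rdns")
    return {
        "helo": m.group("helo"),
        "rdns": None if rdns in (None, "unknown") else rdns,
        "peer_ip": peer,
        "by": by.group("by") if by else None,
    }


def assess(parsed):
    """Say which field to act on and flag the usual inconsistencies.

    peer_ip: the TCP peer the receiving MTA actually exchanged the SMTP
             dialogue with; it is recorded by the receiver, not sent by the
             client, so it is the address to attribute the connection to.
    rdns:    looked up by the receiving MTA from peer_ip; the sender cannot
             change it (only the owner of the PTR zone can).
    helo:    a free-form string the client typed; it proves nothing.
    """
    helo = parsed["helo"]
    try:
        helo_is_literal = ip_address(helo.strip("[]")) is not None
    except ValueError:
        helo_is_literal = False
    return {
        "complain_about": parsed["peer_ip"],
        "helo_matches_rdns": parsed["rdns"] is not None
        and helo.lower() == parsed["rdns"].lower(),
        "helo_is_literal": helo_is_literal,
        "helo_unqualified": "." not in helo and not helo_is_literal,
    }


if __name__ == "__main__":
    fields = parse_received(SAMPLE_RECEIVED)
    print(fields)
    print(assess(fields))
```

A HELO/rDNS mismatch on its own is common on badly configured but honest hosts; it is the peer address that identifies the connecting host, and the HELO and the envelope are only useful as supporting evidence when writing the complaint.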
 
David W. Hodgins said:
Correct. Send the complaint to abuse @ msu.edu.

Thanks.

In fact it's not MSU, it's Jackson County Intermediate Schools
District, MI. I've already tried making contact, but the sysadmin I've
talked to appears to be of limited ability and understanding :(. It
seems to me this one installation is flooding the whole Internet,
simply because they don't seem to know how to do anti-virus
management.

Cheers
 
Richard Jones said:
I'm trying to track down some persistent virus emails, and just want
to make sure I'm not missing a spoof.

Messages (mostly MyDoom) are coming direct to my SMTP server, which
attaches a single Received: line, such as ...

Received: from lucent-2.jcisd.k12.mi.us (HELO jacc-mi.net) (204.38.111.4)
by xxx.activeservice.co.uk (62.164.xxx.xxx) with ESMTP; 04 Apr 2004 23:53:40 -0000

AFAIAW the IP of the sending machine (204.38.111.4) can't be spoofed,

I usually refer to that IP# as the connection information that
the receiving server must have to communicate. It cannot be
falsified. Inferring that it is the "sending machine's" IP# is not
necessarily accurate. That would be like assuming the "Reply
To" address in an e-mail is the same as the "From" address.

although the HELO obviously always is. I.e. this is telling me either
that 204.38.111.4 (which resolves to lucent-2.etc) is the infected
machine, or more likely it's a gateway behind which the infected
machine(s) are connected.

Pretty likely. It definitely means that your server logged that
IP address as being a communications channel, but does not
imply that full duplex communication was involved fully within
that IP. I have heard, but can't confirm, that there is indeed
a way of making use of this quirk to provide misleading IP#
information in a place where most would agree that spoofing
could not be accomplished. Even so, that number would have
been the "true" connection information as far as the server was
concerned, and thus not really spoofed.
 
Some claim that with asymmetric routing, the sending IP can be spoofed.
http://groups.google.com/[email protected]&rnum=31

While I'll agree that it's theoretically possible to spoof the IP in an
SMTP session, in reality it's nearly impossible. In the example described
in that message, the spoofed IP has to be assigned to a computer that
is complicit in the spoofing. Sending a complaint to the ISP of that
computer would still be appropriate.

Regards, Dave Hodgins
 
Mail Man said:
Some claim that with asymmetric routing, the sending IP can be spoofed.

Hmmm, interesting. I don't think it applies here though, as I'm
talking about virus propagation from an infected machine. The
asymmetric routing trick only makes sense for illicit spammers who have
the time to set it up.
 
Some claim that with asymmetric routing, the sending IP can be spoofed.

See this post for details:

http://groups.google.com/[email protected]&rnum=31

Small world, innit? :)

However, asymmetric routing requires that the spoofer has control of
*both* of the computers involved with the sending. Both the computer
sending the message and the spoofed computer receiving the responses.

If the IP address, 204.38.111.4 was spoofed, it was at least a party to
the SMTP transaction (owned by the sender or hijacked by the sending
machine) because it had to pass the SMTP responses to the true sending
machine for the SMTP transaction to work.

So report it anyway.
 