Spam from weird IP 118.189.136.119
Getting SPAM from 118.189.136.119 relayed by rr.com?

This network is not allocated, nor announced. I have been looking everywhere to find if it has been announced (historical BGP update databases, like RIS RIPE / CIDR REPORT / etc.)... I didn't find anything... This probably means rr.com is routing that network internally.

"Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"

If there is any rr.com guy around, could you please check this?

Thanks,
Pascal
On Mon, 16 Jun 2003, Frank Louwers wrote:

> > "Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"
>
> ^^^^^ what's the next/previous line? (The one just above it)

Ditto. I think you've been fooled by forged headers. Not only is that IP in a reserved block, I've never heard of the NNFMP protocol except as referenced in poorly forged headers.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Mon, 16 Jun 2003 15:47 (UT), jlewis@lewis.org wrote:

| I've never heard of the NNFMP protocol

It's the latest spammer exploit: the "Network Nonsense - Fools Most People" exploit. You've not been hit by that one yet, then?

On Mon, 16 Jun 2003 17:47 (UT), Wayne Tucker <wtucker@donobi.com> wrote:

| I have run into a considerable number of these that include headers
| suggesting that they were relayed through my server, but I have verified
| my logs, and the messages never even touched any of my machines.

But precisely which logs are you looking at? The SMTP logs from your mail server or the machine's IP connection log?

| It seems that one of the new tricks is to throw some BS headers in there
| before relaying the message, just to throw a monkey wrench in the works.

That is one of the older tricks in the book. The latest revision is to throw some _matching_ headers in there so that it looks entirely genuine.

If you have a trojan executable on a server as well as an "authorised" mail server, then any mail sent by the trojan will NOT appear in the logs of the SMTP server, but WILL appear on the next hop as coming from your server, and the only way to tell the difference is by examining the connecting port as seen coming from your server by the machine at next hop.

--
Richard D G Cox
On Mon, 16 Jun 2003 17:33:11 +0200, "Pascal Gloor" <pascal.gloor@spale.com> wrote:

| Getting SPAM from 118.189.136.119 relayed by rr.com ?
|
| this network is not allocated, nor announced. I have been looking everywhere
| to find if it has been announced (historical bgp update databases, like RIS
| RIPE / CIDR REPORT / etc..)... I didnt found anything.... this probably mean
| rr.com is routing that network internaly.

This is very likely to be a known exploit I have been tracking. In all the cases which we have so far confirmed, the spam was not relayed, but proxied by a trojan executable which is able to mimic a "previous" header with such a degree of accuracy that it is indistinguishable from the genuine article!

| If there is any rr.com guy around. Could you please check this?

Our advice would be that the server-that-connected-to-you needs to be taken offline by the security people at its site (which you say is RoadRunner) and they should have ALL its disk(s) imaged for forensic analysis purposes.

Our experience is that sites hit by this exploit will do basic checks on the server and claim it is uncompromised and "cannot possibly be sending that spam". Such a claim would be entirely incorrect. You would need to persuade them that something is wrong, which is difficult at the best of times. RoadRunner being involved in this case suggests this may *not* be the "best of times".

--
Richard Cox
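The two checks the thread converges on, as an added example that is not code from any of the posters: a Received: chain is trustworthy only down to the line your own MTA stamped (that line records which host really connected, which is Richard's point about the next hop), and below that boundary a claimed relay that never connected, an unregistered transport keyword such as NNFMP, or a non-routable source address are all signs of forgery (Jon's point). The MTA name `mx.example.org`, the sample hops and their addresses are constructed for the example.

```python
import ipaddress
import re
# Assumption for this example: the MTA we operate. Only Received: lines it stamped
# were observed by us; every line below them is whatever the sender chose to write.
OUR_MTAS = {"mx.example.org"}
# Common registered "with" keywords; anything else (e.g. "NNFMP") is a red flag.
KNOWN_WITH = {"SMTP", "ESMTP", "ESMTPA", "ESMTPS", "ESMTPSA", "LMTP", "LMTPA", "UTF8SMTP"}
HOP_RE = re.compile(r"^from\s+(?P<from>\S+)(?:\s+\((?P<extra>[^)]*)\))?"
                    r"\s+by\s+(?P<by>\S+)(?:\s+with\s+(?P<with>\S+))?", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse_received(value):
    """Split one Received: value into from-host, source IP, by-host and with-keyword."""
    m = HOP_RE.match(value.strip())
    if not m:
        return None
    ip = IP_RE.search(m.group("from") + " " + (m.group("extra") or ""))
    return {"from": m.group("from").strip("[]").lower(), "ip": ip and ip.group(1),
            "by": m.group("by").rstrip(";").lower(),
            "with": (m.group("with") or "").rstrip(";").upper()}

def routable(ip):  # False for reserved/private/test ranges and for unparsable text
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def audit_chain(received_values):
    """received_values in header order (newest hop first). Returns a list of findings."""
    hops = [h for h in map(parse_received, received_values) if h]
    # Hops stamped by our MTAs form a trusted prefix; its last entry records the real peer.
    n = next((k for k, h in enumerate(hops) if h["by"] not in OUR_MTAS), len(hops))
    if n == 0:
        return ["no Received: line stamped by our MTA; the whole chain is untrusted"]
    observed, findings = hops[n - 1], []
    for k, hop in enumerate(hops[n:]):
        if k == 0 and hop["by"] != observed["from"]:
            findings.append(f"claimed relay {hop['by']} never connected to us; "
                            f"our MTA saw {observed['from']} [{observed['ip']}]")
        if hop["with"] and hop["with"] not in KNOWN_WITH:
            findings.append(f"unknown transport keyword {hop['with']!r} in hop by {hop['by']}")
        if hop["ip"] and not routable(hop["ip"]):
            findings.append(f"non-routable source {hop['ip']} claimed in hop by {hop['by']}")
    return findings

# Constructed sample: hop 1 is ours and records the real peer; hop 2 was forged by the sender.
SAMPLE = [
    "from relay.isp.example ([203.0.113.45]) by mx.example.org with ESMTP; Mon, 16 Jun 2003 15:31:02 +0000",
    "from [192.0.2.77] by smtp-server1.cfl.rr.com with NNFMP; Mon, 16 Jun 2003 15:30:40 +0000",
]
```

When the forged line matches the real peer host (Richard's "latest revision"), the first check stays silent and only the MTA's own connection log, not the header text, can settle where the mail came from.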
Look carefully at the headers again. I have seen a few like this running around. The IP listed is not actually an IP, but marked as a supposed FQDN. The ones I have seen appear to originate out of Brazil for the most part.

I do not have a sample handy at the moment, but if someone wants it (for whatever reason), just let me know.

Matt

On Mon, 16 Jun 2003, Richard D G Cox wrote:
It would be useful if this exploit could be named and documented at least for one known instance.

Regards,
Lars Higham

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Richard D G Cox
Sent: Monday, June 16, 2003 9:32 PM
To: nanog@nanog.org
Subject: Re: Spam from weird IP 118.189.136.119
I name this Weird-118rr

On Tue, Jun 17, 2003 at 09:48:07AM +0530, Lars Higham wrote:
Okay, but what's the trojan signature look like? How should people be checking to see if they're compromised?

-----Original Message-----
From: John Brown [mailto:jmbrown@chagresventures.com]
Sent: Tuesday, June 17, 2003 10:12 AM
To: Lars Higham
Cc: nanog@nanog.org
Subject: Re: Spam from weird IP 118.189.136.119

I name this Weird-118rr

On Tue, Jun 17, 2003 at 09:48:07AM +0530, Lars Higham wrote:
participants (7)
- Frank Louwers
- jlewis@lewis.org
- John Brown
- Lars Higham
- Matthew Sweet
- Pascal Gloor
- Richard D G Cox