Interesting new spam technique - getting a lot more popular

Hank Nussbacher hank at efes.iucc.ac.il
Thu Jun 15 06:56:01 UTC 2006



>     * A spamware daemon is installed on the dedicated server, to keep
>the network interface in promiscuous mode
>
>     * The daemon determines which IP addresses on the local subnet are
>not in use. It also determines the addresses of the network routers.
>One or more unused IP addresses are commandeered for use by the
>spammer.
>
>     * The perp server sends unrequested ARP responses to only the
>gateway routers, so that the routers never have to ask for a layer-3
>to layer-2 association -- it's always in the ARP cache of the routers.
>Nobody else sees this traffic in an EtherSwitch fabric, so ARPWATCH
>and its kin are defeated. Pings and traceroutes also fail with "host
>unreachable."  The daemon then only has to watch on the NIC, in
>promiscuous mode, for TCP packets to the hijacked address on port 80,
>and pass them down the tunnel to the remote Web server.
>
>     * Finally, GRE and IPIP tunneling is used to connect the stolen IP
>addresses to the spammer's real servers hosted elsewhere.
>
>The end result is that the spammer has created a server at an IP
>address which not even the owners of the network are aware of.

And if one went to http://www.senderbase.org/ and monitored their own IP 
block, wouldn't the spammer appear there?  Or just plain monitoring spikes 
in outgoing port 25 traffic should alert someone that something is amiss.

-Hank
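Beyond the edge-side signals Hank mentions, the quoted technique leaves one trace that arpwatch on a switched segment never sees: the gateway's own ARP cache. The following is an added example, not code from this thread, that audits an IOS-style `show ip arp` dump against an inventory of assigned addresses; the table layout, the inventory format and every address in them are constructed assumptions.

```python
"""Audit a gateway's ARP cache against the address inventory (added example).
The attack above sends ARP replies only to the gateway, so the router's cache,
not a host-side sniffer, is where the hijacked address becomes visible."""
import re
from collections import defaultdict

# Constructed sample in Cisco IOS `show ip arp` layout: 192.0.2.77 is not in
# the inventory yet is being answered for, by the MAC of legitimate host .10.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.0101  ARPA   GigabitEthernet0/1
Internet  192.0.2.10              3   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  192.0.2.20              7   0011.2233.6677  ARPA   GigabitEthernet0/1
Internet  192.0.2.77              1   0011.2233.4455  ARPA   GigabitEthernet0/1
"""
# Constructed inventory: every address the network owners actually assigned.
INVENTORY = {
    "192.0.2.1": "0000.5e00.0101",  # the gateway itself
    "192.0.2.10": "0011.2233.4455",
    "192.0.2.20": "0011.2233.6677",
}
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA", re.I)

def parse_arp(text):
    """Return {ip: mac} from IOS-style `show ip arp` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).lower()
    return entries

def audit(arp, inventory):
    """Flag cache entries the inventory does not explain."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac in arp.items():
        by_mac[mac].append(ip)
        if ip not in inventory:
            findings.append(("unallocated-ip-answering", ip, mac))
        elif inventory[ip].lower() != mac:
            findings.append(("mac-changed", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several addresses
            findings.append(("mac-claims-multiple-ips", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_TABLE), INVENTORY):
        print(*finding)
```

The unallocated-address check fires even if the spammer answers with a MAC that belongs to nothing else on the segment; the multiple-IP check is the extra signal when the dedicated server's own NIC is reused.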




More information about the NANOG mailing list