[121044] in North American Network Operators' Group
Re: New SPAM DOS
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 8 16:00:32 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20100108.203954.85380276.sthaug@nethelp.no>
Date: Fri, 8 Jan 2010 12:52:17 -0800
To: sthaug@nethelp.no
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Unfortunately, I only have the spamcop report sent to me, I don't have
the original message.
What spamcop sends does not include Content-Type headers or the
additional parts of the message, only the plain text portion.
Unfortunately, it's turning things like SPAMCOP into a DOS attack
against the sites they are hoping to protect when they start treating
the initial "advertised" URL as being the "spam advertised site".
Owen
On Jan 8, 2010, at 11:39 AM, sthaug@nethelp.no wrote:
>> I host scvrs.org on one of my servers, and, it does not have any
>> outlook or owa services. For some reason, someone decided to try and
>> send this message out to various internet recipients:
> ...
>> Anyone seen this before? Any good techniques for combatting it?
>
> If you look more closely at the messages I believe you'll find that
> they are multipart/alternative, and that the second part gives a
> slightly modified version of the owa URL. For instance, for my own
> nethelp.no domain the first part of message says
>
> http://nethelp.no/owa/...
>
> but the second part specifies URLs like
>
> http://nethelp.no.ujjikx.co.im/owa/...
> http://nethelp.no.ujjiks.net.im/owa/...
> http://nethelp.no.ikuu8w.com/owa/...
> http://nethelp.no.ikuu8e.net/owa/...
>
> This is a very old trick, seen lots of times in connection with
> phishing sites, for instance.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no