[63678] in North American Network Operators' Group


Re: Wired mag article on spammers playing traceroute games with trojaned

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Thu Oct 9 12:21:48 2003

Date: Thu, 09 Oct 2003 21:48:08 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Chris Boyd <cboyd@gizmopartners.com>
Cc: nanog@merit.edu
In-Reply-To: <66328A32-FA70-11D7-8A15-00039375B178@gizmopartners.com>
Errors-To: owner-nanog-outgoing@merit.edu


Chris Boyd writes on 10/9/2003 9:21 PM:

> A few minutes later, or from a different nameserver, I get
> 
> Name:    vano-soft.biz
> Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>           12.252.185.129
> 
> This is a real Hydra.  If everyone on the list looked up vano-soft.biz 
> and removed the trojaned boxes, would we be able to kill it?

Nope - the guy would get more trojaned boxes; there is no shortage of unpatched 
Windows machines on broadband.

There are two ways to go here -

* Nullroute or bogus out in your resolvers the DNS servers for this 
domain --> two problems here.  One is that the spammer doesn't use 
vano-soft.biz in the SMTP envelope, and second, he abuses open 
redirectors like Yahoo's srd.yahoo.com.

* "Follow the money" - find out the spammer / the guy he spams for 
from payment information etc.  Sic law enforcement on them.

	srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
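The "hydra" Chris describes (one name answering with a different pool of compromised hosts on each lookup) and the "bogus out in your resolvers" option Suresh mentions, as an added example that is not part of the original post: the lookup log is constructed (the first answer set is the one quoted in the thread, the rest use RFC 5737 documentation addresses), the resolver names are placeholders, and the thresholds are illustrative.

```python
"""Flag a domain whose answers rotate across many unrelated networks, and emit
the resolver-side block (a BIND Response Policy Zone returning NXDOMAIN).
Example code added to this archive page; not from the original message."""
import ipaddress

# Constructed lookup log: (unix_time, resolver, domain, set of A records).
LOOKUPS = [
    (1065713000, "ns1.example.net", "vano-soft.biz",      # set quoted in thread
     {"131.220.108.232", "165.166.182.168", "193.165.6.97",
      "12.229.122.9", "12.252.185.129"}),
    (1065713300, "ns2.example.net", "vano-soft.biz",      # constructed answers
     {"192.0.2.10", "198.51.100.7", "203.0.113.44", "12.252.185.129"}),
    (1065713600, "ns1.example.net", "vano-soft.biz",
     {"192.0.2.99", "198.51.100.8", "203.0.113.9", "131.220.108.232"}),
    # A conventionally hosted domain for contrast: same two hosts every time.
    (1065713000, "ns1.example.net", "static.example", {"192.0.2.1", "192.0.2.2"}),
    (1065713300, "ns2.example.net", "static.example", {"192.0.2.1", "192.0.2.2"}),
]

def churn(lookups, domain):
    """Return (distinct IPs, distinct /16 prefixes, fraction of answers never
    seen in an earlier lookup). Many prefixes means hosts on many unrelated
    networks, which is what the address list in the thread shows."""
    seen, prefixes, new, total = set(), set(), 0, 0
    for _, _, name, answers in sorted(lookups, key=lambda r: r[0]):
        if name != domain:
            continue
        for ip in answers:
            total += 1
            if ip not in seen:
                new += 1
                seen.add(ip)
            prefixes.add(str(ipaddress.ip_network(ip + "/16", strict=False)))
    return len(seen), len(prefixes), (new / total if total else 0.0)

def is_hydra(lookups, domain, min_ips=8, min_prefixes=5, min_new=0.5):
    """Illustrative thresholds: tune against your own passive-DNS baseline."""
    ips, prefixes, frac_new = churn(lookups, domain)
    return ips >= min_ips and prefixes >= min_prefixes and frac_new >= min_new

def rpz_records(domain):
    """RPZ lines that make the resolver answer NXDOMAIN for the domain and
    everything beneath it ('CNAME .' is the RPZ NXDOMAIN action)."""
    return [f"{domain} CNAME .", f"*.{domain} CNAME ."]

if __name__ == "__main__":
    for name in ("vano-soft.biz", "static.example"):
        print(name, churn(LOOKUPS, name), "hydra" if is_hydra(LOOKUPS, name) else "ok")
    print("\n".join(rpz_records("vano-soft.biz")))
```

As the message notes, this only blunts the domain's resolution; a spammer who never puts the domain in the SMTP envelope, or who hides it behind an open redirector, is untouched by it.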

