Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Michael Tokarev (mjttls.msk.ru)
Date: Sat Mar 09 2002 - 11:52:20 CST
I'm sorry for this offtopic post. But I have a question that
I can't resolve myself, and there is noone who can do that near.
I've set up a SMTP honeypot here that currently catches a big
amount of spams from Alan Ralsky -- see for example
My real-time honeypot page is at http://www.corpit.ru/cgi-bin/h0n5yp0t
Spam is currently coming from uu.net dialups. Funny that uunet
has outgoing port 25 blocked for their dialups. It is known that
ralsky's spamaware uses IP spoofing -- some other machine sends
packets to my smtp port and claims that packets comes from a
dialup; so my machine answers to that dialup machine, but a
dialup machine is in contact with real sending machine.
Currently, dialup machine is at 22.214.171.124 (shown on my honeypot
page). Nmap reports that is is a Cisco router:
-- Interesting ports on 1Cust62.tnt25.dfw9.da.uu.net (126.96.36.199): (The 1545 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 514/tcp open shell 2065/tcp open dlsrpn 2067/tcp open dlswpn
Remote operating system guess: Cisco router (IOS 12.2.1) TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!) IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 224 seconds -- (note that it may be machine on a busy dialup line).
Another IP address assotiated with this is -- 188.8.131.52. This is the source of all prior relay tests. This is WinME or similar machine.
I don't know if this 184.108.40.206 is related to current spam run in progress, but I suspect so. At least now, nmap output looks strange for it (not like when there was no spam run in progress):
-- Host w045.z064001121.chi-il.dsl.cnc.net (220.127.116.11) appears to be up ... good. Initiating SYN Stealth Scan against w045.z064001121.chi-il.dsl.cnc.net (18.104.22.168) Adding open port 5800/tcp Adding open port 3389/tcp Adding open port 443/tcp Adding open port 1026/tcp Adding open port 139/tcp Adding open port 5900/tcp Adding open port 1030/tcp Adding open port 135/tcp Adding open port 25/tcp Adding open port 1025/tcp adjust_timeout: packet supposedly had rtt of 9282629 microseconds. Ignoring time. Adding open port 5631/tcp Adding open port 445/tcp Adding open port 80/tcp The SYN Stealth Scan took 141 seconds to scan 1549 ports. For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled Insufficient responses for TCP sequencing (2), OS detection may be less accurate WARNING: OS didn't match until the try #2 Interesting ports on w045.z064001121.chi-il.dsl.cnc.net (22.214.171.124): (The 1536 ports scanned but not shown below are in state: closed) Port State Service 25/tcp open smtp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 1025/tcp open listen 1026/tcp open nterm 1030/tcp open iad1 3389/tcp open msrdp 5631/tcp open pcanywheredata 5800/tcp open vnc 5900/tcp open vnc
Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Me or Windows 2000 RC1 through final release, MS Windows2000 Professional RC1/W2K Advance Server Beta3, Windows Millenium Edition v4.90.3000
Nmap run completed -- 1 IP address (1 host up) scanned in 162 seconds --
Unfortunately, I can't convince uu.net to answer me. Moreover, them filtered (!!) my emails (blackholed my IP address) at their mail router. I don't know if they are clueless or unresponsible or whatether.
I have prior tcpdumps of ralsky sessions, and obviously I can make new ones -- I expect this spam run will be in progress for several days (previous one was in progress for 4 days, and my honeypot captured mails for ~2m recipients).
The question is: is it possible to say if this two machines communicates with each other for *this* spam run? Note that it maybe impossible to answer on this question from e.g. uu.net's point of view -- if those 2 machines are one near another and communicates by internal wires (not via internet).
Previous tcpdumps are available at ftp://ftp.corpit.ru/pub/hp/ . (Spamaware uses command pipelining w/o EHLO).
Regards, Michael. - To unsubscribe, send mail to majordomopostfix.org with content (not subject): unsubscribe postfix-users