From: *Hobbit* (hobbit@avian.org)
Date: Sun Mar 10 2002 - 16:05:39 CST


    This could be done with two dialup lines and a minor routing hack. A
    machine dialed up to UUnet can have a uunet address, but its default route
    set to point to a second machine on a local net that is also dialed up to
    a different provider. The second machine is set up to forward IP traffic.
    So the UUnet-addressed machine sends you the SYN, but it winds up going
    out through the different provider's infrastructure [where it doesn't get
    blocked or anti-spoofed]. Your ACKSYN, and other packets you send back,
    go back through UUnet's infrastructure to his original sending machine,
    which reach you because UUnet doesn't block traffic the other way that happens
    to have TCP *source* port 25. The connection *looks* to you like it's from a
    UUnet dialup, and it sort of is, but not via the path that you or UUnet
    would expect. Does this sound like a plausible guess as to what might be
    going on, without the spammer having to resort to sequence-guessing games?

    A couple of failings would be present here: The second provider is not doing
    proper ingress filtering, allowing traffic with a UUnet-dialup source IP to
    enter via one of its dialup lines. UUnet possibly isn't careful enough about
    filtering SMTP traffic, but they probably weren't interested in or thinking
    about the reverse direction back *to* their dialup pools when doing the rules.

    However, you likely still have the real UUnet dialup address. The spammer is
    probably making a full TCP connection to your mailer and will receive return
    ACKs as part of the session stream. The spammer probably thinks he can deny
    everything by simply arguing "but UUnet filters SMTP, so it couldn't have been
    me!" If you can get UUnet to believe this alternate scenario and actually
    do some investigation and maybe some monitoring, you may find that your little
    pesky friend really is there pushing spam down your throat, and if you can
    escalate to the right NOCster at UUnet and have them actually catch the little
    shit in the act you might have a stronger case.

    Alternatively, you can just block *all* of uunet's dialup blocks at your
    perimeter and be done with it. 63.0.0.0/10, or anything with .da.uu.net
    in the PTR record, for starters; they may have other blocks too.

    _H*
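The two defensive measures the post points at, written out as an added example (this is not code from the post or from Postfix): the per-line ingress filter the second provider should have applied, and the perimeter block on UUnet's dialup ranges by CIDR block or `.da.uu.net` PTR suffix. Interface names, the provider-B prefix and the sample packets are constructed; only `63.0.0.0/10` and the `.da.uu.net` suffix come from the post, and the PTR name is passed in rather than resolved so the script runs offline.

```python
"""
Two defensive checks drawn from the post above (added example, not the
post's own code):

  1. Ingress filtering, which the second provider should have done: a packet
     arriving on a dialup line is accepted only if its source address lies
     within the prefix assigned to that line, so a UUnet-addressed source
     cannot enter via someone else's dialup.
  2. Perimeter blocking of UUnet dialup ranges (the "be done with it"
     option): match by CIDR block or by the .da.uu.net PTR suffix.

Interface names, the provider prefix and the sample packets are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Block named in the post for UUnet dialups; a real list would be longer
# ("they may have other blocks too").
UUNET_DIALUP_BLOCKS = [ipaddress.ip_network("63.0.0.0/10")]
UUNET_DIALUP_PTR_SUFFIX = ".da.uu.net"


def ingress_filter_ok(ingress_iface: str, src_ip: str,
                      iface_prefixes: Dict[str, List[str]]) -> bool:
    """Return True if src_ip is a legitimate source for ingress_iface.

    Each dialup line is assigned a known prefix; a packet on that line
    claiming any other source address is spoofed or mis-routed and is
    dropped. An interface with no assigned prefix accepts nothing.
    """
    src = ipaddress.ip_address(src_ip)
    allowed = iface_prefixes.get(ingress_iface, [])
    return any(src in ipaddress.ip_network(p) for p in allowed)


def should_block(src_ip: str, ptr_name: Optional[str] = None) -> bool:
    """Perimeter rule: block if the source is in a known UUnet dialup block
    or its PTR record ends in .da.uu.net.

    ptr_name is supplied by the caller so this runs offline; in production
    you would obtain it with socket.gethostbyaddr(src_ip) and treat a
    lookup failure as "no PTR".
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in block for block in UUNET_DIALUP_BLOCKS):
        return True
    if ptr_name and ptr_name.lower().rstrip(".").endswith(UUNET_DIALUP_PTR_SUFFIX):
        return True
    return False


def filter_packets(packets: Iterable[dict],
                   iface_prefixes: Dict[str, List[str]]) -> List[dict]:
    """Run both checks over a batch of packets and return the decisions."""
    results = []
    for pkt in packets:
        results.append({
            **pkt,
            "ingress_ok": ingress_filter_ok(pkt["iface"], pkt["src"], iface_prefixes),
            "perimeter_block": should_block(pkt["src"], pkt.get("ptr")),
        })
    return results


# Constructed: provider B's dialup line ppp0 is assigned 198.51.100.0/24.
SAMPLE_PREFIXES = {"ppp0": ["198.51.100.0/24"]}

# Constructed packets: a UUnet-looking source entering via provider B's line
# (the scenario in the post), a legitimate one, and one with a .da.uu.net PTR.
SAMPLE_PACKETS = [
    {"iface": "ppp0", "src": "63.12.34.56", "ptr": None, "dport": 25},
    {"iface": "ppp0", "src": "198.51.100.7", "ptr": "host.example.net", "dport": 25},
    {"iface": "ppp0", "src": "198.51.100.9", "ptr": "ppp-9.dialup.da.uu.net", "dport": 25},
]

if __name__ == "__main__":
    for r in filter_packets(SAMPLE_PACKETS, SAMPLE_PREFIXES):
        print(f'{r["iface"]} src={r["src"]:<14} ingress_ok={str(r["ingress_ok"]):<5} '
              f'perimeter_block={r["perimeter_block"]}')
```

The first check is the provider-side fix and the second is the recipient-side workaround; note that the perimeter rule blocks every UUnet dialup customer, not only the spammer, which is the trade-off the post accepts.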