<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.ietf.asrg">
    <title>gmane.ietf.asrg</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16139"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16138"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16137"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16136"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16135"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16134"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16133"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16132"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16131"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16130"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16129"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16128"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16127"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16126"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16125"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16124"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16123"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16122"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16121"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.ietf.asrg/16120"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16139">
    <title>Re: Spam sent from compromised (web)hosts vs botnet spam</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16139</link>
    <description>&lt;pre&gt;
On Apr 26, 2013, at 3:51, Hal Murray &amp;lt;hmurray&amp;lt; at &amp;gt;megapathdsl.net&amp;gt; wrote:


Can you tell me how it is easy to forge a packet that contains the exact parameters of an existing connection?

--Dan O.

-
This is the asrg mailing list.  To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org

&lt;/pre&gt;</description>
    <dc:creator>Dan Oetting</dc:creator>
    <dc:date>2013-04-26T14:59:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16138">
    <title>Re: Spam sent from compromised (web)hosts vs botnet spam</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16138</link>
    <description>&lt;pre&gt;
Single packets are easily forged.  I think it spirals downhill from there.




&lt;/pre&gt;</description>
    <dc:creator>Hal Murray</dc:creator>
    <dc:date>2013-04-26T09:51:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16137">
    <title>Re: Research-y</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16137</link>
    <description>&lt;pre&gt;
On 26 Mar 2013, at 17:15, Barry Shein &amp;lt;bzs&amp;lt; at &amp;gt;world.std.com&amp;gt; wrote:


They have. Fortunately, they were a bit more specific. They've outlawed various carcinogens. They've funded research. They've funded health care. They've promoted behavioural change. They've been somewhat successful.

&lt;/pre&gt;</description>
    <dc:creator>Ian Eiloart</dc:creator>
    <dc:date>2013-04-08T12:47:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16136">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16136</link>
    <description>&lt;pre&gt;
On 27 Mar 2013, at 15:26, Barry Shein &amp;lt;bzs&amp;lt; at &amp;gt;world.std.com&amp;gt; wrote:


arstechnica has a good account of this attack:

http://arstechnica.com/security/2013/04/can-a-ddos-break-the-internet-sure-just-not-all-of-it/

&lt;/pre&gt;</description>
    <dc:creator>Ian Eiloart</dc:creator>
    <dc:date>2013-04-08T12:44:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16135">
    <title>Re: limitations of reputation, was Spam sent from compromised</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16135</link>
    <description>&lt;pre&gt;
On 25 Mar 2013, at 18:06, Steve Atkins &amp;lt;steve&amp;lt; at &amp;gt;blighty.com&amp;gt; wrote:


So, you need to combine them with a reputation system. paypal.com is probably going to have a better reputation than paypa1.com (note the digit 1), for example. 

And, if you have a list of high volume (gmail.com) domains, or sensitive (eg banking) domains, then you can measure the Levenshtein* distance between the unknown domain and each domain on your list. There's a php function for it, for example, see http://www.php.net/manual/en/function.levenshtein.php. For a distance of one or two, you might want to treat the message as suspect. Of course, YMAIL.COM could yield a false positive here! And, you probably want to ignore the TLD, because for example levenshtein("bbc.com","bbc.co.uk") = 3, but then a problem arises with multiple domain registrations. Because "bbc" is registered by the British Broadcasting Corporation in more than one TLD, one can't guess whether BBC.CO belongs to them or not. I don't suppose whois results are usable here,&lt;/pre&gt;</description>
    <dc:creator>Ian Eiloart</dc:creator>
    <dc:date>2013-04-04T14:56:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16134">
    <title>Re: Research-y</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16134</link>
    <description>&lt;pre&gt;
ICANN has complex rules not just about the TLDs, but about what kinds
of non-ASCII registrations they can accept that make homograph attacks
very difficult.  You might want to familiarize yourself with them.

R's,
John

&lt;/pre&gt;</description>
    <dc:creator>John Levine</dc:creator>
    <dc:date>2013-03-29T00:23:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16133">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16133</link>
    <description>&lt;pre&gt;
In more complicated network environments where your customer owns their 
own IPs, they might well use split routing techniques which generates 
traffic that isn't forged in a practical sense, but from a technical 
perspective, it's indistinguishable.

This is a solvable problem, but inertia is powerful, change is painful.

I still remember a time when I had a couple consumer/SMB grade 
connections and could route outbound packets indiscriminately between 
the two, taking advantage of my DSL provider's static subnet and my 
cable modem's faster upstream. Good times, while it lasted.

&lt;/pre&gt;</description>
    <dc:creator>Dave Warren</dc:creator>
    <dc:date>2013-03-28T21:26:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16132">
    <title>Re: Research-y</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16132</link>
    <description>&lt;pre&gt;
Another aspect of the expansion of the TLD space, both generic and
non-Latin scripts, is how users will respond to them in terms of
malmail (how's that for a catch-all term?)

Spoofing is an active topic, for example using some non-Latin
character such as the Greek omicron for an 'o' in a domain name, known
as a "homograph attack".

Beyond that is trying to predict or analyze user perceptions if and
when they start seeing new TLDs and IDNs.

To some extent they are exposed to a constant stream of new TLDs now
as ccTLDs such as .ME (Montenegro), .CO (Colombia), .PW (Palau I
believe, being sold as "professional web") try to market their TLDs
for new purposes.

But 1,000 new TLDs introduced over a year or so plus the expansion
into other scripts could change "common wisdom" about what can be
trusted and what cannot.

Particularly as marketing forces spend $BIGBUCKS to resist any
resistance and encourage acceptance.


&lt;/pre&gt;</description>
    <dc:creator>Barry Shein</dc:creator>
    <dc:date>2013-03-28T19:25:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16131">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16131</link>
    <description>&lt;pre&gt;

Why are forged source addresses tolerated?

I don't care how convoluted the network is, eventually it gets down to a few gateways into a zone with a well defined set of valid addresses. At those gateways they can implement egress filtering to keep invalid packets from getting out. In the wider network where bandwidths may be too high or routing maps too complex for real time filtering, sampling can be employed to detect probable sources of forged addresses.

--Dan O.


&lt;/pre&gt;</description>
    <dc:creator>Dan Oetting</dc:creator>
    <dc:date>2013-03-28T14:57:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16130">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16130</link>
    <description>&lt;pre&gt;
Speaking very much from the cheap seats, I don't believe that matters a
jot.

Where large amounts of money are involved, whatever the methodology for
making it - people will fight to protect their methods. It's been seen
throughout history.

The point isn't whether or not that's a particularly good example. The
point is that what we (the "Internet community", for want of a better
term) are trying to do is to hurt the revenue streams of a small section
of that "community". That's never well received.

Graeme


&lt;/pre&gt;</description>
    <dc:creator>Graeme Fowler</dc:creator>
    <dc:date>2013-03-28T09:51:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16129">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16129</link>
    <description>&lt;pre&gt;

As much as I agree with your sentiment, Krebs' attacker(s) in this 
instance aren't (known to be) spammers. You've chosen a poor example.

&lt;/pre&gt;</description>
    <dc:creator>David Romerstein</dc:creator>
    <dc:date>2013-03-27T17:45:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16128">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16128</link>
    <description>&lt;pre&gt;
On Mar 27, 2013, at 9:08 AM, Steve Atkins &amp;lt;steve&amp;lt; at &amp;gt;blighty.com&amp;gt; wrote:



oh and also FUSSP is a mythical beast. Whatever measure the good guys take the criminals will adapt to. Close relays? They use web proxies. Close proxies, they create botnets. One of the long-standing issues initially was that far too many people dismissed spammers as 'stupid' and 'kids in their parents' basement'. They are organized criminal gangs, make no mistake. They will fuck you up physically, and they are to be feared.

http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/
http://www.cauce.org/2010/11/kidnapping-theft-and-rape-are-not-cyber-crimes.html


&lt;/pre&gt;</description>
    <dc:creator>Neil Schwartzman</dc:creator>
    <dc:date>2013-03-27T17:41:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16127">
    <title>Re: Was Speaking of filtering, - CAUSE initiatives</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16127</link>
    <description>&lt;pre&gt;
Nice :-). Is CAUSE having any actions in this respect towards influential
press representatives; getting them interested to look into why nothing is done
on the ISP side, why the bad guys are allowed to continue? You should have real
cases, people affected, to give them.

Again, am aware that it's not catching all, but though systems like Brightmail,
grey-filtering, SpamAssassin, Spamhaus etc, we're more or less at the "same"
situation 10 years ago. Publicity could hurt some, leverage situation a bit,
since neither these ISP's nor the spammers want it.

Also, why not lobby for more national CERT-groups to do as CERT.Se does,
getting the good ISP's/trunk vendors feel some pressure to help? As CERT.Se
shows, it's not completely invisible.


On Mar 27, 2013, at 14:55 "Neil Schwartzman" &amp;lt;neil&amp;lt; at &amp;gt;cauce.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Kurt M</dc:creator>
    <dc:date>2013-03-27T17:11:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16126">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16126</link>
    <description>&lt;pre&gt;
On Mar 27, 2013, at 8:59 AM, Paul Smith &amp;lt;paul&amp;lt; at &amp;gt;pscs.co.uk&amp;gt; wrote:


A 300Gb/s attack that lasts well over a week tells me that spammers are criminals, ISP security desks aren't sufficiently responsive about abuse coming from their networks and that pipes are really quite big.

More on-topic, remember that any FUSSP you come up with needs to be robust against whatever behaviour it provokes your opponent to adopt.

Cheers,
  Steve




&lt;/pre&gt;</description>
    <dc:creator>Steve Atkins</dc:creator>
    <dc:date>2013-03-27T16:08:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16125">
    <title>Re: Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16125</link>
    <description>&lt;pre&gt;Yes, I saw that as well. Not really sure what can be learned from it though.

(Though I thought it was pretty cool that people like Google had jumped 
in to help Spamhaus 'absorb the traffic')

-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

&lt;/pre&gt;</description>
    <dc:creator>Paul Smith</dc:creator>
    <dc:date>2013-03-27T15:59:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16124">
    <title>Speaking of spamhaus...</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16124</link>
    <description>&lt;pre&gt;
Possibly interesting:

Big DDoS against SpamHaus, allegedly by CyberBunker...

  http://www.bbc.co.uk/news/technology-21954636

  ...Recently, Spamhaus blocked servers maintained by Cyberbunker, a
  Dutch web host which states it will host anything with the exception
  of child pornography or terrorism-related material.

  Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker,
  said, in a message, that Spamhaus was abusing its position, and
  should not be allowed to decide "what goes and does not go on the
  internet".

  Spamhaus has alleged that Cyberbunker, in cooperation with "criminal
  gangs" from Eastern Europe and Russia, is behind the attack...

      ...

  "If you aimed this at Downing Street they would be down
  instantly," he said. "They would be completely off the internet."

  He added: "These attacks are peaking at 300 gb/s (gigabits per
  second).

  "Normally when there are attacks against major banks, we're talking
  about 50 gb/s."...

&lt;/pre&gt;</description>
    <dc:creator>Barry Shein</dc:creator>
    <dc:date>2013-03-27T15:26:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16123">
    <title>Re: Speaking of filtering, was Research-y (IPv6)</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16123</link>
    <description>&lt;pre&gt;

On Mar 27, 2013, at 6:32 AM, Kurt M &amp;lt;kmn.ietf&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:


Oh sorry, I forgot to include my .sig.



Neil Schwartzman
Executive Director
CAUCE - the Coalition Against Unsolicited Commercial Email
Mob: (415) 361-0069
Skype: (303) 800-6345
Web: http://cauce.org
Twitter: &amp;lt; at &amp;gt;cauce



CAUCE helped develop and pass CASL, the world's toughest anti-spam law, in Canada. CASL will have deep implications for anyone sending commercial electronic messages into or out of Canada, with fines up to $10,000,000 per email.

Beyond that, we work with the FTC, FCC, FBI, OFT, OECD, OPTA, ACMA, ICPEN, LAP, CRTC, ITU, MAAWG, APWG, and politicians and bureaucrats world-wide to develop, implement and deploy anti-abuse policy. Our board members have been heavily involved in virtually all of the highly publicized take-downs of botnets over the past decade.

While John Levine is no Nader, he is CAUCE president, and has had a direct hand in sending spammers to prison.

We can now stop re-inventing this particular wheel.



&lt;/pre&gt;</description>
    <dc:creator>Neil Schwartzman</dc:creator>
    <dc:date>2013-03-27T13:55:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16122">
    <title>Re: Speaking of filtering, was Research-y (IPv6)</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16122</link>
    <description>&lt;pre&gt;
Correct, what you included is the base material, but what do they tell a
journalist, making them inclined to do a piece on it? The story, making the
news?

Nader and similar researchers in other areas "marketed" such findings, they
never gave them straight out to the press; because those figures don't say a
thing to them, catching their attention, digging deeper. Nader had
basically no more than such data and some real life cases, but changed the
global automotive industry at its core, by taking the industry to the
cleaners.


On Mar 27, 2013, at 13:37 "Neil Schwartzman" &amp;lt;neil&amp;lt; at &amp;gt;cauce.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Kurt M</dc:creator>
    <dc:date>2013-03-27T13:32:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16121">
    <title>Re: Speaking of filtering, was Research-y (IPv6)</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16121</link>
    <description>&lt;pre&gt;
On Mar 27, 2013, at 1:30 AM, Kurt M &amp;lt;kmn.ietf&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:


What a great idea! Oh, wait.

http://www.spamhaus.org/statistics/networks/

The World's Worst Spam Support ISPs
As of 27 March 2013 the ISPs with the worst Abuse Departments and consequently the worst reputations for knowingly hosting illegal spam operations are:

1. cb3rob.net - Number of Current Known Spam Issues: 127
2. hinet.net - Number of Current Known Spam Issues: 120
3. idear4business.net - Number of Current Known Spam Issues: 77
4. ovh.net - Number of Current Known Spam Issues: 77
5. iliad.fr - Number of Current Known Spam Issues: 70
6. airtel.in - Number of Current Known Spam Issues: 53
7. telefonica.com.br - Number of Current Known Spam Issues: 52
8. chinanet-gd - Number of Current Known Spam Issues: 52
9. cat.net.th - Number of Current Known Spam Issues: 50
10. uplus.co.kr - Number of Current Known Spam Issues: 50


http://hostexploit.com/downloads/viewdownload/7/46.html
Abstract

As malware continues to evolve, and cybercriminals continue to learn, o&lt;/pre&gt;</description>
    <dc:creator>Neil Schwartzman</dc:creator>
    <dc:date>2013-03-27T12:57:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16120">
    <title>Re: Speaking of filtering, was Research-y (IPv6)</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16120</link>
    <description>&lt;pre&gt;.........
........

ASRG could do as Ralph Nader did, list these ISPs' not supporting in a
"yearly" problem list, describe the problem and send it to reasonable
"neutral" global news conglomerates news desks, as well as key newspapers
around the world, pulling the ISP's pants down. Doesn't handle spammers, yes,
but involved, normal ISP's now not caring. No board nor CEO's want to lose
face publicly, it tends to hurt their bonuses in a noticeable way.

Let the news people ask the unpleasant questions, they love "killing"
corporate spokesmen, but they do not understand the issue since their
mailboxes usually are 99.8% spam free. Supply them with trustworthy data and
cases. Make it news, as Nader did.

Compile a yearly, for news people readable, "State of the Spam" and get a
Ralph Naderish spokesman. If done right, it can prove to be a real incentive
for ISP's to ID customers having spambots etc.

Can't be done?

Look at this, far from complete, but still usable map from Cert.se,
www.cert.se/megamap/ , over curre&lt;/pre&gt;</description>
    <dc:creator>Kurt M</dc:creator>
    <dc:date>2013-03-27T08:30:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.ietf.asrg/16119">
    <title>Re: Speaking of filtering, was Research-y (IPv6)</title>
    <link>http://permalink.gmane.org/gmane.ietf.asrg/16119</link>
    <description>&lt;pre&gt;
Well, here's a question.  Richard was sending mail from Demon, which a
long time ago was squeaky clean, but in recent years has sent 100%
spam to my network until a few messages he tried to send last week.
(I have logs.)

It's a wide range of spam. One recent example was some sort of
religious press release sent to an address that sorta kinda used to be
OK and was on some 1995 list of editors, but has been rejecting mail
for many years.  A lot of it is 419 spam.  But other than his
messages, it's all been spam.

So how do I tell the 100% spam sources that might turn out to be
99.98% spam sources and leak a real message or two from the 100% spam
sources that won't?

PS: One of them had this transcendent hash buster:

Most shadows believe that inside squid borrow money from near bubble
bath.Any cigar can secretly admire globule of, but it takes a real
mortician to bartender related to.When you see beyond girl scout, it
means that coward inside daydreams.Unlike so many necromancers who
have made their gratifyi&lt;/pre&gt;</description>
    <dc:creator>John Levine</dc:creator>
    <dc:date>2013-03-26T23:54:39</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.ietf.asrg">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.ietf.asrg</link>
  </textinput>
</rdf:RDF>
