Jump to content

Spoofed IP Address


scottd

Recommended Posts

What do I do? I'm an ISP and I am pretty aggressive in my reporting of spam to SpamCop. But today, I got two different reports from SpamCop users reporting spam from my network.

The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all.

But...we all know that after 'x' reports, the block of IP addresses gets blacklisted. How do I keep this from happening? I'm desperately trying to be one of the good guys, but I fear if this gets anymore out of hand, I'm going to wind up blacklisted.

Any suggestions and/or advice would be greatly appreciated.

Scott

Link to comment
Share on other sites

Need to see the Tracking URL that would show what was submitted, how it was parsed, etc. That said, I'm not 100% sure that an ISP complaint form actually show this as an obvious entry. So you can offer up the details here and let some SpamCop users take a crack at it in the short-term .. or you can submit what you've got to Deputies <at> admin.spamcop.net and wait until they dig down far enough in their e-mail to get to yours.

Currently, http://www.spamcop.net/w3m?action=checkblock&ip=67.131.122.3 shows this IP as being listed.

Causes of listing

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 67.131.122.3 has no reverse dns

Listing History

It has been listed for less than 24 hours.

There is a mathematical formula for listing / de-listing .. spam reported, traffic "seen" , spamtrap hits, and time ... There is no mention of the heavily-weighted spamtrap hits, so one would be going that the minimal reports have tipped the scales based on the self-admitted "not-in-use" status, thus there'd be no traffic "seen" from that IP. So, yes, I'd agree that you have an issue, and I've no doubt that Julian would want to see the evidence quick to find out what went wrong .... He has been working code this last week and there was also database issue earlier this evening. Whether there's a connection there, I don't know, but something like this isn't acceptable.

Link to comment
Share on other sites

Read the report carefully.

Spamcop reports go to the ISP or it's upstream for both the I.P. address that the spam originated from and to the ISP for any URLs being advertised.

You could be receiving reports because a spammer has put a URL for one of your I.P. addresses in their spew.

Sometimes this is done because they are operating a spam site on your network either by purchasing access through you, or by hosting it on one of your customer's boxes that they have taken over by some means.

The spammers have also been putting their DNS servers on such compromised machines.

Sometimes they just put such URLs in to cause spamcop.net to send you reports.

Spammers are also apparently registering I.P. addresses in others names to avoid being prosecuted.

You may find that you now are the owner of that I.P. block or the spamvertised domain. If you are, take immediate control of it and NULL route it. The last time I saw that happen, it took the spammer at least 72 hours to recover from that and it knocked out quite a few of their domains.

At the present time spamvertised URLs do not feed the spamcop.net blocking list in spite of rumors to the contrary.

But if a spammer has registered a domain or an I.P. address with your contact information, other DNSbls and local lists may not realize this and block all of your domains.

-John

Personal Opinion Only

Link to comment
Share on other sites

The thing is, it was reported both times as having come from 67.131.122.3.  At the moment, the entire 67.131.122.0/24 (class C) is not in use by us.  There are no hosts on that network at all.  Thus, I'm convinced that it did not actually come from our network at all.

But...we all know that after 'x' reports, the block of IP addresses gets blacklisted.

As a followup, spamcop.net only lists the I.P. address that it has determined that spam is coming from, not the block. Other DNSbls may be more liberal in what they list.

If you own that I.P. address, make sure that there is nothing at it that has been compromised.

I once called an ISP's toll free number to report an open relay on their network and they told me that it was not possible and tried to dismiss me until i started reading of the routing information in the headers. Then their tone changed and they referred me to their senior technician. A test machine in what should have been an isolated lab was operating as an open relay.

It also could be a parser error, as spammers are trying to find ways to defeat the spamcop.net parser and occassionally they succeed for brief periods of time. The spammer that I mentioned in the previous post was doing that until the parser got smarter.

If something is fooling the spamcop.net parser, it could be fooling others too.

The other thing that could be happening is that if you own but are not routing that I.P. range, a spammer could have found a way to hijack the routing of it to their server that is not on your network. In this case it may be interesting to see what a traceroute to the I.P. addresses that you think are not reachable are going to.

You would have to do that test from a netblock not registered to you. The http://www.samspade.org site should help.

-John

Personal Opinion Only

Link to comment
Share on other sites

Further checking .. OUCH!!!! .. for a "no hosts in the network" ... you've got some severe issues going on ... for example;

http://www.senderbase.org/?searchBy=ipaddr...ng=67.131.122.3

Volume Statistics for this IP

--------------- Magnitude --- Vol Change vs. Average

Last day ______ 4.3 _____ 12254%

Last 30 days ___3.3 _____ 1032%

Average ______ 2.2

Date of first message seen from this address 2004-06-09

Network Owner Qwest Communications

http://moensted.dk/spam/?addr=67.131.122.3&Submit=Submit shows nothing major beyond the SpamCop listing. But looking at the traffic report at SenderBase, this is just a matter of time.

Link to comment
Share on other sites

13 kcm-edge-09.inet.qwest.net (205.171.29.82) 39 ms 39 ms 39 ms

14 65.123.132.138 (65.123.132.138) 49 ms 49 ms 50 ms

15 67.131.122.254 (67.131.122.254) 87 ms 87 ms 88 ms

16 * * *

The subnet has a router, nothing is visible by traceroute after the router.

It would take a deputy to determine if there has been a parser error as I can not find any spam samples anywhere.

In the event that the parser is correct, if nothing is supposed to be on that subnet, to check the incoming stats on your router, and to set it to actually block that subnet.

Can you post the headers of the spam that is alleged to come from your subnet from the spamcop.net reports that you have?

-John

Personal Opinion Only

Link to comment
Share on other sites

Here are the two headers I got from Spamcop:

[ SpamCop V1.330 ]

This message is brief for your comfort. Please use links below for details.

Email from 67.131.122.3 / 10 Jun 2004 16:11:46 -0000 http://www.spamcop.net/w3m?i=z1064169684ze...7ef055dc099a80z

[ Offending message ]

"From yczmatqazefmns[at]yahoo.com Thu Jun 10 15:15:50 2004

Return-Path: <yczmatqazefmns[at]yahoo.com>

Delivered-To: x

Received: (qmail 796 invoked from network); 10 Jun 2004 16:11:46 -0000

Received: from unknown (HELO 69.0.205.41) (67.131.122.3)

by worshipradio.com with SMTP; 10 Jun 2004 16:11:46 -0000

Return-Path: <yczmatqazefmns[at]yahoo.com>

Received: from smtp4.nix.paypal.com (smtp6.nix.paypal.com [67.131.122.3])

by yahoo.com (8.12.10/8.18.10) with ESMTP id i4M1AVjw010312

for <x>; %CURRENT_DATE_TIME

Received: from notify1.nix.paypal.com (notify8.nix.paypal.com [53.220.240.152])

by smtp6.nix.paypal.com (Postfix) with SMTP id E0B568EF09

for <x>; %CURRENT_DATE_TIME

Received: (qmail 18817 invoked by uid 087); Thu, 10 Jun 2004 23:11:32 +0600

Message-Id: <1081________8648[at]paypal.com>

X-country: US

X-language: en_US

MIME-Version: 1.0

Content-Type: multipart/related;

boundary="----=_NextPart_000_00MK_05D5063TY_01R.551U00I0"

X-Mailer: Microsoft Office Outlook, Build 11.0.5510

From: "Refinance" <yczmatqazefmns[at]yahoo.com>

To: Info<x>

Subject: Hundreds of lenders

X-spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a on

yahoo.com

X-spam-Level:

X-spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no

version=2.60-spambr_20030926a

X-UIDL: fB[at]"!)+h"!#+""!Y$m!!

[ SpamCop V1.328 ]

This message is brief for your comfort. Please use links below for details.

Email from 67.131.122.3 / Wed, 9 Jun 2004 19:37:07 +0000 http://www.spamcop.net/w3m?i=z1063321451zb...a99277693bedefz

[ Offending message ]

Return-Path: <zbfwteph[at]hotmail.com>

Received: from [203.2.192.76] ([67.131.122.3]) by smta03.mail.ozemail.net

with SMTP

id <20040609193707.CESB11826.smta03.mail.ozemail.net[at][203.2.192.76]>;

Wed, 9 Jun 2004 19:37:07 +0000

Return-Path: <zbfwteph[at]hotmail.com>

Received: from smtp1.nix.paypal.com (smtp4.nix.paypal.com [67.131.122.3])

by yahoo.com (8.19.10/8.15.10) with ESMTP id i4M1AVjw010633

for <x>; %CURRENT_DATE_TIME

Received: from notify3.nix.paypal.com (notify1.nix.paypal.com [40.84.219.171])

by smtp2.nix.paypal.com (Postfix) with SMTP id E0B863EF91

for <x>; %CURRENT_DATE_TIME

Received: (qmail 18850 invoked by uid 612); Wed, 09 Jun 2004 23:35:19 +0300

Message-Id: <1082________3115[at]paypal.com>

X-country: US

X-language: en_US

MIME-Version: 1.0

Content-Type: multipart/related;

boundary="----=_NextPart_000_00XV_00I0212NC_07T.181U85J0"

X-Mailer: Microsoft Office Outlook, Build 11.0.5510

From: "Lenders Compete" <zbfwteph[at]hotmail.com>

To: x

Subject: Refinance {CD237D06-25FA-4E68-B7D2-EB4DD6F8DF11}

X-spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a on

yahoo.com

X-spam-Level:

X-spam-Status: No, hits=-5.9 required=5.0 tests=AWL,NO_REAL_NAME autolearn=no

version=2.60-spambr_20030926a

X-UIDL: fB[at]"!)+h"!#+""!Y$m!!

Date: Wed, 9 Jun 2004 19:37:26 +0000

X-Filter-Tag: {CD237D06-25FA-4E68-B7D2-EB4DD6F8DF11}

X-Filter-Result: Score: 99%, Threshold: 50%

Link to comment
Share on other sites

The thing is, it was reported both times as having come from 67.131.122.3.  At the moment, the entire 67.131.122.0/24 (class C) is not in use by us.  There are no hosts on that network at all.  Thus, I'm convinced that it did not actually come from our network at all.

A quick port scan on that range gives the following, so there is something there. All of these hosts are responding to pings. The telnets seem to be a router or routers.

IP Ports Host name

67.131.122.1 Telnet Unavailable

67.131.122.2 Unavailable

67.131.122.3 Unavailable

67.131.122.253 Telnet Unavailable

67.131.122.254 Telnet Unavailable

Link to comment
Share on other sites

The thing is, it was reported both times as having come from 67.131.122.3. At the moment, the entire 67.131.122.0/24 (class C) is not in use by us. There are no hosts on that network at all. Thus, I'm convinced that it did not actually come from our network at all.

There is something at 67.131.122.3

06/11/04 08:25:15 -0500 ping 67.131.122.3

Ping 67.131.122.3 ...

1 Addr:67.131.122.3, RTT: 105ms, TTL: 113

2 Addr:67.131.122.3, RTT: 102ms, TTL: 113

3 Addr:67.131.122.3, RTT: 103ms, TTL: 113

4 Addr:67.131.122.3, RTT: 103ms, TTL: 113

06/11/04 08:25:33 -0500 Fast traceroute 67.131.122.3

Trace 67.131.122.3 ...

[...]

16 205.171.29.82 39ms 39ms 52ms TTL: 0 (kcm-edge-09.inet.qwest.net fraudulent rDNS)

17 65.123.132.138 68ms 49ms 49ms TTL: 0 (No rDNS)

18 67.131.122.254 99ms 97ms 101ms TTL: 0 (No rDNS)

19 67.131.122.3 113ms 103ms 104ms TTL:113 (No rDNS)

Link to comment
Share on other sites

OK, in the links provided for ISP info, did you follow all the way through to the page at http://www.spamcop.net/sc?id=z515748441z45...307f0295db546az ??? this shows the parsing engine at work, also including a link to see the entire orignal spam (as submitted) .. and might I say, what a spam it is ... Forged (incompletely) header lines, GPG signed, "important" graphic included ... wow ...

But, I would suggest that there is something sitting at that IP that allowed the traffic. The question now might be simply .. is it something that you have control over?

Link to comment
Share on other sites

At the time that I posted this morning, the I.P. address used to send spam was not reachable.

Later in the day, it was reachable.

Now in the evening it is not.

If the problem has not been fixed, this is an indication that it is a compromised computer that is only turned on during office hours.

When the I.P. address is responding to the outside, the original poster should be able to find it by tracing the pings. If they can not do that, then they need to see their upstream and ask them why one of their assigned I.P. addresses is being routed outside of their network.

-John

Personal Opinion Only

Link to comment
Share on other sites

What do I do?  I'm an ISP and I am pretty aggressive in my reporting of spam to SpamCop.  But today, I got two different reports from SpamCop users reporting spam from my network.

The thing is, it was reported both times as having come from 67.131.122.3.  At the moment, the entire 67.131.122.0/24 (class C) is not in use by us.  There are no hosts on that network at all.  Thus, I'm convinced that it did not actually come from our network at all.

But...we all know that after 'x' reports, the block of IP addresses gets blacklisted.  How do I keep this from happening?  I'm desperately trying to be one of the good guys, but I fear if this gets anymore out of hand, I'm going to wind up blacklisted.

Any suggestions and/or advice would be greatly appreciated.

Scott

I have definite spam samples showing spam coming thru IP 67.131.122.3 Most of it also has forged received headers after the valid received header -- sometimes one forged header, sometimes two -- sometimes looking like this:

Received: from smtp1.nix.paypal.com (smtp4.nix.paypal.com [67.131.122.3])

by yahoo.com (8.19.10/8.15.10) with ESMTP id i4M1AVjw010633

for <x>; %CURRENT_DATE_TIME

Received: from notify3.nix.paypal.com (notify1.nix.paypal.com [40.84.219.171])

by smtp2.nix.paypal.com (Postfix) with SMTP id E0B863EF91

for <x>; %CURRENT_DATE_TIME

sometimes with an actual datestamp. Right now the IP is unreachable -- don;t know whether you took the server down or not. But this looks to me like worm/trojan infection either on the server or by a machine nat'd behind it. Some of the worm/trojans are pretty sophisticated and only turn on at certain times; others only respond to specific IPs. Whatever is infecting the server/firewall/ machine behind the server/firewall may be difficult to find and it may be more than one trojan/worm ...

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...