Spam from deposed King's Friend


yllus

Elite Member & Lifer
Aug 20, 2000
Originally posted by: Gamingphreek
You don't. If you could rely on e-mail relays to require accurate headers it would be possible, but that isn't the case. The college you think it's coming from is probably just a compromised machine acting as the starting relay for the message to be sent from somewhere else.

There's nothing you can do. If there was something that could be done, it would have been done already - spam is a costly fact of life for businesses. At last count, my company has 21 machines dedicated to the sole task of acting as e-mail relays because of how CPU intensive the anti-virus and spam detection software is. Reactive measures are all that we can do.

So since there is a relay machine (probably 1 out of many) what prevents them from tracking the relay machines and hopping from machine to machine. For instance, since this is at this University, could someone not find the connection that is used to make the relay and trace that to the next point? If that makes any sense...

-Kevin

You absolutely could. And then that IP either leads to a Comcast IP address for a residential machine that's been compromised and is sending those messages on command, or you get the guy's actual IP in China or Nigeria or whatever.

Problem is, there are so many of these messages coming from so many IPs, with an almost always understaffed and overworked IT department that an investigation never really begins. In the short term it costs less to add another machine to your e-mail relay cluster instead of taking time away from your skilled help to deal with every spam message you receive.

The best case you can hope for is that sysadmins treat this as a wake-up call and negotiate with management to get the time and budget to update their relays to require proper authentication. And that someone contacts Comcast to tell them one of their subscribers has an infected machine. But that's pretty rare (though getting less rare lately).
 

randay

Lifer
May 30, 2006
Originally posted by: Gamingphreek

So since there is a relay machine (probably 1 out of many) what prevents them from tracking the relay machines and hopping from machine to machine. For instance, since this is at this University, could someone not find the connection that is used to make the relay and trace that to the next point? If that makes any sense...

-Kevin

Yes, but it's probably some 14-year-old kid in Nigeria. Like I said, what are you gonna do about it? Spend 30 seconds blacklisting the offending mail server, or a few months convincing incompetent server admins to help you trace some spammer and then buy a ticket to Nigeria to go kick some child in the shins?
 

KLin

Lifer
Feb 29, 2000
Originally posted by: randay
Originally posted by: Gamingphreek

So since there is a relay machine (probably 1 out of many) what prevents them from tracking the relay machines and hopping from machine to machine. For instance, since this is at this University, could someone not find the connection that is used to make the relay and trace that to the next point? If that makes any sense...

-Kevin

Yes, but it's probably some 14-year-old kid in Nigeria. Like I said, what are you gonna do about it? Spend 30 seconds blacklisting the offending mail server, or a few months convincing incompetent server admins to help you trace some spammer and then buy a ticket to Nigeria to go kick some child in the shins?

Personally I'd kick him in the family jewels.
 

manlymatt83

Lifer
Oct 14, 2005
Originally posted by: Gamingphreek
So, I just got an E-Mail that made it through my university's filters.

The message is the message about some assets after some guy died (Michael from "The Office" got this e-mail, haha). After Google searching, apparently, they are all coming from the same e-mail address.

Is there any way we can trace the message and eventually get this guy? It all seems to be coming from some Puerto Rican college based on my message headers.

-Kevin

(Edit: I am a CS major looking at the security field on graduation - so naturally this was my response to seeing this)

Take a look at how the SMTP protocol works. Then write back.
 

Gamingphreek

Lifer
Mar 31, 2003
Originally posted by: yllus
Originally posted by: Gamingphreek
You don't. If you could rely on e-mail relays to require accurate headers it would be possible, but that isn't the case. The college you think it's coming from is probably just a compromised machine acting as the starting relay for the message to be sent from somewhere else.

There's nothing you can do. If there was something that could be done, it would have been done already - spam is a costly fact of life for businesses. At last count, my company has 21 machines dedicated to the sole task of acting as e-mail relays because of how CPU intensive the anti-virus and spam detection software is. Reactive measures are all that we can do.

So since there is a relay machine (probably 1 out of many) what prevents them from tracking the relay machines and hopping from machine to machine. For instance, since this is at this University, could someone not find the connection that is used to make the relay and trace that to the next point? If that makes any sense...

-Kevin

You absolutely could. And then that IP either leads to a Comcast IP address for a residential machine that's been compromised and is sending those messages on command, or you get the guy's actual IP in China or Nigeria or whatever.

Problem is, there are so many of these messages coming from so many IPs, with an almost always understaffed and overworked IT department that an investigation never really begins. In the short term it costs less to add another machine to your e-mail relay cluster instead of taking time away from your skilled help to deal with every spam message you receive.

The best case you can hope for is that sysadmins treat this as a wake-up call and negotiate with management to get the time and budget to update their relays to require proper authentication. And that someone contacts Comcast to tell them one of their subscribers has an infected machine. But that's pretty rare (though getting less rare lately).

Oh, I completely understand what you are saying then. Cost-wise it is just better to let them send the spam and scams and focus on preventing it from getting through.

Yes, but it's probably some 14-year-old kid in Nigeria. Like I said, what are you gonna do about it? Spend 30 seconds blacklisting the offending mail server, or a few months convincing incompetent server admins to help you trace some spammer and then buy a ticket to Nigeria to go kick some child in the shins?

Well, true, I understand what you are saying. So for larger, more dangerous scams they might actually devote the time and money to tracing and apprehending the person in question?

Take a look at how the SMTP protocol works. Then write back.
I assume I will once I have the time to get some of my CompTIA certs out of the way. Seems to me Network+ and Security+ should go into the SMTP protocol. If they don't, I'm sure CISSP touches on it (once the semester is over I'll have time to focus on some of those).

-Kevin
 

BurnItDwn

Lifer
Oct 10, 1999
Originally posted by: rudeguy
The lifers have spoken.

This thread is now a debate between slip on moccasins and full moccasins.

I vote for Dunham shoes.
They frickin last forever.
 

thepd7

Diamond Member
Jan 2, 2005
Originally posted by: rudeguy
Originally posted by: drum
I think you have to go with full

I like the warmth of full, the ease of slip on....

but are they really moccasins if they aren't full?

Think about it: you need to be able to hunt a deer with moccasins. Or at least sneak up on someone.

Half "moccasins" are really just glorified house shoes.
 

geno

Lifer
Dec 26, 1999
The word "moccasins" always looks like "mocc-asians" to me. It's hilarious to pronounce it so.
 

illusion88

Lifer
Oct 2, 2001
I SOLVED THE MYSTERY
It was pretty easy. Just had to look at the "Received: from" line in the header. You can run the whois. I'll make it easy for you and post the whole line for you.

Received: from localhost (localhost [127.0.0.1])

Have fun and good luck!
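As an added example (not code from the thread), the following Python script does what yllus describes above and illustrates illusion88's point: it walks the Received: chain from the newest header down, but only believes the headers written by the recipient's own MTAs. The bracketed IP in the last of those trusted headers is the client that actually connected; every header below it was supplied by the sender and can be forged, including a fake "by mx1.example.edu" line. If the last trusted header says "from localhost [127.0.0.1]", the message was injected locally (webmail, a content filter, a compromised local account) and there is no external IP to whois. All hostnames, IPs (RFC 5737 documentation ranges stand in for public addresses) and the sample messages are constructed for this example.

```python
import email
import re
from ipaddress import ip_address, ip_network

# "from <helo> (<reverse-dns> [<ip>]) by <receiving-host> ...": only the bracketed
# address was observed by the receiving MTA; the helo name is whatever the client said.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")

# RFC 1918 / RFC 4193 ranges; checked explicitly because ipaddress.is_private also
# flags the RFC 5737 documentation ranges used in the constructed samples below.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify(ip_str):
    """Return 'loopback', 'private', 'public' or 'unparseable' for a Received IP."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def parse_received(raw_message):
    """Return one dict per Received: header, newest first (the order they appear)."""
    msg = email.message_from_string(raw_message)   # compat32: header values stay plain strings
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())              # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            hops.append({"raw": flat, "helo": None, "ip": None, "by": None, "kind": "unparseable"})
            continue
        # Prefer the address the MTA recorded in parentheses; fall back to "from [ip]".
        ip_m = IP_RE.search(m.group("comment") or "") or IP_RE.search(m.group("helo"))
        ip = ip_m.group("ip") if ip_m else None
        hops.append({"raw": flat, "helo": m.group("helo"), "ip": ip,
                     "by": m.group("by").rstrip(";"),
                     "kind": classify(ip) if ip else "none"})
    return hops


def attributable_hop(hops, trusted_hosts):
    """Find the one IP in the chain that can actually be attributed.

    Each Received header was written by the host in its 'by' clause. We trust only
    headers written by our own MTAs and stop at the first one we did not write: that
    header and everything below it came from the sender and may be fabricated.
    """
    trusted = {h.lower() for h in trusted_hosts}
    last_trusted = None
    for idx, hop in enumerate(hops):
        if hop["by"] is None or hop["by"].lower() not in trusted:
            break
        last_trusted = idx
    if last_trusted is None:
        return {"status": "no_trusted_hop", "ip": None, "hop": None, "claimed_below": len(hops)}
    hop = hops[last_trusted]
    result = {"ip": hop["ip"], "hop": last_trusted,
              "claimed_below": len(hops) - last_trusted - 1}
    # A loopback/private client on our own border means local injection, not a remote sender.
    result["status"] = ("local_injection" if hop["kind"] in ("loopback", "private")
                        else "external_client")
    return result


TRUSTED = {"mail.example.edu", "mx1.example.edu"}   # constructed: the recipient's own relays

# Constructed sample: a remote webmail host connected to our border MX; the two
# lowest headers (including the 127.0.0.1 one) were written by the remote side.
SAMPLE = """\
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
\tby mail.example.edu (Postfix) with ESMTP id 4F2A1; Mon, 5 May 2008 09:12:04 -0400
Received: from webmail.college.example ([203.0.113.45])
\tby mx1.example.edu (Postfix) with ESMTP id 3B7C9; Mon, 5 May 2008 09:12:01 -0400
Received: from localhost (localhost [127.0.0.1])
\tby webmail.college.example (Postfix) with ESMTP id 91D2; Mon, 5 May 2008 09:11:58 -0400
Received: from [10.0.0.5] by localhost with HTTP; Mon, 5 May 2008 09:11:57 -0400
From: "Barrister" <claims@college.example>
To: kevin@example.edu
Subject: Urgent assets of deceased client

Please respond.
"""

# Constructed sample: our own relay recorded a loopback client, so nothing external exists.
LOCAL_SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.edu (Postfix) with ESMTP id 77AA; Mon, 5 May 2008 10:00:00 -0400
From: someone@example.edu
To: kevin@example.edu
Subject: test

hi
"""

if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h['ip']} ({h['kind']}) by {h['by']}")
    print(attributable_hop(hops, TRUSTED))
    print(attributable_hop(parse_received(LOCAL_SAMPLE), TRUSTED))
```

Run against the first sample it reports hop 1 (203.0.113.45) as the only attributable client and two "claimed" hops beneath it; the 127.0.0.1 line is one of those claimed hops, written by the remote college's server, so only that college's admins could follow it further. Against the second sample it reports local injection.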
 

geno

Lifer
Dec 26, 1999
Originally posted by: illusion88
I SOLVED THE MYSTERY
It was pretty easy. Just had to look at the "Received: from" line in the header. You can run the whois. I'll make it easy for you and post the whole line for you.

Received: from localhost (localhost [127.0.0.1])

Have fun and good luck!

ZOMG!! THAT'S MY COMPUTER! BUT I'M NOT IN NIGERIA!!!!
 

Gamingphreek

Lifer
Mar 31, 2003
Originally posted by: illusion88
I SOLVED THE MYSTERY
It was pretty easy. Just had to look at the "Received: from" line in the header. You can run the whois. I'll make it easy for you and post the whole line for you.

Received: from localhost (localhost [127.0.0.1])

Have fun and good luck!

Isn't that the loopback address of the network adapter?

-Kevin
 

KLin

Lifer
Feb 29, 2000
Originally posted by: Gamingphreek
Originally posted by: illusion88
I SOLVED THE MYSTERY
It was pretty easy. Just had to look at the "Received: from" line in the header. You can run the whois. I'll make it easy for you and post the whole line for you.

Received: from localhost (localhost [127.0.0.1])

Have fun and good luck!

Isn't that the loopback address of the network adapter?

-Kevin

Check out the big brain on Kevin!
 

Homerboy

Lifer
Mar 1, 2000
Originally posted by: KLin
Originally posted by: Gamingphreek
Originally posted by: illusion88
I SOLVED THE MYSTERY
It was pretty easy. Just had to look at the "Received: from" line in the header. You can run the whois. I'll make it easy for you and post the whole line for you.

Received: from localhost (localhost [127.0.0.1])

Have fun and good luck!

Isn't that the loopback address of the network adapter?

-Kevin

Check out the big brain on Kevin!

LOL, let's hope he's still in his first year.