
[tlug] Interesting info on Korean spam



Hi,

What the subject doesn't say is that, from what I can see, it's the ISP
itself (kornet) doing the spamming, not a subscriber.

I use this script to filter out my mail logs and format lines which are
logged when someone tries to use me as an open relay:

#!/usr/bin/perl -w
use strict;

# Read the syslog lines given on the command line (or stdin) and print
# one formatted line per "Relaying denied" rejection logged by sendmail.
while ( <> ) {

  # Only keep lines containing "Relaying"/"relaying".
  next unless ( m/elaying/ );
  chomp;
  # Timestamp: everything before " <hostname> sendmail".
  ( my $WHEN   = $_ ) =~ s/^(.+?)\s\w+\ssendmail.*/$1/;
  # Client address: the bracketed IP in the "relay=" field.
  ( my $IPADDY = $_ ) =~ s/.*relay=.*?\[([\d\.]+)\].*/$1/;
  # Rejection text, from "Relaying ... denied" to the end of the line.
  ( my $REASON = $_ ) =~ s/.*(.elaying.*? denied.*)$/$1/;
  # Right-align the IP so the columns line up.
  print "$WHEN - " . sprintf("%15s",$IPADDY) . " - $REASON\n";

}

This, when run on /var/log/messages gives me an output like this:

Jan 11 21:57:34 -  68.159.162.202 - Relaying denied. IP name lookup failed [68.159.162.202]
Jan 11 21:57:35 -  68.159.162.202 - Relaying denied. IP name lookup failed [68.159.162.202]
Jan 16 01:28:19 - 218.152.120.211 - Relaying denied. IP name lookup failed [218.152.120.211]
Jan 16 19:11:15 - 211.194.117.163 - Relaying denied. IP name lookup failed [211.194.117.163]
Jan 24 08:53:09 - 216.206.112.135 - Relaying denied. IP name lookup failed [216.206.112.135]
Jan 24 21:09:11 -     65.90.97.46 - Relaying denied. IP name possibly forged [65.90.97.46]
Jan 24 21:09:12 -     65.90.97.46 - Relaying denied. IP name possibly forged [65.90.97.46]

While analysing these addresses I found out that the one on the 5th line was
part of the as yet unassigned IPV4 space for Asia and put it down as a
spoofed address. Today, running "whois 211.194.117.163" gives (among much
crap in Korean) this - look at the "connect" and "registration" dates:

IP Address         : 211.194.117.160-211.194.117.191
Network Name       : KORNET-LLINE-DAEJEON-ENJOYLIFE
Connect ISP Name   : KORNET
Connect Date       : 20030122
Registration Date  : 20030122

So, what conclusions do you draw?

Was the IP address indeed spoofed - in which case, why did sendmail not
tell me that the IP name was possibly forged - or is there someone inside
Kornet doing the spamming?

-- 
G. Stewart   --   gstewart@example.com
                  gstewart@example.com
Registered Linux user #284683

GnuPG key  : BA3D01C6 (pgp.mit.edu)
Fingerprint: C3DF C686 6572 6E59 E3E4  0F40 2B9A 2218 BA3D 01C6
---------------------------------------------------------------
Recorded message on an answerphone: "This is not an answering
machine, this is a telepathic thought-recording device. After
the tone, think about your name, your number, and your reason
for calling.... and I'll think about returning your call."

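The post's Perl one-liner prints every rejection as it appears. For deciding whether a source is a one-off probe or a persistent relay scanner, it is useful to aggregate the same lines per client address and keep the two sendmail reasons apart: "IP name lookup failed" means the client had no usable PTR record, while "IP name possibly forged" means the PTR name existed but did not resolve back to the connecting address, which is a statement about the reverse DNS name, not about the IP itself. The following Python script is an added example, not part of the original post and not the author's code. The sample log lines are constructed in the shape of sendmail's check_rcpt rejections (hostname, PIDs, queue IDs and recipient addresses are made up; the client addresses are the ones quoted above), and the column layout follows the post's "WHEN - IP - REASON" format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: sendmail-style rejection lines plus one ordinary
# delivery line that must be ignored.  Hostnames, PIDs, queue IDs and
# recipients are invented; the client IPs are those quoted in the post.
SAMPLE_LOG = """\
Jan 11 21:57:34 mailhost sendmail[12345]: h0BLvYa012345: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[68.159.162.202], reject=550 5.7.1 <victim@example.net>... Relaying denied. IP name lookup failed [68.159.162.202]
Jan 11 21:57:35 mailhost sendmail[12346]: h0BLvZb012346: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[68.159.162.202], reject=550 5.7.1 <victim@example.net>... Relaying denied. IP name lookup failed [68.159.162.202]
Jan 16 01:28:19 mailhost sendmail[12400]: h0G1SJc012400: ruleset=check_rcpt, arg1=<someone@example.org>, relay=[218.152.120.211], reject=550 5.7.1 <someone@example.org>... Relaying denied. IP name lookup failed [218.152.120.211]
Jan 24 21:09:11 mailhost sendmail[13000]: h0OL9Bd013000: ruleset=check_rcpt, arg1=<someone@example.org>, relay=mail.invalid [65.90.97.46] (may be forged), reject=550 5.7.1 <someone@example.org>... Relaying denied. IP name possibly forged [65.90.97.46]
Jan 24 21:10:02 mailhost sendmail[13001]: h0OLA2e013001: from=<sender@example.com>, size=512, class=0, nrcpts=1, msgid=<x@example.com>, proto=ESMTP, relay=[192.0.2.10]
"""

# Syslog timestamp, "sendmail[pid]:", the relay= field (optionally with a
# reverse-DNS name before the bracketed IP), the rejection text, and the
# bracketed IP sendmail repeats at the end of the line.
LINE_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+sendmail\[\d+\]:.*?"
    r"\brelay=(?:(?P<rdns>\S+)\s)?\[(?P<ip>[\d.]+)\].*?"
    r"(?P<reason>[Rr]elaying denied\.[^\[]*)\[(?P<ip_again>[\d.]+)\]\s*$"
)


@dataclass
class RelaySource:
    ip: str
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    reasons: set = field(default_factory=set)   # distinct sendmail reason texts
    rdns: set = field(default_factory=set)      # reverse-DNS names sendmail logged, if any


def parse_line(line):
    """Return the fields of one 'Relaying denied' line, or None for any other line."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    return {
        "when": m.group("when"),
        "ip": m.group("ip"),
        "rdns": m.group("rdns"),            # None when only the bare address was logged
        "reason": m.group("reason").strip(),
        "consistent": m.group("ip") == m.group("ip_again"),
    }


def summarize(lines):
    """Group denied relay attempts by client IP, keeping first/last time and reasons."""
    sources = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = sources.setdefault(rec["ip"], RelaySource(ip=rec["ip"]))
        if src.count == 0:
            src.first_seen = rec["when"]
        src.count += 1
        src.last_seen = rec["when"]
        src.reasons.add(rec["reason"])
        if rec["rdns"]:
            src.rdns.add(rec["rdns"])
    return sources


def classify(src):
    """Turn sendmail's reason text into a short note about the client's reverse DNS."""
    if any("forged" in r for r in src.reasons):
        return "PTR name did not verify"
    if any("lookup failed" in r for r in src.reasons):
        return "no PTR record"
    return "other"


def report(sources):
    """One line per IP, busiest first, mirroring the post's 'WHEN - IP - REASON' layout."""
    out = []
    for src in sorted(sources.values(), key=lambda s: (-s.count, s.ip)):
        out.append(f"{src.first_seen} .. {src.last_seen} - {src.ip:>15} - "
                   f"{src.count:3d} x - {classify(src)}")
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against /var/log/messages (or maillog) by replacing SAMPLE_LOG.splitlines() with the open file; the per-IP first/last timestamps show at a glance whether an address hammered the server for minutes or came back over days, which is the information a whois lookup such as the one above is then worth spending on.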

