[SpamCop-List] Re: spam getting through spamcop
Mike Easter
MikeE at ster.invalid
Sat Mar 6 10:56:27 EST 2004
White Eagle wrote:
> I've been fighting SPAM since I've been on the Internet, which is since the
> Internet became open to the public.
>
> Is there any way for me (a power user) to the ultimate source of the
> SPAM when it's 'smtp injected' in an abused proxy or trojan box?

No. There is no trail. The smtp source chaining leads you to the
abused box. Even the abused box has no record, unless the abused box
were 'rigged' [proxy pot] to be abused and logged.

That's another angle for advanced spamfighting, honeypots and proxypots.

> Would reporting to the abused proxy do any good?

Well, it should if the provider were responsive. The provider should be
as unhappy about being listed as a spamsource for abused proxies or
trojans as anything else.

That is a Yes [probably].

> Any suggestion as to how to start learning the way to follow
> redirections and finding the upstream provider?

You're a Win user. I like to use the SamSpade for Win shell for a
variety of spamfighting measures. That shell has a 'Browse web'
function that I prefer to use over going to a website, which is rarely
necessary to find redirects. The GET function will derive what is on
the page without using a browser, then when there's a redirection in
there, 'clicking' on it will get the next GET, and so on.

Most of the time you can find the ultimate destination like that.
Rarely you have to let a tough link situation with heavily obfuscated
javascripting exercise a browser, so you should be securely configured
to do that. Sometimes you won't be able to figure out where you've been
because of cleverness of the spamsite, so you have to use some other 3rd
party, like Zone Alarm's logger to tell you what/where the payload was.

Upstream provider determinations are 'best' or easiest done with AS
upstream adjacencies. I usually 'look at' an ICMP tracert from me, and
a UDP traceroute from somewhere else, if an online tool is available [I
don't have a UDP traceroute tool] for a quick glance - but I get the
most information from using the tools at openrbl for AS numbers and the
routing tools available there.

Some people like to 'abuse' or jigger with sites if they can find an
insecurity. I don't want to get into that cracking game, and I don't
have any accounts I would want to throw away for any kinds of security
probing misbehaviors.

--
Mike Easter
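
[Added example, not part of the original post and not SamSpade's code: a
sketch of the GET-by-GET redirect following described above, handling HTTP
Location headers and meta refresh tags without running any page script. The
function names, the .example hosts and the sample responses are constructed
for illustration.]

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

# Matches <meta http-equiv="refresh" content="0; url=..."> in a page body.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)

def next_hop(url, status, headers, body):
    """Return the absolute URL this response redirects to, or None."""
    location = headers.get("location")
    if 300 <= status < 400 and location:
        return urljoin(url, location)
    match = META_REFRESH.search(body)
    return urljoin(url, match.group(1)) if match else None

def trace(url, fetch, max_hops=10):
    """Follow redirects one GET at a time; stop on a loop or the hop limit."""
    chain = [url]
    for _ in range(max_hops):
        nxt = next_hop(url, *fetch(url))
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain

def http_fetch(url):
    """Plain GET: no automatic redirect following, no script execution."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, resp.read(65536).decode("latin-1")
    finally:
        conn.close()

# Constructed sample responses (hypothetical hosts), so the trace runs offline.
SAMPLE = {
    "http://a.example/offer": (302, {"location": "http://b.example/r?id=1"}, ""),
    "http://b.example/r?id=1": (200, {}, '<meta http-equiv="refresh" content="0; url=/landing">'),
    "http://b.example/landing": (200, {}, "<html>final page</html>"),
}

if __name__ == "__main__":
    print("\n".join(trace("http://a.example/offer", SAMPLE.__getitem__)))
```

Passing http_fetch instead of the sample lookup traces a live link; a chain
that ends on a page with script-driven redirection is the case the post says
needs a securely configured browser.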