
[SpamCop-List] Re: (Very Very OT) Tracing Terrorist E-Mail

Philippe Verdy verdy_p at wanadoo.fr
Sat Mar 13 15:50:33 EST 2004


"Redstone" <redford_stone at INVERSE_OF_COLDmail.com> wrote in message
news:Xns94AAE8FD894E3lumbercartel at 216.154.195.61...
> Petzl <nobody at spamcop.net> wrote in
> news:gon450hg7847lkf9os1c53f4nbjuhn39fs at 4ax.com:
>
> > I would say that *if* persons wanted to they could track the email
> > to the source as ISP's do record traffic through their servers. It
> > would just take "manpower"
>
> Must be enough lines in those log files to make the task of wading
> through quite daunting.
>
> I'm curious how many MB log files become on an average business day for
> a regular ISP.

An ISP does not necessarily need to log ALL the IP traffic from their users.
Instead they can and should log when each of the IPs they control and deliver
to their users is assigned to one of their users, so that recovering which
of their users was connected on that IP becomes possible.
The caveat is that you will be able to find which user had an open proxy or
open relay on their unsecured host. But the initial traffic coming to that
unsecured host from the real spammer or hacker or terrorist will be
nearly impossible to track, because that unsecured host at the user's home
is not supposed to perform any logging of accesses from outside.

So now suppose a terrorist wants to send an email: all they have to do is
look for a list of unsecured hosts currently contaminated with an
open relay/open proxy, and then check that this host is already anonymizing
its connected source (the terrorist may need to first send a test email to
himself to ensure that the relayed email does not reveal the source).

When a list of "good" open relays or open proxies is determined, it becomes
very easy to relay an anonymized email through these proxies, located in
countries whose ISPs are not supposed to perform good checking of the
open-proxy/open-relay status of the hosts they connect to the Internet.

In the case of the Melissa virus, which was sent initially from a
university network or a netcafe, finding the sender was possible because
both log their users (webcafes keep a log of their customers simply
to perform billing and payments, and they often also have video tapes
for their own security, to monitor what's happening in their rooms, or to
protect their payment points).

So if you know when a message was sent from a webcafe, the police will
investigate this webcafe and will want to see the surveillance video
tapes and the billing records to find a list of suspects. Virus writers
are known to try their new virus several times with more or less success,
and before a dangerous and "successful" virus is finally created, there will
exist previous records of suspects, so it's just a matter of comparing the
lists of suspects for several attempts to send the virus.

Also, virus authors tend to discuss their "exploit" afterwards with their
friends on some "hackerz" networks, so they leave lots of fingerprints which
will help determine the real sender.

On the contrary, tracking a terrorist sending an email will likely be much
more difficult, as they will first seek to secure a unique sending point to
claim responsibility for their act. And they will be silent and will then drop all
further traces of the abused networks and hosts through which they
claimed their act.

A single email will be sent to some newspaper email address that currently
does not reject emails from open relays/open proxies or dialup accesses.
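The address-assignment logging described in the message above (record which account held which IP and when, rather than all traffic) is the basis of the lookup an ISP's abuse desk performs. The following is an added example, not code from the post or from SpamCop; the log format, the account names and the addresses are all constructed for illustration. It folds assign/release events into lease intervals and answers "who held this IP at this instant", including the case where an address was reassigned to a different account minutes later.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class Lease:
    ip: str
    user: str
    start: datetime
    end: Optional[datetime]  # None: still assigned when the log ends

# Constructed sample of an ISP address-assignment log (hypothetical
# format: ISO-8601 UTC timestamp, event, IP address, account name).
SAMPLE_LOG = """
2004-03-13T08:00:00Z assign  192.0.2.17 alice
2004-03-13T09:30:00Z release 192.0.2.17 alice
2004-03-13T09:31:00Z assign  192.0.2.17 bob
2004-03-13T10:00:00Z assign  192.0.2.18 carol
"""

def parse_assignments(text: str) -> List[Lease]:
    """Fold assign/release events into one Lease interval per assignment."""
    open_leases: Dict[str, Lease] = {}
    closed: List[Lease] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, user = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if event == "assign":
            # A new assignment of an IP implicitly ends any unreleased lease.
            prev = open_leases.pop(ip, None)
            if prev is not None:
                prev.end = when
                closed.append(prev)
            open_leases[ip] = Lease(ip, user, when, None)
        elif event == "release":
            prev = open_leases.pop(ip, None)
            if prev is not None and prev.user == user:
                prev.end = when
                closed.append(prev)
    return closed + list(open_leases.values())

def who_had_ip(leases: List[Lease], ip: str, at: datetime) -> Optional[str]:
    """Account holding `ip` at instant `at` (tz-aware), or None if unassigned."""
    at = at.astimezone(timezone.utc)  # compare in the log's timezone, not local time
    for lease in leases:
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
            return lease.user
    return None

def lookup(log_text: str, ip: str, when_iso: str) -> Optional[str]:
    """Convenience wrapper: parse the log and query it with an ISO-8601 UTC time."""
    at = datetime.fromisoformat(when_iso.replace("Z", "+00:00"))
    return who_had_ip(parse_assignments(log_text), ip, at)
```

A query that falls in the one-minute gap between alice's release and bob's assignment returns None, which is why a mail header's Received timestamp must be compared in the same timezone as the ISP log.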