kpatz (MY HEAD A SPLODE), Premium, join: 2003-06-13, Manchester, NH | reply to NetWatchMan
Re: Call for participation! Msgr Spam investigation Do we have to use Ethereal? I've used a homebrew listener on my Linux box to capture messenger spam dating back to April. I have nearly 3,000 samples comprising approximately 200 unique messenger spam texts. They're cataloged in an MS Access 97 database. If you like I can dump this data into a format you can use and send it to you. |
|
psloss, Premium, join: 2002-02-24, Alpharetta, GA | Re: Call for participation! Msgr Spam investigation said by kpatz: Do we have to use Ethereal? I've used a homebrew listener on my Linux box to capture messenger spam dating back to April. I have nearly 3,000 samples comprising approximately 200 unique messenger spam texts. They're cataloged in an MS Access 97 database. If you like I can dump this data into a format you can use and send it to you.
If you can capture the IP/UDP headers for each packet, I believe those are important in this case. I wasn't doing this, except as a side effect of other captures, until the last few weeks.
Philip Sloss -- (Thanks, anonymous!) Feedback? e-mail: stuff@lupwa.org |
|
kpatz (MY HEAD A SPLODE), Premium, join: 2003-06-13, Manchester, NH | I don't have the full (raw) UDP headers, but I do have the following information (as reported by ipchains): Date, Time, Protocol, Source IP, Source Port, Destination IP, Destination Port, Packet Length, TOS, IP ID (sequence), flags/fragmentation offset, TTL. I also have the text of the spam itself, but not the header information in the spam packet (I can pull this from the capture logs though, they just aren't in the Access DB). |
|
psloss, Premium, join: 2002-02-24, Alpharetta, GA | said by kpatz: I don't have the full (raw) UDP headers, but I do have the following information (as reported by ipchains): Date, Time, Protocol, Source IP, Source Port, Destination IP, Destination Port, Packet Length, TOS, IP ID (sequence), flags/fragmentation offset, TTL. I also have the text of the spam itself, but not the header information in the spam packet (I can pull this from the capture logs though, they just aren't in the Access DB).
That sounds like a pretty good subset of the IP and UDP header information...it's up to you whether you want to contact Lawrence, of course.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
 | reply to kpatz
Re: Call for participation! Msgr Spam investigation You don't have to use Ethereal, but use anything that will capture the Time-to-Live (TTL) in the packet. If you're on a Unix box then I assume you have tcpdump, so just do:
tcpdump -i # -s 0 -w trace.dat "udp and (port 135 or port 1026 or port 1027 or port 1028 or port 1029)"
This will save to a binary trace file. Because Ethereal uses the same packet capture engine as tcpdump, its traces can be read with Ethereal.
Ethereal users would need to add the above filter (no quotes) in the Ethereal capture window...yet another nicety...the capture filter syntax is identical. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
 | reply to psloss
Re: Call for participation! Msgr Spam investigation Count me in! Spammers target me on UDP port 1026 all day, every day! I've logged 5 or 6 addresses in total. I know that they hope to get a response from the Win2k Messenger service; I always disabled the service anyway.
I must have gone to a site or was redirected against my will and my IP logged for later spam abuse. I did a dig on the addresses and sent the info to their ISPs, but have yet to get a response and the spammers are still at it. |
|
 | reply to kpatz said by kpatz: I don't have the full (raw) UDP headers, but I do have the following information ...**TTL**.
That's all you really need then...but I'm really truly interested if you receive a spam from a source that is *close* to you. Can you craft a query to your Access db that finds cases where (Powerof2 - TTL) TTL).
Good luck with that one. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
kpatz (MY HEAD A SPLODE), Premium, join: 2003-06-13, Manchester, NH | said by NetWatchMan: That's all you really need then...but I'm really truly interested if you receive a spam from a source that is *close* to you. Can you craft a query to your Access db that finds cases where (Powerof2 - TTL) TTL).
How *close* are you looking for? Within 10 hops? 5 hops? 2 hops? Let me know and I'll run a query.
In the past 24 hours I've received 62 messenger spams, including one "new" one, a new variant of EasyPopupBlocker. |
|
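The hop-distance query Lawrence asks for above, and the "how close?" question kpatz raises in reply, worked through as an added example that is not part of this thread. It is not anyone's posted code: it parses constructed log lines laid out the way ipchains reports the fields kpatz lists (PROTO, src:sport, dst:dport, L=length, S=TOS, I=IP ID, F=flags/fragment, T=TTL), keeps only UDP to the Messenger ports in the tcpdump filter, and estimates hops as (smallest common initial TTL >= observed TTL) - observed TTL. The initial-TTL set is an assumption (32, 64, 128 plus the IP maximum 255, which is not a power of two); a sender whose OS starts from a different value, or a path longer than the gap between two of those values, will be mis-binned.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lines in the ipchains "Packet log:" layout. These are NOT
# captured data; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Aug 14 03:12:07 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.45:1031 192.0.2.10:1026 L=1050 S=0x00 I=52718 F=0x0000 T=113 (#3)
Aug 14 03:12:09 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:2324 192.0.2.10:1026 L=988 S=0x00 I=21050 F=0x0000 T=49 (#3)
Aug 14 03:15:40 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:1029 192.0.2.10:1027 L=1012 S=0x00 I=9 F=0x0000 T=126 (#3)
Aug 14 03:16:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4455 192.0.2.10:135 L=48 S=0x00 I=1 F=0x4000 T=240 (#3)
Aug 14 03:20:11 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.200:1026 192.0.2.10:1026 L=900 S=0x00 I=3 F=0x0000 T=27 (#3)
"""

# Assumed field layout: "PROTO=n src:sport dst:dport ... T=ttl".
LINE_RE = re.compile(
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*?\bT=(?P<ttl>\d+)"
)

MESSENGER_PORTS = {135, 1026, 1027, 1028, 1029}  # same ports as the tcpdump filter
INITIAL_TTLS = (32, 64, 128, 255)                 # assumed OS defaults; 255 is the IP maximum


@dataclass
class Hit:
    src: str
    sport: int
    dport: int
    ttl: int
    hops: int


def estimate_hops(ttl: int) -> int:
    """Hops = (smallest assumed initial TTL >= ttl) - ttl.

    Caveat: a 128-start host more than 64 hops away would be binned as a
    64-start host; real paths are far shorter, so this rarely matters.
    """
    if not 1 <= ttl <= 255:
        raise ValueError("TTL out of range: %r" % ttl)
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_log(text: str) -> List[Hit]:
    """Keep UDP packets aimed at the Messenger ports and tag each with a hop estimate."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["proto"]) != 17:     # 17 = UDP; TCP/135 is not Messenger spam
            continue
        dport = int(m["dport"])
        if dport not in MESSENGER_PORTS:
            continue
        ttl = int(m["ttl"])
        hits.append(Hit(m["src"], int(m["sport"]), dport, ttl, estimate_hops(ttl)))
    return hits


def close_sources(hits: List[Hit], max_hops: int) -> List[Tuple[str, int]]:
    """One entry per source within max_hops, nearest first (the Access query, in Python)."""
    nearest: Dict[str, int] = {}
    for h in hits:
        if h.hops <= max_hops and h.hops < nearest.get(h.src, max_hops + 1):
            nearest[h.src] = h.hops
    return sorted(nearest.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for h in hits:
        print("%-16s udp/%-5d ttl=%3d  ~%2d hops" % (h.src, h.dport, h.ttl, h.hops))
    print("within 5 hops:", close_sources(hits, 5))
```

Sources within 5 hops are the ones worth a closer look: an address that near is on the same ISP or campus network and is a plausible candidate for a compromised neighbour rather than a remote spam relay. Against kpatz's ipchains data the same rule is a one-column computation over the TTL field, so the query can be written directly against the Access table once the hop threshold is chosen.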