
psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to kpatz

Re: Call for participation! Msgr Spam investigatio

said by kpatz:
Do we have to use Ethereal? I've used a homebrew listener on my Linux box to capture messenger spam dating back to April, I have nearly 3,000 samples comprising approximately 200 unique messenger spam texts. They're cataloged in a MS Access 97 database. If you like I can dump this data into a format you can use and send it to you.
If you can capture the IP/UDP headers for each packet, I believe those are important in this case. I wasn't doing this, except as a side effect of other captures, until the last few weeks.

Philip Sloss
--
(Thanks, anonymous!) Feedback? e-mail: stuff@lupwa.org

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

I don't have the full (raw) UDP headers, but I do have the following information (as reported by ipchains): Date, Time, Protocol, Source IP, Source Port, Destination IP, Destination Port, Packet Length, TOS, IP ID (sequence), flags/fragmentation offset, TTL. I also have the text of the spam itself, but not the header information in the spam packet (I can pull this from the capture logs though, they just aren't in the Access DB).


psloss
Premium
join:2002-02-24
Alpharetta, GA

said by kpatz:
I don't have the full (raw) UDP headers, but I do have the following information (as reported by ipchains): Date, Time, Protocol, Source IP, Source Port, Destination IP, Destination Port, Packet Length, TOS, IP ID (sequence), flags/fragmentation offset, TTL. I also have the text of the spam itself, but not the header information in the spam packet (I can pull this from the capture logs though, they just aren't in the Access DB).
That sounds like a pretty good subset of the IP and UDP header information... it's up to you whether you want to contact Lawrence, of course.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

bADbRAINs

join:2000-01-11
43°n 79&

Count me in! Spammers target me on udp port 1026 all day every day! I've logged 5 or 6 addresses in total.
I know that they hope to get a response from win2k messenger service; I always disabled the service anyway.

I must have gone to a site or was redirected against my will and my ip logged for later spam abuse. I did a dig on the addresses and sent info to their ISPs, but have yet to get a response and the spammers still are at it.



NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to kpatz

said by kpatz:
I don't have the full (raw) UDP headers, but I do have the following information ...**TTL**.
That's all you really need then...but I'm really truly interested if you receive a Spam from a source that is *close* to you. Can you craft a query to your Access db that finds cases where (Powerof2 - TTL) TTL).

Good luck with that one.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

said by NetWatchMan:
That's all you really need then...but I'm really truly interested if you receive a Spam from a source that is *close* to you. Can you craft a query to your Access db that finds cases where (Powerof2 - TTL) TTL).
How *close* are you looking for? Within 10 hops? 5 hops? 2 hops? Let me know and I'll run a query.

In the past 24 hours I've received 62 messenger spams, including one "new" one, a new variant of EasyPopupBlocker.
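The hop-distance test Lawrence asks for above (how far the observed TTL has fallen from the sender's starting value, which the thread writes as "Powerof2 - TTL") can be run straight off the firewall log fields kpatz lists, without the Access database. The following is an added example written for this thread, not code from any poster: it parses constructed log lines laid out in the ipchains kernel-log style I remember (`PROTO=`, `src:port dst:port`, `L=`, `S=`, `I=`, `F=`, `T=`; that layout is an assumption, as are the sample addresses), infers the sender's initial TTL as the smallest common starting value (32, 64, 128 or 255; 255 is not a power of two but is a common default, so it is included as an assumption) that is at least the observed TTL, and lists Messenger-spam sources (UDP to port 1026, the port bADbRAINs mentions) whose estimated hop count is within a chosen limit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines in an ipchains-style format (assumed layout, not
# taken from the thread). Documentation-range addresses only.
SAMPLE_LOG = """\
Jun  1 14:12:43 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1026 192.0.2.10:1026 L=440 S=0x00 I=13209 F=0x0000 T=116
Jun  1 14:13:01 gw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.22:1026 192.0.2.10:1026 L=412 S=0x00 I=4410 F=0x0000 T=59
Jun  1 14:13:17 gw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1026 192.0.2.10:1026 L=440 S=0x00 I=13210 F=0x0000 T=116
Jun  1 14:14:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4444 192.0.2.10:135 L=60 S=0x00 I=1 F=0x4000 T=250
Jun  1 14:15:30 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.200:1026 192.0.2.10:1026 L=400 S=0x00 I=77 F=0x0000 T=126
"""

# Fields in the order kpatz lists them: protocol, source IP/port, destination
# IP/port, packet length, TOS, IP ID, flags/fragment offset, TTL.
LINE_RE = re.compile(
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# Common initial TTL values used by IP stacks (assumption: 255 is included even
# though it is not a power of two, since several stacks start there).
INITIAL_TTLS = (32, 64, 128, 255)

UDP = 17
MESSENGER_PORT = 1026  # the port named in the thread


@dataclass
class Record:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ipid: int
    ttl: int


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for an ipchains-style log line, or None if it doesn't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Record(
        proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), length=int(m["length"]),
        ipid=int(m["ipid"]), ttl=int(m["ttl"]),
    )


def parse_log(text: str) -> List[Record]:
    """Parse every matching line of a log; non-matching lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def initial_ttl(observed: int) -> int:
    """Smallest common starting TTL that is >= the observed TTL."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError(f"TTL out of range: {observed}")


def hop_estimate(observed: int) -> int:
    """Estimated router hops between sender and us: starting TTL minus observed TTL.
    A sender using a non-standard starting TTL will make this wrong, so treat it as a hint."""
    return initial_ttl(observed) - observed


def nearby_sources(records: List[Record], max_hops: int) -> Dict[str, int]:
    """Messenger-spam sources (UDP to port 1026) whose estimated distance is within
    max_hops; maps source IP to its smallest estimated hop count."""
    result: Dict[str, int] = {}
    for r in records:
        if r.proto != UDP or r.dport != MESSENGER_PORT:
            continue
        hops = hop_estimate(r.ttl)
        if hops <= max_hops:
            result[r.src] = min(hops, result.get(r.src, hops))
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for limit in (2, 5, 10):
        print(f"within {limit} hops:", nearby_sources(recs, limit))
```

Run as a script it prints the sources within 2, 5 and 10 estimated hops; swap `SAMPLE_LOG` for the contents of a real kernel log to use it on captured data. The estimate is only as good as the assumption that the sender's stack started at one of the listed TTLs, so a source that looks two hops away deserves a traceroute before anyone is contacted about it.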

over 12.5 years online © 1999-2012 dslreports.com.