catseyenuAck Pfft (Premium, join: 2001-11-17, Fix East)
reply to exocet_cm
Re: Call for participation! Msgr Spam investigation
If you want to help:
said by NetWatchMan:
Unfortunately, I'm also convinced that this joker is sending the traffic using a *forged* IP address from two different locations...I'm pretty sure they are both in the US or Canada.
When I receive this traffic I note that the ending TTLs (time-to-live) in the packets are 48 and 53. Assuming a starting TTL of 64, that would mean the spammer is only 16 and 11 hops away from me, respectively. Thus, my conclusion that this traffic is NOT actually coming from China, but much more local.
This is a good opportunity to test an idea that I've had for backtracing the source of spoofed traffic...I call it "TTL Triangulation" ... it works much like a GPS receiver...by collecting spam packets from various locations and comparing the TTLs we should be able to home in on where the actual source of this traffic is.
So I ask anyone here that wants to participate and has the ability to take full packet captures of inbound Messenger spam to capture packets from this IP and email them to me.
My guide to setting up Ethereal is here: www.mynetwatchman.com/pckidiot
You'll want to enter the following string in the 'Filter' box on the Capture screen:
[edit for new filter] (port 135 or port 1026 or port 1027 or port 1028 or port 1029)
Feel free to email or phone me, I'll be happy to give some one-on-one help if you're not clear on how to set this up.
+1.678.624.0924 support (at) mynetwatchman . com
Note the TTL value in the example packet...the closer your value is to 64, the closer YOU are to the spammer...if I can at least identify which ISP he's using I can nab him.
-- Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch [text was edited by author 2003-09-20 10:01:51]
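The hop-count arithmetic and the multi-site comparison described in the quoted post, written out as an added example (this is not NetWatchMan's code; the observer names other than the post's own two TTL readings, and the sample captures, are constructed):

```python
from collections import defaultdict

# Common initial TTLs set by operating systems. Assumption, as in the post:
# the sending host uses one of these, most likely 64.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is not below the observed value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("IP TTL must be in 1..255")
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)

def hop_distance(observed_ttl, initial_ttl=None):
    """Estimated router hops between sender and observer.
    With initial_ttl=None the starting value is inferred from the observation."""
    if initial_ttl is None:
        initial_ttl = infer_initial_ttl(observed_ttl)
    if observed_ttl > initial_ttl:
        raise ValueError("observed TTL exceeds the assumed initial TTL")
    return initial_ttl - observed_ttl

def hop_estimates(captures, initial_ttl=64):
    """captures: iterable of (observer, observed_ttl) pairs from several sites.
    Returns {observer: sorted distinct hop counts}. Two distinct hop counts at
    one site (the post saw 48 and 53) point at two distinct sending hosts."""
    by_observer = defaultdict(set)
    for observer, ttl in captures:
        by_observer[observer].add(hop_distance(ttl, initial_ttl))
    return {o: sorted(h) for o, h in by_observer.items()}

def rank_observers(captures, initial_ttl=64):
    """Observers ordered by their nearest hop estimate; the site with the
    fewest hops is the best lead on which network the packets enter from."""
    est = hop_estimates(captures, initial_ttl)
    return sorted(est, key=lambda o: (min(est[o]), o))

# Constructed sample: the post's two readings plus two made-up capture sites.
SAMPLE_CAPTURES = [
    ("mynetwatchman", 48), ("mynetwatchman", 53),
    ("site_b", 58), ("site_b", 52),
    ("site_c", 45),
]

if __name__ == "__main__":
    print(hop_estimates(SAMPLE_CAPTURES))   # mynetwatchman -> [11, 16]
    print(rank_observers(SAMPLE_CAPTURES))  # ['site_b', 'mynetwatchman', 'site_c']
```

The estimates are only as good as the assumed initial TTL, since a host forging source addresses can set any starting value, so treat the ranking as a lead to confirm with the ISPs' own flow records rather than as proof.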