Date: Sat, 8 Sep 2001 13:40:21 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Len Conrad <LConrad@Go2France.com>
Cc: <Freebsd-net@freebsd.org>
Subject: Re: tracing an attack using spoofed ip´s
Message-ID: <20010908133516.K23209-100000@achilles.silby.com>
In-Reply-To: <5.1.0.14.0.20010908114909.02a00920@mail.Go2France.com>
On Sat, 8 Sep 2001, Len Conrad wrote:

> The above section of the maillog report is about 3600 lines, so are you
> saying that 3600 unspoofed, different IPs are doing the attack? That's
> "distributed" if I ever saw one.
>
> I suppose one "master" PC could be relaying through all those open relays
> against this one MX host.

If someone's vicious enough, that doesn't sound too unbelievable.

But, regarding the possibility of TCP spoofing: what version of FreeBSD is the client running? If it's < 4.2, that is a possibility. However, given that the IPs are almost all from open relays, it seems much more likely that this has nothing to do with spoofing.

What is the content of these e-mails? I wonder if it's possible that someone is spamming with an e-mail address at your client's domain. Subsequently, those being spammed are using ordb/rbl to reject the message, and the open relay is then sending your client the bounce message.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
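One way to check the bounce hypothesis above against the client's maillog, added here as an example and not part of the thread: count how many arriving messages are bounces (null envelope sender, or a MAILER-DAEMON/postmaster sender) and how many distinct relay IPs deliver them. The sendmail-style log lines are constructed, and the 50% bounce threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample sendmail maillog lines (not from the thread).
SAMPLE_MAILLOG = """\
Sep  8 11:49:01 mx sendmail[2101]: f88GnAB02101: from=<>, size=3120, class=0, nrcpts=1, msgid=<a1@relay1.example.net>, proto=ESMTP, daemon=MTA, relay=relay1.example.net [192.0.2.10]
Sep  8 11:49:03 mx sendmail[2104]: f88GnAC02104: from=<>, size=2980, class=0, nrcpts=1, msgid=<b2@relay2.example.org>, proto=ESMTP, daemon=MTA, relay=relay2.example.org [198.51.100.7]
Sep  8 11:49:05 mx sendmail[2107]: f88GnAD02107: from=<alice@partner.example>, size=1200, class=0, nrcpts=1, msgid=<c3@partner.example>, proto=ESMTP, daemon=MTA, relay=smtp.partner.example [203.0.113.5]
Sep  8 11:49:06 mx sendmail[2109]: f88GnAE02109: from=<>, size=3050, class=0, nrcpts=1, msgid=<d4@relay1.example.net>, proto=ESMTP, daemon=MTA, relay=relay1.example.net [192.0.2.10]
Sep  8 11:49:09 mx sendmail[2112]: f88GnAF02112: from=<MAILER-DAEMON@relay3.example.com>, size=4100, class=0, nrcpts=1, msgid=<e5@relay3.example.com>, proto=ESMTP, daemon=MTA, relay=relay3.example.com [192.0.2.77]
"""

# Pull queue id, envelope sender and the delivering relay's IP from a "from=" line.
FROM_RE = re.compile(
    r": (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?relay=(?P<host>\S+) \[(?P<ip>[\d.]+)\]"
)

def is_bounce(sender):
    """Null envelope sender or a MAILER-DAEMON/postmaster address marks a bounce."""
    s = sender.lower()
    return s == "" or s.startswith("mailer-daemon@") or s.startswith("postmaster@")

def summarize(log_text):
    """Count messages, bounces, and the distinct relay IPs behind each."""
    total = bounces = 0
    ips = Counter()
    bounce_ips = set()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # delivery/other lines carry no envelope sender
        total += 1
        ips[m["ip"]] += 1
        if is_bounce(m["sender"]):
            bounces += 1
            bounce_ips.add(m["ip"])
    return {"messages": total, "bounces": bounces, "distinct_ips": len(ips),
            "bounce_ips": len(bounce_ips), "top": ips.most_common(3)}

def looks_like_backscatter(summary, min_bounce_fraction=0.5):
    """Mostly bounces arriving from many different relays: the pattern described above.
    The 0.5 threshold is an assumption; tune it to the site's normal traffic."""
    if summary["messages"] == 0:
        return False
    frac = summary["bounces"] / summary["messages"]
    return frac >= min_bounce_fraction and summary["bounce_ips"] > 1

if __name__ == "__main__":
    s = summarize(SAMPLE_MAILLOG)
    print(s, "backscatter" if looks_like_backscatter(s) else "normal")
```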