Re: spoofed mail
The /20 is announced by an upstream carrier and yes, the IP is heading
back to the carrier's router and then 'disappears' (* * *)
I'm announcing a /18 myself and would like to be able to stop this
(better yet, find the server[s]) before the problem spreads.
Filtering by bgp is only a temporary solution.
I've asked the carrier to deny traffic to/from the IP whenever I get a
spam-registration, just to learn another IP is being used shortly
after. Every time it's an 'empty' IP that's being used.
Off topic:
I built a multihomed fbsd+zebra box a while back (working beyond
expectations!) and I'm now building an obsd 3.5 (stable) box as a
second/redundant bgp-router. Do you by any chance (or anybody else
reading this thread) have experience with obsd+bgp (bgp, ibgp and ebgp)
in a production environment?
respectfully
/per
per@xterm.dk
> Are you (BGP) advertising the /20 yourself or is it advertised by
> the ISP on your behalf? Either way, you might wish to check a
> public route server or looking glass site (start at
> www.traceroute.org) and make sure those IPs are _really_ heading
> back to you.
>
> -Steve S.
>
> Per Engelbrecht wrote:
>> Hi misc@
>>
>> Lately I've received spam-complaints on our 'abuse@' on
>> ip-addresses from within one of our ranges/allocations (an old
>> deprecating /20). The 'funny' part is that these ip-addresses are
>> not in use i.e. don't have a nic attached to it.
>>
>> We have all the servers in a large datacenter (my "domain") where
>> I use obsd for a lot of tasks. One of these tasks is an
>> obsd-watchdog-box on each network segment (switched network)
>> running a small piece of c code to detect hosts going into
>> promiscuous mode and ettercap+ethereal for network analysis.
>> Don't have any pf between the gateway and the customers' servers,
>> hence the approach with the watchdogs.
>>
>> The problem is that I can't find the shit-head[s] doing it!
>> Any help is appreciated. Thank you.
>>
>> respectfully
>> /per
>> per@xterm.dk
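An added example, not code from the thread or from anyone posting in it: Per notes that every address blocked with the carrier is replaced by another 'empty' one shortly after, so instead of chasing each address the script computes everything in the deprecated /20 that is not assigned and emits that unused space as one pf table to block at a border box (or to hand to the carrier as a prefix list). The /20 prefix, the in-use hosts and the complaint sources are placeholders, since the thread gives no addresses.

```python
import ipaddress
from typing import Iterable, List

# Placeholders (assumption): the thread names an "old deprecating /20"
# but no addresses, so a private /20 and invented live hosts stand in.
DEPRECATED_BLOCK = "10.200.0.0/20"
IN_USE = ["10.200.0.0/24",   # a customer subnet that is still live
          "10.200.5.7",      # a single live host (bare IP -> /32)
          "10.200.8.0/22"]   # another live subnet


def unused_space(allocation: str, in_use: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Part of `allocation` not covered by any `in_use` entry, as a minimal
    sorted list of CIDR blocks."""
    remaining = [ipaddress.ip_network(allocation, strict=False)]
    for entry in in_use:
        used = ipaddress.ip_network(entry, strict=False)
        nxt = []
        for net in remaining:
            if net.subnet_of(used):      # whole piece is in use: drop it
                continue
            if used.subnet_of(net):      # carve the used part out of it
                nxt.extend(net.address_exclude(used))
            else:                        # disjoint, or outside the block
                nxt.append(net)
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


def is_unused(ip: str, unused: List[ipaddress.IPv4Network]) -> bool:
    """True when a complained-about source lies in unused space, i.e. no
    legitimate traffic should ever originate from it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in unused)


def pf_rules(unused: List[ipaddress.IPv4Network], table: str = "deprecated_unused") -> str:
    """Render a pf table plus block rules covering the unused space."""
    members = ", ".join(str(n) for n in unused)
    return "\n".join([
        f"table <{table}> const {{ {members} }}",
        f"block drop quick from <{table}> to any",
        f"block drop quick from any to <{table}>",
    ])


if __name__ == "__main__":
    gaps = unused_space(DEPRECATED_BLOCK, IN_USE)
    print(pf_rules(gaps))
    for src in ("10.200.5.7", "10.200.5.8"):   # constructed complaint sources
        print(src, "unused" if is_unused(src, gaps) else "assigned")
```

Rerun it whenever a host is added to or retired from the block; the table shrinks or grows accordingly, and the blocked space stays complete instead of lagging one address behind the abuse.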