Re: not spoofing, was IP-based reputation services vs. DNSBL
John Levine <johnl@iecc.com> Wed, 12 November 2008 21:34 UTC
Date: Wed, 12 Nov 2008 21:34:37 -0000
Message-ID: <20081112213437.92614.qmail@simone.iecc.com>
From: John Levine <johnl@iecc.com>
To: ietf@ietf.org
Subject: Re: not spoofing, was IP-based reputation services vs. DNSBL
In-Reply-To: <2788466ED3E31C418E9ACC5C316615572FFB38@mou1wnexmb09.vcorp.ad.vrsn.com>

>What some spammers used to do when dialup connections were still
>common and broadband rare is that they would use a dialup session as
>the purported source of the packets but really send the bulk of the
>message from a high speed connection. The dialup connection telling
>the high speed connection which sequence numbers to employ.

Spammers used to do that, but it didn't involve any address spoofing,
just routing games. The bad guy had a T1 and a dialup into the same
box. It used the IP of the dialup for its traffic but sent outbound
packets over the T1, getting return packets via the dialup. Since
spamming involves a lot more outbound than inbound traffic, this still
let them use most of the T1.

When the dialup ISP noticed and cancelled the dialup account, they'd
just switch to another one, typically using a stack of free trial AOL
disks.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.