Bronek - Do you have the supposed spam plus the headers? A lot of these spam clowns are using people's email addresses in the From line, and then that person gets nailed with all the complaints. A quick look at the headers reveals the originating MTA and client that sent it. It's happened to me and some clients, so this is becoming a popular way to spam people. Hope this helps.

As far as IRC goes, as far as I know, unless you have some really wild configuration I would say it's not possible to send via IRC. There are some IRC services that allow the sending of email, but I don't believe they are widely used, for this very reason.

Best regards,
Bill
Chief Security Officer
CyberBase7 Security Services
METRO-SOC
WWW: http://mss.cyberbase7.com
PH: 972-782-6595
cell: 469.766.9692

-----Original Message-----
From: Bronek Kozicki [mailto:brokat_private]
Sent: Sunday, March 02, 2003 6:36 AM
To: incidentsat_private
Subject: sending out spam through IRC server ?

Hi guys

Recently I received some complaints about spam apparently sent from one of my servers (Win2K + SP3 + recent hotfixes). The problem is that:

- this server is firewalled and accepting only HTTP, HTTPS (IIS5) and IRC (Faerion IRC Daemon) connections
- firewall is not an open proxy
- firewall is not allowing incoming SMTP connections
- firewall is allowing outgoing SMTP connections
- local SMTP is used by CDO components in a number of web sites running on this server

and well, you could probably stop reading here and tell me to check SMTP logs and/or search for some "leaky" web form for sending spam. I did. Actually, crawling through SMTP logs and ASP code was the first thing I did after receiving the first complaint. I'm 100% sure that spam was *not* sent using SMTP in IIS5. I have 2 reasons to believe so:

1. IIS5 SMTPSVC has to accept a message and create a suitable "Received:" header before sending anything out. This might be "mail pickup" or actual incoming SMTP connections. Complaints I have received do not have such a header.
2. SMTP is logging all outgoing communication, and I do not have any traces in logs that could be connected with this spam. Of course, I have other traces of outgoing messages; all are verified to be valid and coming from CDO.

The other thing one could ask me for would be to check if my IIS was not compromised. That would be fairly difficult even for a motivated hacker - I have very strict security settings (like "hisecweb" plus extra hardening) on the server, and all recent fixes. I'm also positive that there's no open proxy on the firewall or running locally on the server.

So here I am, with spam holding my IP in the lowest "Received:" header and no traces. There are only two things I can think of:

1. some leaky web form NOT using CDO/CDONT to send out messages (and something else instead)
2. Faerion IRC daemon ver. 1.17.6. I installed it and configured it for handling only local chat sessions (not connected to any IRC network)

What I'm asking you for is to tell me if it is possible to use an IRC daemon for sending out spam? I do not know much about configuring IRC daemons, so there might be some settings that I left default=unsecure.

Any thoughts?

TIA
B.

----------------------------------------------------------------------------
Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
----------------------------------------------------------------------------
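Bill's advice to read the Received: chain rather than the From: line, and Bronek's remark that his IP appears in the lowest Received: header, both come down to the same question: which Received: lines can you actually trust? The following is an added example, not part of either message and not code from either author. It walks the Received: chain of a constructed spam sample top-down and stops at the first hop that was not recorded by an MTA in a "trusted" set. The sample message, every hostname and address in it, and the trusted set are all made up for the example.

```python
"""Added example (not from the original thread): find where a piece of mail
really entered the mail system by walking its Received: chain. The sample
message below and all names/addresses in it are constructed."""
import email
import re

# Constructed spam complaint with full headers. The From: line names an
# innocent domain; only the Received: lines show the real entry point.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbox.example.org (Postfix) with ESMTP id 123ABC
\tfor <victim@example.org>; Sun, 02 Mar 2003 06:30:01 -0800
Received: from relay.example.net ([192.0.2.20])
\tby mx1.example.net with ESMTP; Sun, 02 Mar 2003 06:29:58 -0800
Received: from innocent-server.example.com ([203.0.113.7])
\tby relay.example.net with SMTP; Sun, 02 Mar 2003 06:29:55 -0800
From: someone@innocent-server.example.com
To: victim@example.org
Subject: constructed spam sample

body
"""

# "from <claimed host> (<optional rdns [ip]>) ... by <receiving host>"
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"            # host the sender claimed to be (HELO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # what the receiver saw: rdns and [ip]
    r".*?\bby\s+(?P<by>\S+)",           # MTA that wrote this Received: line
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received: hops in header order (topmost = most recent)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())   # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue                      # e.g. "Received: (qmail ...)" style lines
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo").rstrip(";,"),
            "ip": ip.group(1) if ip else None,   # address the receiving MTA saw
            "by": m.group("by").rstrip(";,"),
        })
    return hops


def origin_ip(hops, trusted_by):
    """Walk top-down while each line was written by an MTA in trusted_by.
    The connecting IP recorded by the last trusted hop is the sender as far
    as we can verify. Every Received: line below that point was already
    inside the message when the trusted MTA got it, so the sender could
    have written it; a host named there is not evidence of origin."""
    verified = None
    for hop in hops:
        if hop["by"] not in trusted_by:
            break
        verified = hop["ip"]
    return verified


def analyze(raw, trusted_by):
    """Summarise the chain; From: is kept only to show it is not evidence."""
    hops = parse_hops(raw)
    msg = email.message_from_string(raw)
    return {
        "from_header": msg["From"],      # trivially forgeable
        "claimed_origin": hops[-1]["helo"] if hops else None,
        "origin_ip": origin_ip(hops, trusted_by),
        "hops": hops,
    }


if __name__ == "__main__":
    # Assumed trusted set: the complainant's own MX and its upstream relays.
    trusted = {"inbox.example.org", "mx1.example.net", "relay.example.net"}
    report = analyze(SAMPLE, trusted)
    for hop in report["hops"]:
        print(f"{hop['by']:<20} saw {hop['ip'] or '?':<14} claiming to be {hop['helo']}")
    print("From: header says   ", report["from_header"])
    print("verified sender IP  ", report["origin_ip"])
```

With all three MTAs trusted the script reports 203.0.113.7 as the verified sender; with only the complainant's own MX trusted it can vouch for no more than 192.0.2.10, and with none trusted it returns None. That is the check to apply to a complaint like the one Bronek received: an IP in the lowest Received: line is only evidence if the MTA that wrote that line is one the complainant can vouch for.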
This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 08:33:11 PST