
IP masking?

  • 15-09-2000 10:17am
    #1
    Registered Users, Registered Users 2 Posts: 6,660 ✭✭✭


    A mate of mine has been having a problem with malicious email attacks. About every month or so he gets a few thousand emails from a different address each time each with a virus attached. He's not stupid enough to open the emails or even view them but when this happens he can't receive any email. We contacted his ISP (Eircom) and asked them to look into it. They returned with the helpful "We could not locate the source of the attack. The individual involved is probably using an IP masking system".

    Is there someone else we should be reporting this to? Does anyone know of any way to track who's doing it? What is an IP masking system anyway?


Comments

  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    can u get one of the headers from the email and post it here, it might be some help

    MiCr0


  • Registered Users, Registered Users 2 Posts: 6,660 ✭✭✭Blitzkrieger


    They're always different too. Usually something like "this is soooo funny". If he didn't send 3,000 with the same subject someone might fall for it.


  • Registered Users, Registered Users 2 Posts: 10,984 ✭✭✭✭Lump


    HE HE, Yea, you might be able to trace it through the servers on the header, But I would assume he would have bounced it off a couple of hundred and back again.


    John


  • Closed Accounts Posts: 7,488 ✭✭✭SantaHoe


    I pitty da fool, just get a new email addy :/


  • Registered Users, Registered Users 2 Posts: 3,316 ✭✭✭ButcherOfNog


    not the subject, the header! :)


  • Registered Users, Registered Users 2 Posts: 18,484 ✭✭✭✭Stephen


    If possible, you could telnet into the mail server and delete the emails before downloading.


  • Registered Users, Registered Users 2 Posts: 4,151 ✭✭✭_CreeD_


    Admittedly I don't know much about this, but methinks Eircom have been a wee bit lazy.
    They should at least have been able to track the mails one stage up the line, ie. tell which router sent all the packets their way, then ask that system operator to trace them and so on.
    IP masking should just stop someone resolving the user's domain name in an easy manner, not actually tracing the packets as they were routed.
    Now, all that could be complete poo, so feel free to blast me out of the water if you actually have a clue about TCP/IP routing and such stuff (as opposed to me....)


  • Closed Accounts Posts: 93 ✭✭PJ Hunt


    Apologies to anyone working for a hosting company here, but it seems to me that the only thing they are concerned with are getting their sub's every month.

    I recently had a major prob similar to this...the reply I got was " due to time zone differences we could not etc etc "

    **** ... **** ... ****

    I've been with the same isp for a year till I dumped em for being absolutely THICK!! Damn tech support couldn't tell me what the TCP/IP numbers were for the dial up after I deleted them !!

    Several down times were attributed to " software problems "

    But I tell ya what...the software runnin the pc which prints the bills every month never went down... oh no...

    ‡PJ‡


  • Registered Users, Registered Users 2 Posts: 1,004 ✭✭✭Lord Khan


    Originally posted by Blitzkrieger:
    A mate of mine has been having a problem with malicious email attacks. About every month or so he gets a few thousand emails from a different address each time each with a virus attached. He's not stupid enough to open the emails or even view them but when this happens he can't receive any email. We contacted his ISP (Eircom) and asked them to look into it. They returned with the helpful "We could not locate the source of the attack. The individual involved is probably using an IP masking system".

    Is there someone else we should be reporting this to? Does anyone know of any way to track who's doing it? What is an IP masking system anyway?

    Just means eircom is too lazy to do anything about it; actually most ISPs can't be arsed that way. There is no real defence to mailbombing unless you just use a very strict rule system and only receive email from trusted addresses, but this is a ***** as you have to add new rules for everybody you know.


  • Users Awaiting Email Confirmation Posts: 285 ✭✭sam


    my brother does that.

    and "tracing" email is pointless, you could bounce it off any smtp server on the net, and i don't think mail.geocities.com (for example) will look over its logs to see what ip mailed where at what time, etc.


  • Registered Users, Registered Users 2 Posts: 1,328 ✭✭✭Sev


    Well.. The IP of the guy that is sending u the email, should be in the email header. Then what u would need to do.. or what eircom would need to do.. is trace the ip addy, contact his ip, ask who was on at this time using this IP addy, and then their isp would ban them or something. Of course if he was smart he would be doing this through a proxy, or blind ip spoofing which is **** difficult over the internet if not impossible. So if you were to retrieve his ip from the IP header.. it would be the wrong one neways :(


  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    even if the mail was bounced off a couple of mail servers the originating ip address is still in the header
    in the example below it is 206.180.234.71
    should be easy from there :)


    Return-path: <a1pyrat@tdl.com>
    Envelope-to: dmeagher@eircom.net
    Delivery-date: Wed, 27 Sep 2000 01:09:12 +0100
    Received: from orca.ucd.ie ([137.43.4.16])
    by kodos.tinet.ie with smtp (Exim 2.05 #23)
    id 13e4me-0006NH-00
    for dmeagher@eircom.net; Wed, 27 Sep 2000 01:09:12 +0100
    Received: (qmail 22218 invoked by uid 7200); 27 Sep 2000 00:09:11 -0000
    Delivered-To: dmeagher@orca.ucd.ie
    Received: (qmail 22214 invoked from network); 27 Sep 2000 00:09:11 -0000
    Received: from tdl.com (root@206.180.224.3)
    by orca.ucd.ie with SMTP; 27 Sep 2000 00:09:11 -0000
    Received: from ward.tdl.com (pm5-71.tdl.com [206.180.234.71])
    by tdl.com (8.9.3/8.9.3) with SMTP id PAA07708;
    Tue, 26 Sep 2000 15:23:18 -0700
    Message-Id: <3.0.3.32.20000926152016.0109b88c@tdl.com>
    X-Sender: a1pyrat@tdl.com
    X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
    Date: Tue, 26 Sep 2000 15:20:16 -0700
    To: A1pyrat@tdl.com
    From: Chris Ward <a1pyrat@tdl.com>
    Subject: A businessman on his deathbed
    Mime-Version: 1.0
    Content-Type: text/enriched; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
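
Added example, not part of any poster's message: a reading of the `Received` chain in the header posted above that separates hops recorded by servers the recipient can trust from hops that are only claimed by servers further upstream. The function names and the `TRUSTED` set (the recipient's ISP relay and the forwarding host) are assumptions made for the illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Received lines from the header posted above, with the continuation-line
# indentation (lost in the forum paste) restored so they parse as folded headers.
RAW = """\
Received: from orca.ucd.ie ([137.43.4.16])
\tby kodos.tinet.ie with smtp (Exim 2.05 #23)
\tid 13e4me-0006NH-00
\tfor dmeagher@eircom.net; Wed, 27 Sep 2000 01:09:12 +0100
Received: (qmail 22218 invoked by uid 7200); 27 Sep 2000 00:09:11 -0000
Received: (qmail 22214 invoked from network); 27 Sep 2000 00:09:11 -0000
Received: from tdl.com (root@206.180.224.3)
\tby orca.ucd.ie with SMTP; 27 Sep 2000 00:09:11 -0000
Received: from ward.tdl.com (pm5-71.tdl.com [206.180.234.71])
\tby tdl.com (8.9.3/8.9.3) with SMTP id PAA07708;
\tTue, 26 Sep 2000 15:23:18 -0700

"""

# Assumption: servers whose Received lines the recipient accepts as accurate.
TRUSTED = {"kodos.tinet.ie", "orca.ucd.ie"}

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"^from (\S+) (.*?) by (\S+)")

def received_hops(raw):
    """Return (claimed_name, peer_ip, recording_server) per hop, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())      # unfold continuation lines
        m = HOP_RE.match(line)
        if not m:                           # local hand-off (qmail), no network peer
            continue
        ip = IP_RE.search(m.group(2))
        peer = str(ip_address(ip.group())) if ip else None
        hops.append((m.group(1), peer, m.group(3)))
    return hops

def furthest_verified_peer(hops, trusted_servers):
    """Walk newest to oldest; stop at the first line a trusted server did not write."""
    verified = None
    for _name, peer_ip, recorded_by in hops:
        if recorded_by not in trusted_servers:
            break
        verified = peer_ip
    return verified
```

With these assumptions the furthest peer address vouched for by a trusted server is 206.180.224.3; the 206.180.234.71 line was written by tdl.com itself, so it is only as reliable as that server.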


  • Registered Users, Registered Users 2 Posts: 6,660 ✭✭✭Blitzkrieger


    I've just read about a commercial product called iNet Privacy which is supposed to do just that :( They block people from tracing traffic through their network. What else would it be used for except for illegal purposes? This sort of thing would make it impossible to trace without forcing iNet to allow access to their records, wouldn't it?

    He's decided to change his email but reckons he'll miss out on a load of email because of it with people not updating his address.


  • Users Awaiting Email Confirmation Posts: 285 ✭✭sam


    MiCr0 if you want, i will send you an email and you can knock yourself out trying to get my correct IP address.

