* A spamware daemon is installed on the dedicated server, to keep
the network interface in promiscuous mode
* The daemon determines which IP addresses on the local subnet are
not in use. It also determines the addresses of the network routers.
One or more unused IP addresses are commandeered for use by the
* The perp server sends unrequested ARP responses to only the
gateway routers, so that the routers never have to ask for a layer-3
to layer-2 association -- it's alway in the ARP cache of the routers.
Nobody else sees this traffic in an EtherSwitch fabric, so ARPWATCH
and its kin are defeated. Pings and traceroutes also fail with "host
unreachable.". The daemon then only has to watch on the NIC, in
promiscuous mode, for TCP packets to the hijacked address on port 80,
and pass them down the tunnel to the remote Web server.
* Finally, GRE and IPIP tunneling is used to connect the stolen IP
addresses to the spammer's real servers hosted elsewhere.
The end result is that the spammer has created a server at an IP
address which not even the owners of the network are aware of.
And if one went to http://www.senderbase.org/ and monitored their own IP block, wouldn't the spammer appear there? Or just plain monitoring spikes in outgoing port 25 traffic should alert someone that something is amiss.