Getting SPAM from 118.189.136.119 relayed by rr.com ?
this network is not allocated, nor announced. I have been looking everywhere
to find if it has been announced (historical bgp update databases, like RIS
RIPE / CIDR REPORT / etc..)... I didnt found anything.... this probably mean
rr.com is routing that network internaly.
"Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"
If there is any rr.com guy around. Could you please check this?
Thanks,
Pascal
"Received: from [118.189.136.119] by smtp-server1.cfl.rr.com with NNFMP;"
what's the next/previous line? (The one just above it)
Kind Regards,
Frank Louwers
ditto. I think you've been fooled by forged headers. Not only is that IP
in a reserved block, I've never heard of the NNFMP protocol except as
referenced in poorly forged headers.
Getting SPAM from 118.189.136.119 relayed by rr.com ?
this network is not allocated, nor announced. I have been looking everywhere
to find if it has been announced (historical bgp update databases, like RIS
RIPE / CIDR REPORT / etc..)... I didnt found anything.... this probably mean
rr.com is routing that network internaly.
This is very likely to be a known exploit I have been tracking. In all the
cases which we have so far confirmed, the spam was not relayed, but proxied
by a trojan executable which is able to mimic a "previous" header with such
a degree of accuracy that it is indistinguishable from the genuine article!
If there is any rr.com guy around. Could you please check this?
Our advice would be that the server-that-connected-to-you needs to be taken
offline by the security people at its site (which you say is RoadRunner) and
they should have ALL its disk(s) imaged for forensic analysis purposes.
Our experience is that sites hit by this exploit will do basic checks on
the server and claim it is uncompromised and "cannot possibly be sending
that spam". Such a claim would be entirely incorrect. You would need to
persuade them that something is wrong, which is difficult at the best of
times. RoadRunner being involved in this case suggests this may *not* be
the "best of times".
Look carefully at the headers again. I have seen a few like this running
around. The IP listed is not actually an IP, but marked as a supposed
FQDN. The ones I have seen appear to originate out of brazil for the most
part. I do not have a sample handy at the moment, but if someone wants it
(for whatever reason), just let me know.
Matt
I've never heard of the NNFMP protocol
It's the latest spammer exploit the "Network Nonsense - Fools Most People"
exploit. You've not been hit by that one yet, then?
I have run into a considerable number of these that include headers
suggesting that they were relayed through my server, but I have verified
my logs, and the messages never even touched any of my machines.
But precisely which logs are you looking at?
The SMTP logs from your mail server or the machine's IP connection log?
It seems that one of the new tricks is to throw some BS headers in there
before relaying the message, just to throw a monkey wrench in the works.
That is one of the older tricks in the book. The latest revision is to
throw some _matching_ headers in there so that it looks entirely genuine.
If you have a trojan executable on a server as well as an "authorised" mail
server then any mail sent by the trojan will NOT appear in the logs of the
SMTP server, but WILL appear on the next hop as coming from your server and
the only way to tell the difference is by examining the connecting port as
seen coming from your server by the machine at next hop.
It would be useful if this exploit could be named and documented at
least for one known instance -
Regards,
Lars Higham
I name this
Weird-118rr
Okay, but what's the trojan signature look like?
How should people be checking to see if they're compromised?