Tracking the "Olga Spammer"


Tracking the Olga Spammer (or lack thereof...)

Yep-- he's at it again... 

First of all, in regard to the first attack: I have been informed
that at least two states are pursuing criminal investigations against
this person.  

The first time, we were able to localize him by looking at majordomo
logs to find his request for the grouplist.  Assuming that he used the
existing list, this won't work again.  (I further assume that the
majordomo admin's list is verifying that he didn't send another run of
lists commands.) 

The messages themselves that seem to be from byu.edu are not-- they
are being inserted by IBM mainframes running an IBM TCPIP package.
This package does not verify the information it is given on the "helo"
line, and does not log the ip address of the connection.  Therefore,
the admins of these sites most likely cannot trace who is doing this.

This is clearly a serious deficiency in IBM's software.  If there is
sufficient momentum behind me, I may try to have this classified by
CERT (or other agencies) as an exploited security hole.  Hopefully
this will pressure IBM to offer a "fix" for this problem.  

Also, if people wish to send me copies of this one, PLEASE put
"(SPAM)" in the subject (that's caps SPAM inside parens), so that you
aren't spamming my mailbox!  If you do this, please please include the
*complete* headers (with Received lines)-- the message is of no use to
me without them....
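The two points above (a relay that trusts the "helo" name and logs no IP is a dead end, and a copy without its Received lines is useless) can be checked mechanically. The following is an added example, not code from the original post: it parses the Received chain of a constructed sample message (hostnames, IP and ids are placeholders), walks it from the earliest hop toward the recipient, and reports at which hop the trace stops because the relay recorded only the claimed HELO name. A list admin can run the same check over a forwarded complaint to tell a real origin from a forged one before mailing anybody.

```python
import re
from email import message_from_string

# Constructed sample, not a real message. The list server logged the
# connecting IP, but the earlier mainframe hop recorded only the name it
# was given on the HELO line, so the chain cannot be followed further back.
SAMPLE = """\
Received: from mainframe.example.edu (mainframe.example.edu [192.0.2.10])
\tby lists.example.org (8.8.5/8.8.5) with ESMTP id AA12345
\tfor <list@example.org>; Mon, 3 Mar 1997 10:12:01 -0500
Received: from byu.edu by mainframe.example.edu (IBM VM SMTP V2R3)
   with TCP; Mon, 03 Mar 97 10:11:30 EST
From: someone@byu.edu
To: list@example.org
Subject: (SPAM) example

body
"""

# One Received hop: "from <helo> (<rdns> [<ip>]) by <relay>". The
# parenthesised part is optional because some relays never write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                      # name given on the HELO line
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?"      # optional reverse-DNS name
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"   # optional connecting IP
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw):
    """Return the hops newest-first; 'ip' is None when the relay did not log it."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m is None:
            hops.append({"helo": None, "rdns": None, "ip": None, "by": None, "raw": flat})
        else:
            hops.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
                         "by": m["by"], "raw": flat})
    return hops


def classify(hop):
    """Say whether a hop is evidence (an IP was logged) or only a claim."""
    if hop["ip"] is None:
        return "untraceable"   # relay trusted the HELO name and logged nothing else
    if hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
        return "helo-mismatch"  # HELO name disagrees with the reverse DNS of the IP
    return "traceable"


def last_traceable_hop(raw):
    """Walk from the earliest hop toward the recipient and return the first one
    that recorded a connecting IP.  Everything before it is unverifiable."""
    for hop in reversed(parse_received(raw)):
        if hop["ip"] is not None:
            return hop
    return None


def trace_report(raw):
    """Human-readable summary, earliest hop first."""
    hops = parse_received(raw)
    if not hops:
        return ["no Received lines: headers were stripped, message is of no use"]
    lines = []
    for hop in reversed(hops):
        lines.append(f"{classify(hop):13} helo={hop['helo']} ip={hop['ip']} by={hop['by']}")
    stop = last_traceable_hop(raw)
    if stop is not None:
        lines.append(f"trace stops at {stop['by']}: it is the first relay that logged an IP "
                     f"({stop['ip']}); ask that site's admin, not the HELO name's owner")
    return lines


if __name__ == "__main__":
    for line in trace_report(SAMPLE):
        print(line)
```

The sample shows why the "byu.edu" origin is worthless: the mainframe hop is classified "untraceable", and the report points at the first relay that did log an address, which is the only site whose logs can say anything. A copy with the Received lines stripped produces the "headers were stripped" line and nothing else.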

If people send me the spams, I'll compile a list of the abused sites
and send a message to their admins that will hopefully explain things
better than the flames I'm sure they are currently getting.

Also, although it might be possible to get IBM to plug this hole, that
does NOT solve the problem.  There are far too many other ways to hide
on the net.  As in all such matters on the net, security starts at
home.  I can think of VERY few reasons why lists should be open to
submissions from non-members.  (The problem of foo.bar.com vs.
baz.bar.com is solved by the majordomo "mungedomain" setting.)

As always, I'll keep updates as they happen on my home page,
http://www.panix.com/~lan

--L


Email: lan@panix.com