i was exploited...now i want payback!

sneakyimp

so i goofed. i wrote a contact form handler that was vulnerable to exploit and now folks have been using my site as spam relay.

i can alter my script and collect all the IP addresses that come to visit. I can collect the forwarded-by ip if they are using a proxy.

but what then? i want PAYBACK :mad: ...or, at the very least, i would like to try and report these ip access to somebody -- either as hackers or compromised machines at the very least.

can anyone recommend something that will at least make me feel better?

dalecosp

sneakyimp wrote:
can anyone recommend something that will at least make me feel better?

Death by chocolate?? 😃

I'm not sure how to answer it, but it's intriguing. "echo $BADGUY_IP >> /etc/hosts.deny" ??

Piranha

I thinik that some ISPs close down the Internet account if people are acting like idiots on the Internet. I would collect the IP and the time, and then contact the ISPs of the persons, then hopefully they will cause trouble for the persons that spam.

stolzyboy

not a good idea to "retaliate" persay... i'd just use the info you have to secure yourself even better...

it's a lesson learned, a hard one although...

i doubt an ISP would do something about relaying through a form, but you can give it a whirl

stolzyboy

sneakyimp

I've already had two computers shut down by find the appropriate contacts through ARIN lookup. ISPs seem grateful when you clue them into botnet participants on their network.

I'm guessing that's futile, however. the botnet is just so....HUGE.

dalecosp

sneakyimp wrote:
I've already had two computers shut down by find the appropriate contacts through ARIN lookup. ISPs seem grateful when you clue them into botnet participants on their network.

I'm guessing that's futile, however. the botnet is just so....HUGE.

And so dynamic.

Of late, I've got the IP of every machine that sends me spam and have a set of scripts that allow me to write it to "hosts.allow" as DENIED on both my MTA's. I also have a lil' script that tells me if anyone with actual reverse DNS is on that class C, and, if not, I block the entire subnet.

So, there's only 16 million possibilities. I figure if I can ban 1283 subnets a day, I'll be totally protected from spam by the time I'm 75 years old!!! Wahoo! :rolleyes:

sneakyimp

wow! that sounds handy. any chance you wanna share :-D

sneakyimp

THANKS brad....that is kind of what I'm looking for -- however, it asks for the name and address of the person who exploited me. Truth be told, I have no idea who that is.

Does anybody remember the 'Can Spam Act?' It was U.S. Congress' effort to stop unsolicited bulk email - and is obviously failing.

dougal85

sneakyimp wrote:
Does anybody remember the 'Can Spam Act?' It was U.S. Congress' effort to stop unsolicited bulk email - and is obviously failing.

Do you know if they are from the US?

stolzyboy

most spammers are out of the US jurisdiction... ie nigeria, any *akia country, etc... the US authorities can do nothing about them

dougal85

stolzyboy wrote:
most spammers are out of the US jurisdiction... ie nigeria, any *akia country, etc... the US authorities can do nothing about them

agree'd, exactly what i was getting at. They would even have a hard time doing anything about somebody european etc. despite having contacts.

The only way i could see spamming ending is if the internet was censored... but imagine that...

sneakyimp

i'm fully aware of the international thing. that's why i asked about payback instead of legal help. interestingly, about half of the IPs that were capitalizing on my exploit were US addresses.

and it's not so much the spam that bothers me...i can ignore junk snail mail just fine. it's the botnet...hijacking people's computers, forging addresses, that sort of dishonest thing. surely there is some way to solve this problem.

dalecosp

Does anybody remember the 'Can Spam Act?' It was U.S. Congress' effort to stop unsolicited bulk email - and is obviously failing.

Nah, "CAN SPAM" act was just that. Now you 'can spam' all you want.

surely there is some way to solve this problem.

Force everyone to run a Linux or a BSD?

any chance you wanna share :-D

Np, 'tis attached. Hit 'em in the nuts with this if you like. However, it can hit you sometimes, too.

Keep in mind I'm a hacker, not a Real Programmer. This is not quite Ready for Prime Time, but it works for what I'm doing; flat-out rejection of suspected spam servers. Currently we're rejecting from 800 to 1600 server connections per day with this, per MTA (average volume is 1.5-2.5K mails/day). However, it would be better to run a "learning" filter if you really just want to get rid of spam more quickly, and train it often. I've got SpamAssassin running on the box behind the MTA's that actually does local delivery (but lately I've been forgetting to train Spamassassin since I've been working with this stuff).

The thought is that if it doesn't get delivered, it hurts the spammer. Maybe we can argue about that next....

Also, keep in mind that people whose MTA's reverse DNS isn't assigned properly may have trouble when you start blocking ".ded.swbell.net", ".adsl.gulftel.net", ".static.qwest.net", etc. That's been this past week's headache with one of our bigger clients.

dalecosp

Bah! I'd forget my noggin.....

Versions for 'Nix and DOS endlines. Scripts are in the "spamstuff" file.

How to use: 1. Put the scripts in your $PATH.

View the source of your spam messages and determine the IP of the originating server.
Call "spammer foo" where 'foo' is that IP address, network number or CIDR notation, domain name or portion thereof, per hosts_access(5).
If you have blocked ".somedomain.com", but want their listed MX agents to still be able to call, use "goodhost mx.legit.somedomain.com" (note that "goodhosts" is listed first in /etc/hosts.allow).
If you wish to block an entire class C but don't know if there are any legit servers, call "findhosts aaa.bbb.C" and watch or script the output for legit in-addr.arpa entries.
Don't forget the crontab entries or other means for propagating the information to the server (unless you're already ON the server). 😃

Note that it's also quite likely I'm reinventing the wheel* (for example, I've never looked at the "denyhosts" BSD port, or anything else of the like).

*and rather crudely, at that...