Justin Mason said:
> It's quite annoying; quite a lot actually does seem to come from Africa,
> esp. South Africa, but often even Nigeria. The rest generally comes from
> the US.
Oi!!! And how exactly do you know that they come from South Africa? For
example, the spam that initiated this thread came from UUNet aka WorldCom
(which AFAIR could be South Africa, but could be a number of other places as
well.)
Talking of which, I have recently received a larger than usual number of
spam messages, including 419 scams. Almost without exception, they seem to
originate in Malaysia?
One interesting example was for www.brandedcigarettes.com. Out of curiosity,
I ran a port scan on their web server[1] and it turned up:
======================================
Port        State     Service
25/tcp      open      smtp
79/tcp      open      finger
80/tcp      open      http
110/tcp     open      pop-3
135/tcp     open      loc-srv
139/tcp     open      netbios-ssn
443/tcp     open      https
445/tcp     open      microsoft-ds
1025/tcp    open      listen
5800/tcp    open      vnc
5900/tcp    open      vnc
8080/tcp    open      http-proxy
31337/tcp   filtered  Elite
Remote operating system guess: Windows 2000 Professional, Build 2183 (RC3)
======================================
Now either this is a classic case of a Windows admin being hopelessly
stupid, or a very obvious honeytrap. Since they are in the spamming
business, my guess would be that it is plain old stupidity. At least the web
server is not IIS but a Java-based server called Resin, and instead of
Exchange they are using ArGoSoft PRO[3], although these seem to have their
own vulnerabilities.
I also could not help wondering about the two VNC ports. Could it be that this
box is administered remotely? Or has someone already rooted the box?!?
Ah, I seem to have wandered somewhat off topic. I can only drag this thread
back kicking and screaming by saying just how wonderfully careful all us
Linux (and BSD) admins are. Now if you will excuse me, I have to find out
why my first firewall rule is "ACCEPT all all"?!?
- Matthew
[1] I realise it is not considered polite to scan another person's box. But I
figure that since they saw fit to spam me, this is a suitable
complimentary response[2]. I have no desire to own the box. Besides, I will
no doubt be crowded out by all the other denizens of the night that are
already using it as a staging post for the next cyber-world-war...
[2] Especially since I had been "Selected from a special list". Right, like
I sooo want to give my credit card number to a dodgy foreign company so that
I can pay import duties for cigarettes I will never smoke.
[3] All right then. I admit it. I just had to find out what they were using.
Curiosity got the better of me. Maybe I should go get some sleep instead.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland.