[nsp-sec] ACK AS8419 [DDoS - City of New York]
Smith, Donald
Donald.Smith at CenturyLink.com
Tue Aug 23 11:44:14 EDT 2011
Well, spoofed FROM addresses shouldn't get bounced back, but when they spoof some of the Received headers it makes it harder to automate it so the rejection doesn't get sent :(
From:
http://garwarner.blogspot.com/2011/08/new-york-city-uniform-traffic-ticket.html
"The email contains several falsified header indicators, including at the most basic level that it claims to come from "@nyc.gov". In addition to this, however, there has been a "Received:" tag added to make it appear to have originated from a legitimate New York City IP address:
Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530"
But other than trying to make sure your email system doesn't just automatically send bounces based solely on the FROM address, there isn't too much anyone can do about this traffic.
Ignorance is Bliss. "Bliss (Basic Language for Implementation of System Software) was a
systems programming language originally for the PDP-10 and DECsystem-20 written at CMU." Kevin Oberman RTD
Donald.Smith at CenturyLink.com
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Zoe O'Connell
> Sent: Tuesday, August 23, 2011 4:56 AM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] ACK AS8419 [DDoS - City of New York]
>
> ----------- nsp-security Confidential --------
>
> On 22/08/11 19:23, Joel Rosenblatt wrote:
> > Hi,
> >
> > File attached re-sorted by ASN for the comfort of the reader :-)
> >
> > Also, ack for ASN 14
> >
> > Thanks,
> > Joel
>
> ACK AS8419, although this is a known mail server so looks like it's
> just blowback - not sure there's much we can do in this instance.
>
>
>
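The bounce decision discussed above, as an added example that is not part of the original post or of the blog it quotes: trust only the Received line stamped by your own MTA, and generate a bounce only when that connecting IP is authorized for the envelope sender's domain. The host name mx1.example.net, the AUTHORIZED table (a stand-in for an SPF lookup), the function names and the sample messages are assumptions constructed for illustration; a single inbound hop is assumed.

```python
import email
import ipaddress
import re

OUR_MTAS = {"mx1.example.net"}  # assumed name of our own boundary MTA
# Constructed stand-in for an SPF lookup: networks allowed to send for a domain.
AUTHORIZED = {"nyc.gov": [ipaddress.ip_network("167.153.240.51/32")]}
HOP_RE = re.compile(r"from\s+\S+\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+([^\s;]+)")

def _hops(raw):
    """(ip, by_host) per Received line, newest first; None where unparseable."""
    msg = email.message_from_string(raw)
    found = (HOP_RE.search(h) for h in msg.get_all("Received", []))
    return [(m.group(1), m.group(2).lower()) if m else None for m in found]

def claimed_origin(raw):
    """Oldest Received line: sender-controlled, so it can be forged."""
    hops = _hops(raw)
    return hops[-1][0] if hops and hops[-1] else None

def peer_ip_at_boundary(raw):
    """IP that really connected to us: newest line only, and only if we stamped it."""
    hops = _hops(raw)
    if not hops or hops[0] is None or hops[0][1] not in OUR_MTAS:
        return None
    return ipaddress.ip_address(hops[0][0])

def bounce_allowed(raw, envelope_from):
    """Send a DSN only if the connecting IP is authorized for the sender domain."""
    peer = peer_ip_at_boundary(raw)
    domain = envelope_from.rpartition("@")[2].lower()
    return peer is not None and any(peer in n for n in AUTHORIZED.get(domain, []))

# Constructed samples; the second Received line of SPOOFED is the one quoted above.
SPOOFED = (
    "Received: from mail.sender.test ([203.0.113.45]) by mx1.example.net;"
    " Wed, 03 Aug 2011 06:50:47 +0000\n"
    "Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx;"
    " Wed, 03 Aug 2011 12:20:46 +0530\n"
    "From: noreply@nyc.gov\n\nbody\n"
)
LEGIT = (
    "Received: from nyc.gov ([167.153.240.51]) by mx1.example.net;"
    " Wed, 03 Aug 2011 06:50:47 +0000\n"
    "From: noreply@nyc.gov\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, claimed_origin(raw), peer_ip_at_boundary(raw),
              bounce_allowed(raw, "noreply@nyc.gov"))
```

For the spoofed sample the forged line still reports 167.153.240.51 as the origin, but the boundary check sees 203.0.113.45 and suppresses the bounce.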