[Coco] source of recent spammer

Aaron Wolfe aawolfe at gmail.com
Sun Jul 12 23:03:19 EDT 2009


TCP is extremely difficult to spoof over routed networks.  Unlike UDP,
ICMP and some other protocols, TCP uses a bidirectional handshake when
establishing a connection and sequence numbers to identify packet
order. While it's trivial to send a packet with a forged source, it's
near impossible to receive the response.  The one exception to this is
when you are able to use ARP to spoof the physical address of a
victim's gateway, but this only works when you are on the same
broadcast network (essentially the same LAN) as the victim.  Not
something you can do on the internet.

It is very likely that these HTTP connections do indeed come from the
IP addresses recorded in the logs.  Not that it really helps :)

-Aaron

On Sun, Jul 12, 2009 at 7:22 PM, Sean<badfrog at gmail.com> wrote:
> I highly doubt it's actually a Google IP address or employee.  (Or
> that they would even respond to someone owning a single forum being
> spammed)
> Most likely the IPs are just spoofed.
>
> On Sun, Jul 12, 2009 at 4:47 PM, Gene Heskett<gene.heskett at verizon.net> wrote:
>> On Sunday 12 July 2009, Roger Taylor wrote:
>>>66.249.67.243 IP address location & more:
>>>IP address: 66.249.67.243
>>>IP country code: US
>>>IP address country: United States
>>>IP address state: California
>>>IP address city: Mountain View
>>>IP postcode: 94043
>>>IP address latitude: 37.4192
>>>IP address longitude: -122.0574
>>>ISP of this IP: Google
>>>Organization: Google
>>>Host of this IP: crawl-66-249-67-243.googlebot.com
>>>Local time in United States: 2009-07-12 12:18
>>>
>>>
>>>One aggressive spammer has been coming in with IP ranges 66.249.*.*
>>>All traces have pulled up the above information.  Why and how would a
>>>googlebot be posting porn to my forums?  Could the IP addresses be
>>>fake or spoofed?
>>
>> I don't know the answer to the last question, but I sure would be advising
>> Google of it.  Perhaps they need to weed the employee garden?
>>
>> --
>> Cheers, Gene
>> "There are four boxes to be used in defense of liberty:
>>  soap, ballot, jury, and ammo. Please use in that order."
>> -Ed Howdershelt (Author)
>> The NRA is offering FREE Associate memberships to anyone who wants them.
>> <https://www.nrahq.org/nrabonus/accept-membership.asp>
>>
>> We are using Linux daily to UP our productivity - so UP yours!
>> (Adapted from Pat Paulsen by Joe Sloan)
>>
>>
>> --
>> Coco mailing list
>> Coco at maltedmedia.com
>> http://five.pairlist.net/mailman/listinfo/coco
>>
>
>
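
Since the logged addresses are most likely genuine, the remaining question is whether a 66.249.x.x client really is Google's crawler; forward-confirmed reverse DNS answers that from the log's IP alone. This is an added example, not part of the original thread: the function names, the suffix list and the sample records (other than the PTR name quoted above) are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumed list of PTR suffixes used by Google's crawlers; the name quoted in
# the thread (crawl-66-249-67-243.googlebot.com) falls under the first one.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed sample records so the check can be exercised offline.
SAMPLE_PTR = {
    "66.249.67.243": "crawl-66-249-67-243.googlebot.com",
    "203.0.113.9": "crawl-66-249-67-243.googlebot.com",  # PTR set by block owner
    "198.51.100.7": "host7.example.net",
}
SAMPLE_A = {"crawl-66-249-67-243.googlebot.com": {"66.249.67.243"}}

def system_reverse(ip):
    """PTR lookup with the system resolver: IP -> hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """Forward lookup: hostname -> set of address strings (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_crawler_ip(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, detail) for a client IP taken from the web log."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed field
    host = reverse(ip)
    if not host:
        return "unverified", "no PTR record"
    host = host.rstrip(".").lower()
    # Whoever owns an address block controls its PTR records, so the name
    # alone proves nothing: check the suffix, then confirm it resolves back.
    if not host.endswith(CRAWLER_SUFFIXES):
        return "unverified", f"PTR {host} is not a crawler name"
    if ip not in forward(host):
        return "forged-ptr", f"{host} does not resolve back to {ip}"
    return "verified", host

if __name__ == "__main__":
    for addr in SAMPLE_PTR:
        lookup = lambda h: SAMPLE_A.get(h, set())
        print(addr, verify_crawler_ip(addr, SAMPLE_PTR.get, lookup))
```

Called with only the IP, the function uses the system resolver; the sample tables stand in for DNS so the three outcomes can be seen without network access.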


