Firewalls and open proxies used by spammers?

Joel Rubin

Nov 25, 2002, 1:13:21 PM
I've noticed recently that quite a bit of spam seems to be coming
"from" IPs that are listening on ports 21, 389, 1002 and 1720. From a
web search I gather this is typical of the application proxy which is
part of the firewall which ships with XP.

Could someone please explain to me what is going on? How do the
spammers use these ports? How can one configure the XP and other
firewalls to stop this sort of abuse?

Two examples, one in my own experience, one taken from
news.admin.net-abuse.sightings.

61.170.139.74 in China takes connections on ports 21, 389, 1002 and
1720. The organization being promoted has phone numbers in Manhattan,
NYC.

>Return-Path: <mark...@chmailnet.com>
>Received: from shsmu.edu.cn ([61.170.139.74])
> by merlin (EarthLink SMTP Server) with ESMTP id 18fZOl4gF3NZFlq0
> for <jmr...@ix.netcom.com>; Sun, 24 Nov 2002 08:40:43 -0800 (PST)
>Received: from html (localhost [127.0.0.1])
> by shsmu.edu.cn (8.10.2+Sun/8.10.2) with SMTP id gAMM3w902218;
> Sat, 23 Nov 2002 06:03:59 +0800 (CST)
>Message-Id: <200211222203...@shsmu.edu.cn>
>From: jmr...@popd.ix.netcom.com
>Reply-To: mark...@chmailnet.com
>To: jmr...@popd.ix.netcom.com
>Subject: Email Marketing Works! Time:3:54:38 PM
>Date: Fri, 22 Nov 2002 15:54:38
>Mime-Version: 1.0
>Content-Type: text/html; charset="DEFAULT"
>
[...]
=========================================================
Example #2, suspected proxy is in Peru, chain letter fool in the
sender's position is in Calgary, Alberta, Canada. None of the future
gazillionaires are in Latin America.

>Received: from 211.163.123.51 [161.132.92.123] by mail.ev1.net
> (SMTPD32-6.06) id A79C9B3700EA; Mon, 25 Nov 2002 01:56:12 -0600
>From: Mika <mik...@hotmail.com>
>To: REDACTED
>Cc:
>Subject: PARENTS OF 15 - YEAR OLD - FIND $71,000 CASH HIDDEN IN HIS
>CLOSET!
>Sender: Mika <mik...@hotmail.com>
>Mime-Version: 1.0
>Content-Type: text/plain; charset="iso-8859-1"
>Date: Mon, 25 Nov 2002 00:53:30 -0700
>X-Mailer: Microsoft Outlook Express 5.00.2615.200
>Message-Id: <20021125015...@211.163.123.51>
>X-RCPT-TO: <REDACTED>
>X-UIDL: 1637
>Status: U
>
>
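
Added example, not part of either post: in a Received line the bracketed address is what the receiving server recorded for the connecting peer, while the name before it is only what the client announced. The Python below parses both layouts seen in the quoted headers and flags hops where the two disagree or the peer is non-routable; `parse_hops` and `flag` are hypothetical helper names, and the sample input is the Received lines quoted above with the `>` prefix stripped.

```python
import ipaddress
import re

# Two layouts appear in the quoted headers:
#   from HELO (rdns [IP]) by HOST    (first message)
#   from HELO [IP] by HOST           (second message, SMTPD32)
RECEIVED = re.compile(
    r"from\s+(\S+)\s+\(?([^\[\]()]*?)\s*\[([\d.]+)\]\)?\s+by\s+(\S+)")

# Received lines copied from the two quoted messages, unquoted and trimmed.
SAMPLE_1 = """Received: from shsmu.edu.cn ([61.170.139.74])
 by merlin (EarthLink SMTP Server) with ESMTP id 18fZOl4gF3NZFlq0
Received: from html (localhost [127.0.0.1])
 by shsmu.edu.cn (8.10.2+Sun/8.10.2) with SMTP id gAMM3w902218;
 Sat, 23 Nov 2002 06:03:59 +0800 (CST)
"""
SAMPLE_2 = """Received: from 211.163.123.51 [161.132.92.123] by mail.ev1.net
 (SMTPD32-6.06) id A79C9B3700EA; Mon, 25 Nov 2002 01:56:12 -0600
"""

def parse_hops(raw_headers):
    """Return one dict per Received line, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED.search(line) if line.lower().startswith("received:") else None
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "by": by,
                         "peer": ipaddress.ip_address(ip)})
    return hops

def flag(hop):
    """Triage notes for one hop."""
    notes = []
    try:
        if ipaddress.ip_address(hop["helo"]) != hop["peer"]:
            notes.append("helo-ip-mismatch")
    except ValueError:
        pass  # announced name was a hostname, not an IP literal
    if hop["peer"].is_loopback or hop["peer"].is_private:
        notes.append("non-routable-peer")
    return notes

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_1) + parse_hops(SAMPLE_2):
        print(hop["by"], "saw", hop["peer"], "announcing", hop["helo"], flag(hop))
```

Only the hop stamped by your own receiving server is recorded by a machine you control; lines below it were supplied by the sending side and should be read with that in mind.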

NeoSadist

Nov 25, 2002, 3:15:58 PM

"Joel Rubin" <jmr...@ix.netcom.com> wrote in message
news:37p4uukoo89jpmcdp...@4ax.com...


If you can't reconfigure winxp's ICF, getting your own firewall and
disabling ICF may be the only option.
