Re: phishing attacks -- where to look first?



On Fri, 11 Apr 2008 03:17:50 GMT,
Jason Bourne <j_bourne_treadstone@xxxxxxxxxxx> wrote:
[snip]
> I suspect that this is very likely as well. But the question asked
> was "where to look first?" Me, I'd start at the very beginning and work my
> way through it. But that is my method, start at the beginning and tug on
> the thread a little at a time until the entire carpet comes apart. It just
> seems to me the starting point is the ISP who declared this a phish box.
> Find out what he knows, or doesn't know, as the case may be.

Sure. But mind that the OP was asking for help. Having been in such a
situation[1], I expect that it would be more helpful to start asking
when you know very precisely what, if anything, is wrong on your end.
Never mind that, the usual ISP business being what it is, there is
very little information to be had in the first place.


> Understanding how it happened will be valuable when it comes time to rebuild
> the box anew with FreeBSD 7. I do agree with your points entirely, but what
> I was trying to get across is not to begin the process with the arbitrary
> making of assumptions without all the facts.

Of course. In security-related cases, however, it is probably more
prudent to make sure your side is as clean as you can make it, first,
for another reason as well: imagine you are the ISP and you suspect it
may be possible you're dealing with a spammer, as opposed to a drive-by
victim. Then it suddenly doesn't help to give him all the information,
but rather to gather enough evidence and see if he'll hang himself (i.e.
breach the TOS so you can boot him). So, ``hammering them for information''
may not be the wisest course of action.


[1] A redhat $smallnum box under my responsibility got rooted and so I got
to clean up the mess. This involved convincing the network people to
give me back some connectivity so I could get at the patches.
Afterward I replaced redhat with netbsd anyway and it ran lots better.

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.