
Thread: I think I need IP Spoofing

  1. #11
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    So if you use the domain name for the mail servers you're getting the wrong IP now?


    If that's the case, you might double check your DNS settings etc... make sure the A records and what not are correct.

  2. #12
    Junior Member
    Join Date
    Oct 2006
    Posts
    9
    thanks for chipping in

    no, that is not what's happening

    If I traceroute from Company-A to mailserver-ISP-B, the trace goes beyond the IP where most of the other traces finish (209.99.224.205) and shows back those 3 additional IPs.

    This seems to happen only from Company-A, using two DNS settings, the usual Company-A DNS settings and an "alternative" one from another provider.

    AFAIK, 209.99.224.5 / 6 are ISP-B's DNSs that have their MX record pointing to them, and I assume connections are forwarded to their mailserver's IP. But this is grasped from a not very helpful ISP-B admin.

    I never discarded some DNS problem, like DNS poisoning, but if I do get to that .205 IP, that is, maybe, a firewall(?) wouldn't it mean the problem is internal routing at their end?
    Last edited by siko9; October 19th, 2006 at 05:23 PM.

  3. #13
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    It seems very odd to me that you can see the hops on their private network. Normally private addresses (RFC 1918) aren't able to be traced over the internet. Are you also on a 10.x.x.x subnet?

    When I trace that address from where I am, 209.99.224.205 is the last hop.

    Like you, I also assume that 209.99.224.205 is the mail server on a public address, or 209.99.224.205 is a router or firewall which NATs/forwards the appropriate ports to the internal mail server.

    Seeing that the hop before it times out, I'd assume that the hop before is the router and 209.99.224.205 is actually a public mail server and it is not natted out. This is just a guess.

    Have you called ISP-B with the additional info?

    Try to escalate it (request to speak with a supervisor or manager) or get another tech who is more willing to help you.

    Is it possible that your mailserver is on some sort of spam blocklist?

    In the meantime, if you have access to some other network, you could always set up a mail relay to get mail to its destination until you figure out what the real problem is.
    Last edited by phishphreek; October 19th, 2006 at 06:15 PM.

  4. #14
    Junior Member
    Join Date
    Oct 2006
    Posts
    9
    So I guess that being able to reach those IPs is closely related to the problem, wherever it is.
    Is there any explanation for this??

    We are not using a similar IP range for public nor private addresses, and we are not in any spam database that is commonly known. ISP-B said he had confirmed we weren't in the one they use.

    Unfortunately, I don't have the resources to set up a mail relay.

    And as to contacting a supervisor... well, I've resorted to packet sniffing and thought it could be useful to spoof IPs to see if I could at least get an error message or anything; that gives you an idea of how useless contacting ISP-B has been so far.

    Maybe I should do it with these 10.x.x.x IPs, but I don't really have hopes about it. Company-B is about to cancel ISP-B's service because of this and they still don't care about it...

  5. #15
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Some places just don't care about losing customers. A person said before that spoofing IPs would be difficult. That is correct. Spoofing UDP is much easier than TCP because TCP requires constant syn/ack back and forth. You have to predict everything the dest. would be sending back to you.

    It sounds like you have a grasp on the basics of TCP/IP. Do some reading on packet crafting and packet spoofing. It is easy to do in theory, but difficult in practice. You can use something like hping to craft packets but you're going to have to predict how the remote machine is going to act/respond to your packet. You'll never see the response. It will be routed to wherever you crafted the src address.

    If you are demanding and persistent you can get someone to help you. I do it all the time. Most of the time, the first reps you get are just there to weed out the basic every day problems. They know next to nothing and they are most likely in their entry level job right out of college or high school. You have to have them pass it on to someone higher up in the chain.

    If the ISP is unwilling to work with you on an issue... find a new ISP. There are plenty out there. Speak with your account rep and write a letter of complaint.

  6. #16
    Junior Member
    Join Date
    Oct 2006
    Posts
    9
    phishphreek, thanks for your comments. Packet manipulation seems too complex for the time I have available, most interesting though.

    Anyway, I am delving into the trace of the packet and found some very interesting things.
    I did about 30 traceroutes from different online sites around the globe...

    Which IPs and how many times they were reported as last hops:

    209.99.224.205 - 7 times - (note that this IP is similar to the alleged mailserver, 209.99.224.6)

    200.69.129.146 - 22 times - (resolved as 200.69.129.146.static.techtelnet.net)

    And here it turns interesting...

    This single site mentioned the "expected" IP as last hop:
    http://www.supporttechnique.net/trace.ihtml
    200.69.129.146 > 209.99.224.6


    These two sites reported private IPs as I am seeing in Company-A's traceroutes
    (last relevant IPs are listed)

    http://tools.telpin.com.ar/cgi-bin/traceroute
    200.55.13.150 > 10.40.11.11 > 10.40.70.1 > 10.40.5.129
    (location: Argentina)

    http://www.zilos.com/conozcanos/traceroute.html
    209.99.224.205 > 10.40.70.4
    (location: Spain)



    Additionally, as I mentioned earlier there are 3 domains hosted by this ISP-B that we have troubles with. Tracerouting to them from Comp-A shows this:

    Traza a la dirección mail.domain1.com [209.99.224.6]

    5 3 ms 2 ms 3 ms 209.99.224.205
    6 3 ms 3 ms 4 ms 10.40.11.11
    7 6 ms 6 ms 5 ms 10.40.70.1
    8 5 ms 4 ms 4 ms 10.40.5.129

    Traza a la dirección mail.domain2.com [209.99.224.6]

    5 3 ms 2 ms 3 ms 209.99.224.205
    6 3 ms 3 ms 4 ms 10.40.11.11
    7 6 ms 6 ms 5 ms 10.40.70.1
    8 5 ms 4 ms 4 ms 10.40.5.129

    Traza a la dirección mail.ISP-B.com [209.99.224.21]
    5 3 ms 2 ms 3 ms 209.99.224.205
    6 5 ms 4 ms 4 ms 10.40.11.9
    7 5 ms 5 ms 6 ms 10.40.5.129
    Notice the pattern in the private IPs... I can't help thinking of an internal routing problem at their end... the originating mailserver can't be making up those addresses for 3 domains just like that... and even if it could, how does it explain the findings in the last online traces I got????
    Spam trap perhaps?

    At least now I know I'm not seeing ghosts in my internal traceroutes. o_O

    Regards.

    EDIT:
    on further thinking, isn't each IP provided by the previous hop?
    Then those private IPs must be being provided by 209.99.224.205 and thus the problem is not at Company-A, since the issue is experienced from 3rd party locations too, but rather at ISP-B given the similar addresses.

    Is it right to assume then that the point of failure is probably at that particular IP??
    Last edited by siko9; October 20th, 2006 at 03:37 AM. Reason: further thinking...
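As an added example (not the poster's code), a small Python script that parses the tracert output quoted above and applies the reasoning in the EDIT: each hop's address is reported by the router whose TTL expired, so RFC 1918 addresses appearing after a public hop place the private network behind the device at that public hop. The sample text is re-typed from the post; the function names are mine.

```python
import ipaddress
import re

# Constructed sample: hops 5-8 of the Windows tracert to mail.domain1.com
# quoted in the post above, re-typed here as offline test input.
TRACE_DOMAIN1 = """\
Traza a la dirección mail.domain1.com [209.99.224.6]

 5 3 ms 2 ms 3 ms 209.99.224.205
 6 3 ms 3 ms 4 ms 10.40.11.11
 7 6 ms 6 ms 5 ms 10.40.70.1
 8 5 ms 4 ms 4 ms 10.40.5.129
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+" + IPV4 + r"\s*$")   # "<hop> <rtts> <ip>"
TARGET_RE = re.compile(r"\[" + IPV4 + r"\]")                    # "[<target ip>]" header


def parse_tracert(text):
    """Return (target_ip, [(hop_number, ip), ...]); timed-out hops (no IP) are skipped."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m and target is None:
            target = ipaddress.ip_address(m.group(1))
            continue
        h = HOP_RE.match(line)
        if h:
            hops.append((int(h.group(1)), ipaddress.ip_address(h.group(3))))
    return target, hops


def analyse(text):
    """Classify hops: the last public hop seen before the first RFC 1918 hop is the
    device that forwards into the private network (the poster's ".205" suspicion)."""
    target, hops = parse_tracert(text)
    result = {"target": str(target), "reached_target": False,
              "last_public_hop": None, "private_hops": []}
    for _, ip in hops:
        if ip == target:
            result["reached_target"] = True
        if ip.is_private:                      # True for 10/8, 172.16/12, 192.168/16
            result["private_hops"].append(str(ip))
        elif not result["private_hops"]:       # still in the public part of the path
            result["last_public_hop"] = str(ip)
    return result


if __name__ == "__main__":
    print(analyse(TRACE_DOMAIN1))
```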

  7. #17
    Junior Member
    Join Date
    Oct 2006
    Posts
    9
    *bump*
    Can anyone throw some light on this?

    Thanks in advance.

  8. #18
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Read up on how traceroute works..

    It basically means a host sends an ICMP Echo Request with TTL=1, TTL=2, TTL=3 etc..
