
Thread: cannot find spy

  1. #31
    peter krom Guest

    Re: cannot find spy

    In article <ivqr5197medheeslh0q5ea152hgcfa92bo@4ax.com>,
    bakesph@comcast.net says...

    COMCAST.NET???? this domain is in the blacklist of my mailserver for
    spamming....

    > What's the difference between "sending a SYN" and "trying to open a
    > socket"?


    Both are connections you don't want in this case simply because your
    privacy has been invaded. I know: the safest way to have a computer is
    NOT to hook it up to the internet, but morality states that one's
    privacy should not be invaded... This shouldn't be an issue IMHO

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 9:56:30
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  2. #32
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >Thank you all for thinking with me (or against...) Now we have another
    >application to put on the blacklist: the wizz rss-reader


    Understand, I wasn't directly accusing the wizz reader of doing anything
    nasty - just noting that it had weird vibes about it.

    If you feel brave, please try installing the reader again and see if the odd
    connection attempts come back. If it does, you have your smoking gun, and I
    think the mozilla team would be VERY interested. A number of mozilla fans,
    myself included, have been expecting a piece of spyware to be released in
    the form of a mozilla extension. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  3. #33
    Paul Vader Guest

    Re: cannot find spy

    dplatt@radagast.org (Dave Platt) writes:
    >Unfortunately, it's truly not possible to say for certain that this
    >was the case unless you've done a physical inspection of whatever
    >hardware may be routed at that address. It's quite possible to write
    >
    >How one might write such a piece of spoofing server malware is left as
    >an exercise for the reader... no sense making it easier for the bad
    >guys.


    In one of my more paranoid moments, I wondered whether it was possible to
    sneak data to a server via connection attempts, which then appears to
    reject them. Thinking about it again after I saw your message, it should be
    possible, and not even all that difficult. Fortunately, I think it would
    only work in one direction, unless ... OK, I'm stopping now. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  4. #34
    Paul Vader Guest

    Re: cannot find spy

    Steve Baker <bakesph@comcast.net> writes:
    >>- There's no host there, and the net's router is responding with a
    >> "no such host" ICMP response, or

    >
    > How's that work, got a reference handy? I didn't know that routers
    >commented on the state of Internet hosts.


    "No route to host" is probably what he was thinking of. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  5. #35
    Paul Vader Guest

    Re: cannot find spy

    Steve Baker <bakesph@comcast.net> writes:
    >>It's not sending a syn by itself - more likely it's trying to open a socket,
    >>and you see 'SYN SENT' in netstat because the other end isn't up.

    >
    > What's the difference between "sending a SYN" and "trying to open a
    >socket"?


    You can do the first without any intention of ever doing the second. See
    'syn flooding' for example. When you see "SYN SENT" on a netstat, unless it
    appears and disappears, it's almost certainly because a process is trying to
    open a socket, and the TCP stack is waiting for an SYN ACK before returning
    a socket pointer to the process. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.
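
Added example, not part of any post in this thread: one way to apply the "unless it appears and disappears" test from post #35 is to compare two `netstat -ano` snapshots and report which PID is still waiting on a SYN-ACK from the same remote endpoint. The snapshot text, addresses (documentation ranges) and PIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed `netstat -ano` output (Windows column layout), taken a few
# seconds apart. Addresses and PIDs are made up for the example.
SNAPSHOT_1 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED     1320
  TCP    192.0.2.10:1051        203.0.113.99:8080      SYN_SENT        1320
  TCP    192.0.2.10:1052        198.51.100.20:80       SYN_SENT        884
"""
SNAPSHOT_2 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED     1320
  TCP    192.0.2.10:1057        203.0.113.99:8080      SYN_SENT        1320
  TCP    192.0.2.10:1052        198.51.100.20:80       ESTABLISHED     884
"""

# proto, local address, foreign address, state, owning PID
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def syn_sent(snapshot):
    """Return {(foreign_addr, pid)} for sockets still waiting on a SYN-ACK."""
    pending = set()
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "SYN_SENT":
            # Key on remote endpoint + PID, not the local port: a retried
            # connect() usually gets a fresh ephemeral port each time.
            pending.add((m.group(2), int(m.group(4))))
    return pending


def persistent_syn_sent(snapshots):
    """Pairs in SYN_SENT in every snapshot, i.e. attempts that never complete."""
    sets = [syn_sent(s) for s in snapshots]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for remote, pid in persistent_syn_sent([SNAPSHOT_1, SNAPSHOT_2]):
        print(f"PID {pid} keeps trying {remote} and gets no SYN-ACK")
```

PID 884's SYN_SENT entry drops out because the handshake completed between snapshots; only the endpoint that never answers is reported, together with the process to inspect.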

  6. #36
    Steve Baker Guest

    Re: cannot find spy

    On Thu, 14 Apr 2005 15:04:54 -0000, pv+usenet@pobox.com (Paul Vader)
    wrote:

    >Steve Baker <bakesph@comcast.net> writes:
    >>>It's not sending a syn by itself - more likely it's trying to open a socket,
    >>>and you see 'SYN SENT' in netstat because the other end isn't up.

    >>
    >> What's the difference between "sending a SYN" and "trying to open a
    >>socket"?

    >
    >You can do the first without any intention of ever doing the second. See
    >'syn flooding' for example. When you see "SYN SENT" on a netstat, unless it
    >appears and disappears, it's almost certainly because a process is trying to
    >open a socket, and the TCP stack is waiting for an SYN ACK before returning
    >a socket pointer to the process. *


    I see what you mean now. I was misunderstanding the "syn by itself"
    part, thinking that the "by itself" part referred to the browser, not
    the packet.

    Steve Baker


  7. #37
    Steve Baker Guest

    Re: cannot find spy

    On Thu, 14 Apr 2005 15:01:49 -0000, pv+usenet@pobox.com (Paul Vader)
    wrote:

    >Steve Baker <bakesph@comcast.net> writes:
    >>>- There's no host there, and the net's router is responding with a
    >>> "no such host" ICMP response, or

    >>
    >> How's that work, got a reference handy? I didn't know that routers
    >>commented on the state of Internet hosts.

    >
    >"No route to host" is probably what he was thinking of. *


    Jeez. I sometimes get a bad case of tunnel vision as a result of
    taking things way too literally. Thanks.

    Steve Baker

  8. #38
    Seth Breidbart Guest

    Re: cannot find spy

    In article <115t1cdk5p2u146@news.supernews.com>,
    Paul Vader <pv+usenet@pobox.com> wrote:

    >In one of my more paranoid moments, I wondered whether it was possible to
    >sneak data to a server via connection attempts, which then appears to
    >reject them. Thinking about it again after I saw your message, it should be
    >possible, and not even all that difficult. Fortunately, I think it would
    >only work in one direction, unless ... OK, I'm stopping now. *


    Spammers already know about portknocking.

    Seth
