RE: *Ty / Dylan* eMule suspicious activity?

From: Dylan Douglas <dylan_at_mediadefender.com>
Date: Fri, 22 Jun 2007 12:06:38 -0700

eMule doesn't have built in filters. Those are requests to the server.
If the server doesn't respect them, you get back whatever the server
wants you to get.
 
-D
 
-----
Dylan Douglas
MediaDefender
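Dylan's point above is that eMule's size and type filters are only hints sent to the server, so a server that ignores them can return anything. The following is an added example (not code from this thread or from eMule) of a client-side re-check that enforces the requested filter locally and keeps the rejected hits as evidence; the record fields, the filter values and the sample results are constructed here.

```python
# Added example: re-validate search results against the filter the client
# asked the server to apply. Results that violate the filter are evidence
# the server ignored the request (a rogue/decoy server), not real hits.
from dataclasses import dataclass

AUDIO_EXTS = {"mp3", "ogg", "flac", "wav", "wma"}  # assumed "audio" types


@dataclass(frozen=True)
class SearchResult:          # constructed record layout, not eMule's
    name: str
    size: int                # bytes, as reported by the server
    sources: int             # availability count reported by the server


def matches_filter(r: SearchResult, min_size: int, audio_only: bool) -> bool:
    """True only if the result honours the filter the client requested."""
    ext = r.name.rsplit(".", 1)[-1].lower() if "." in r.name else ""
    if r.size < min_size:
        return False
    if audio_only and ext not in AUDIO_EXTS:
        return False
    return True


def filter_results(results, min_size, audio_only):
    """Split results into (kept, dropped); dropped = server ignored filter."""
    kept, dropped = [], []
    for r in results:
        (kept if matches_filter(r, min_size, audio_only) else dropped).append(r)
    return kept, dropped


def inflated_availability(results, cap):
    """Results whose source count exceeds a plausibility cap (decoy hint)."""
    return [r for r in results if r.sources > cap]


# Constructed sample: two plausible hits, three that ignore a 50 MB/audio filter.
SAMPLE = [
    SearchResult("pharrell keep it playa instrumental.mp3", 61_000_000, 12),
    SearchResult("pharrell keep it playa instrumental.mp3", 55_000_000, 9),
    SearchResult("pharrell keep it playa instrumental.exe", 150_000, 9999),
    SearchResult("pharrell keep it playa instrumental.zip", 800_000, 9999),
    SearchResult("pharrell keep it playa instrumental.html", 120, 9999),
]

if __name__ == "__main__":
    kept, dropped = filter_results(SAMPLE, 50 * 1024 * 1024, True)
    print(len(kept), "kept;", len(dropped), "violate the requested filter")
    print(len(inflated_availability(dropped, 1000)), "also have inflated source counts")
```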
 

________________________________

        From: Tabish Hasan
        Sent: Friday, June 22, 2007 12:04 PM
        To: Randy Saaf; Dylan Douglas; Ben Grodsky; qa
        Subject: RE: *Ty / Dylan* eMule suspicious activity?
        
        

        I know this has been put on the FAR back-burner...but just
wanted to point out a new observation...and hopefully refresh this topic
so we can eventually implement this.

         

        Whoever is doing this is bypassing eMule's built-in filters. For
example, I put a min file size limit of 50MB, but they were still able
to return all their spam/spyware files that are under 1MB. This is the
case for the other filters I tried as well. They still get their files
through. (I don't know if that's impressive, but I thought it was pretty
cool they can do that)

         

        -TH

         

         

         

        -----Original Message-----
        From: Randy Saaf
        Sent: Monday, February 26, 2007 4:43 PM
        To: Tabish Hasan; Dylan Douglas; Ben Grodsky; qa
        Subject: RE: *Ty / Dylan* eMule suspicious activity?

         

        Good call. Ben can test this to see if we get any website
traffic from it for our ad deals.

         

         

        -----Original Message-----

        From: Tabish Hasan

        Sent: Monday, February 26, 2007 3:30 PM

        To: Randy Saaf; Dylan Douglas; Ben Grodsky; qa

        Subject: RE: *Ty / Dylan* eMule suspicious activity?

         

        Once things calm down from the move related issues, I think we
should revisit this. Since our servers are down today and based on the
spoof hits I'm seeing, this definitely has potential.

         

        (Just wanted to resurrect this thread in case it gets forgotten)

         

        -TH

         

        -----Original Message-----

        From: Randy Saaf

        Sent: Tuesday, January 30, 2007 6:30 PM

        To: Dylan Douglas; Ben Grodsky; qa

        Subject: Re: *Ty / Dylan* eMule suspicious activity?

         

        Agreed, but emule doesn't have a history of changing their code
to deal w us. In fact emule has never rolled out a counter-counter
measure.

         

         

        ----- Original Message -----

        From: Dylan Douglas

        To: Randy Saaf; Ben Grodsky; qa

        Sent: Tue Jan 30 11:07:07 2007

        Subject: RE: *Ty / Dylan* eMule suspicious activity?

         

        Yeah, but I could quickly see eMule patching this kind of
exploit very quickly, since it wouldn't take more than a couple lines of
code to do it. And, they seem to roll-out a new version every month or
less.

         

        -D

         

>-----Original Message-----

>From: Randy Saaf

>Sent: Tuesday, January 30, 2007 11:04 AM

>To: Dylan Douglas; Ben Grodsky; qa

>Subject: Re: *Ty / Dylan* eMule suspicious activity?

>

>This could be very interesting for us.

>

>

>

>----- Original Message -----

>From: Dylan Douglas

>To: Randy Saaf; Ben Grodsky; qa

>Sent: Tue Jan 30 10:51:39 2007

>Subject: RE: *Ty / Dylan* eMule suspicious activity?

>

>It depends. If I remember correctly, selecting the search type is a
>request to the server. I don't think the client does anything with
>regards to filtering. So they might still come through if this is being
>fedup by a non-server.

>

>-----Original Message-----

>From: "Randy Saaf" <randy_at_mediadefender.com>

>To: "Ben Grodsky" <grodsky_at_mediadefender.com>; "qa"

><qa_at_mediadefender.com>

>Sent: 1/30/07 10:26 AM

>Subject: Re: *Ty / Dylan* eMule suspicious activity?

>

>I can't imagine a lot of people would click on those??? They would
>get filtered in an audio only search, correct?

>

>

>----- Original Message -----

>From: Ben Grodsky

>To: qa

>Sent: Tue Jan 30 10:22:23 2007

>Subject: RE: *Ty / Dylan* eMule suspicious activity?

>

>The HTML fake is an empty file just opening and closing web page tags.

>

>These are the contents:

>

><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
charset=us-ascii">

><html> <head>

>

></head>

></html>

>

>

>________________________________

>

>From: Tabish Hasan

>Sent: Tue 30-Jan-07 10:07

>To: Randy Saaf; Dylan Douglas; qa

>Subject: RE: *Ty / Dylan* eMule suspicious activity?

>

>

>

>No, they're exe, zip, and html extensions. The HTML file takes you to a
>webpage, which in turn attempts to install some sort of spyware from
>zango. I've attached the file in case anyone wants to see themselves.
>
>To recreate my search results, search for "pharrell keep it playa
>instrumental" as a global all type search. Eventually you should get
>hit with decoys with extremely high #s.

>

>-TH

>

>-----Original Message-----

>From: Randy Saaf

>Sent: Tuesday, January 30, 2007 3:25 AM

>To: Dylan Douglas; Tabish Hasan; qa

>Subject: Re: *Ty / Dylan* eMule suspicious activity?

>

>Is it installing executables with files that have mp3 extensions?

>

>

>----- Original Message -----

>From: Dylan Douglas

>To: Tabish Hasan; qa

>Sent: Mon Jan 29 17:41:56 2007

>Subject: RE: *Ty / Dylan* eMule suspicious activity?

>

>T-

>

>Not really. Stuff like this has been out there for a while now. It's
>just something in your server list that is returning results using your
>search string. You can usually find them for zips/exe searches, like
>you'll search for "Windows XP iso crack" and get a bunch of 150kB exes
>called "Windows XP iso crack.exe" that will install spyware. I've
>never seen them showing up for music searches. But, whatever, maybe
>they are getting more desperate.

>

>-D

>

>

>________________________________

>

> From: Tabish Hasan

> Sent: Monday, January 29, 2007 5:32 PM

> To: qa

> Subject: *Ty / Dylan* eMule suspicious activity?

>

>

>

> Ty / Dylan,

>

>

>

> Take a look at my eMule screenshot below.
>
> It seems like suspicious results returned. I was searching for
>an instrumental, and after a few minutes when nothing returned, these
>files got returned. Notice the availability #'s returned for these fake
>files. Also notice that my search string got copied exactly, but it was
>a decoy.

>

image001.jpg
Received on Fri Sep 14 2007 - 10:56:17 BST

This archive was generated by hypermail 2.2.0 : Sun Sep 16 2007 - 22:19:49 BST