Richard A Steenbergen wrote:
On Mon, Jul 21, 2003 at 02:37:34PM -0400, Deepak Jain wrote:
Has anyone had to deal with this in their BGP filter tables?
5 washdc5lce1-oc48.wcg.net (64.200.95.118) 4 ms 11 ms 4 ms 6 GigabitEthernet5-0.GW4.IAD8.ALTER.NET (157.130.30.245) 4 ms 4 ms 4 ms 7 0.so-1-2-0.XR2.IAD8.ALTER.NET (152.63.41.34) 3 ms 4 ms 6 ms 8 0.so-0-0-0.CL2.IAD5.ALTER.NET (152.63.38.142) 4 ms 5 ms 5 ms 9 201.at-2-0-0.XR2.DCA6.ALTER.NET (152.63.35.49) 6 ms 6 ms 6 ms 0 0.so-1-3-0.XL2.DCA6.ALTER.NET (152.63.35.118) 6 ms 6 ms 6 ms 1 POS7-0.BR4.DCA6.ALTER.NET (152.63.41.233) 8 ms 6 ms 7 ms 2 POS5-3.sl-bb22-rly.sprint.net (204.255.169.130) 8 ms 8 ms 8 ms
Is Williams getting transit to Sprint via UUNET or vice versa? Sorry if I have been out of the loop on this.
Regarding Williams, here is an excerpt of an abuse complaint I sent to them (and Edge 1 - theoretically one of their customers):
As the end result of chasing down spam originating from one of our hosts, we discovered the host was infected with the Jeem backdoor trojan. This was found "in the wild" Thursday, July 17, and examination of our PIX logs showed that the proxy source was various IPs in the 69.44.28.x netblock, registered to Edge 1 Networks, but yielding reverse DNS names in WCG.NET. The machine was removed from the network, but the proxy attempts from 69.44.28.x (and a few other addresses) continued for quite some time (logs are included below). It is quite clear from the logs that for each incoming proxy, the machine responded with an SMTP connection to the spammer's next recipient.
In the process of finding the trojan and identifying the traffic source, we placed the machine on a sniffer and reconnected to the network today (Friday, July 18). Within five minutes, the machine was again swarmed by hosts in the 69.44.28.x netblock. If you want the ethereal trace file, I can supply it, but the results are the same. It was quickly removed from the network, and the proxy attempts continued.
Jeff