Subject: NANOG Spam?
Date: Wed, 5 Jul 2006 12:56:19 -0500
From: "Joe Johnson" <joe@sendjoeanemail.com>
To: <nanog@merit.edu>
Am I the only one to get this email? Headers say merit.edu sent it. I have NANOG whitelisted, though, so it came to my mailbox.
[...snip spam...]

No, I got it as well but Postini caught it for me. So I hadn't seen it...

Just a "joe-job" though. The headers are forged. See the IP address in the FIRST "Received-by:" header. Came from Spain.

[...snip later headers...]
Received: from trapdoor.merit.edu (unknown [84.232.124.32])
    by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265
    for <nanog@trapdoor.merit.edu>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)
From: "nanog@enterzone.net" <nanog@enterzone.net>
To: nanog@trapdoor.merit.edu
Content-type: text/html; Charset=Windows-1251

-------------------------------

% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '84.232.124.0 - 84.232.125.255'

inetnum: 84.232.124.0 - 84.232.125.255
netname: TELELEPE-NET
descr: Television Por Cable
descr: Hermanos Ponce Garcia S.L.
descr: Local TV and ISP Provider
country: es
admin-c: GPP18-RIPE
tech-c: GPP18-RIPE
status: ASSIGNED PA
mnt-by: SERVIHOSTING-MNT
source: RIPE
changed: ripe@servihosting.es 20060126

person: Gregorio Ponce Pozuelo
address: C/Niña, 31
address: 21440 Lepe (Huelva) SPAIN
phone: +34 959645086
fax-no: +34 959158409
e-mail: cablehnosponcegarcia@hotmail.com
nic-hdl: GPP18-RIPE
notify: ripe@servihosting.es
mnt-by: SERVIHOSTING-MNT
changed: ripe@servihosting.es 20060126
source: RIPE

% Information related to '84.232.0.0/17AS29119'

route: 84.232.0.0/17
descr: ServiHosting Networks S.L.
descr: First Allocation
remarks: **********************************************
remarks: | For ABUSE/SPAM/SCANS issues |
remarks: | send mail to abuse@servihosting.es |
remarks: | or Fax at number +34.966982510 |
remarks: **********************************************
origin: AS29119
mnt-by: SERVIHOSTING-MNT
notify: m.tecles@servihosting.es
changed: ripe@servihosting.es 20060113
source: RIPE

Regards,
Gregory Hicks

---------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 9B1
San Jose, CA 95134

I am perfectly capable of learning from my mistakes. I will surely learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for lunch. Freedom is a well armed sheep contesting the results of the decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they be properly armed." --Alexander Hamilton
On 7/5/06, Gregory Hicks <ghicks@cadence.com> wrote:
Subject: NANOG Spam?
Date: Wed, 5 Jul 2006 12:56:19 -0500
From: "Joe Johnson" <joe@sendjoeanemail.com>
To: <nanog@merit.edu>
<snip> Just my .02, emails to abuse@schlund.de (HA! like i'll get a response!) and abuse@servihosting.es (not expecting a response from this one either) have been sent. Anybody else feel like telling these folks that they've got spammers on their networks? Allen Parker
Allen Parker wrote:
Just my .02, emails to abuse@schlund.de (HA! like i'll get a response!) and abuse@servihosting.es (not expecting a response from this one either) have been sent. Anybody else feel like telling these folks that they've got spammers on their networks?
I sent to abuse@servihosting.es about the spam source.

And also to abuse@strato.de. Also tried abuse-server@strato.de.

The spam beneficiary was, of course, a US entity pretending to be from Germany, with a throwaway obscured Yahoo address:

Domain Name:OARWIND.INFO
...
Tech Name:Audrey Pokela
Tech Organization:Audrey Pokela
Tech Street1:2940 115 Ave NW
Tech Street2:
Tech Street3:
Tech City:COON RAPIDS
Tech State/Province:MN
Tech Postal Code:55433
Tech Country:US
Tech Phone:+1.7634272392
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:kjho6emb@yahoo.com
Name Server:NS1.RENTSHELL.INFO
Name Server:NS2.FORTWALK.INFO
Name Server:NS1.BUSITEEN.INFO
Name Server:NS2.SPOLF.INFO

oarwind.info.

AS | IP | Registry | AS Name
6724 | 81.169.143.178 | ripencc | STRATO Strato AG

PEER_AS | IP | Registry | AS Name
1273 | 81.169.143.178 | ripencc | CW Cable _ Wireless
5430 | 81.169.143.178 | ripencc | FREENETDE freenet Cityline Gmb

inetnum: 81.169.128.0 - 81.169.143.255
netname: STRATO-RZG-DED
descr: Strato Rechenzentrum, Berlin
country: DE
admin-c: CM265-RIPE
tech-c: XX1-RIPE
tech-c: WB14-RIPE
remarks: ******************************************************
remarks: * please report spam/abuse/attaks mailto:abuse-server@strato.de *
remarks: * reports to other addresses will not be processed *
remarks: * please do not report simple portscans *
remarks: ******************************************************
status: ASSIGNED PA
mnt-by: STRATO-RZG-MNT
mnt-lower: STRATO-RZG-MNT
mnt-routes: STRATO-RZG-MNT
Given that we identified the abusive hosting, and the abusive spam source, and sent messages to the abuse addresses, did anybody receive a response?

I did not! Three (3) days have elapsed.

It's time to clean up this particular miscreant. It's time for the upstreams to turn off service. These are recalcitrant hosters and spammers. I've included the listed abuse addresses for the peers, and expect a public response.

====
oarwind.info.

AS | IP | Registry | AS Name
6724 | 81.169.143.178 | ripencc | STRATO Strato AG

PEER_AS | IP | Registry | AS Name
1273 | 81.169.143.178 | ripencc | CW Cable _ Wireless
abuse@cw.net <http://www.ripe.net/fcgi-bin/whois?searchtext=abuse@cw.net&form_type=simple>
5430 | 81.169.143.178 | ripencc | FREENETDE freenet Cityline Gmb
abuse@pppool.de

====
spam sender:

AS | IP | AS Name
29119 | 84.232.124.32 | SERVIHOSTING-AS ServiHosting N

PEER_AS | IP | AS Name
6739 | 84.232.124.32 | ONO-AS Cableuropa - ONO
jesus.diaz@ono.es

====

William Allen Simpson wrote:
Allen Parker wrote:
Just my .02, emails to abuse@schlund.de (HA! like i'll get a response!) and abuse@servihosting.es (not expecting a response from this one either) have been sent. Anybody else feel like telling these folks that they've got spammers on their networks?
I sent to abuse@servihosting.es about the spam source.
And also to abuse@strato.de. Also tried abuse-server@strato.de.
The spam beneficiary was, of course, a US entity pretending to be from Germany, with a throwaway obscured Yahoo address:
Domain Name:OARWIND.INFO
...
Tech Name:Audrey Pokela
Tech Organization:Audrey Pokela
Tech Street1:2940 115 Ave NW
Tech Street2:
Tech Street3:
Tech City:COON RAPIDS
Tech State/Province:MN
Tech Postal Code:55433
Tech Country:US
Tech Phone:+1.7634272392
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:kjho6emb@yahoo.com
Name Server:NS1.RENTSHELL.INFO
Name Server:NS2.FORTWALK.INFO
Name Server:NS1.BUSITEEN.INFO
Name Server:NS2.SPOLF.INFO

oarwind.info.

AS | IP | Registry | AS Name
6724 | 81.169.143.178 | ripencc | STRATO Strato AG

PEER_AS | IP | Registry | AS Name
1273 | 81.169.143.178 | ripencc | CW Cable _ Wireless
5430 | 81.169.143.178 | ripencc | FREENETDE freenet Cityline Gmb

inetnum: 81.169.128.0 - 81.169.143.255
netname: STRATO-RZG-DED
descr: Strato Rechenzentrum, Berlin
country: DE
admin-c: CM265-RIPE
tech-c: XX1-RIPE
tech-c: WB14-RIPE
remarks: ******************************************************
remarks: * please report spam/abuse/attaks mailto:abuse-server@strato.de *
remarks: * reports to other addresses will not be processed *
remarks: * please do not report simple portscans *
remarks: ******************************************************
status: ASSIGNED PA
mnt-by: STRATO-RZG-MNT
mnt-lower: STRATO-RZG-MNT
mnt-routes: STRATO-RZG-MNT
On 7/9/06, William Allen Simpson <william.allen.simpson@gmail.com> wrote: <snip>
The spam beneficiary was, of course, a US entity pretending to be from Germany, with a throwaway obscured Yahoo address:
Domain Name:OARWIND.INFO
...
Tech Name:Audrey Pokela
Tech Organization:Audrey Pokela
Tech Street1:2940 115 Ave NW
Tech Street2:
Tech Street3:
Tech City:COON RAPIDS
Tech State/Province:MN
Tech Postal Code:55433
Tech Country:US
Tech Phone:+1.7634272392
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:kjho6emb@yahoo.com
Name Server:NS1.RENTSHELL.INFO
Name Server:NS2.FORTWALK.INFO
Name Server:NS1.BUSITEEN.INFO
Name Server:NS2.SPOLF.INFO
I actually telephoned this number after googling it and getting a hit in her local phonebook, it's an elderly woman with a MN accent who is completely unaware of how the internet works on any level who says she's currently involved in a case of identity theft that is unrelated to the ownership of this domain name. I'll probably end up chasing down directnic via telephone on monday to see if that can give us any leads. The nameservers listed resolve to 2 ips, both brazilian, NS1.* owned by AS27699, NS2.* owned by AS8167. Hope that helps.
Impressive response from abuse@cw.net....

====
This is the Postfix program at host bran.de.cw.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The Postfix program

<abuse@bran.de.cw.com>: cannot append message to destination file /home/abuse/Mail/backup: error writing message: File too large
Gregory Hicks wrote:
Just a "joe-job" though. The headers are forged. See the IP address in the FIRST "Received-by:" header. Came from Spain.

[...snip later headers...]
Received: from trapdoor.merit.edu (unknown [84.232.124.32])
    by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265
    for <nanog@trapdoor.merit.edu>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)
From: "nanog@enterzone.net" <nanog@enterzone.net>
To: nanog@trapdoor.merit.edu
Yes, we all got it, and Google spam filters let it through, as it matches a valid mailing list.

No, the received headers are not forged. The From and To are forged.

The spammers have figured out how to bypass the NANOG members-only posting, in this case by pretending to be John Fraizer and sending directly to trapdoor. They're using old lists. He hasn't sent anything to NANOG from that address since 15 Feb 2005 14:30:47 -0500.

Anyway, it's probably a "good thing" to nip this in the bud. It should hurt (a lot) to send spam to network operators themselves.

AS | IP | AS Name
29119 | 84.232.124.32 | SERVIHOSTING-AS ServiHosting N

PEER_AS | IP | AS Name
6739 | 84.232.124.32 | ONO-AS Cableuropa - ONO
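An added example, not part of any post in this thread: a Python sketch of the distinction drawn above between what the receiving MTA recorded (connecting IP, reverse DNS result) and what the sending client merely claimed (HELO name, From, To). The first sample uses the header lines quoted in the thread; the second is constructed with documentation addresses, and the function name `analyze` and the finding labels are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix trace format: from <HELO> (<verified rDNS or "unknown"> [<IP>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def analyze(raw_message, trusted_mta):
    """Separate MTA-recorded origin data from client-supplied claims and
    flag a client that announces itself under the receiver's own name."""
    msg = message_from_string(raw_message)
    hop = None
    # Received lines are prepended, so the topmost one written by our own
    # MTA is the only one the sender could not have typed in.
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold whitespace
        if m and m.group("by").lower() == trusted_mta.lower():
            hop = m.groupdict()
            break
    if hop is None:
        return {"mta_recorded": None, "client_supplied": None,
                "findings": ["no-trusted-received-line"]}
    ip = str(ipaddress.ip_address(hop["ip"]))  # ValueError on a malformed address
    helo, rdns = hop["helo"].lower(), hop["rdns"].lower()
    findings = []
    if helo == trusted_mta.lower():
        findings.append("helo-impersonates-receiver")
    if rdns == "unknown":          # Postfix could not verify a name for the IP
        findings.append("no-verified-rdns")
    elif rdns != helo:
        findings.append("helo-rdns-mismatch")
    return {
        "mta_recorded": {"ip": ip, "rdns": rdns},
        "client_supplied": {
            "helo": helo,
            "from": parseaddr(msg.get("From", ""))[1],
            "to": parseaddr(msg.get("To", ""))[1],
        },
        "findings": findings,
    }

# Header lines as quoted in the thread (folded for readability).
THREAD_SAMPLE = """\
Received: from trapdoor.merit.edu (unknown [84.232.124.32])
    by trapdoor.merit.edu (Postfix) with SMTP id AD0CF91265
    for <nanog@trapdoor.merit.edu>; Wed, 5 Jul 2006 13:39:15 -0400 (EDT)
From: "nanog@enterzone.net" <nanog@enterzone.net>
To: nanog@trapdoor.merit.edu

(body snipped)
"""

# Constructed sample: a clean delivery, followed by an older Received line
# that arrived with the message and therefore carries no weight.
CONSTRUCTED_SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
    by lists.example.net (Postfix) with ESMTP id 0000000000
    for <list@lists.example.net>; Wed, 5 Jul 2006 14:00:00 -0400 (EDT)
Received: from lists.example.net (unknown [198.51.100.7])
    by lists.example.net (Postfix) with SMTP id 1111111111
From: member@example.org
To: list@lists.example.net

(body snipped)
"""

if __name__ == "__main__":
    for sample, mta in ((THREAD_SAMPLE, "trapdoor.merit.edu"),
                        (CONSTRUCTED_SAMPLE, "lists.example.net")):
        print(analyze(sample, mta))
```

A list server can use the `mta_recorded` fields for allow/deny decisions and treat everything under `client_supplied` as untrusted input, which is why a members-only check keyed on the From address alone does not hold.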
William Allen Simpson wrote:
The spammers have figured out how to bypass the NANOG members-only posting, in this case by pretending to be John Fraizer and sending directly to trapdoor.
On our public list servers we now require admin approval of all new subscriptions as well as email verification. It takes time, but it is worth it. Additionally, the admins occasionally reply to new subscribers with "questionable" addresses and ask them for a bit more info (who/what/why/etc). Finally all new subscribers are automatically moderated until their first post proves them to in fact be legit and on topic.

Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.

These are necessary steps simply because we see at least 30 requests each week for what amounts to invalid subscriptions, if those subscriptions went through unfettered then users would be upset. Even if one bogus subscription slips through, the auto-mod provides a second chance to stop them.

Perhaps these are some ideas for the NANOG mailinglist admins to implement.

-Jim P.
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote: Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)

--
Sabri

Yes!! I just saved myself from being moderated (did I?)
Sabri Berisha wrote:
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
I agree :-)
Hi!
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
I agree :-)
I don't know what's worse, the spam or everybody mailing just once now ;) Fortunately my mod bit should be safe again now.

Bye,
Raymond.
On 7/6/06, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
I agree :-)
I don't know what's worse, the spam or everybody mailing just once now ;) Fortunately my mod bit should be safe again now.
Bye, Raymond.
I am a lurker, but also a real person
And hopefully this is on-topic enough to not be banned. Don
Sabri Berisha said the following on 6/7/2006 19:32:
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
Not sure I am real, but I do lurk.
I sometimes feel the same way.. -- -- Welcome My Son, Welcome To The Machine -- Bob Vaughan | techie @ tantivy.net | | P.O. Box 19792, Stanford, Ca 94309 | -- I am Me, I am only Me, And no one else is Me, What could be simpler? --
On Thu, 6 Jul 2006, Sabri Berisha wrote:
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
The question would be - if you're hit by the moderation bit, and post a message that makes it past whatever moderator's criteria.. Do you then lose the moderation bit, since you now have posted within the last 9 months, and thusly have (unmoderated) access?

Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...

- d.

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/
I still comment here periodically when it is prudent to do so, I set this email account specifically for Nanog, anticipating spam.... -Henry sage ---- From: Dominic J. Eidson <sauron@the-infinite.org> To: nanog@merit.edu Sent: Thursday, July 6, 2006 8:14:58 AM Subject: Re: NANOG Spam? On Thu, 6 Jul 2006, Sabri Berisha wrote:
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
The question would be - if you're hit by the moderation bit, and post a message that makes it past whatever moderator's criteria.. Do you then lose the moderation bit, since you now have posted within the last 9 months, and thusly have (unmoderated) access?

Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...

- d.

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/
Henry Linneweh wrote:
I still comment here periodically when it is prudent to do so, I set this email account specifically for Nanog, anticipating spam....
-Henry
sage ---- From: Dominic J. Eidson <sauron@the-infinite.org> To: nanog@merit.edu Sent: Thursday, July 6, 2006 8:14:58 AM Subject: Re: NANOG Spam?
On Thu, 6 Jul 2006, Sabri Berisha wrote:
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
unlurked:)

Having very good experiences with spam filters (I have them all switched off :) I did not even see the spam. My "manual spamfilter" successfully removed them.

Yes, I remember spam with nanog in the sender field. I receive a lot of spam from everybody, including myself. That is why it never occurred to me it might not have been faked.
The question would be - if you're hit by the moderation bit, and post a message that makes it past whatever moderator's criteria.. Do you then lose the moderation bit, since you now have posted within the last 9 months, and thusly have (unmoderated) access?
Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...
- d.
Mine is more a fly-by without pants :) Having been hit by the lurking bit, you most likely have not spammed or that bit would not be set in the first place. Looks like a job for a trunk monkey. Regards Peter and Karin -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Graeffstrasse 14 D-64646 Heppenheim +49(6252)671-788 (Telekom) +49(179)108-3978 (O2 Genion) +49(6252)750-308 (VoIP: sipgate.de) mail: peter@peter-dambier.de mail: peter@echnaton.serveftp.com http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/
I sit here and read the messages daily and post occasionally. Don't moderate bit my ass.

Thanks.
Greg

----- Original Message -----
From: "Dominic J. Eidson" <sauron@the-infinite.org>
To: <nanog@merit.edu>
Sent: Thursday, July 06, 2006 8:14 AM
Subject: Re: NANOG Spam?
On Thu, 6 Jul 2006, Sabri Berisha wrote:
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
The question would be - if you're hit by the moderation bit, and post a message that makes it past whatever moderator's criteria.. Do you then lose the moderation bit, since you now have posted within the last 9 months, and thusly have (unmoderated) access?
Or maybe this is just an exercise in let's-fly-by-the-seat-of-our-pants...
- d.
-- Dominic J. Eidson "Baruk Khazad! Khazad ai-menu!" - Gimli -------------------------------------------------------------------------------
This is directed to the remaining 9,983[1] subscribers to the NANOG list who have *not yet* sent email to announce the fact that they are lurkers. (I think I heard someone say that there were 10,000[1] people on the list, but maybe it was only 1,000, or 100 - I'm old, and bad with numbers and have A.D.D. and all that). But whatever the number... if you believe you have to post a message to show that you exist... DON'T. No-one really cares.

Please go read Jim Popovitch's misunderstood post which started this whole thing: http://www.merit.edu/mail.archives/nanog/msg01009.html

Read Joe Yao's follow up, logically letting those subscribers from the now recognized slow learning crowd know that Jim was describing actions he took for *other* lists that *he* controlled. Not NANOG. And if you still don't get it, read Jim's confirmation of Joe's hypothesis.

But *please please*, don't post a message just because you think that if you don't, you'll be unsubscribed. If this was a list I had any influence over, I would use the fact that a subscriber posts a defensive message as canonical evidence of lack of clue, and instantly drop them from the list.

[1] And yes, if the number is anything close to 10,000, we can make the assumption that the list is comprised predominantly of hoisl's classmates (a free NANOG 27 t-shirt to the first person who recalls and provides a link showing the connection :-)). And if you do know what the reference is, check that no-one has yet provided it before doing so - don't become a hoisl yourself.

/rlj
Speaking only for myself.
On 7/8/06, Rodney Joffe <rjoffe@centergate.com> wrote: <snip>
[1] And yes, if the number is anything close to 10,000, we can make the assumption that the list is comprised predominantly of hoisl's classmates (a free NANOG 27 t-shirt to the first person who recalls and provides a link showing the connection :-)). And if you do know what the reference is, check that no-one has yet provided it before doing so - don't become a hoisl yourself. <snip>
Reading back to April 1997, I find a very interesting digression that delves deeply into water management solutions. Absolutely hilarious. Laughing, Allen Parker
On Jul 8, 2006, at 2:03 PM, Allen Parker wrote:
Reading back to April 1997, I find a very interesting digression that delves deeply into water management solutions.
Ding Ding Ding. Give Allen the T-Shirt.
Absolutely hilarious.
I have long considered that thread to be the high water mark (excuse the pun) of the early days of NANOG, when layer 8 and layer 9 had no impact on "us" and we all had time to enjoy being network engineers. And when peering session with AS1 and AS701 and AS1239 could all be arranged, agreed to, and set up in between presentations. <sigh> Your t-shirt is on its way. For those who are interested in the resultant discussion about AFR, VFR, CFR and ATM: http://www.cctec.com/maillists/nanog/historical/9704/msg00048.html is the start of the thread(s).
On Thu, Jul 06, 2006 at 01:32:11PM +0200, Sabri Berisha wrote:
On Wed, Jul 05, 2006 at 05:20:04PM -0400, Jim Popovitch wrote:
Hi,
Finally, we crawled the archives of the big lists and have come up with a list of subscribers who haven't posted in over 9 months, we plan to set the mod bit on them too very soon.
So people who are 'real' but lurk a lot should reply to this message so they don't get moderated :)
I'm immoderate. But I believe that Popovitch was speaking of different mailing lists than this one. -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
Joseph S D Yao wrote:
I'm immoderate. But I believe that Popovitch was speaking of different mailing lists than this one.
Yes that is true, at least the part about the lists. ;-) I run a mailing list discussion system for a few non-profits, it is those lists (and their admins) that I was speaking of. Apologies to all for possibly having incited this chatter. -Jim P.
Jim Popovitch wrote:
William Allen Simpson wrote:
The spammers have figured out how to bypass the NANOG members-only posting, in this case by pretending to be John Fraizer and sending directly to trapdoor.
On our public list servers we now require admin approval of all new subscriptions as well as email verification....Perhaps these are some ideas for the NANOG mailinglist admins to implement.
Or not. I expect that we've seen only the tip of the iceberg on people who will now post one "I'm here, please don't moderate me" post. NANOG has how many readers? For those who may have misread Jim's post, he was talking about *another* mailing list, not this one, on the moderation method mentioned. No sign that this is in effect on nanog. -- No matter how much you want to try and spin it, MySpace is the Paris Hilton of the internet. (http://www.digg.com/users/ArcaneDevice)
participants (19)
- Allen Parker
- Bob Vaughan
- Dominic J. Eidson
- Etaoin Shrdlu
- Greg Taylor
- Gregory Hicks
- Henry Linneweh
- Home Business Services, Inc.
- Jim Popovitch
- Joseph S D Yao
- M. Aelmans | Synssans
- Marko Milivojevic
- Mathias Koerber
- Peter Dambier
- Raymond Dijkxhoorn
- Rodney Joffe
- Sabri Berisha
- Valdis.Kletnieks@vt.edu
- William Allen Simpson