E-mailing the DOD-CERT is also another way to try to get these things fixed.

(...I'm not 100% certain that getting this fixed was the point of this, but I figured I'd point that out on the off chance.)

I'm forwarding the header information of this spam to the appropriate folks.

V/R,
Matthew Swaar
ASN568 Analyst
matthew.swaar@cert.mil

-----Original Message-----
From: Eric Kuhnke [mailto:eric@fnordsystems.com]
Sent: Tuesday, December 16, 2003 2:46 PM
To: nanog@merit.edu
Subject: 25,000 ton amphibious spam relay

http://www.interesting-people.org/archives/interesting-people/200312/msg00070.html

=================================

At 09:59 AM 12/16/2003, Rich Kulawiec wrote:

[ Doesn't it just make you feel all safe and cozy when the people responsible for our defense are allowing military hardware to be hijacked to relay spam? ---Rsk ]

----- Forwarded message from Bruce Gingery <bg7341@GTCS.COM> -----
Date: Tue, 16 Dec 2003 00:48:14 -0700
From: Bruce Gingery <bg7341@GTCS.COM>
Subject: Spam, Block: 25,000 ton spam relay, with photos of it!
To: SPAM-L@PEACH.EASE.LSOFT.COM
ANNOUNCING: The amphibious transport dock and spam relay
http://www.news.navy.mil/list_all.asp?id=8488
Zoom-in
http://www.news.navy.mil/view_single.asp?id=4553
http://www.news.navy.mil/view_single.asp?id=2746
The ship supports the Marine Corps "mobility triad," the LCAC (Landing Craft Air Cushion vehicle), the "Triple A-V" (AAAV - Advanced Amphibious Assault Vehicle) and the MV-22 (Osprey tiltrotor aircraft),
and (apparently) spammers in Guangdong, Red China.
Furthermore, San Antonio incorporates the latest quality of life standards for the embarked Marines and sailors, including the sit-up berth, ship services mall, a fitness center and learning resource center/electronic classroom
and Unsolicited Bulk E-Mail.
Of course, it's possible that one of the OTHER eleven ships, still under construction, is the Avondale, LA dot-MIL spam relay, or trojaned boat, or some nice-and-secure Windows box in the construction drydocks, running Microsoft Exchange Internet Mail Service Version 5.5.2653.13
But doesn't it make all Americans feel all fuzzy and secure that a Red Chinese spammer can abuse a US Naval Vessel of one of the newest designs, to relay his "business proposition"?
Perhaps it's tied to the USS Green Bay, instead? Or USS New Orleans?
http://www.navsea.navy.mil/newswire_content.asp?txtDataID=8963&txtTypeID=2
The USS Mesa Verde seems to be in Mississippi, instead.
http://www.navsea.navy.mil/newswire_content.asp?txtDataID=8663&txtTypeID=2
But the E-Mail headers finger the USS San Antonio, LPD 17, already christened, and due for commissioning some time this coming year.
LPD 17 Looks Like a "Gator"
http://www.navsea.navy.mil/newswire_content.asp?txtDataID=8596&txtTypeID=2
but from here, it just looks like another spammer.
[SPECIMEN]
H: Return-Path: <lugbkbgkd@ms13.hinet.net>
H: Received: from avnavfw.lpd17.navsea.navy.mil
H: (avnavfw.pms317.navy.mil [205.67.231.235])
H: by mail.gtcs.com (8.12.10/8.11.3/gtcs-6.3.8) with SMTP
H: id hBG65HO8091853
H: for <[victim]>; Mon, 15 Dec 2003 23:06:39 -0700 (MST)
H: (envelope-from: <lugbkbgkd@ms13.hinet.net>)
H: X-Authentication-Warning: serv.gtcs.com: Host
H: avnavfw.pms317.navy.mil [205.67.231.235]
H: claimed to be avnavfw.lpd17.navsea.navy.mil
H: Received: from no.name.available by avnavfw.lpd17.navsea.navy.mil
H: via smtpd (for [209.181.16.1]) with SMTP; 16 Dec 2003 05:53:08 UT
H: Received: from avnavfw.AVONDALE (205.67.231.5 [205.67.231.5]) by
H: swn-email.lpd17.navy.mil with SMTP (Microsoft Exchange Internet Mail
H: Service Version 5.5.2653.13)
H: id YY2BDP4P; Tue, 16 Dec 2003 00:07:28 -0600
H: From: "HuatonE-ScooterCo.,Ltd" <1232312fs21d@ms13.hinet.net>
H: Received: from [61.145.234.62] by avnavfw.AVONDALE
H: via smtpd (for [205.66.99.30]) with SMTP; 16 Dec 2003 05:51:47 UT
H: Subject: Re.About our new product
H: Content-Type: text/html
H: Date: Tue, 16 Dec 2003 13:57:41 +0800
H: X-Priority: 3
[extract from HTML body]
B: Our company specializes in exporting electric & gas scooters, which
B: are most popular with our customers at home and abroad. Now we are
B: writing to offer you an opportunity to develop a mutual trade. If
B: you are interested in establishing business relations with us, please
B: let us know your requirements. Then we would like to forward catalogues
B: as well as detailed information to you, and offer the best price to
B: you. We assure you of our best attention to your any inquiries.
B: We anticipate your early response in respect.

B: Huaton E-scooter Co., Ltd.
B: Room.B-202,Building Si-Hai-Ming-Yuan
B: Burg Weiji,Zone Gongbei
B: City Zhuhai 519020
B: Province Kwangtung,China
B: Tel:86-756-821-6922
B: Fax:86-756-888-3037
...
Spam support by: The US Navy, Avondale Louisiana Shipyard, Firewall, and hosts behind it
OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    7990 Science Applications Ct
Address:    M/S CV 50
City:       Vienna
StateProv:  VA
NetRange:   205.0.0.0 - 205.117.255.255
Comment:    DOD Network Information Center
Comment:    Space and Naval Warfare Systems
Comment:    Washington, DC 20363-5100 US
Responsible for these not-yet-commissioned ships ...
Naval Sea Systems Command
1333 Isaac Hull Avenue S. E.
Washington Navy Yard, D.C. 20376
Congressional/Press Inquiries: (202) 781-4124
Link in spam hosted at
B: http://dateu.to/
inetnum:    202.181.192.0 - 202.181.223.255
netname:    HKCIX
Link in spam hosted at
B: http://i19.ac.tpe.yahoo.com/
inetnum:    202.1.232.0 - 202.1.239.255
netname:    YAHOO-ASIA
descr:      streaming media, e-mail, instant messenger, www, etc
country:    HK
Spammer at:
inetnum:    61.145.0.0 - 61.145.255.255
netname:    CHINANET-GD
descr:      CHINANET Guangdong province network
----- End forwarded message -----
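The Received: chain in the specimen above can be walked mechanically. The Python below is an added example, not code from any poster in this thread: it rebuilds the hops oldest-first, reports the origin IP, the host that accepted the message from outside the DoD NIC NetRange, the onward external destination, the proxy hop that recorded no sender (Suresh's "no.name.available" point), and the HELO/reverse-DNS mismatch that sendmail flagged. The sample headers are reconstructed from the specimen, the owner range is the NetRange from the whois output, and the function names (parse_hops, relay_verdict, inside) are my own.

```python
import email
import ipaddress
import re

# Constructed sample: the specimen "H:" Received and X-Authentication-Warning lines
# quoted above, rejoined one header per line (recipient kept as the post's [victim]).
SPECIMEN = """\
Received: from avnavfw.lpd17.navsea.navy.mil (avnavfw.pms317.navy.mil [205.67.231.235]) by mail.gtcs.com (8.12.10/8.11.3/gtcs-6.3.8) with SMTP id hBG65HO8091853 for <[victim]>; Mon, 15 Dec 2003 23:06:39 -0700 (MST)
X-Authentication-Warning: serv.gtcs.com: Host avnavfw.pms317.navy.mil [205.67.231.235] claimed to be avnavfw.lpd17.navsea.navy.mil
Received: from no.name.available by avnavfw.lpd17.navsea.navy.mil via smtpd (for [209.181.16.1]) with SMTP; 16 Dec 2003 05:53:08 UT
Received: from avnavfw.AVONDALE (205.67.231.5 [205.67.231.5]) by swn-email.lpd17.navy.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id YY2BDP4P; Tue, 16 Dec 2003 00:07:28 -0600
Received: from [61.145.234.62] by avnavfw.AVONDALE via smtpd (for [205.66.99.30]) with SMTP; 16 Dec 2003 05:51:47 UT
"""
# NetRange the whois output on the page assigns to the relay's owner (DoD NIC).
OWNER = (ipaddress.ip_address("205.0.0.0"), ipaddress.ip_address("205.117.255.255"))
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
FOR_RE = re.compile(r"\bfor\s+\(?<?\[?([^\s\]>);]+)")   # onward destination, if logged

def inside(tok):
    """True if tok is an IP inside the owner's block; None or a non-IP token gives False."""
    try:
        return OWNER[0] <= ipaddress.ip_address(tok) <= OWNER[1]
    except ValueError:
        return False

def parse_hops(raw):
    """One dict per Received: header, oldest hop first (each relay prepends its own line)."""
    msg = email.message_from_string(raw)
    hops = []
    for m in filter(None, map(HOP_RE.search, msg.get_all("Received", []))):
        claimed, paren, by = m.groups()      # HELO name, receiver's own view, receiving host
        actual = next(iter((paren or "").split()), None)   # name/literal the receiver resolved
        ip, nxt = IP_RE.search(paren or "") or IP_RE.search(claimed), FOR_RE.search(m.string)
        hops.append({"claimed": claimed, "by": by, "ip": ip.group(1) if ip else None,
                     "nxt": nxt.group(1) if nxt else None,
                     "helo_mismatch": bool(actual) and not IP_RE.fullmatch(actual)
                     and actual.lower() != claimed.lower()})
    return hops[::-1]

def relay_verdict(hops):
    """Relayed = entered the owner's block from outside and later left for an outside address."""
    entry = next((h for h, n in zip(hops, hops[1:])
                  if h["ip"] and not inside(h["ip"]) and inside(n["ip"])), None)
    exits = [h["nxt"] for h in hops if IP_RE.fullmatch(h["nxt"] or "") and not inside(h["nxt"])]
    return {"origin_ip": hops[0]["ip"] if hops else None,
            "entry_host": entry["by"] if entry else None, "exit_targets": exits,
            "relayed": bool(entry and exits),
            "scrubbed_hops": [h["by"] for h in hops if h["ip"] is None],   # proxy hid sender
            "helo_mismatches": [h["claimed"] for h in hops if h["helo_mismatch"]]}
```

Running relay_verdict(parse_hops(SPECIMEN)) reports origin 61.145.234.62 entering at avnavfw.AVONDALE and leaving for 209.181.16.1, which is the third-party relay the post describes.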
Swaar, Matthew L. writes on 12/16/2003 3:52 PM:

> E-mailing the DOD-CERT is also another way to try to get these things fixed.
>
> (...I'm not 100% certain that getting this fixed was the point of this, but I figured I'd point that out on the off chance.)
>
> I'm forwarding the header information of this spam to the appropriate folks.
Yup - and this was behind a Raptor firewall, which seems to have added to rather than subtracted from the general insecurity of an old exchange server, in this case.
> H: Received: from no.name.available by avnavfw.lpd17.navsea.navy.mil
> H: via smtpd (for [209.181.16.1]) with SMTP; 16 Dec 2003 05:53:08 UT
The no.name.available and via smtpd in the top header say it all - and so much for smtp proxies trying to munge every single piece of version information in sight including the smtp banner, to ensure "security by obscurity" :)
> H: Received: from avnavfw.AVONDALE (205.67.231.5 [205.67.231.5]) by
> H: swn-email.lpd17.navy.mil with SMTP (Microsoft Exchange Internet Mail
> H: Service Version 5.5.2653.13)
Not that just plain old exchange of such an antique vintage would have been anything but secure, nosirree ...

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations