Hi!
We got some spam mail from
Received: from 1cust151.tnt1.tampa.fl.da.uu.net (HELO byte007) (153.37.184.151) by relay.ipf.net with SMTP; 10 May 1998 04:47:58 -0000
and I cannot query the database (arin, ripe or radb) for the owner of this network. Any hints?
If we can find the sender, then we go for a hunt against these spammers.
So far...
Greetings
Jan Czmok IPF.NET NOC
more headers:
Return-Path: hioqibua38@msn.com
Delivery-Date: Sun May 10 04:48:03 1998
Received: (qmail 26693 invoked from network); 10 May 1998 04:48:03 -0000
Received: from claven.cse.psu.edu (HELO cse.psu.edu) (130.203.3.50) by finch.cse.psu.edu with SMTP; 10 May 1998 04:48:03 -0000
Received: from relay.ipf.net (relay.ipf.net [195.88.0.13]) by cse.psu.edu (8.8.8/8.7.3) with SMTP id AAA21505 for <0000@0000.cs.psu.edu>; Sun, 10 May 1998 00:48:02 -0400 (EDT)
Date: Sun, 10 May 1998 00:48:02 -0400 (EDT)
From: hioqibua38@msn.com
Received: (qmail 13706 invoked from network); 10 May 1998 04:47:58 -0000
Received: from 1cust151.tnt1.tampa.fl.da.uu.net (HELO byte007) (153.37.184.151) by relay.ipf.net with SMTP; 10 May 1998 04:47:58 -0000
To: hioqibua38@msn.com
Comments: Authenticated sender is <hioqibua38@msn.com>
Errors-To: shadow007@hotmail.com
Subject: DO YOU KNOW HIS OR HER BACKGROUND???
Message-Id: <199805103688SAA3125@post.ipf.net>
On Sun, May 10, 1998 at 11:00:27AM +0200, Jan Czmok wrote:
We got some spam mail from
Received: from 1cust151.tnt1.tampa.fl.da.uu.net (HELO byte007) (153.37.184.151) by relay.ipf.net with SMTP; 10 May 1998 04:47:58 -0000
and I cannot query the database (arin, ripe or radb) for the owner of this network. Any hints?
I debated posting this to this list instead of mailing it privately, but I decided the response had some pedagogical value, for some folks, anyway (and y'all who needed to know this are invited to write privately and tell me so, so I have some ammo when randy and jhawk jump my shit. :-)
The .uu.net on the lookup implies that the port belongs, physically, to UUnet; the tnt1 means it's a dialup port on the Tampa, Florida, POP, which is an Ascend MAX TNT.
You'll have to send it to uunet, to find out which of their lessees' customers it is; they should be able to look it up in radius logs, based on the entire headers in the message.
Note that you may have to explicitly point out to them that you _know_ it may not be their customer, and that you also know that they _can_ look up whose customer it _is_ and forward the report along -- otherwise they've demonstrated a disturbing habit in the past of playing dumb, at least with me.
I believe the proper address is abuse@uu.net, unless a DOS attack or something criminal appears to be involved, in which case, send it to security@uu.net.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
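
An added example, not part of any message in this thread: a small Python parser that walks the Received lines quoted above, picks the hop stamped by the relay the reporter operates (the only line whose peer IP the reporter can vouch for), and splits the reverse-DNS name the way the reply reads it. The function names, the trusted-host set and the label layout (port, NAS, city, state) are assumptions made for illustration.

```python
import re

# Received lines copied from the message quoted in this thread, one per line.
RAW_HEADERS = """\
Received: (qmail 26693 invoked from network); 10 May 1998 04:48:03 -0000
Received: from claven.cse.psu.edu (HELO cse.psu.edu) (130.203.3.50) by finch.cse.psu.edu with SMTP; 10 May 1998 04:48:03 -0000
Received: from relay.ipf.net (relay.ipf.net [195.88.0.13]) by cse.psu.edu (8.8.8/8.7.3) with SMTP id AAA21505 for <0000@0000.cs.psu.edu>; Sun, 10 May 1998 00:48:02 -0400 (EDT)
Received: (qmail 13706 invoked from network); 10 May 1998 04:47:58 -0000
Received: from 1cust151.tnt1.tampa.fl.da.uu.net (HELO byte007) (153.37.184.151) by relay.ipf.net with SMTP; 10 May 1998 04:47:58 -0000
"""

# qmail style:    from <rdns> (HELO <helo>) (<ip>) by <host>
QMAIL = re.compile(r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) "
                   r"\((?P<ip>[\d.]+)\) by (?P<by>\S+)")
# sendmail style: from <helo> (<rdns> [<ip>]) by <host>
SENDMAIL = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) "
                      r"\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)")

def parse_hops(raw):
    """Return SMTP hops, newest first; qmail 'invoked' lines name no peer."""
    hops = []
    for line in raw.splitlines():
        if line.startswith("Received:"):
            m = QMAIL.search(line) or SENDMAIL.search(line)
            if m:
                hops.append(m.groupdict())
    return hops

def injection_point(hops, trusted):
    """Newest hop stamped by a relay we operate. Its peer IP was seen on the
    TCP connection; HELO and every header below it came from the client."""
    for hop in hops:
        if hop["by"] in trusted:
            return hop
    return None

def describe_dialup(rdns):
    """Split a *.uu.net dialup name as the reply reads it (layout assumed)."""
    labels = rdns.lower().split(".")
    if len(labels) < 6 or labels[-2:] != ["uu", "net"]:
        return None
    return {"port": labels[0], "nas": labels[1],
            "city": labels[2], "state": labels[3]}

if __name__ == "__main__":
    origin = injection_point(parse_hops(RAW_HEADERS), {"relay.ipf.net"})
    print(origin["ip"], "HELO claimed:", origin["helo"])
    print(describe_dialup(origin["rdns"]))
```

The timestamp on that same Received line, together with the IP, is what the dialup operator needs to match the session in its RADIUS logs, which is why the reply asks for the entire headers to be sent along.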
Jan,
Looks like a UUnet dialup user to me. I'd say call UUnet's NOC, find out to whom this dialup was resold (e.g. Mindspring, Earthlink, etc...) and give them a call. Good luck.
Blake Willis
CAIS Engineering
---------------------------------------------------------------------------
Blake Willis 703-448-4470x483
Network Engineer, New Customers blakew@cais.net
CAIS Internet, a CGX Communications Company
---------------------------------------------------------------------------
On Sun, 10 May 1998, Jan Czmok wrote:
Hi!
We got some spam mail from
Received: from 1cust151.tnt1.tampa.fl.da.uu.net (HELO byte007) (153.37.184.151) by relay.ipf.net with SMTP; 10 May 1998 04:47:58 -0000
and I cannot query the database (arin, ripe or radb) for the owner of this network. Any hints?
If we can find the sender, then we go for a hunt against these spammers.
So far...
Greetings
Jan Czmok IPF.NET NOC
more headers :
Return-Path: hioqibua38@msn.com
Delivery-Date: Sun May 10 04:48:03 1998
Received: (qmail 26693 invoked from network); 10 May 1998 04:48:03 -0000
Received: from claven.cse.psu.edu (HELO cse.psu.edu) (130.203.3.50) by finch.cse.psu.edu with SMTP; 10 May 1998 04:48:03 -0000
Received: from relay.ipf.net (relay.ipf.net [195.88.0.13]) by cse.psu.edu (8.8.8/8.7.3) with SMTP id AAA21505 for <0000@0000.cs.psu.edu>; Sun, 10 May 1998 00:48:02 -0400 (EDT)
Date: Sun, 10 May 1998 00:48:02 -0400 (EDT)
From: hioqibua38@msn.com
Received: (qmail 13706 invoked from network); 10 May 1998 04:47:58 -0000
Received: from 1cust151.tnt1.tampa.fl.da.uu.net (HELO byte007) (153.37.184.151) by relay.ipf.net with SMTP; 10 May 1998 04:47:58 -0000
To: hioqibua38@msn.com
Comments: Authenticated sender is <hioqibua38@msn.com>
Errors-To: shadow007@hotmail.com
Subject: DO YOU KNOW HIS OR HER BACKGROUND???
Message-Id: <199805103688SAA3125@post.ipf.net>
At 12:20 5/11/98 -0400, you wrote:
Jan,
Looks like a UUnet dialup user to me. I'd say call UUnet's NOC, find out to whom this dialup was resold (e.g. Mindspring, Earthlink, etc...) and give them a call. Good luck.
And if the NOC actually provides that info, please drop me a line. Their abuse people keep telling us on SPAM-L that their legal VP won't let them release the names of the resellers using the POPs. If there's a way around that...it'd be most handy...
Mr. Spammer, meet Mr. Mallet...
Dean Robb
PC-Easy On-site computer services
(757) 495-EASY [3279]
On Tue, May 12, 1998 at 01:06:17AM -0400, Dean Robb wrote:
Looks like a UUnet dialup user to me. I'd say call UUnet's NOC, find out to whom this dialup was resold (e.g. Mindspring, Earthlink, etc...) and give them a call. Good luck.
And if the NOC actually provides that info, please drop me a line. Their abuse people keep telling us on SPAM-L that their legal VP won't let them release the names of the resellers using the POPs. If there's a way around that...it'd be most handy...
I don't expect them to release it to _me_, but if they refuse to pursue the spam problem with _their_ customer, whom they _can identify_, then, well... maybe it's time for someone to threaten president@whitehouse.gov via a leased UUnet dialup...
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
On 05/12/98, "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us> wrote:
I don't expect them to release it to _me_, but if they refuse to pursue the spam problem with _their_ customer, whom they _can identify_, then, well... maybe it's time for someone to threaten president@whitehouse.gov via a leased UUnet dialup...
I'm sure it's happened already.
--
J.D. Falk <jdfalk@vix.com>
Vixie Enterprises http://www.vix.com/
At 8:34 PM -0400 5/12/98, Jay R. Ashworth wrote:
well... maybe it's time for someone to threaten president@whitehouse.gov via a leased UUnet dialup...
You realize this is enough to prompt a call by the secret service... ;-)
Don't encourage the clueless, else they might actually do something like that.
--Dean
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc dean@av8.com
LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com
We Make IT Fly! (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On Wed, May 13, 1998 at 04:34:33PM -0400, Dean Anderson wrote:
At 8:34 PM -0400 5/12/98, Jay R. Ashworth wrote:
well... maybe it's time for someone to threaten president@whitehouse.gov via a leased UUnet dialup...
You realize this is enough to prompt a call by the secret service...
To _me_? What I said wasn't a threat, cannot be construed as a threat, nor even an incitement to _make_ a threat, as I wasn't directing it _to_ anyone.
;-)
SS people don't smile. It's in the handbook, page 6.
Don't encourage the clueless, else they might actually do something like that.
Not my problem.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
well... maybe it's time for someone to threaten president@whitehouse.gov via a leased UUnet dialup...
You realize this is enough to prompt a call by the secret service...
Don't encourage the clueless, else they might actually do something like that.
Hi,
As a person who has been getting a call and/or email from the US Secret Service, the FBI, the NCIS, and probably the CIA (but if they told me, they'd have to kill me of course), every other week, I'll just say the clueless don't need encouragement (also, it'd be nice if someone in the US gov't could read the little lines that say "check the APNIC database before contacting APNIC". But then again, why should the US Gov't be any different than the people in the US?)
Regards,
-drc
On Mon, 11 May 1998, Blake Willis wrote:
Looks like a UUnet dialup user to me. I'd say call UUnet's NOC, find out to whom this dialup was resold (e.g. Mindspring, Earthlink, etc...) and give them a call. Good luck.
FYI, MindSpring does not use UUNet dialups.
Brandon Ross
Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
AOL Instant Messenger: Brandon NR ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
On Tue, May 12, 1998 at 07:28:07PM -0400, Brandon Ross wrote:
On Mon, 11 May 1998, Blake Willis wrote:
Looks like a UUnet dialup user to me. I'd say call UUnet's NOC, find out to whom this dialup was resold (e.g. Mindspring, Earthlink, etc...) and give them a call. Good luck.
FYI, MindSpring does not use UUNet dialups.
Forgive me, of course you're right, and I knew that; it's been a bad week.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592
Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
participants (8)
- Blake Willis
- Brandon Ross
- David R. Conrad
- Dean Anderson
- Dean Robb
- J.D. Falk
- Jan Czmok
- Jay R. Ashworth