The IP addresses come from greatnet.de. Send a message to ab...@greatnet.de
(below) and report a possible DOS or spam attack on port 25 coming from the
addresses you indicated. They know who really has the addresses and if they
choose to be helpful can stop it fairly quickly. The fact that you waited to
let it go away on its own works in your favor, be sure to mention it.
As an ISP I routinely block addresses for customers in cases like this.
; <<>> DiG 9.4.1-P1 <<>> 194.122.133.83.in-addr.arpa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55555
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;194.122.133.83.in-addr.arpa. IN A
;; AUTHORITY SECTION:
122.133.83.in-addr.arpa. 3589 IN SOA ns-rev.greatnet.de. abuse.greatnet.de. 1212607992 10800 3600 604800 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 4 13:51:21 2008
;; MSG SIZE rcvd: 105
On Wed, 04 Jun 2008 14:55:50 -0500
Alexander Lázaro Gómez Valdivia <alexa...@esvc.co.cu> wrote:
> Most of the IP ranges you provided belong to correctansw.com servers;
>that info is provided through a DNS request.
>
> The best you can do is:
> * Write a message to the postmaster owner of that server, also try
>postm...@thenominal.com, and ask them for an explanation.
> --- OR ---
> * Include the complete range in Blacklist Hosts and forget about these
>people, or consider including them in the Blacklist Hosts on the Firewall or
>Proxy server for more care.
>
>
> Cheers.
> A.G.Valdivia
>
>
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGat...@mail.stalker.com] On
>behalf of Gib Henry
> Sent: Wednesday, June 4, 2008 01:59 p.m.
> To: CommuniGate Pro Discussions
> Subject: Relentless attack
>
>For several weeks, I've had certain IP ranges blocked from my SMTP listener
>because of overwhelming attacks/connection attempts (tens of thousands per
>day). Just for fun, I turned those addresses back on for a minute or two,
>and sure 'nuff, the attacks started again almost instantly, suggesting
>they've been trying all this time:
>
> 13:34:53.182 1 SMTPI-419712([83.133.122.195]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:34:54.937 1 SMTPI-419713([83.133.122.196]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:34:56.815 1 SMTPI-419714([83.133.122.197]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:34:58.783 1 SMTPI-419715([83.133.122.198]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:35:00.617 1 SMTPI-419716([83.133.122.194]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:35:02.417 1 SMTPI-419717([83.133.122.195]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:35:04.183 1 SMTPI-419718([83.133.122.196]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:35:06.047 1 SMTPI-419719([83.133.122.197]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:35:07.805 1 SMTPI-419720([83.133.122.198]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
> 13:35:09.618 1 SMTPI-419721([83.133.122.194]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
>
> Who ARE these people, what do they want, and how can I put a stop to
>them???
> Cheers,
> --
> Gib Henry
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <CGat...@mail.stalker.com>.
> To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
> To switch to the DIGEST mode, E-mail to <CGatePr...@mail.stalker.com>
> To switch to the INDEX mode, E-mail to <CGatePr...@mail.stalker.com>
> Send administrative queries to <CGatePro...@mail.stalker.com>
Larry Ash
Network Administrator
Mountain West Telephone
400 East 1st St.
Casper, WY 82601
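The lookup above relies on one detail worth making explicit: dig returned no PTR answer, but the AUTHORITY section carries the SOA of the covering reverse zone, and the second name in that SOA (the RNAME) encodes the responsible mailbox, with the first unescaped dot standing in for the "@". The script below is an added example, not code from the thread or from any of the posters; it builds the in-addr.arpa name for an address, parses the SOA out of the dig output quoted above (embedded here as a string copied from that output, with the wrapped SOA line re-joined), and converts the RNAME to a mailbox. The function names are mine.

```python
import ipaddress

# Copied from the dig output in the message above (SOA line re-joined onto one line).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;194.122.133.83.in-addr.arpa. IN A
;; AUTHORITY SECTION:
122.133.83.in-addr.arpa. 3589 IN SOA ns-rev.greatnet.de. abuse.greatnet.de. 1212607992 10800 3600 604800 3600
"""


def reverse_name(ip):
    """Owner name to query in the reverse tree, e.g. 83.133.122.194 -> 194.122.133.83.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_soa(dig_text):
    """Return (zone, mname, rname) from the first SOA record in dig's answer or authority section."""
    for line in dig_text.splitlines():
        if line.startswith(";"):          # dig comments and the question line
            continue
        fields = line.split()
        if len(fields) >= 6 and fields[3] == "SOA":
            return fields[0], fields[4], fields[5]
    return None


def rname_to_mailbox(rname):
    """RFC 1035 SOA RNAME -> mailbox.

    The first unescaped dot separates the local part from the domain;
    a backslash-escaped dot (e.g. john\\.doe.example.com.) is a literal dot
    inside the local part."""
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            local.append(name[i + 1])
            i += 2
            continue
        if c == ".":
            return "".join(local) + "@" + name[i + 1:]
        local.append(c)
        i += 1
    return "".join(local)                 # no dot at all: malformed RNAME, return as-is


def abuse_contact_for(ip, dig_text):
    """Tie the pieces together for one address using already-captured dig output."""
    soa = parse_soa(dig_text)
    if soa is None:
        return None
    zone, mname, rname = soa
    return {
        "reverse_name": reverse_name(ip),
        "zone": zone,
        "primary_ns": mname,
        "contact": rname_to_mailbox(rname),
    }


if __name__ == "__main__":
    print(abuse_contact_for("83.133.122.194", DIG_OUTPUT))
```

The RNAME is the zone's hostmaster contact, not necessarily the abuse desk; treat it as the fallback when a WHOIS lookup on the address block shows no abuse mailbox, and quote the dig output and the rejection log lines in the report so the ISP can match them to a customer.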
Is it a bad ISP allowing this, or is it compromised machines whose
volume of connections is not recognized by the ISP? Because of
course I can't get a response from the ISP with their IP range
blocked, yet the fact that the attempts continue several weeks after
complaining to them does suggest that the ISP itself is the problem.
I hate to "throw out the baby with the bathwater," i.e. block a whole
range because of one rogue customer, but if the ISP allows/encourages
that kind of behavior, then perhaps that's justified...?
I guess in the final analysis I don't understand what the perpetrator
gets out of all this! Cheers,
--
Gib
On 6/5/08 at 4:00 AM -0700, CommuniGate Pro Discussions wrote:
>Date: Wed, 04 Jun 2008 14:30:23 -0500
>From: Lyle Giese <ly...@lcrcomputer.net>
>Subject: Re: Relentless attack
>You have done the best thing you can do for yourself. I just
>checked and our Barracuda is blocking them via the Barracuda
>reputation list and they are listed in our inhouse rbl as of
>5/14/08.
>
>But their traffic levels here are not high enough to trip the
>Barracuda's rate control (> 50 connects in 30 minutes), so they have
>not come up on my radar screen.
>
>I will take the time to post our personal list of shame. These
>subnets were hitting the Barracuda so hard, they were at the top of
>the rate control list and I then ACL'ed them at our router
>
>router ACL blocks to port 25 on MailGW: Total acl blocks recorded
>Tue, Jun 3 was 19007
>acl blocks from subnet 63.111.28.0 4683
>acl blocks from subnet 64.14.239.0 984
>acl blocks from subnet 65.216.166.0 497
>acl blocks from subnet 65.240.141.0 3162
>acl blocks from subnet 129.41.76.0 2832
>acl blocks from subnet 129.41.78.0 5744
>acl blocks from subnet 129.41.98.0 712
>acl blocks from subnet 216.35.161.0 393
>
>These are all /24 subnets and are tarpitted at our Cisco router.
>This is NOT normal traffic to me and I really did not want to take
>this step as things like blacklist-admin don't work from these ip
>addresses.
>
>Oh well,
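Both Gib's question (is it one rogue host or a whole range?) and Lyle's rate-control threshold (more than 50 connects in 30 minutes, then an ACL on the /24) can be answered from the SMTPI log alone. The script below is an added example, not code from the thread or from CommuniGate Pro; it parses the rejection lines Gib posted (embedded here with the wrapped lines re-joined), aggregates connection attempts per /24 in a sliding 30-minute window, and reports the peak count per network alongside the individual addresses seen, so a reader can tell a single host from a rotating set like the .194–.198 pattern above. The log line format is taken from the post; the function names and the threshold default are mine, and the log carries no date, so all lines are assumed to fall on the same day.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CommuniGate SMTPI rejection lines, as posted above (one per line, quote marks removed).
SAMPLE_LOG = """\
13:34:53.182 1 SMTPI-419712([83.133.122.195]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:34:54.937 1 SMTPI-419713([83.133.122.196]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:34:56.815 1 SMTPI-419714([83.133.122.197]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:34:58.783 1 SMTPI-419715([83.133.122.198]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:35:00.617 1 SMTPI-419716([83.133.122.194]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:35:02.417 1 SMTPI-419717([83.133.122.195]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:35:04.183 1 SMTPI-419718([83.133.122.196]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:35:06.047 1 SMTPI-419719([83.133.122.197]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:35:07.805 1 SMTPI-419720([83.133.122.198]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
13:35:09.618 1 SMTPI-419721([83.133.122.194]) Return-Path 'LUFE...@thenominal.com' rejected: no relay available
"""

# time, log level, SMTPI session id, bracketed client address
LOG_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \d+ SMTPI-\d+\(\[(?P<ip>[\d.]+)\]\)")


def parse_line(line):
    """Return (timestamp, client ip) for an SMTPI line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m.group("time"), "%H:%M:%S.%f")   # same day assumed (no date in log)
    return t, ipaddress.ip_address(m.group("ip"))


def rate_offenders(lines, threshold=50, window=timedelta(minutes=30), prefix=24):
    """Sliding-window connection counts per /prefix network.

    Returns (peaks, hosts, flagged): peaks maps network -> highest count seen in
    any window, hosts maps network -> set of individual addresses, flagged is the
    set of networks whose peak exceeded threshold (strictly, like the '> 50' rule)."""
    recent = defaultdict(deque)            # network -> timestamps inside the window
    peaks = defaultdict(int)
    hosts = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, ip = parsed
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        q = recent[net]
        q.append(t)
        while q and t - q[0] > window:     # drop attempts older than the window
            q.popleft()
        peaks[net] = max(peaks[net], len(q))
        hosts[net].add(str(ip))
    flagged = {str(n) for n, c in peaks.items() if c > threshold}
    return ({str(n): c for n, c in peaks.items()},
            {str(n): sorted(h) for n, h in hosts.items()},
            flagged)


if __name__ == "__main__":
    peaks, hosts, flagged = rate_offenders(SAMPLE_LOG.splitlines())
    for net, count in sorted(peaks.items(), key=lambda kv: -kv[1]):
        mark = "BLOCK" if net in flagged else "watch"
        print(f"{mark:5} {net:20} peak {count:5} in window, {len(hosts[net])} distinct hosts")
```

On the ten lines above the /24 peaks at 10 attempts across five distinct hosts, which is below Lyle's 50-in-30-minutes trigger but already shows the rotating-address pattern; fed a full day of the listener log, the same function yields a ranked list like Lyle's "list of shame" and makes the per-/24 decision (one host or the whole range) a measured one rather than a guess.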