[Dshield] Spammer

Ed Truitt ed.truitt at etee2k.net
Wed Oct 29 12:57:48 GMT 2003

KennethSoong at tagtechnology.com.sg wrote:

>     I seem to notice a particular spammer from IP range of using
>our MS Exchange 2000 Server to relay their emails. Can anyone tell me who
>these people are? I tried ping, tracert and even checking the whois database but
>each time it returns an error or no record.
>Kenneth Soong
I tried WHOIS, and got the following info:

inetnum: -
netname:      DISHNET
descr:        DISHNETDSL LTD
descr:        19, Cathedral Garden Road
descr:        Nungambakkam
descr:        CHENNAI
country:      IN
admin-c:      DIH1-AP
tech-c:       DIH1-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-DISHNET
changed:      hostmaster at apnic.net 20000321
changed:      hostmaster at apnic.net 20000927
changed:      hm-changed at apnic.net 20020612
source:       APNIC

role:         DISHNET IP Hostmaster
address:      DishnetDSL Limited
address:      19, Cathedral Garden Road
address:      Chennai, 600 034
phone:        +91-44-825 6201
phone:        +91-44-825 6149
phone:        +91-44-826 9801
fax-no:       +91-44-825 7477
e-mail:       ip-admin at ddsl.net
trouble:      Network abuse issues and SPAM complaints
trouble:      should be sent to abuse at eth.net
admin-c:      BR31-AP
tech-c:       BR31-AP
nic-hdl:      DIH1-AP
remarks:      role object for Dishnet IP Administrators
notify:       ip-admin at ddsl.net
mnt-by:       MAINT-IN-DISHNET
changed:      bbreddy at ddsl.net 20020530
source:       APNIC

So, you should be able to forward the entire email in question 
(including headers) or the relevant log extracts to abuse at eth.net and 
hopefully get some response.

Now, to look at this from another perspective:  why do you allow IPs 
from outside your network to use your Exchange server as a relay?  I do 
happen to know that the current version of Exchange does allow for 
preventing such use (anonymous relay), and the last batch of MSFT 
security bulletins included 1 against Exchange, which could lead to DoS 
or, even worse, execution of arbitrary code.  I would give very serious 
thought to securing that box if I were you. 

Just my $0.02, and doing my part to make the 'Net a safer (or less 
dangerous, anyway) place.

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
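As an added illustration of the "forward the headers" step, and not code from the original post: this Python snippet walks the Received: headers of a constructed sample message to pick out the external client IP that handed the message to the relay, which is the value to quote in the abuse report. The hostnames, addresses and network ranges are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a relayed message as it would look in the abuse complaint
# or in the relaying server's own copy. All hosts and addresses are made up.
SAMPLE_MESSAGE = """Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTP id 1234
    for <victim@recipient.example>; Wed, 29 Oct 2003 10:11:12 +0000
Received: from unknown (HELO bulkmailer) ([203.0.113.77])
    by mail.example.org with Microsoft SMTPSVC(5.0.2195.5329);
     Wed, 29 Oct 2003 10:10:02 +0000
Received: from forged.spammer.invalid ([10.9.8.7]) by bulkmailer; forged line
From: "Special Offer" <offer@spam.invalid>
To: victim@recipient.example
Subject: cheap stuff

buy now
"""

# Address in square brackets is the IP the receiving MTA actually saw.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_abusing_client(raw_message: str, our_networks):
    """Return the first IP outside `our_networks` that handed the message to
    one of our hops, reading Received: headers from newest (top) to oldest.
    Hops below the first external one may be forged by the sender, so they
    are never consulted; None means no external hop was found."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(header)
        if not match:
            continue  # hop without a bracketed IP, nothing to attribute
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the relay owner's own address space.
    print(find_abusing_client(SAMPLE_MESSAGE, ["192.0.2.0/24"]))
```

The returned address is what goes into the complaint alongside the full headers; the forged hop beneath it is deliberately ignored.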
