[Dshield] Help on Finding contacts at domains

Doug White doug at clickdoug.com
Fri Sep 5 00:41:12 GMT 2003


I am experiencing something similar - here is what the mail server log says:

Sep  4 19:32:03 GULF postfix/smtpd[22412]: connect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:04 GULF postfix/smtpd[22412]: 75C333E0070: client=adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:05 GULF postfix/smtpd[22412]: reject: RCPT from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]: 504 <JERRY>: Helo command rejected: need fully-qualified hostname; from=<CZUBA at ANDERINGER.COM> to=<munged>
Sep  4 19:32:07 GULF postfix/smtpd[22420]: connect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:08 GULF postfix/smtpd[22420]: D9FDA3E007A: client=adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:10 GULF postfix/smtpd[22420]: reject: RCPT from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]: 504 <JERRY>: Helo command rejected: need fully-qualified hostname; from=<JonathanW at Panaband.com> to=<munged>
Sep  4 19:32:11 GULF postfix/smtpd[22412]: disconnect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:15 GULF postfix/smtpd[22420]: disconnect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]

But the actual email header says a completely different source, etc.  All are
crafted as bounces, but have the SoBig attachments.  We have been receiving around
500 of these per day for the past week or so.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!
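As an added example (not code from Doug's post or from any list member), here is a Python script that takes the Postfix smtpd lines quoted above, groups them by client IP and writes a summary suitable for the owning network's abuse contact; it also pulls the originating IP out of a Received: header of the form John quotes further down the thread. The log text is constructed from the lines above with the list archive's " at " munging of "@" undone (an assumption about the original log), and the second Received: line used for checking is a made-up value in the 192.0.2.0/24 documentation range.

```python
import re

# Constructed sample: the Postfix smtpd lines quoted in the post above, one
# event per line. The archive's " at " munging of "@" in from= has been undone
# (an assumption about the original log); recipients stay munged.
SAMPLE_LOG = """\
Sep  4 19:32:03 GULF postfix/smtpd[22412]: connect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:04 GULF postfix/smtpd[22412]: 75C333E0070: client=adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:05 GULF postfix/smtpd[22412]: reject: RCPT from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]: 504 <JERRY>: Helo command rejected: need fully-qualified hostname; from=<CZUBA@ANDERINGER.COM> to=<munged>
Sep  4 19:32:07 GULF postfix/smtpd[22420]: connect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:08 GULF postfix/smtpd[22420]: D9FDA3E007A: client=adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:10 GULF postfix/smtpd[22420]: reject: RCPT from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]: 504 <JERRY>: Helo command rejected: need fully-qualified hostname; from=<JonathanW@Panaband.com> to=<munged>
Sep  4 19:32:11 GULF postfix/smtpd[22412]: disconnect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
Sep  4 19:32:15 GULF postfix/smtpd[22420]: disconnect from adsl-68-73-64-36.dsl.klmzmi.ameritech.net[68.73.64.36]
"""

# Syslog prefix common to every smtpd line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<rest>.*)$"
)
# "connect from host[ip]" and "disconnect from host[ip]".
CONN_RE = re.compile(r"^(?P<event>connect|disconnect) from (?P<host>\S+?)\[(?P<ip>[\d.]+)\]$")
# "reject: RCPT from host[ip]: 504 <helo>: reason; from=<x> to=<y>".
REJECT_RE = re.compile(
    r"^reject: RCPT from (?P<host>\S+?)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) <(?P<helo>[^>]*)>: "
    r"(?P<reason>.+?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$"
)
# A Received: header as a victim's bounce shows it. Accepts both "name ([ip]"
# and "name (rdns [ip]" forms and tolerates a missing closing parenthesis,
# since the quote further down the thread is truncated.
RECEIVED_RE = re.compile(
    r"^Received: from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
)


def summarize(log_text):
    """Group smtpd events by client IP: connection count, RCPT rejections, the
    HELO names the client offered and the envelope senders it claimed."""
    clients = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, rest = m.group("ts"), m.group("rest")
        ev = CONN_RE.match(rest) or REJECT_RE.match(rest)
        if ev is None:
            continue  # queue-id / client= lines add nothing for this summary
        ip = ev.group("ip")
        entry = clients.setdefault(ip, {
            "host": ev.group("host"), "connections": 0, "rejects": 0,
            "helos": set(), "senders": set(), "codes": set(),
            "first_seen": ts, "last_seen": ts,
        })
        entry["last_seen"] = ts
        if ev.re is CONN_RE:
            if ev.group("event") == "connect":
                entry["connections"] += 1
        else:
            entry["rejects"] += 1
            entry["helos"].add(ev.group("helo"))
            entry["senders"].add(ev.group("sender"))
            entry["codes"].add(ev.group("code"))
    return clients


def received_ip(header_line):
    """Return the connecting IP the receiving MX recorded in a Received: header.
    The name before the parenthesis is whatever the client said in HELO; only
    the bracketed address was actually observed by the server."""
    m = RECEIVED_RE.match(header_line.strip())
    return m.group("ip") if m else None


def abuse_report(clients, ip):
    """Plain-text summary for the owning network's abuse contact. The client IP
    and timestamps are observed facts; the from= addresses are only claims."""
    e = clients[ip]
    lines = [
        f"Client {e['host']}[{ip}], {e['first_seen']} to {e['last_seen']}:",
        f"  {e['connections']} connections, {e['rejects']} RCPT rejections"
        f" (SMTP codes {', '.join(sorted(e['codes']))})",
        f"  HELO names offered: {', '.join(sorted(e['helos']))}",
        f"  envelope senders claimed: {', '.join(sorted(e['senders']))}",
    ]
    if len(e["senders"]) > 1:
        lines.append("  note: sender varies per message from one client; treat from= as forged")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client_ip in summary:
        print(abuse_report(summary, client_ip))
    print("Received header originating IP:",
          received_ip("Received: from  VALUED-078DE3BD ([207.63.198.104]"))
```

The 504 "need fully-qualified hostname" rejection is Postfix's reject_non_fqdn_helo_hostname restriction (spelled reject_non_fqdn_hostname in older releases). The summary makes the same point Doug's post does: the client address and timestamps were observed by the server, whereas the from= addresses change from one message to the next and are exactly what Sobig forges, so a report to the ISP should lead with the IP and the times rather than the claimed senders.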

----- Original Message ----- 
From: "John Dalton" <dubuque_1 at msn.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, September 04, 2003 5:24 PM
Subject: Re: [Dshield] Help on Finding contacts at domains


| Deb,
| I failed to state the infection the machine is spreading is Sobig, and I did
| see those email addresses and phone numbers, which I should have mentioned.
| But I did not want to go that far yet :) Plus figuring out which poor person
| to ask
|
| Brings back memories one time of a runaway machine blasting our company with
| hundreds of emails in a couple hours, when I contacted the
| administrative/technical contact number, they stated "how did you get this
| number" and I almost didn't have the heart to tell them it was the one
| listed as contacts for the domain at Internic :)
| I will give it a few more days, seems to be finding this one might be
| difficult if it is on again off again, but it has stayed a consistent
| machine name IP for the whole time, but with a name like Valued, I think it
| is a user's machine
|
| Thanks
|
|
| ----- Original Message ----- 
| From: "Deb Hale" <haled at pionet.net>
| To: "'General DShield Discussion List'" <list at dshield.org>
| Sent: Thursday, September 04, 2003 4:40 PM
| Subject: RE: [Dshield] Help on Finding contacts at domains
|
|
| > John,  According to the information from the dshield database and their
| > support page their abuse email address is abuse at illinois.net.  It appears
| > that Illinois Communication Network actually provides service for the school
| > districts as well as the government agencies in Illinois.
| >
| > I know that a major school district in Illinois got hit with the Blaster.
| > They probably are still having fallout from that.  They had to shut down all
| > of their computers and are gradually bringing them back on line.
| >
| > http://www.illinois.net/contact/icnstaff.htm  I noticed that they do have
| > their staff directory on line.  You may try sending an email to their IT
| > people and see if you get any response that way.
| >
| > Deb
| >
| >
| >
| > -----Original Message-----
| > From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
| > Of John Dalton
| > Sent: Thursday, September 04, 2003 4:11 PM
| > To: General DShield Discussion List
| > Subject: [Dshield] Help on Finding contacts at domains
| >
| >
| > I need to draw on the excellent resources here on the dshield list :)
| >
| > In the last week I have had a smattering of emails that were generated
| > elsewhere and I am the one contacted. I would not even be asking this if not
| > for the fact they all come from two ISP's, one who I contacted by phone the
| > other day, and after getting past the person's attitude while answering (so
| > what is our user's email address, to which I answered his MACHINE'S IP was
| > x.x.x.x,) I now have a good slug of ones coming from 207.63.198.104, shown
| > in headers (where the victims show them) as:
| > Received: from  VALUED-078DE3BD ([207.63.198.104]
| > I looked them up to find:
| > Illinois Century Network
| > 120 west jefferson
| > suite b
| > springfield
| > IL
| > 62702
| > United States
| >
| > Illinois Century Network
| > +1-217-557-6555
| > hostmaster at illinois.net
| >
| > I have emailed to abuse.fraud and hostmaster at illinois.net, I have gone to
| > www.illinois.net, and tried to find contacts for an email contact. They seem
| > to be a Provider for Illinois school districts for Internet connectivity.
| >
| > It is a nuisance for now, but all the emails I am getting about "sending"
| > infected emails to various companies, all indicate this IP as the origin.
| >
| > Yes I have made sure I am all patched, and checked several ways to confirm I
| > am NOT infected.
| >
| > Can anyone enlighten me to how to pursue this next, and how they came up
| > with this direction ...
| >
| > Thanks in advance
| > John D
| >
| > _______________________________________________
| > list mailing list
| > list at dshield.org
| > To change your subscription options (or unsubscribe), see:
| > http://www.dshield.org/mailman/listinfo/list
| >
| >
| >
|
|