Multiple telus.net spambots (was: [Dshield] Acceptable use policy at Telus.net)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Tue Jan 20 13:03:19 GMT 2004


Hi Telus Abuse, Laurent, list,

Let's see if the new Telus AUP actually works.

Some telus.net compromised PCs (spambots), registered in the last 17
hours, harassing my mailserver and some of my users, and listed in
blacklist(s):

66.222.160.60   (cbl.abuseat.org)
142.59.0.195    (not in cbl, but in spamcop.net)
66.183.33.47    (cbl.abuseat.org)
207.6.208.158   (cbl.abuseat.org)
142.59.176.7    (cbl.abuseat.org)
142.173.97.221  (cbl.abuseat.org)

Three of the six currently respond to ICMP ping (detailed headers at the
end of this message).

Explanation: my site is being Joe-jobbed. The information below was
extracted from the (many) bounces (DSNs, Delivery Status Notifications)
sent to my MTA. These spamproxies are forging our site name and hosts,
and spoofing originators. As can be seen below, recently the spammers
have started using 3-7 character names @mysite, which DOES cause users
to receive spam-bounces in their mailboxes: FPs*cpo.tn.tudelft.nl

More information regarding the Joe-job against my site is here:
http://www.dshield.org/pipermail/list/2004-January/013937.php

Regards,

Erik van Straten
CPO Sysadmin

P.S. DShield moderator & list: I do not intend to make a habit of
publicizing IPs like this. However IMO this problem is very much
underestimated and requires more attention. My site can still cope with
it, but it's getting worse. Many other Joe-jobbed sites, especially the
smaller ones, cannot cope and may have insufficient time/knowledge to
investigate attacks like these.

On Tue, 20 Jan 2004 00:34:10 -0800 "Laurent" <saplairoles at telus.net> wrote:
> My ISP (telus.net) seems to take matters into their hands when it comes to preventing 
> their users from doing anything "bad". Or at least that's what they state in their new 
> acceptable use policy: http://www.mytelus.com/internet/nv/aup.do
[snip]


Note: all "at" signs below have been replaced by * to prevent anyone
from auto-grabbing email addresses (if the DShield moderator accepts
this will become a webpage).

--------------------------------------------------------------

X-Originating-IP: [66.222.160.60]
Return-Path: <ricksrx*dutndo7.tn.tudelft.nl>
Received: from ot.olympus.co.jp (d66-222-160-60.abhsia.telus.net [66.222.160.60])
        by vmd-ext.prodigy.net (8.12.10/8.12.10) with ESMTP id i0JJ6r3C501226
        for <wsho93*prodigy.net>; Mon, 19 Jan 2004 14:06:54 -0500
Message-ID: <7bc801c3df45$04f80846$17cdf2b4*ot.olympus.co.jp>
From: "Arlene Ricks" <ricksrx*dutndo7.tn.tudelft.nl>
To: wsho93*prodigy.net
Subject: buy online
Date: Tue, 20 Jan 2004 11:08:46 +0000

--------------------------------------------------------------

Return-Path: <t_bowen_og*cpo.tn.tudelft.nl>
Received: from the-undertaker.co.uk (d142-59-0-195.abhsia.telus.net [142.59.0.195])
        by gw1.pactitle.com (8.12.8/8.12.8) with ESMTP id i0JKgs2t031255
        for <ad*pactitle.com>; Mon, 19 Jan 2004 12:43:00 -0800
Message-ID: <a42e01c3df10$72f7272f$cd8562c1*the-undertaker.co.uk>
MIME-Version: 1.0
To: ad*pactitle.com
From: "Todd Bowen" <t_bowen_og*cpo.tn.tudelft.nl>
Date: Tue, 20 Jan 2004 04:44:09 +0000
Subject: New Email System

--------------------------------------------------------------

Return-Path: <qBpIoc*cpo.tn.tudelft.nl>
Received: from dutndo7.tn.tudelft.nl (d66-183-33-47.bchsia.telus.net [66.183.33.47])
        by freenet2.afn.org (8.11.6/8.11.6) with SMTP id i0K29h801572
        for <afn39674*afn.org>; Mon, 19 Jan 2004 21:09:44 -0500
Date: Mon, 19 Jan 2004 21:09:44 -0500
Message-ID: <b09101c3defd$a934b4d2$8bb19105*brDU>
From: "A Internet Store" <qBpIoc*cpo.tn.tudelft.nl>
To: afn39674*afn.org
Subject: Accomplish Your New Year's Desires

--------------------------------------------------------------

Return-Path: <FPs*cpo.tn.tudelft.nl>
Received: from ns7.t3interactive.com (root*localhost)
        by 101funpages.com (8.11.6/8.11.6) with ESMTP id i0K6PUr07686
        for <fantasy_grrrl15*101funpages.com>; Tue, 20 Jan 2004 01:25:30 -0500
X-ClientAddr: 207.6.208.158
Received: from dutndo7.tn.tudelft.nl (d207-6-208-158.bchsia.telus.net [207.6.208.158])
        by ns7.t3interactive.com (8.11.6/8.11.6) with SMTP id i0K6PSY07681
        for <fantasy_grrrl15*101funpages.com>; Tue, 20 Jan 2004 01:25:29 -0500
Date: Tue, 20 Jan 2004 01:25:29 -0500
Message-ID: <a40c01c3df12$db6b843a$76a531fd*fbgjCMXY>
From: "A Internet Store" <FPs*cpo.tn.tudelft.nl>
To: fantasy_grrrl15*101funpages.com
Subject: Achieve Your New Year's Ambitions

--------------------------------------------------------------

Return-Path: <fvrjO*dutndo7.tn.tudelft.nl>
Received: (qmail 74600 invoked from network); 20 Jan 2004 05:54:51 -0000
Received: from unknown (HELO mail.personainternet.com) (10.25.1.2)
  by mail.personainternet.com with SMTP; 20 Jan 2004 05:54:51 -0000
Received: (qmail 16469 invoked by uid 514); 20 Jan 2004 05:54:50 -0000
Received: from fvrjO*dutndo7.tn.tudelft.nl by slb-mail2 by uid 502 with qmail-scanner-1.20rc3
 (clamuko: 0.60.  Clear:RC:0:.
 Processed in 0.116055 secs); 20 Jan 2004 05:54:50 -0000
Received: from unknown (HELO mxin.personainternet.com) ([10.26.1.1])
          (envelope-sender <fvrjO*dutndo7.tn.tudelft.nl>)
          by mail.personainternet.com (qmail-ldap-1.03) with SMTP
          for <hepting*isys.ca>; 20 Jan 2004 05:54:50 -0000
Received: from d142-59-176-7.abhsia.telus.net [142.59.176.7] by mxin.personainternet.com asmtp(3.0m)
        id 8472; Tue, 20 Jan 2004 00:54:49 -0500 (EST)
Message-ID: <c0e301c3df1d$69e660ed$c7607f73*yS3U5>
From: "The Internet Shop" <fvrjO*dutndo7.tn.tudelft.nl>
To: hepting*isys.ca
Subject: Complete Your New Year's Goals
Fast
Date: Tue, 20 Jan 2004 01:18:30 -0500

--------------------------------------------------------------

Received: from orange.be (d142-173-97-221.bchsia.telus.net [142.173.97.221])
        by mailgw1.fraunhofer.de (8.12.10/8.12.10) with ESMTP id i0K855kE005000
        for <bobjo*igd.fhg.de>; Tue, 20 Jan 2004 09:05:11 +0100 (MET)
Message-ID: <49e501c3df6f$2f7eeec4$c9e135a9*orange.be>
To: bobjo*igd.fhg.de
MIME-Version: 1.0
Date: Tue, 20 Jan 2004 16:06:25 +0000
From: "Lesa Duran" <lduranwo*cpo.tn.tudelft.nl>
Content-Type: text/html
X-Spamd-Host: spamd1.fraunhofer.de
X-Spam-Status: Yes, hits=9.8 required=8.0
        tests=BAYES_70,CLICK_BELOW,DATE_IN_FUTURE_06_12,HTML_60_70,
              HTML_FONT_BIG,HTML_FONT_COLOR_BLUE,HTML_FONT_COLOR_RED,
              HTML_LINK_CLICK_HERE,HTML_SHOUTING3,MIME_HTML_ONLY,
              MONEY_BACK,RCVD_IN_DSBL
        version=2.55
X-Spam-Level: *********
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Spam-Report: ---- Start SpamAssassin results
  9.80 points, 8 required;
  *  1.3 -- BODY: Money back guarantee
  *  0.1 -- BODY: HTML link text says "click here"
  *  0.1 -- BODY: Message is 60% to 70% HTML
  *  0.1 -- BODY: HTML font color is red
  *  2.3 -- BODY: Bayesian classifier says spam probability is 70 to 80%
  [score: 0.7731]
  *  0.2 -- BODY: FONT Size +2 and up or 3 and up
  *  0.1 -- BODY: HTML has very strong "shouting" markup
  *  0.1 -- BODY: HTML font color is blue
  *  1.1 -- Date: is 6 to 12 hours after Received: date
  *  4.3 -- RBL: Received via a relay in list.dsbl.org
  [RBL check: found 221.97.173.142.list.dsbl.org.]
  *  0.0 -- Asks you to click below
  *  0.1 -- Message only has text/html MIME parts
  ---- End of SpamAssassin results
X-Spam-Flag: YES
Subject: [SPAM?] break me off some!

--------------------------------------------------------------
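As an added example (not part of Erik's message or of the DShield list archive), the triage his header dumps above imply, written out in Python: unfold the bounce headers, walk the Received: chain from the bottom up past the RFC 1918 internal hops to the relay that injected the mail, state why the mail is forged rather than ours, and build the reversed-octet DNSBL query name of the kind SpamAssassin logged above (221.97.173.142.list.dsbl.org). The two sample bounces are constructed from the headers above with the `*` obfuscation undone; OUR_DOMAINS, the regexes and the function names are this example's own assumptions. The DNS lookup itself is left out so the script runs offline.

```python
"""Triage a Joe-job bounce: find the relay that injected the forged mail,
explain why it is forged, and build the DNSBL query name for that relay.
Added example; the helper names and regexes are this example's own."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostnames the Joe-jobbed site owns (taken from the message above).
OUR_DOMAINS = {"cpo.tn.tudelft.nl", "dutndo7.tn.tudelft.nl"}

# Constructed from the Fraunhofer bounce above ("*" restored to "@").
BOUNCE_A = """\
Received: from orange.be (d142-173-97-221.bchsia.telus.net [142.173.97.221])
        by mailgw1.fraunhofer.de (8.12.10/8.12.10) with ESMTP id i0K855kE005000
        for <bobjo@igd.fhg.de>; Tue, 20 Jan 2004 09:05:11 +0100 (MET)
Message-ID: <49e501c3df6f$2f7eeec4$c9e135a9@orange.be>
To: bobjo@igd.fhg.de
From: "Lesa Duran" <lduranwo@cpo.tn.tudelft.nl>
Subject: [SPAM?] break me off some!
"""

# Constructed from the personainternet.com bounce above: internal qmail hops
# with RFC 1918 addresses sit above the real, external entry point.
BOUNCE_B = """\
Return-Path: <fvrjO@dutndo7.tn.tudelft.nl>
Received: (qmail 74600 invoked from network); 20 Jan 2004 05:54:51 -0000
Received: from unknown (HELO mail.personainternet.com) (10.25.1.2)
  by mail.personainternet.com with SMTP; 20 Jan 2004 05:54:51 -0000
Received: from unknown (HELO mxin.personainternet.com) ([10.26.1.1])
          (envelope-sender <fvrjO@dutndo7.tn.tudelft.nl>)
          by mail.personainternet.com (qmail-ldap-1.03) with SMTP
          for <hepting@isys.ca>; 20 Jan 2004 05:54:50 -0000
Received: from d142-59-176-7.abhsia.telus.net [142.59.176.7] by mxin.personainternet.com asmtp(3.0m)
        id 8472; Tue, 20 Jan 2004 00:54:49 -0500 (EST)
From: "The Internet Shop" <fvrjO@dutndo7.tn.tudelft.nl>
To: hepting@isys.ca
"""


@dataclass
class Hop:
    helo: str            # name the client announced (sendmail: "from NAME", qmail: "(HELO NAME)")
    rdns: Optional[str]  # reverse lookup the receiving MTA recorded, if any
    ip: Optional[str]    # first public IPv4 on the hop; None for internal relays


HELO_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
QMAIL_HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
ADDR_RE = re.compile(r"^(?:Return-Path|From):.*?<([^>]+)>", re.I | re.M)


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out


def public_ip(text: str) -> Optional[str]:
    """First globally routable IPv4 literal in text; RFC 1918 and loopback are skipped."""
    for cand in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        if addr.is_global:
            return str(addr)
    return None


def parse_hops(raw: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in unfold(raw):
        m = HELO_RE.match(line)
        if not m:  # e.g. "Received: (qmail ... invoked from network)"
            continue
        helo = m.group(1)
        q = QMAIL_HELO_RE.search(line)
        if q:  # qmail writes "from unknown (HELO name)"
            helo = q.group(1)
        r = RDNS_RE.search(line)
        hops.append(Hop(helo, r.group(1) if r else None, public_ip(line)))
    return hops


def originating_hop(hops: List[Hop]) -> Optional[Hop]:
    """Received: headers are prepended, so the lowest hop with a public IP is
    the host that handed the spam to the recipient's first MTA."""
    for hop in reversed(hops):
        if hop.ip:
            return hop
    return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone; an A record for this name means
    the IP is listed. The lookup itself is left to the caller."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def forgery_indicators(raw: str, our_domains=OUR_DOMAINS) -> List[str]:
    """Why this bounce is a Joe-job against us rather than mail we sent."""
    origin = originating_hop(parse_hops(raw))
    found = [f"sender {a} forged in our domain" for a in ADDR_RE.findall(raw)
             if a.rsplit("@", 1)[-1].lower() in our_domains]
    if origin:
        name = (origin.rdns or origin.helo).lower()
        if not any(name.endswith(d) for d in our_domains):
            found.append(f"injected by {origin.ip} ({name}), not by one of our hosts")
        if origin.rdns and origin.helo.lower() != origin.rdns.lower():
            found.append(f"HELO {origin.helo} does not match rDNS {origin.rdns}")
    return found


if __name__ == "__main__":
    for bounce in (BOUNCE_A, BOUNCE_B):
        origin = originating_hop(parse_hops(bounce))
        print(origin.ip, dnsbl_query_name(origin.ip, "cbl.abuseat.org"))
        print("\n".join("  " + s for s in forgery_indicators(bounce)))
```

The bottom-up walk matters: the top Received: line of BOUNCE_B names a 10.x relay, and reading it as the source would point the abuse report at the victim's own mail cluster instead of the telus.net address.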
