[Dshield] ISP's That Ignore Abuse Reports

jayjwa jayjwa at atr2.ath.cx
Sun Jun 12 04:07:42 GMT 2005



https://atr2.ath.cx/~jayjwa/abusive-abuse-lists.html

and ...

http://www.acme.com/mail_filtering/shame.html#dnsrbls


->    ----- Transcript of session follows -----
-> ... while talking to iceman12-ext.giac.net.:
-> >>> RCPT To:<list at lists.dshield.org>
-> <<< 451 http://www.spamhaus.org/query/bl?ip=69.95.5.27
-> <list at lists.dshield.org>... Deferred: 451 http://www.spamhaus.org/query/bl?ip=69.95.5.27
-> ... while talking to mail1.sans.org.:
-> >>> DATA
-> <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
-> 550 5.1.1 <list at lists.dshield.org>... User unknown
-> <<< 503 RCPT first (#5.5.1)


Now, then...

My original message: Subject: ISP's That Ignore Abuse Reports


I just wanted to post this to show just how bad things can get when a 
major ISP like Qwest.net/Qwest.com refuses to do anything about an obvious 
security incident. Now going into day 6, I've been constantly bombarded by 
Qwest machines attempting "dictionary" spam to my mailserver. I've tried 
to keep this post brief, and the (trimmed) logs are at the very end so 
it's possible to read the story without digging through all the logfiles.


Starting at or on June 7th, my mailserver came under attack. At first look 
I believed it to be dict (dictionary) spam, a type of spammer that just 
tries every name in the book until one hits. I've been through this before; 
they usually stop after one incident, maybe two, and certainly if 
reported. On June 7th I sent an Abuse Report to Qwest (abuse at qwest.net) 
with my MTA's log files of the incident. The attacks continued. Notice 
that at this time Qwest was not banned from my mailserver: they could have 
easily answered me. I again sent a report, #2, as the attacks went into 
the 2nd and then 3rd straight day. When I say 'straight day', I mean 24x7 
constant connections, one after another, after another, relentlessly. Not 
surprisingly, Qwest did not reply. Still the attacks continued on to a 4th 
day, and I mailed incident report #3, this time from another mail account 
altogether (so they didn't have the well-known and popular excuse of 'oh 
well, we don't accept mail from (whatever I'm supposedly guilty of today 
on the DNS-based block lists)'). This time I got an auto-responder 
reply, but this may have been only because it was the first time I 
contacted Qwest from that mail account. They *have* replied to mail, sent 
from my own server, regarding previous incidents in the past, and didn't 
send the auto-responder there anymore. Because of this, I didn't find it 
strange that only on #3 did I see an auto-reply. In this mail I told them 
to reply to this alternate account, as I unfortunately had no choice but 
to drop all Qwest traffic to port 25, which I did, with Netfilter and 
tcpwrappers just in case Qwest had other IPs outside of the currently 
known range I was seeing the attack from (this later came true).

Now on the 5th day, going for 6, and more than enough time I believe 
for them to take some kind of action (remember, it was reported on the 1st
day; almost one business week has passed). My server was offline today
for several hours during a bad t-storm in which the building got struck,
but once back, they immediately returned, hammering away as ever.

One host in particular seems to do the bulk of connections, 63.231.195.116.

Jun  7 19:42:22 atr2 sm-mta[20604]: NOQUEUE: connect from mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 19:42:22 atr2 sm-mta[20604]: j57NgM3E020604: Milter: no active filter
Jun  7 19:42:23 atr2 sm-mta[20604]: j57NgM3E020604: <mary at atr2.ath.cx>... User unknown
Jun  7 19:42:23 atr2 sm-mta[20604]: j57NgM3E020604: from=<webmaster at atr2.ath.cx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 19:42:23 atr2 sm-mta[20605]: NOQUEUE: connect from mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 19:42:23 atr2 sm-mta[20605]: j57NgNp3020605: Milter: no active filter
Jun  7 19:42:24 atr2 sm-mta[20605]: j57NgNp3020605: <webmaster at atr2.ath.cx>... User unknown
Jun  7 19:42:25 atr2 sm-mta[20605]: j57NgNp3020605: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 20:09:04 atr2 sm-mta[20608]: NOQUEUE: connect from mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 20:09:05 atr2 sm-mta[20608]: j58094lp020608: Milter: no active filter
Jun  7 20:09:06 atr2 sm-mta[20608]: j58094lp020608: <joe at atr2.ath.cx>... User unknown
Jun  7 20:09:06 atr2 sm-mta[20608]: j58094lp020608: from=<mail at atr2.ath.cx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 20:09:06 atr2 sm-mta[20609]: NOQUEUE: connect from mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 20:09:06 atr2 sm-mta[20609]: j580963R020609: Milter: no active filter
Jun  7 20:09:30 atr2 sm-mta[20609]: j580963R020609: from=<>, size=66533, class=0, nrcpts=1, msgid=<200506080009.j580963R020609 at atr2.ath.cx>, proto=SMTP, daemon=MTA, relay=mpls-qmqp-05.inet.qwest.net [63.231.195.116]
Jun  7 20:09:31 atr2 sm-mta[20610]: j580963R020609: to=<mail at atr2.ath.cx>, delay=00:00:24, xdelay=00:00:01, mailer=local, pri=96804, dsn=2.0.0, stat=Sent
Jun  7 20:09:31 atr2 sm-mta[20610]: j580963R020609: done; delay=00:00:24, ntries=1
Jun  7 21:52:16 atr2 sm-mta[20639]: NOQUEUE: connect from mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:52:16 atr2 sm-mta[20639]: j581qGuH020639: Milter: no active filter
Jun  7 21:52:17 atr2 sm-mta[20639]: j581qGuH020639: <serg at atr2.ath.cx>... User unknown
Jun  7 21:52:17 atr2 sm-mta[20639]: j581qGuH020639: from=<webmaster at atr2.ath.cx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:52:17 atr2 sm-mta[20640]: NOQUEUE: connect from mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:52:17 atr2 sm-mta[20640]: j581qHVh020640: Milter: no active filter
Jun  7 21:52:18 atr2 sm-mta[20640]: j581qHVh020640: <webmaster at atr2.ath.cx>... User unknown
Jun  7 21:52:18 atr2 sm-mta[20640]: j581qHVh020640: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:57:20 atr2 sm-mta[20641]: NOQUEUE: connect from mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:57:20 atr2 sm-mta[20641]: j581vKLb020641: Milter: no active filter
Jun  7 21:57:21 atr2 sm-mta[20641]: j581vKLb020641: <brent at atr2.ath.cx>... User unknown
Jun  7 21:57:22 atr2 sm-mta[20641]: j581vKLb020641: from=<info at atr2.ath.cx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:57:22 atr2 sm-mta[20642]: NOQUEUE: connect from mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 21:57:22 atr2 sm-mta[20642]: j581vMST020642: Milter: no active filter
Jun  7 21:57:23 atr2 sm-mta[20642]: j581vMST020642: <info at atr2.ath.cx>... User unknown
Jun  7 21:57:23 atr2 sm-mta[20642]: j581vMST020642: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 22:42:36 atr2 sm-mta[20647]: NOQUEUE: connect from mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 22:42:36 atr2 sm-mta[20647]: j582gaGm020647: Milter: no active filter
Jun  7 22:42:37 atr2 sm-mta[20647]: j582gaGm020647: <david at atr2.ath.cx>... User unknown
Jun  7 22:42:37 atr2 sm-mta[20647]: j582gaGm020647: from=<administrator at atr2.ath.cx>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 22:42:38 atr2 sm-mta[20648]: NOQUEUE: connect from mpls-qmqp-01.inet.qwest.net [63.231.195.112]
Jun  7 22:42:38 atr2 sm-mta[20648]: j582gc7N020648: Milter: no active filter
Jun  7 22:42:39 atr2 sm-mta[20648]: j582gc7N020648: <administrator at atr2.ath.cx>... User unknown
Jun  7 22:42:39 atr2 sm-mta[20648]: j582gc7N020648: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mpls-qmqp-01.inet.qwest.net [63.231.195.112]


The machines appeared to be FreeBSD machines, although one of them registered
(and does continue to) by passive OS fingerprinting as a Windows 2000 or XP.
They have port 628 open, which I've since learned a little about, and of course
the ever-popular ssh, in the line of fire of the massive number of ssh 
attacks that have been going around lately.

63.231.195.112:

PORT    STATE    SERVICE
22/tcp  open     ssh
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
628/tcp open     qmqp


63.231.195.116:

PORT    STATE    SERVICE
22/tcp  open     ssh
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
628/tcp open     qmqp


On June 10th, I saw a new set of IPs from Qwest, the 70.58.20.*'s. 
Luckily I had put Qwest into tcpwrappers, because the netfilter 
entries didn't look for that IP range at the time:

Jun 10 05:05:52 atr2 sm-mta[13886]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 05:05:52 atr2 sm-mta[13886]: j5A95qTE013886: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 05:21:10 atr2 sm-mta[13887]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 05:21:10 atr2 sm-mta[13887]: j5A9LA13013887: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 05:28:59 atr2 sm-mta[13890]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 05:28:59 atr2 sm-mta[13890]: j5A9SxEu013890: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 06:09:27 atr2 sm-mta[13903]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 06:09:27 atr2 sm-mta[13903]: j5AA9RXn013903: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 06:13:53 atr2 sm-mta[13904]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 06:13:53 atr2 sm-mta[13904]: j5AADrTA013904: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 07:25:38 atr2 sm-mta[13915]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 07:25:38 atr2 sm-mta[13915]: j5ABPcat013915: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 08:34:24 atr2 sm-mta[13927]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 08:34:24 atr2 sm-mta[13927]: j5ACYOBx013927: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 09:32:40 atr2 sm-mta[13932]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 09:32:40 atr2 sm-mta[13932]: j5ADWe28013932: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 10:22:27 atr2 sm-mta[13996]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 10:22:27 atr2 sm-mta[13996]: j5AEMRJ6013996: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 10:40:18 atr2 sm-mta[13999]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 10:40:18 atr2 sm-mta[13999]: j5AEeIqc013999: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 12:46:47 atr2 sm-mta[31195]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 12:46:47 atr2 sm-mta[31195]: j5AGklsk031195: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection
Jun 10 16:24:30 atr2 sm-mta[1269]: NOQUEUE: connect from mpls-qmqp-02.inet.qwest.net [63.231.195.113]
Jun 10 16:24:30 atr2 sm-mta[1269]: j5AKOUOk001269: tcpwrappers (mpls-qmqp-02.inet.qwest.net, 63.231.195.113) rejection
Jun 10 16:24:31 atr2 sm-mta[1270]: NOQUEUE: connect from mpls-qmqp-02.inet.qwest.net [63.231.195.113]
Jun 10 16:24:31 atr2 sm-mta[1270]: j5AKOVTj001270: tcpwrappers (mpls-qmqp-02.inet.qwest.net, 63.231.195.113) rejection
Jun 10 16:26:00 atr2 sm-mta[1290]: NOQUEUE: connect from 70-58-20-29.dnvr.qwest.net [70.58.20.29]
Jun 10 16:26:00 atr2 sm-mta[1290]: j5AKQ07X001290: tcpwrappers (70-58-20-29.dnvr.qwest.net, 70.58.20.29) rejection


These are the firewall logs, and they make up the bulk of the logs
that I have on Qwest. They're long, so I've not shown all of them:


Jun  9 05:01:02 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=57003 DF PROTO=TCP SPT=17520 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0 
Jun  9 05:01:05 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=57015 DF PROTO=TCP SPT=17520 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0

Jun  9 15:10:30 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=59925 DF PROTO=TCP SPT=12706 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0 
Jun  9 15:19:57 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=65496 DF PROTO=TCP SPT=12958 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0


Jun 10 01:04:16 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=48261 DF PROTO=TCP SPT=29269 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0 
Jun 10 01:04:19 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=48266 DF PROTO=TCP SPT=29269 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0


Jun 10 03:38:28 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2794 DF PROTO=TCP SPT=11829 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0 
Jun 10 03:38:34 atr2 kernel: Dict. SPAM: IN=ppp0 OUT= MAC= SRC=63.227.27.12 DST=64.179.7.59 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2830 DF PROTO=TCP SPT=11829 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0

Incident report #4 was just sent... do you think they'll listen this time? 
Notice also that I'm mailing them these reports from my own MTA: they're 
banned from it and can't answer. This is a separate account altogether. I 
thought I'd point that out before someone says that they may have only 
been trying to mail me a reply. Even if this was the case, these 
connections are non-stop, constant, and no legit mailserver tries without 
a break; it waits, then tries a fixed number of times.


-- 
Confidentiality Notice: This email may contain confidential
and privileged information. If in the event that it does,
please send it back to me with a reply telling me how
stupid I am for sending confidential info to a public forum.
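Added example, not part of the original post: a small detector for the pattern the post's sendmail logs show, many different unknown recipients probed from one relay with back-to-back connections, as opposed to a real MTA retrying one bad address with a pause between attempts. The log lines are constructed in the same sm-mta format with RFC 5737 addresses and "@" as sendmail writes it (the list archive shows " at "); the thresholds are assumptions.

```python
import re
from datetime import datetime

# Two sendmail (sm-mta) line shapes, modelled on the post's excerpts: the connect line
# carries the relay IP keyed by pid; the "User unknown" rejection carries only the pid.
CONNECT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[(\d+)\]: NOQUEUE: connect from \S+ \[([\d.]+)\]")
UNKNOWN = re.compile(r"^\w{3}\s+\d+ \S+ \S+ sm-mta\[(\d+)\]: \S+: <([^>]+)>\.\.\. User unknown")

# Constructed sample in the same format (RFC 5737 addresses, not the post's hosts).
SAMPLE = """\
Jun  7 19:42:22 mx sm-mta[20604]: NOQUEUE: connect from probe.example.net [192.0.2.10]
Jun  7 19:42:23 mx sm-mta[20604]: j57NgM3E020604: <mary@example.com>... User unknown
Jun  7 19:42:23 mx sm-mta[20605]: NOQUEUE: connect from probe.example.net [192.0.2.10]
Jun  7 19:42:24 mx sm-mta[20605]: j57NgNp3020605: <joe@example.com>... User unknown
Jun  7 19:42:25 mx sm-mta[20606]: NOQUEUE: connect from probe.example.net [192.0.2.10]
Jun  7 19:42:26 mx sm-mta[20606]: j57NgPQ1020606: <serg@example.com>... User unknown
Jun  7 20:09:06 mx sm-mta[20609]: NOQUEUE: connect from mx.example.org [198.51.100.7]
Jun  7 20:09:07 mx sm-mta[20609]: j580963R020609: <bob@example.com>... User unknown
Jun  7 20:39:07 mx sm-mta[20640]: NOQUEUE: connect from mx.example.org [198.51.100.7]
Jun  7 20:39:08 mx sm-mta[20640]: j5814jQ2020640: <bob@example.com>... User unknown
""".splitlines()

def analyze(lines):
    """Per relay IP: connects, unknown-recipient probes, distinct probed names
    and the shortest gap in seconds between two connects from that IP."""
    pid_ip, stats = {}, {}
    for line in lines:
        m = CONNECT.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
            pid_ip[m.group(2)] = ip = m.group(3)
            s = stats.setdefault(ip, {"connects": 0, "probes": 0, "names": set(),
                                      "min_gap": None, "last": None})
            s["connects"] += 1
            if s["last"] is not None:
                gap = (ts - s["last"]).total_seconds()
                s["min_gap"] = gap if s["min_gap"] is None else min(s["min_gap"], gap)
            s["last"] = ts
        m = UNKNOWN.match(line)
        if m and m.group(1) in pid_ip:
            s = stats[pid_ip[m.group(1)]]
            s["probes"] += 1
            s["names"].add(m.group(2).lower())
    return stats

def dictionary_attackers(lines, min_names=3, max_gap=10.0):
    """Relays that probed at least min_names distinct unknown recipients and reconnected
    within max_gap seconds (thresholds are assumptions); a real MTA retrying one bad
    address repeats the same name and waits between attempts, so it stays below both."""
    return sorted(ip for ip, s in analyze(lines).items() if len(s["names"]) >= min_names
                  and s["min_gap"] is not None and s["min_gap"] <= max_gap)
```

Passing the lines of a real MTA log to dictionary_attackers() yields the relay IPs that are candidates for the tcpwrappers or netfilter entries the post describes, while a legitimate server retrying one bad address with a pause is left alone.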