nanog mailing list archives

Re: CalPOP contact? HTTP CONNECT scanning


From: Patrick <patrick () stealthgeeks net>
Date: Thu, 4 Sep 2003 17:34:29 -0700 (PDT)



CalPoP's owners/management are knowingly facilitating this behaviour. I
know, since I (thankfully very briefly) was retained as their CTO and
explicitly raised the spam issue as soon as I became aware of it. I personally
saw machines which appeared to be running software designed to attempt to proxy
relay against Hotmail. The response I received was that "if they did
not generate complaints it was not an issue."

For all the good it will do you, you can reach two of the owners, Richard
Hoover aka Lynn at lynn () calpop com or Ross Thayer at ross () calpop com.

On Thu, 4 Sep 2003, Jeroen Massar wrote:


As people are complaining all around about ISPs,
here is my small question. Who has a _working_ contact at
"CalPOP" (216.240.128.0/19 and others)? It is not in puck :(

If anybody has a working one please mail it to me offlist so
that the following long version of the problem can be solved.

Is there anything alive at CalPOP that doesn't try
to abuse open proxies for massively spamming Hotmail?

These are the hits from Sep 3rd:

216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:20 +0200] "CONNECT 65.54.167.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:22 +0200] "CONNECT 65.54.254.151:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:24 +0200] "CONNECT 65.54.252.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:25 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:28 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:29 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:30 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"

Since 29 Sep they did that 13007 times to the same box.
Quite persistent apparently, as previously on 10-15 August
they used 216.240.129.201 + .205 to hit that box another
17502 times, and that one stopped mysteriously after mailing
abuse () calpop com & noc () calpop com & sam () calpop com (as shown in whois).
Unfortunately without any reply whatsoever, and apparently
they are continuing to scan for open HTTP CONNECT proxies.

I know the 200 response should indicate a CONNECT success.
But unfortunately if one loads up an apache2 with PHP, suddenly
it starts passing _all_ methods to PHP, which nicely responds with a 200.
But it is perfect for logging some nice data from the wanna-be spammer.
<Limit CONNECT>Deny from all</Limit> solves that of course, but that
spammer needs to go, and the contacts don't work. This acts as a
perfect spamtrap honeypot btw, especially as they keep trying.

Before anyone asks the IP being hit is on a DSL line so they are
quite probably scanning all the DSL networks for open proxies.

Greets,
 Jeroen
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
         Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
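As an added illustration (not code from either poster), here is a small parser for the Apache combined-log lines quoted above that tallies CONNECT requests per source IP, separating port-25 targets from the rest. It keeps the 200 count apart from the other counts because, as Jeroen notes, a PHP-backed Apache answers every method with 200, so a 200 on CONNECT is evidence of scanning, not of a working relay. The sample log below mixes two lines from the post with constructed entries (10.0.0.x addresses) to exercise the non-CONNECT and denied cases.

```python
import re
from collections import defaultdict

# Apache combined log format: the request field holds "METHOD target PROTO".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two lines from the post plus made-up 10.0.0.x entries.
SAMPLE_LOG = """\
216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
10.0.0.7 - - [03/Sep/2003:06:28:01 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.9 - - [03/Sep/2003:06:28:05 +0200] "CONNECT 192.0.2.10:443 HTTP/1.0" 403 - "-" "-"
"""


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # CONNECT targets look like host:port; other methods carry a path.
    _host, _sep, port = rec["target"].rpartition(":")
    rec["port"] = int(port) if port.isdigit() else None
    rec["status"] = int(rec["status"])
    return rec


def connect_scan_summary(log_text, threshold=2):
    """Per source IP, count CONNECT requests, those aimed at port 25, and
    those answered 200. Sources below `threshold` CONNECTs are dropped.
    A 200 here means only that the server replied 200 (PHP does that for
    any method); it is not proof that the relay worked."""
    stats = defaultdict(lambda: {"total": 0, "smtp": 0, "status_200": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        s = stats[rec["src"]]
        s["total"] += 1
        if rec["port"] == 25:
            s["smtp"] += 1
        if rec["status"] == 200:
            s["status_200"] += 1
    return {src: s for src, s in stats.items() if s["total"] >= threshold}
```

With `<Limit CONNECT>Deny from all</Limit>` in place the denied attempts show up as 403 (the constructed 10.0.0.9 line), which the summary counts as a CONNECT but not as a 200.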

