nanog mailing list archives

Re: WTF?


From: Daniel Reed <djr () narnia n ml org>
Date: Wed, 19 Nov 1997 18:15:39 -0500 (EST)

On Wed, 19 Nov 1997, James D. Butt wrote:
) Here is what I received from abuse () ibm net
) 
) -------------------------------------------------------------------------
) DUP  11/19/97 10:56:24
) 
) Thank you for notifying us.
) 
) This individual has been warned regarding the consequences of sending
) Unsolicited Commercial Email.
) Continued violations will result in an account cancellation. Please
) inform us if any other abuse originated from <ibm.net> customers.

That's truly wondrous as, after sending:
From djr () narnia n ml org Wed Nov 19 17:37:59 1997
Date: Mon, 17 Nov 1997 20:25:48 -0500 (EST)
From: Daniel Reed <djr () narnia n ml org>
To: support () ibm net, abuse () ibm net
Subject: OWNED (fwd)

I have reason to believe one of your customers, perhaps still connected
to your service, has been maliciously attacking the NANOG mailing list
(nanog () merit edu). Today the NANOG mailing list was subscribed to itself,
it received a bounce that showed us (the subscribers) an attempt to
subscribe it to several lists at a remote server, and was also subscribed
to some Marilyn Monroe fan mailing list. We then received this message,
and as the headers indicate, it appears to be originating from some
ibm.net dialup user.

Received: from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US
                              ^^^^^^^^^^^^
 (EMWAC SMTPRS 0.81) with SMTP id <B0000000019 () www RVC CC IL US>;
 Mon, 17 Nov 1997 18:56:25 -0600

root@narnia:~# host 166.72.5.121
121.5.72.166.IN-ADDR.ARPA domain name pointer slip166-72-5-121.il.us.ibm.net
root@narnia:~#

--
Daniel Reed <n () narnia n ml org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
Some people mistake genius for insanity.

---------- Forwarded message ----------
Return-Path: owner-nanog () merit edu
Received: from merit.edu [198.108.1.42]
          by mail.n.ml.org (Sendmail 8.8.8) via ESMTP (UAA16049-199711180120)
          for address <djr () narnia n ml org>
          on Mon, 17 Nov 1997 20:20:11 -0500 (EST)
Received: from localhost (daemon@localhost)
        by merit.edu (8.8.7/8.8.5) with SMTP id TAA04909;
        Mon, 17 Nov 1997 19:43:41 -0500 (EST)
Received: by merit.edu (bulk_mailer v1.5); Mon, 17 Nov 1997 19:43:36 -0500
Received: (from majordom@localhost)
        by merit.edu (8.8.7/8.8.5) id TAA04897
        for nanog-outgoing; Mon, 17 Nov 1997 19:43:34 -0500 (EST)
Received: from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2])
        by merit.edu (8.8.7/8.8.5) with SMTP id TAA04884
        for <nanog () merit edu>; Mon, 17 Nov 1997 19:43:16 -0500 (EST)
Received: from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US
 (EMWAC SMTPRS 0.81) with SMTP id <B0000000019 () www RVC CC IL US>;
 Mon, 17 Nov 1997 18:56:25 -0600
Date: Mon, 17 Nov 1997 18:56:25 -0600
Message-ID: <B0000000019 () www RVC CC IL US>
From: Bill Gates III <billg () microsoft com>
Subject: OWNED
Sender: owner-nanog () merit edu
To: undisclosed-recipients:;

/* snipped many lines of garbage */




I received back:
From helpdesk () ibm e-mail com Wed Nov 19 17:38:33 1997
Date: Tue, 18 Nov 1997 16:15:13 EST
From: helpdesk () ibm e-mail com
To: DJR () NARNIA N ML ORG
Subject: OWNED (FWD)                                  Ref #: USINET   2048052

MAIL FROM:<Problem Mgmt>
RCPT TO:<DJR () NARNIA N ML ORG>
DATA
Date: Tue, 18 NOV 97 16:14:53 est
From: Problem Mgmt
To:   <DJR () NARNIA N ML ORG>
Cc:
Subject: OWNED (FWD)                                  Ref #: USINET   2048052

An incident reported by you has been updated.
The incident # is listed below. Do not respond to this e-mail.
For Account: USINET    Incident Number: 2048052  Status: PENDING   Sev: 4
Last Updated: Tue, 18 NOV 97 16:14:53           PROBLEM UPDATED.
*************************************************************************

Summary: OWNED (FWD)

-------------------------------------------------------------------------
RESP 11/18/97 16:14:49

Hello,

Based on the information you have sent we are unable to match the time and
ip of the header to the time and ip on our dial gateways. This header looks
a bit strange, the ip does not contain a "slip" in front of it. I think that
this header has been manipulated in some way.

Regards,
Postmaster () ibm net

*************************************************************************


Please do not respond to this address.
Respond to notify () vnet ibm com




to which I replied, pointing out the fact that the IP address in question,
when reverse resolved (which I had even included in my original message)
did, in fact, begin with "slip" and end with "ibm.net." However, when I
replied to notify () vnet ibm com, as I was told to by the note at the bottom
of the message, I received no less than 6 messages telling me I should
have sent that reply to postmaster () ibm net. I then wrote an almost-sorta-
mildly nasty note to notify () vnet ibm com telling them to please get their
act straight and figure out who it is, in fact, I should be contacting. I
then received several more emails telling me *that* should have gone to
postmaster () ibm net as well.

However, I believe that all of the insightful messages announcing that "it
appears we were just mailbombed, oh my!" were arguably more detrimental to
the flow of information on this list than the actual subscription and
message bombs that prompted them. After one of the 56 mailing lists I host
on narnia is mailbombed, I make it a habit of closing all postings to that
list. Not to prevent further mailbombs, as I usually find out about it too
late, but to prevent the flood of "oh my, what'll we do, someone stop this
madness!" messages that almost always outbomb the mailbomb.

--
Daniel Reed <n () narnia n ml org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
What was the best thing before sliced bread?
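
Added example, not part of the original post: the header check the message walks through, done in code. It takes the oldest hop that recorded a peer address, builds the in-addr.arpa name, and compares the HELO name with the PTR name. The function names are hypothetical, the PTR answer is copied from the `host` output in the post rather than looked up, and the parenthesized address is assumed, as the post assumes, to be the peer address the relay recorded.

```python
import re

# Received lines from the forwarded message in the post, newest hop first,
# unfolded and trimmed to the fields used here.
RECEIVED = [
    "from merit.edu [198.108.1.42] by mail.n.ml.org (Sendmail 8.8.8) via ESMTP",
    "from localhost (daemon@localhost) by merit.edu (8.8.7/8.8.5) with SMTP id TAA04909",
    "by merit.edu (bulk_mailer v1.5)",
    "(from majordom@localhost) by merit.edu (8.8.7/8.8.5) id TAA04897",
    "from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by merit.edu (8.8.7/8.8.5) with SMTP id TAA04884",
    "from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US (EMWAC SMTPRS 0.81) with SMTP",
]
# PTR answer as shown by the `host` output in the post; embedded so this runs offline.
PTR = {"121.5.72.166.in-addr.arpa": "slip166-72-5-121.il.us.ibm.net"}

# "from <HELO name>" followed by the first bracketed or parenthesized IPv4 address.
HOP = re.compile(r"^from\s+(?P<helo>[\w.-]+)\s.*?[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_hop(line):
    """Return (helo_name, peer_ip) for a hop that recorded a peer address, else None."""
    m = HOP.match(line)
    return (m["helo"].lower(), m["ip"]) if m else None

def reverse_name(ip):
    """Build the in-addr.arpa name that a PTR lookup queries for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def org_domain(name, labels=2):
    """Crude organizational domain: the last two labels (assumption, fine for .com/.net)."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def origin_report(received, ptr_table):
    """Describe the oldest hop that has a peer IP: where the message entered the first relay."""
    hops = [h for h in map(parse_hop, received) if h]
    helo, ip = hops[-1]  # headers are prepended, so the last entry is the oldest hop
    ptr = ptr_table.get(reverse_name(ip))
    return {
        "helo": helo, "ip": ip, "ptr": ptr,
        # HELO is sender-supplied text; the peer IP is what the relay itself recorded.
        "helo_matches_ptr": ptr is not None and org_domain(helo) == org_domain(ptr),
    }

if __name__ == "__main__":
    print(origin_report(RECEIVED, PTR))
```

The HELO name is whatever the sending client typed, so a mismatch with the PTR domain of the recorded peer address is the signal to report to the network that owns the address.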


