> Path: news.bticc.net!not-for-mail
> From: [EMAIL PROTECTED]
> Newsgroups: lists.fwb.users,lists.ifmail
> Subject: DO YOU BELIEVE IN REINCARNATION? CLICK HERE! 7192
> Date: 17 Jun 1999 17:28:38 GMT
> Organization: BTI Communications -- http://www.bticc.net/
> Lines: 18
> Distribution: lists
> Message-ID: <7kbb86$fdc$[EMAIL PROTECTED]>
> NNTP-Posting-Host: 200.244.102.179
> X-Trace: osiris.bticc.net 929640518 15788 200.244.102.179 (17 Jun 1999 17:28:38 GMT)
> X-Complaints-To: [EMAIL PROTECTED]
> NNTP-Posting-Date: 17 Jun 1999 17:28:38 GMT
> Xref: news.bticc.net lists.fwb.users:3 lists.ifmail:1
>
> ************************************************************
> DO YOU BELIEVE IN REINCARNATION?
> ************************************************************
>
> Do you want to know who you were and where you lived in your
> past life?
>
> Click here-> http://www.pridesites.com/pastlife
>
> ************************************************************
>
> This message was posted with POST AGENT
> The BEST bulk news poster
> Download your FREE copy now at:
> http://postagent.com/default.asp?fromAgentID=1819
>
> qjgyqgmywbyjgmlwemenevzjpxxomxgst

This message is an incident report regarding a spam attack that took place this afternoon (17 June 1999). At 17:28 GMT our internal news server was compromised by a mad spammer. Fortunately, we were able to get the server shut down in time to prevent the spam from propagating to the major news hierarchies and our FidoNet distribution. However, we have a number of gated mailing lists on the server which have instant distribution and thus got hit by the spam. The result has been a deluge of complaints to our abuse address. Since it would take the rest of the week to reply to them all, this report is being sent to each individual who sent a complaint as well as the lists that were spammed and the appropriate parties involved in the incident.
The attacker used a bogus From: header using pastlife.com, but the origin IP was 200.244.102.179. After some time with nslookup and whois, I sent an e-mail to the Brazilian Research Network, where the IP was part of their class A subnet. Within minutes Cristine Hoepers of nic.br sent me the nic record of highway.com.br, where the attack originated. A few minutes later I also got the following reply from Fernando Bravo of highway.com.br. Thanks guys and gals for the extremely fast response.

Date: Thu, 17 Jun 1999 16:40:49 -0300
From: Cristine Hoepers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [[EMAIL PROTECTED]: RE: System attack from 200.244.102.179]

----- Forwarded message from Fernando Bravo <[EMAIL PROTECTED]> -----

Delivered-To: [EMAIL PROTECTED]
X-ROUTED: Thu, 17 Jun 1999 16:38:32 -0300
From: "Fernando Bravo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: System attack from 200.244.102.179
Date: Thu, 17 Jun 1999 16:39:51 -0300
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.0810.800
In-Reply-To: <[EMAIL PROTECTED]>
Importance: Normal

The person will be advised not to do so. This IP belongs to a pool of modems of our dial up users. I will do it personally.

Thanks for reporting it to us.

Best regards,

Fernando Bravo

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 17, 1999 16:21
> To: Fernando Bravo
> Subject: Re: System attack from 200.244.102.179
>
>
> This IP belongs to 'HIGHWAY.COM.BR' domain.
> I'm forwarding your e-mail to the person responsible
> for this domain.
> Contact information follows:
>
> handle:NET-200-244-102-0-24
> ip-network:200.244.102.0/24
> class-ip-network:200.244.102.0
> network-type:C
> organization-name:FERNANDO BRAVO SOFTWARE LTDA
> organization-postal:RIO DE JANEIRO/RJ
> updated:19990617
>
> HIGHWAY.COM.BR
> F.BRAVO SOFTWARE LTDA
> Av.Ataulfo de Paiva, 135, Sls 805/806
> 22449-900 - Rio de Janeiro - RJ
>
> Points of contact
> Adm : FEB <[EMAIL PROTECTED]>
> Tec : FEB <[EMAIL PROTECTED]>
> Bil : FEB <[EMAIL PROTECTED]>
>
> Thank you for your report,
>
> Cristine
> NIC BR Security Office <[EMAIL PROTECTED]>
> [EMAIL PROTECTED]

----- End forwarded message -----

I have implemented an even more fascist posting policy on the news server, but I am still not sure how the remote managed to post since posting had already been restricted to the local subnet. I have already noticed that several additional attempts to access the news server have taken place while it was turned off from other IPs in the 200.244.102 subnet. I will be forwarding a copy of those logs to highway.com.br and keeping a close watch on the server over the next few days. If there are any INN-2.x gurus reading this, feel free to send me a message privately as I would like to make sure this never happens again without having to permanently shut down the server.

I apologize for any inconveniences and/or problems this has caused to anyone. I would also like to thank all those involved in helping me track down the originator for their quick replies. Finally, please forgive me for 'spamming' this incident report, but it is the only way I can let the lists know the problem is being resolved without spending the next week responding to individual complaints.

Regards,

Jarrod Kinsley
System Administrator
BTI Communications

--
Jarrod S. Kinsley
System Administrator
BTI Communications
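The report above traced the spam to the server-written NNTP-Posting-Host and X-Trace headers rather than the forged From: line. The following script is an added example, not part of the original report or of INN, showing how an administrator could audit the articles in a spool the same way: parse each article's header block, pull the client IP that the server recorded, check it against the networks that are supposed to be allowed to post, and tally the offending sources for a complaint to the upstream ISP. The allowed posting network (192.0.2.0/24) and the local sample article are constructed for the example; the spam article's headers are taken from the report, with the poster's address replaced by a placeholder.

```python
import ipaddress
import re

# Posting was supposed to be restricted to the local subnet. This network is
# an assumption for the example (TEST-NET-1), not BTI's real configuration.
ALLOWED_POSTING_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Headers of the spam article as quoted in the report (From: replaced by a
# placeholder address).
SPAM_ARTICLE = """\
Path: news.bticc.net!not-for-mail
From: poster@example.invalid
Newsgroups: lists.fwb.users,lists.ifmail
Subject: DO YOU BELIEVE IN REINCARNATION? CLICK HERE! 7192
Date: 17 Jun 1999 17:28:38 GMT
NNTP-Posting-Host: 200.244.102.179
X-Trace: osiris.bticc.net 929640518 15788 200.244.102.179 (17 Jun 1999 17:28:38 GMT)

Body omitted.
"""

# A constructed article from a host inside the allowed network.
LOCAL_ARTICLE = """\
Path: news.bticc.net!not-for-mail
From: user@example.invalid
Newsgroups: lists.fwb.users
Subject: legitimate post
NNTP-Posting-Host: 192.0.2.17
X-Trace: osiris.bticc.net 929640600 15790 192.0.2.17 (17 Jun 1999 17:30:00 GMT)

Hello list.
"""


def parse_headers(article: str) -> dict:
    """Parse the header block (everything before the first blank line) into a
    dict keyed by lower-cased header name; folded continuation lines are joined."""
    headers = {}
    last = None
    for line in article.splitlines():
        if line.strip() == "":
            break
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def posting_host(headers: dict):
    """Return (NNTP-Posting-Host, IP found in X-Trace). Both are written by the
    server at injection time, so they can be trusted where From: cannot.
    X-Trace in INN looks like 'server epoch pid ip (date)'."""
    host = headers.get("nntp-posting-host")
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", headers.get("x-trace", ""))
    return host, (m.group(1) if m else None)


def audit_article(article: str, allowed=ALLOWED_POSTING_NETS) -> list:
    """Return a list of findings for one article; empty means it looks legitimate."""
    headers = parse_headers(article)
    host, trace_ip = posting_host(headers)
    findings = []
    if host is None:
        return ["no NNTP-Posting-Host header"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return [f"unparseable posting host {host!r}"]
    if not any(ip in net for net in allowed):
        findings.append(f"posting host {ip} is outside the allowed posting networks")
    if trace_ip and trace_ip != host:
        findings.append(f"X-Trace IP {trace_ip} disagrees with NNTP-Posting-Host {host}")
    return findings


def flagged_sources(articles) -> dict:
    """Count flagged articles per posting host: the list to forward to the ISP."""
    counts = {}
    for art in articles:
        if audit_article(art):
            host = parse_headers(art).get("nntp-posting-host", "unknown")
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for art in (SPAM_ARTICLE, LOCAL_ARTICLE):
        print(parse_headers(art)["subject"], "->", audit_article(art) or "ok")
    print(flagged_sources([SPAM_ARTICLE, LOCAL_ARTICLE]))
```

Run against a spool directory by reading each article file into `audit_article`; the same check applied to the incoming-post path (before acceptance rather than after) is what the posting restriction in INN is meant to enforce, so a non-empty `flagged_sources` on a server that already restricts posting by subnet is itself evidence that the restriction is being bypassed.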