Re: flooded with jr* spam

2008-02-08 Thread Michael W Cocke
On Thu, 07 Feb 2008 12:51:51 +0100, you wrote:

Michael W Cocke wrote:

 
 They use DHCP.  Netops has to trace it, and I seem to be about 5Kth on
 the list.  sigh  Ironic as hell, considering the effort I put into
 avoiding MIT netops about 20 years ago.

But you should be able to run tcpdump locally on your own machine? 
Unless the address changes rapidly, you catch one such ICMP, then
report the IP to your netops guys. 


/Per Jessen, Zürich


All that shows is their external address.  They use NAT.  Anyway, it's
academic - netops seems to have found it and pulled it offline.

Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed 
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,


Re: flooded with jr* spam

2008-02-07 Thread Per Jessen
Michael W Cocke wrote:

 
 They use DHCP.  Netops has to trace it, and I seem to be about 5Kth on
 the list.  sigh  Ironic as hell, considering the effort I put into
 avoiding MIT netops about 20 years ago.

But you should be able to run tcpdump locally on your own machine? 
Unless the address changes rapidly, you catch one such ICMP, then
report the IP to your netops guys. 


/Per Jessen, Zürich
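
Per's suggestion worked through, as an added example that is not part of the thread and not anything either poster ran: a script that parses `tcpdump -tt -n icmp` output offline and reports which source addresses are sustaining something like the two-per-second rate Mike describes, along with the ICMP echo id each source uses (one id held steady across a monotonic seq suggests a single ping loop rather than many hosts). The capture lines are constructed using RFC 5737 documentation addresses, and the thresholds are assumptions. The caveat Mike raises still applies: behind NAT the source you capture is the translator's external address, so this gives netops that address plus timing and id evidence, not the offending host.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -tt -n icmp` output; not a real capture.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_TCPDUMP = """\
1202245200.001120 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 1, length 64
1202245200.499870 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 2, length 64
1202245201.002311 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 3, length 64
1202245201.500902 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 4, length 64
1202245201.777004 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 99, seq 1, length 64
1202245202.003117 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 5, length 64
1202245202.501455 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 6, length 64
1202245202.600210 IP 198.51.100.7 > 192.0.2.10: ICMP time exceeded in-transit, length 36
1202245203.000987 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 7, length 64
1202245203.502640 IP 198.51.100.23 > 192.0.2.10: ICMP echo request, id 4660, seq 8, length 64
1202245204.100550 IP 198.51.100.7 > 192.0.2.10: ICMP time exceeded in-transit, length 36
"""

# One tcpdump line with -tt (epoch seconds) and -n (no name resolution).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<kind>.+?), length \d+$"
)
ECHO_RE = re.compile(r"^echo request, id (?P<id>\d+), seq (?P<seq>\d+)$")


def parse_icmp(text):
    """Yield (timestamp, source, kind, echo_id) for each ICMP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind = m.group("kind")
        e = ECHO_RE.match(kind)
        yield float(m.group("ts")), m.group("src"), kind, (int(e.group("id")) if e else None)


def per_source_stats(text):
    """Per source address: packet count, observed span in seconds, estimated
    packets/second, and the set of echo ids seen."""
    first, last, count, ids = {}, {}, defaultdict(int), defaultdict(set)
    for ts, src, kind, echo_id in parse_icmp(text):
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
        count[src] += 1
        if echo_id is not None:
            ids[src].add(echo_id)
    stats = {}
    for src in count:
        span = last[src] - first[src]
        # rate from inter-arrival time: n packets bracket n-1 intervals
        pps = (count[src] - 1) / span if span > 0 else 0.0
        stats[src] = {"count": count[src], "span": span, "pps": pps, "echo_ids": ids[src]}
    return stats


def flood_sources(text, min_pps=1.0, min_packets=5):
    """Sources worth reporting: a sustained rate above min_pps (assumed threshold)
    backed by at least min_packets packets, so a single stray probe is ignored."""
    return sorted(src for src, s in per_source_stats(text).items()
                  if s["count"] >= min_packets and s["pps"] >= min_pps)


if __name__ == "__main__":
    ranked = sorted(per_source_stats(SAMPLE_TCPDUMP).items(), key=lambda kv: -kv[1]["pps"])
    for src, s in ranked:
        print(f"{src:16} {s['count']:3d} pkts over {s['span']:5.2f}s = "
              f"{s['pps']:.2f} pkt/s  echo ids={sorted(s['echo_ids'])}")
    print("report to netops:", flood_sources(SAMPLE_TCPDUMP))
```

Feed it a real capture with `tcpdump -tt -n -l icmp > icmp.log` and read the file instead of the constant; the span-based rate is more honest than a packet count over the capture length, because it is not diluted by idle time before the first or after the last packet.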



flooded with jr* spam

2008-02-05 Thread Vlad Mazek
Has anyone else noticed a similar pattern or does someone out there hate me?
:) The top 100 SPAM senders on my network (1 minute snapshot below) are all
forgeries starting with jr- or jq-

24  [EMAIL PROTECTED]
22  [EMAIL PROTECTED]
22  [EMAIL PROTECTED]
22  [EMAIL PROTECTED]
21  [EMAIL PROTECTED]
20  [EMAIL PROTECTED]
20  [EMAIL PROTECTED]
19  [EMAIL PROTECTED]
19  [EMAIL PROTECTED]
19  [EMAIL PROTECTED]
18  [EMAIL PROTECTED]
18  [EMAIL PROTECTED]
18  [EMAIL PROTECTED]
18  [EMAIL PROTECTED]
18  [EMAIL PROTECTED]
17  [EMAIL PROTECTED]
17  [EMAIL PROTECTED]
17  [EMAIL PROTECTED]
16  [EMAIL PROTECTED]
16  [EMAIL PROTECTED]
16  [EMAIL PROTECTED]
16  [EMAIL PROTECTED]
16  [EMAIL PROTECTED]
16  [EMAIL PROTECTED]
15  [EMAIL PROTECTED]
15  [EMAIL PROTECTED]
14  [EMAIL PROTECTED]
14  [EMAIL PROTECTED]
14  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
13  [EMAIL PROTECTED]
12  [EMAIL PROTECTED]
12  [EMAIL PROTECTED]
12  [EMAIL PROTECTED]
12  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
11  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
10  [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
9   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
8   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]
7   [EMAIL PROTECTED]

The annoying thing is, nothing particularly similar about the SPAM being
relayed...

-Vlad
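
What Vlad's one-minute snapshot amounts to, written out as an added example rather than anything from his server: join Postfix `smtpd` client= lines to `qmgr` from= lines on the queue ID, count envelope senders inside a 60-second window, and report what share of those messages carry a jr-/jq- local part and from how many distinct client addresses each forged sender arrived. The log lines, hostnames and addresses are constructed; the window start and the prefix pattern are assumptions taken from his description.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Postfix log excerpt (syslog format) standing in for the poster's
# snapshot; hosts and addresses are RFC 5737 / example.* placeholders.
SAMPLE_LOG = """\
Feb  5 13:58:01 mx postfix/smtpd[2345]: 3F2A1B4C: client=unknown[203.0.113.7]
Feb  5 13:58:01 mx postfix/qmgr[1234]: 3F2A1B4C: from=<jr-lmqa@example.net>, size=2310, nrcpt=1 (queue active)
Feb  5 13:58:03 mx postfix/smtpd[2346]: 3F2A1B50: client=unknown[198.51.100.41]
Feb  5 13:58:03 mx postfix/qmgr[1234]: 3F2A1B50: from=<jr-lmqa@example.net>, size=2298, nrcpt=1 (queue active)
Feb  5 13:58:07 mx postfix/smtpd[2347]: 3F2A1B61: client=unknown[203.0.113.88]
Feb  5 13:58:07 mx postfix/qmgr[1234]: 3F2A1B61: from=<jq-tbfx@example.org>, size=2411, nrcpt=1 (queue active)
Feb  5 13:58:12 mx postfix/smtpd[2348]: 3F2A1B72: client=mail.example.com[192.0.2.25]
Feb  5 13:58:12 mx postfix/qmgr[1234]: 3F2A1B72: from=<alice@example.com>, size=5120, nrcpt=1 (queue active)
Feb  5 13:58:20 mx postfix/smtpd[2349]: 3F2A1B83: client=unknown[198.51.100.9]
Feb  5 13:58:20 mx postfix/qmgr[1234]: 3F2A1B83: from=<jr-lmqa@example.net>, size=2305, nrcpt=1 (queue active)
Feb  5 13:59:30 mx postfix/smtpd[2350]: 3F2A1B94: client=unknown[203.0.113.7]
Feb  5 13:59:30 mx postfix/qmgr[1234]: 3F2A1B94: from=<jq-tbfx@example.org>, size=2400, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"^client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
FORGED_PREFIX = re.compile(r"^j[rq]-", re.IGNORECASE)  # the pattern Vlad describes


def parse_ts(s):
    """Syslog stamps carry no year; ordering inside one day is all we need."""
    return datetime.strptime(s, "%b %d %H:%M:%S")


def join_messages(text):
    """Stitch each queue ID's smtpd client= line and qmgr from= line together."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        c = CLIENT_RE.match(m.group("rest"))
        f = FROM_RE.match(m.group("rest"))
        if c:
            rec["client_ip"] = c.group("ip")
        if f:
            rec["sender"] = f.group("sender").lower()
            rec["ts"] = parse_ts(m.group("ts"))  # queue time is the event time
    return {qid: r for qid, r in msgs.items() if "sender" in r}


def snapshot(text, start, seconds=60):
    """Sender counts and the set of client IPs per sender inside [start, start+seconds)."""
    end = start + timedelta(seconds=seconds)
    counts, clients = Counter(), defaultdict(set)
    for rec in join_messages(text).values():
        if start <= rec["ts"] < end:
            counts[rec["sender"]] += 1
            clients[rec["sender"]].add(rec.get("client_ip", "?"))
    return counts, clients


def top_senders(text, start, seconds=60, n=100):
    """The 'top N senders in a one-minute snapshot' view, as (count, sender)."""
    counts, _ = snapshot(text, start, seconds)
    return [(c, s) for s, c in counts.most_common(n)]


def forged_share(counts):
    """Fraction of the window's messages whose sender local part starts jr-/jq-."""
    total = sum(counts.values())
    forged = sum(c for s, c in counts.items() if FORGED_PREFIX.match(s.split("@")[0]))
    return forged / total if total else 0.0


if __name__ == "__main__":
    start = parse_ts("Feb  5 13:58:00")  # assumed window start
    counts, clients = snapshot(SAMPLE_LOG, start)
    for count, sender in top_senders(SAMPLE_LOG, start):
        print(f"{count:3d}  {sender:24} from {len(clients[sender])} client IP(s)")
    print(f"jr-/jq- share of the window: {forged_share(counts):.0%}")
```

The distinct-client count per sender is the part a plain `sort | uniq -c` on from= lines does not give you: the same forged sender arriving from many unrelated client addresses is what tells you the sender string is not worth blocking on its own, while the prefix share tells you whether a pattern rule on the local part would actually bite.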


Re: flooded with jr* spam

2008-02-05 Thread Michael W Cocke
I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice
per second with ICMP packets, and netops can't find who

I had to degrade the logging on my snort-inline because the system was
drowning.

Mike-


On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:

Has anyone else noticed a similar pattern or does someone out there hate me?
:) The top 100 SPAM senders on my network (1 minute snapshot below) are all
forgeries starting with jr- or jq-

The annoying thing is, nothing particularly similar about the SPAM being
relayed...

-Vlad


Re: flooded with jr* spam

2008-02-05 Thread Per Jessen
Michael W Cocke wrote:

 I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice
 per second with ICMP packets, and netops can't find who

tcpdump ?


/Per Jessen, Zürich



Re: flooded with jr* spam

2008-02-05 Thread Michael W Cocke

They use DHCP.  Netops has to trace it, and I seem to be about 5Kth on
the list.  sigh  Ironic as hell, considering the effort I put into
avoiding MIT netops about 20 years ago.

Mike-


On Tue, 05 Feb 2008 21:01:04 +0100, you wrote:

Michael W Cocke wrote:

 I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice
 per second with ICMP packets, and netops can't find who

tcpdump ?


/Per Jessen, Zürich


Re: flooded with jr* spam

2008-02-05 Thread --[ UxBoD ]--
the inline snort station should show some more detail. do you have access to 
your routers and switches ?

Regards,

-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- Michael W Cocke [EMAIL PROTECTED] wrote:

 I'll trade you - somewhere in MIT (20K+ computers) is hitting me
 twice
 per second with ICMP packets, and netops can't find who
 
 I had to degrade the logging on my snort-inline because the system
 was
 drowning.
 
 Mike-
 
 
 On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:




Re: flooded with jr* spam

2008-02-05 Thread Michael W Cocke
Yes, I do have a lot more detail.  It's all been reported to MIT per
their procedure.  Unfortunately it comes down to whatever is
happening is happening in the MIT network, we'll take it from here,
have a nice day (Without a pause for breath even)

Up to a large point I have sympathy for them - it's no damn fun
finding a specific system on any campus, and MIT is bigger than
anything I've seen, even Berkeley.

Mike-


On Tue, 5 Feb 2008 20:09:10 +0000 (GMT), you wrote:

the inline snort station should show some more detail. do you have access to 
your routers and switches ?



Re: flooded with jr* spam

2008-02-05 Thread Joseph Brennan
--On Tuesday, February 5, 2008 1:58 PM -0500 Vlad Mazek [EMAIL PROTECTED] 
wrote:
Has anyone else noticed a similar pattern or does someone out there hate
me? :) The top 100 SPAM senders on my network (1 minute snapshot below)
are all forgeries starting with jr- or jq-
Yeah, we noticed.

We get 3 million BOUNCES a day for [EMAIL PROTECTED], from
stupid systems that don't reject for unknown users, but accept and
then mail a bounce.  If 3 million are undeliverable just to badly
configured systems, imagine how many are really undeliverable, and
then imagine how many are being sent!  And for just that one sender.
Note, [EMAIL PROTECTED] does not exist and never did-- it is
totally safe to reject all mail from it.  We refuse the bounces at
the RCPT command, but it's still a lot of useless smtp connections.

The spam is from the Herbal King, for organ enlargement, isn't it?
Unfortunately we cannot deliver to one mailbox fast enough to collect
very many samples, but that's what we saw last time we tried it.

The messages have a faked Received header that looks pretty good.
Note that Senderbase shows cs.columbia.edu as columbia.edu's biggest
single sender of email, despite the fact that it sends NO mail, based
entirely on Senderbase believing Received headers.

It makes you want to add points for senders starting with jr or jq,
doesn't it?

Joseph Brennan
Columbia University Information Technology
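
Joseph's two points, refusing at RCPT so that a never-existent user is not accepted and then bounced, and adding points for jr-/jq- senders, as an added example that is not Columbia's configuration or code: a small Python model of the RCPT-time decision beside the accept-then-bounce behaviour that manufactures backscatter, plus the score bump. The domain, mailbox directory, session list and point value are constructed assumptions.

```python
import re

# Constructed directory of mailboxes that exist on this domain (assumption).
LOCAL_DOMAIN = "example.edu"
KNOWN_MAILBOXES = {"postmaster", "abuse", "alice"}
FORGED_PREFIX = re.compile(r"^j[rq]-", re.IGNORECASE)
JRJQ_POINTS = 2.0  # assumed score bump; tune against your own corpus


def split_address(addr):
    """'<local@domain>' -> ('local', 'domain'), lower-cased; '<>' -> ('', '')."""
    local, _, domain = addr.strip().strip("<>").rpartition("@")
    return local.lower(), domain.lower()


def rcpt_decision(mail_from, rcpt_to):
    """RCPT-time policy: an unknown local user is refused on the connection,
    before DATA, so there is never a queued message to bounce. Returns an
    (SMTP code, reply text) pair."""
    local, domain = split_address(rcpt_to)
    if domain != LOCAL_DOMAIN:
        return 554, "5.7.1 relay access denied"
    if local not in KNOWN_MAILBOXES:
        return 550, "5.1.1 recipient address rejected: user unknown"
    return 250, "2.1.5 ok"


def accept_then_bounce(mail_from, rcpt_to):
    """The behaviour Joseph complains about: accept every RCPT, discover the
    user is unknown later, and send a DSN to MAIL FROM. With a forged sender
    that DSN lands on a third party, which is backscatter. Returns the bounce
    envelope that such a system would emit, or None when it would not bounce."""
    local, domain = split_address(rcpt_to)
    if domain == LOCAL_DOMAIN and local not in KNOWN_MAILBOXES:
        if split_address(mail_from) == ("", ""):
            return None  # a DSN itself arrives from <>; never bounce a bounce
        return {"mail_from": "<>", "rcpt_to": mail_from}
    return None


def sender_points(mail_from):
    """Content-filter side: extra points for envelope senders starting jr-/jq-."""
    local, _ = split_address(mail_from)
    return JRJQ_POINTS if FORGED_PREFIX.match(local) else 0.0


# Constructed SMTP sessions as (MAIL FROM, RCPT TO); none are real traffic.
SESSIONS = [
    ("<>", "<jr-ksdf@example.edu>"),                  # incoming backscatter for a user who never existed
    ("<victim@example.com>", "<jr-aaaa@example.edu>"),  # spam with forged sender to a non-existent user
    ("<jq-wrqp@example.org>", "<alice@example.edu>"),   # forged jr/jq sender to a real mailbox
    ("<bob@example.net>", "<alice@example.edu>"),       # ordinary mail
]


def simulate(sessions):
    """Tally what the RCPT-time policy does versus what accept-then-bounce would do."""
    out = {"rejected_at_rcpt": 0, "accepted": 0, "backscatter_generated": 0}
    for mail_from, rcpt_to in sessions:
        code, _ = rcpt_decision(mail_from, rcpt_to)
        out["rejected_at_rcpt" if code != 250 else "accepted"] += 1
        if accept_then_bounce(mail_from, rcpt_to):
            out["backscatter_generated"] += 1
    return out


if __name__ == "__main__":
    for mail_from, rcpt_to in SESSIONS:
        code, text = rcpt_decision(mail_from, rcpt_to)
        bounce = accept_then_bounce(mail_from, rcpt_to)
        print(f"MAIL FROM:{mail_from:24} RCPT TO:{rcpt_to:24} -> {code} {text}"
              f"  (+{sender_points(mail_from):.1f} pts)"
              + (f"  naive system would bounce to {bounce['rcpt_to']}" if bounce else ""))
    print(simulate(SESSIONS))
```

The second session is the one that matters: the RCPT-time policy answers 550 and the forged victim@example.com never hears about it, whereas the accept-then-bounce system turns the same spam into a DSN aimed at the victim. The first session shows why the same 550 also works against the inbound side of that problem, which is what Joseph means by refusing the bounces at the RCPT command.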