<html><head><meta name="Generator" content="PocoMail 3 HTML/CSS Generator"/>
<style type="text/css"><!--
p{display:block;font-family:"Tahoma";font-size:10pt;color:navy;margin:0.00in;text-align:left;}
LI{display:list-item;font-family:"Tahoma";font-size:0pt;color:black;margin-top:0.00in;margin-bottom:0.00in;text-align:left;}
td{display:block;font-family:"Tahoma";font-size:0pt;color:black;margin-left:0.00in;margin-right:0.00in;text-align:left;}
body{}
--></style>
</head><BODY BGCOLOR="#F0F0F0"><p><SPAN style="font-family:'Tahoma';">On Tue, 06 Apr 2004 15:12:05 -0700, Rhugga wrote:<br/></SPAN><SPAN style="font-family:'Tahoma';">> Michael Sullivan wrote:</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> I read my log watch every day for my server PC. Each time I notice</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> an attempted unauthorized access, I run the IP through whois and</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> then I send an email to the abuse@ address I see at the bottom of</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> whois report. This morning I found a third attempt to send email</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> through my smtp server from kornet.net.  Is there anyone I can</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> report them to if it happens again?  
I've sent them email all</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> three times that they've attempted to use my server...</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>></SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>> -Michael Sullivan-</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>></SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';color:maroon;">>></SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> Well, if it is one of these spare bedroom data center type ISPs</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> that are springing up to send spam mail, your quest may become</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> futile. I write code for an anti-spam mail filtering service</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> provider, and it is a royal pain in the ass to track down these</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> luzers. 
(assuming this is a spammer probe and not a legitimate</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> mistake some admin might be making) Also, it may be an infected</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> host in that network that has some kind of adware/spyware/spamware</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> daemon probing for extra hops.</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">></SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> You may wanna play with them a little bit, give him an open relay</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> and see what follows. (don't walk away from the terminal while you</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> are doing this, I mean, be watching tcpdump in real time) If this</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> is a spammer ISP, just block their network/domain/whatever at your</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> smtp server. (postfix is great for this type of thing)</SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">></SPAN><SPAN style="font-family:'Tahoma';"><br/></SPAN><SPAN style="font-family:'Tahoma';">> -cc</SPAN><SPAN style="font-family:'Tahoma';"><br/><br/><br/>just a quick note - kornet.net is one of the biggest spam ISPs in the world (it's the biggest ISP in Korea AFAIK). I don't even bother sending spam reports to them - they don't reply.</SPAN></p>
<p> </p>
<p><SPAN style="font-family:'Tahoma';">Jeff</SPAN></p>
</body></html>