__________________________________________________________________________
Text of message sent by NetSide postmaster to Versatel contacts of record:
__________________________________________________________________________

This is an official complaint from NetSide Corporation, a Florida ISP, regarding a probing incident that occurred on Mar 1, 2002, from your ip 62.58.174.50 in VERSATEL-CUST-VUURWERK-FBOADSL-6.

Our investigation reveals that on that date a user of your service, later identified as Alan Brown, connected to our SMTP server at ip 205.159.140.2 from your client's machine at nexus.vlan2.madscience.nl and repeatedly attempted to relay messages with forged headers to several anti-spam vigilante organizations and to himself. The following sendmail log extract (EST) documents his actions:

--------------------- sendmail log extract (EST) ------------------------
Mar 1 09:46:27 sunny sendmail[26921]: JAA26921: ruleset=check_mail, arg1=, relay=nexus.vlan2.madscience.nl [62.58.174.50], reject=550 ... This domain is banned.
Mar 1 09:46:27 sunny sendmail[26921]: JAA26921: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=nexus.vlan2.madscience.nl [62.58.174.50]
Mar 1 09:46:51 sunny sendmail[26937]: JAA26937: from=, size=984, class=0, pri=180984, nrcpts=6, msgid=, proto=SMTP, relay=nexus.vlan2.madscience.nl [62.58.174.50]
Mar 1 09:46:52 sunny sendmail[26950]: JAA26937: to=, delay=00:00:08, xdelay=00:00:01, mailer=smtp, relay=frankenfurter.the-s-lab, stat=Host unknown (Name server: frankenfurter.the-s-lab: host not found)
Mar 1 09:46:54 sunny sendmail[26950]: JAA26937: to=, delay=00:00:10, xdelay=00:00:02, mailer=smtp, relay=groundzero.ordb.org. [62.242.0.190], stat=Sent (Ok: queued as E5C6F5B13B)
Mar 1 09:50:15 sunny sendmail[26950]: JAA26937: to=, delay=00:03:31, xdelay=00:03:21, mailer=smtp, relay=mach3.osirusoft.com. [216.102.236.44], stat=Sent (2.0.0 g1SFpr802637 Message accepted for delivery)
Mar 1 09:51:42 sunny sendmail[26950]: JAA26937: to=, delay=00:04:58, xdelay=00:01:27, mailer=smtp, relay=mail.goldinc.com. [63.164.70.2], stat=Deferred: Connection refused by mail.goldinc.com.
Mar 1 09:51:43 sunny sendmail[26950]: JAA26937: to=, delay=00:04:59, xdelay=00:00:01, mailer=smtp, relay=orbs.org, stat=Host unknown (Name server: orbs.org: no data known)
Mar 1 09:51:45 sunny sendmail[26950]: JAA26937: to=, delay=00:05:01, xdelay=00:00:02, mailer=smtp, relay=a.mx.orbz.org. [205.231.149.25], stat=Sent (ok 1014994552 qp 6183)
Mar 1 09:51:45 sunny sendmail[26950]: JAA26937: JAA26950: DSN: Host unknown (Name server: orbs.org: no data known)
Mar 1 09:51:48 sunny sendmail[26950]: JAA26950: to=, delay=00:00:03, xdelay=00:00:03, mailer=smtp, relay=nexus.madscience.nl. [62.58.174.50], stat=Sent (Ok: queued as 9976625AFC)
Mar 1 09:52:24 sunny sendmail[27231]: JAA27231: ruleset=check_mail, arg1=, relay=nexus.vlan2.madscience.nl [62.58.174.50], reject=451 ... Unresolvable host name. Check your DNS configuration.
Mar 1 09:52:24 sunny sendmail[27231]: JAA27231: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=nexus.vlan2.madscience.nl [62.58.174.50]
Mar 1 09:54:55 sunny sendmail[27317]: JAA26937: to=, delay=00:08:11, xdelay=00:00:00, mailer=smtp, relay=mail.goldinc.com. [63.164.70.2], stat=Deferred: Connection refused by mail.goldinc.com.
------------------- end of sendmail log extract (EST) ----------------------

This is the nslookup, dig and trace information for ip 62.58.164.50:

Name:    nexus.vlan2.madscience.nl
Address: 62.58.174.50
Aliases: 50.174.58.62.in-addr.arpa

; <<>> DiG 2.1 <<>> nexus.vlan2.madscience.nl
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; Ques: 1, Ans: 1, Auth: 4, Addit: 4
;; QUESTIONS:
;;      nexus.vlan2.madscience.nl, type = A, class = IN

;; ANSWERS:
nexus.vlan2.madscience.nl.      78126   A       62.58.174.50

;; AUTHORITY RECORDS:
madscience.nl.  78146   NS      ns.dataloss.nl.
madscience.nl.  78146   NS      ns2.dataloss.nl.
madscience.nl.  78146   NS      ns3.dataloss.nl.
madscience.nl.  78146   NS      zen.madscience.nl.

;; ADDITIONAL RECORDS:
ns.dataloss.nl.         76500   A       62.250.7.47
ns2.dataloss.nl.        76500   A       212.204.245.236
ns3.dataloss.nl.        76500   A       193.109.122.215
zen.madscience.nl.      78146   A       62.58.174.51

;; Total query time: 9 msec
;; FROM: sunny to SERVER: default -- 205.159.140.2
;; WHEN: Tue Mar 26 10:48:47 2002
;; MSG SIZE  sent: 43  rcvd: 216

traceroute to 62.58.164.50 (62.58.164.50) 30 hops max, 40 byte packets
[...]
15 so-6-0-0.xr1.ams6.alter.net (146.188.8.81) 118 ms (ttl=243!) 118 ms (ttl=243!) 118 ms (ttl=243!)
16 pos1-0.gw5.ams6.alter.net (146.188.4.6) 143 ms (ttl=243!) 125 ms (ttl=243!) 118 ms (ttl=243!)
17 versatel-gw.customer.nl.uu.net (192.16.190.122) 140 ms (ttl=242!) 130 ms (ttl=242!) 145 ms (ttl=242!)
18 vlan111.as01asd2.versatel.net (62.58.62.4) 128 ms (ttl=240!) 131 ms (ttl=240!) 136 ms (ttl=240!)
19 217.16.32.81 (217.16.32.81) 142 ms (ttl=239!) 121 ms (ttl=239!) 212 ms (ttl=239!)
20 62.58.164.49 (62.58.164.49) 143 ms (ttl=238!) 159 ms (ttl=238!) 138 ms (ttl=238!)
21 62.58.164.50 (62.58.164.50) 208 ms (ttl=110!) 156 ms (ttl=110!) 256 ms (ttl=110!)

Alan Brown then posted a message through the NNTP server news.osirusoft.com on the usenet newsgroup news.admin.net-abuse.email detailing his actions and asking that our class C ip block 205.159.140.0/24 be blocked by "SPEWS". The newsgroup posting is attached below, and also can be accessed on-line at:

http://groups.google.com/groups?selm=Pine.GSO.4.44.0203010956410.7297-100000%40Aurora&output=gplain

The log line reproduced below specifically shows Alan Brown relaying back to his own address at alanb@madscience.nl through our servers:

Mar 1 09:51:48 sunny sendmail[26950]: JAA26950: to=, delay=00:00:03, xdelay=00:00:03, mailer=smtp, relay=nexus.madscience.nl. [62.58.174.50], stat=Sent (Ok: queued as 9976625AFC)

Note that the record of this particular relay attempt to himself is missing from the session log Alan Brown posted in his message to the newsgroup. We believe this was concealed so that he would avoid incriminating himself.

Other log lines show he intentionally used forged headers in email messages (i.e., alanb@froody.domain, Alan@frankfurter.the-s-lab) with undeliverable return addresses, which were rejected by our server (Recipient was NOT ok).

The reference to "perusal of the old ORBS database and mailboxes" shows Alan Brown to be the former owner of Manawatu Internet Services and the former ORBS (Open Relay Behavior-modification System) blacklist, a vigilante outfit shut down last year as a result of an unfavorable New Zealand court ruling. We are alarmed he is permitted to continue his controversial probing practices from your service.

We hold that Alan Brown, while connecting from your ip, has intentionally abused our mail server for the purpose of causing harm to our service, and ask you to fully investigate this incident at your end, according to your terms of service. Please respond with your findings.

--Postmaster
NetSide Corporation
P.O. Box 403895
Miami, FL 33140, USA
Tel: 305-531-1995
admin@netside.net

------------------- news.admin.net-abuse.email posting --------------------
From: Alan Brown
Newsgroups: news.admin.net-abuse.email
Subject: Re: BLOCK: 205.159.140.0/24 (Attn SPEWS) (fwd)
Date: Fri, 1 Mar 2002 09:57:01 -0500
Organization: OsiruSoft Research & Engineering
Lines: 66
Message-ID:
NNTP-Posting-Host: digistar.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Trace: ns.osirusoft.com 1014994626 567 198.94.138.14 (1 Mar 2002 14:57:06 GMT)
X-Complaints-To: news@news.osirusoft.com
NNTP-Posting-Date: 1 Mar 2002 14:57:06 GMT
X-X-Sender: alanb@Aurora

On Fri, 1 Mar 2002, Andy Dustman wrote:

> I think this exchange speaks for itself. Particularly you should read
> their position on open relays.

They've also blocked most of the antispammers, from the look of it.

Not listed in ORDB, or ORBZ, or Osirusoft.

... and yup, perusal of the old ORBS database and mailboxes shows they were listed manually there after having blocked that tester.

Alan@frankenfurter:~$ ./rlytest -f alanb@digistar.com 205.159.140.2
Connecting to 205.159.140.2 ...
<<< 220 netside.net ESMTP Sendmail 8.8.8/8.7.3; Fri, 1 Mar 2002 09:46:26 -0500 (EST) Unauthorized use and spam relaying prohibited. Violators will be prosecuted.
>>> HELO frankenfurter.the-s-lab
<<< 250 netside.net Hello nexus.vlan2.madscience.nl [62.58.174.50], pleased to meet you
>>> MAIL FROM:
<<< 550 ... This domain is banned.
rlytest: relay rejected - final response code 550

Alan@frankenfurter:~$ ./rlytest -f alanb@froody.domain 205.159.140.2
Connecting to 205.159.140.2 ...
<<< 220 netside.net ESMTP Sendmail 8.8.8/8.7.3; Fri, 1 Mar 2002 09:46:44 -0500 (EST) Unauthorized use and spam relaying prohibited. Violators will be prosecuted.
>>> HELO frankenfurter.the-s-lab
<<< 250 netside.net Hello nexus.vlan2.madscience.nl [62.58.174.50], pleased to meet you
>>> MAIL FROM:
<<< 250 ... Sender ok
>>> RCPT TO:
<<< 250 ... Recipient ok
>>> RCPT TO:
<<< 250 ... Recipient ok
>>> RCPT TO:
<<< 250 ... Recipient ok
>>> RCPT TO:
<<< 250 ... Recipient ok
>>> RCPT TO:
<<< 250 ... Recipient ok
>>> RCPT TO:
<<< 250 ... Recipient ok
>>> DATA
<<< 354 Enter mail, end with "." on a line by itself
>>> (message body)
<<< 250 JAA26937 Message accepted for delivery
>>> QUIT
<<< 221 netside.net closing connection
rlytest: relay accepted - final response code 221

> -----Forwarded Message-----
>
> From: sunny-Admin(0000)
> To: Spam Disposal Unit
> Subject: Re: [SPAM 205.159.140.2] How Can I order? [t26dm]
> Date: 28 Feb 2002 16:45:35 -0500
>
> We have started blocking the two class C's 63.107.246.0/24 and
> 63.107.247.0/24 as a result of this incident.
>
> For details regarding our position on open relays, please visit
> http://www.dotcomeon.com/
>
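Added example, not part of the complaint, of the posting, or of rlytest: a defender-side pass over sendmail logs of the shape in the extract above. It correlates the check_mail rejection, envelope (from=) and per-recipient delivery (to=) records that sendmail writes under one queue id, and flags a message that was accepted from a host outside our own network and handed on to hosts that are also outside it, which is what a successful third-party relay looks like in the log. LOCAL_NETS is the complainant's block from the text; the sample lines are constructed after the extract, with the addresses stripped from the page filled in with placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("205.159.140.0/24")]  # our own block, taken from the complaint

# Record shapes in the extract: check_mail rejection, envelope (from=), per-recipient delivery (to=), DSN link.
REJECT_RE = re.compile(r": (?P<qid>\w+): ruleset=(?P<ruleset>\w+),.*, reject=(?P<code>\d{3})")
FROM_RE = re.compile(r": (?P<qid>\w+): from=.*, relay=(?P<relay>.*)$")
TO_RE = re.compile(r": (?P<qid>\w+): to=.*, mailer=(?P<mailer>\w+), relay=(?P<relay>.*?), stat=(?P<stat>.*)$")
DSN_RE = re.compile(r": (?P<parent>\w+): (?P<qid>\w+): DSN: ")

def is_local(relay):  # relay= values carry the peer IP in brackets; no IP means the name never resolved
    m = re.search(r"\[([\d.]+)\]", relay)
    return bool(m) and any(ip_address(m.group(1)) in net for net in LOCAL_NETS)

def analyze(lines):
    msgs = defaultdict(lambda: {"src": None, "rejects": [], "deliveries": [], "dsn_for": None})
    for line in lines:
        if m := REJECT_RE.search(line):
            msgs[m["qid"]]["rejects"].append(f"{m['ruleset']} {m['code']}")
        elif m := FROM_RE.search(line):
            msgs[m["qid"]]["src"] = m["relay"]
        elif m := DSN_RE.search(line):
            msgs[m["qid"]]["dsn_for"] = m["parent"]
        elif m := TO_RE.search(line):
            msgs[m["qid"]]["deliveries"].append(m.groupdict())
    verdicts = {}
    for qid, rec in msgs.items():
        # Only smtp deliveries to hosts outside our nets count; delivery into local mailboxes is ordinary inbound mail.
        ext = [d for d in rec["deliveries"] if d["mailer"] == "smtp" and not is_local(d["relay"])]
        sent = [d["relay"] for d in ext if d["stat"].startswith("Sent")]
        if rec["rejects"]:
            verdicts[qid] = "rejected: " + ", ".join(rec["rejects"])
        elif rec["dsn_for"]:
            verdicts[qid] = f"bounce for {rec['dsn_for']}, returned to " + ", ".join(sent)
        elif rec["src"] and not is_local(rec["src"]) and ext:
            verdicts[qid] = f"RELAYED from {rec['src']}: {len(sent)} delivered, {len(ext) - len(sent)} attempted"
        else:
            verdicts[qid] = "local traffic"
    return verdicts

# Constructed after the complaint's extract; addresses stripped from the page are filled with placeholders.
SAMPLE_LOG = """\
Mar 1 09:46:27 sunny sendmail[26921]: JAA26921: ruleset=check_mail, arg1=<alanb@digistar.com>, relay=nexus.vlan2.madscience.nl [62.58.174.50], reject=550 <alanb@digistar.com>... This domain is banned.
Mar 1 09:46:51 sunny sendmail[26937]: JAA26937: from=<alanb@froody.domain>, size=984, class=0, pri=180984, nrcpts=6, msgid=<id@example.invalid>, proto=SMTP, relay=nexus.vlan2.madscience.nl [62.58.174.50]
Mar 1 09:46:52 sunny sendmail[26950]: JAA26937: to=<rcpt@example.invalid>, delay=00:00:08, xdelay=00:00:01, mailer=smtp, relay=frankenfurter.the-s-lab, stat=Host unknown (Name server: frankenfurter.the-s-lab: host not found)
Mar 1 09:46:54 sunny sendmail[26950]: JAA26937: to=<rcpt@example.invalid>, delay=00:00:10, xdelay=00:00:02, mailer=smtp, relay=groundzero.ordb.org. [62.242.0.190], stat=Sent (Ok: queued as E5C6F5B13B)
Mar 1 09:51:45 sunny sendmail[26950]: JAA26937: JAA26950: DSN: Host unknown (Name server: orbs.org: no data known)
Mar 1 09:51:48 sunny sendmail[26950]: JAA26950: to=<alanb@madscience.nl>, delay=00:00:03, xdelay=00:00:03, mailer=smtp, relay=nexus.madscience.nl. [62.58.174.50], stat=Sent (Ok: queued as 9976625AFC)
""".splitlines()
```

Calling analyze(SAMPLE_LOG) gives one verdict per queue id: JAA26921 rejected at check_mail, JAA26937 relayed from the outside client to one external host with one more attempted, and JAA26950 identified as the bounce sendmail generated for JAA26937.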