Great Circle Associates List-Managers
(March 1997)
 


Subject: Re: Current Spam sources...
From: Alexander Verbraeck <A . Verbraeck @ IS . TWI . TUDelft . NL>
Date: Mon, 24 Mar 1997 08:33:16 +0100 (MET)
To: list-managers @ greatcircle . com
Cc: winfave @ duticai . twi . tudelft . nl, winfpet @ duticai . twi . tudelft . nl, chuq @ apple . com

[I repost a previous attempt without a long list of logs; if anyone is 
interested in these, I can send them personally in an e-mail; maybe the 
long posting makes it to the list as well]

> Okay, I've spent some serious time in my logs and backtracking the
> current spam attacks (which are still on-going, by the way. One
> interesting note is that some/many of the people being attacked are
> being attacked repeatedly, especially the people from engr.csulb.edu.)
> 
> So far, ALL of the spam I've seen has originated from one of four places:
> 
> nlights.net
> *dial-access.att.net
> oscva.orbital.com
> iglou.com

Dear Chuq,

My lists are always under heavy attack from dozens of places (both by spam 
and by bogus subscriptions, or by mailbombing existing, unknowing users).
I was hit by the above domains as well, and had about 50% of the bogus
subscriptions in one of the other of today's postings. I have the feeling
that the above spam attacks ORIGINATE from csulb.edu, but I might be
wrong, of course, so if anyone plans on acting or placing a trap, please
do it carefully. The person I will mention below might as well be a victim
like some of the rest.

I found out that most of the engr.csulb.edu addresses in fact DID exist.
black@engr.csulb.edu was, until recently, the address of the postmaster
of the domain:

220 yei.csulb.edu ESMTP Sendmail 8.8.5/8.7.3; Sun, 23 Mar 1997 12:24:58 -0800 ()
VRFY postmaster
250 <postmaster@yei.csulb.edu>
EXPN postmaster
250-<black@engr.csulb.edu>
250 <sla@notesmail.csulb.edu>

Postmasters are always a wanted target of spammers... Then there is the
following. I traced ALL mailings from iglou, att.net, nlights.net, etc. 
over the past four months (I currently keep logs a looong time), as I 
found out in previous cases that spammers first try at least SOMETHING
using their OWN account to see if it works. In this case, the bell rang
with the account EUNK@CSULB.EDU. An existing account that was the FIRST
(Feb 28) to start poking around my lists using some of the above domains.
But there is more. EUNK@CSULB.EDU was the ONLY ADDRESS that UNSUBSCRIBED
itself from the lists RIGHT AFTER it was subscribed, using ALL OF THE
FAKED DOMAINS! Well, if you try to be nasty, you NEVER unsub! There is
even a REPLY to a mail of the list (e.g. to the SUB message) using iglou.com.

This started BEFORE the Remal Amai (reverse of I am a lamer) words were
first used. The first account with Remal Amai was eunk@csulb.edu...

So, my suspicion rests with this user:

220 yei.csulb.edu ESMTP Sendmail 8.8.5/8.7.3; Sun, 23 Mar 1997 12:24:32 -0800 ()
VRFY eunk
250 Eun-Kyoung Lee <eunk@yei.csulb.edu>

But, like I said: I CAN BE WRONG.

I do not have the time to follow up on this, so if any of you could see
whether there is something here, please feel free to act. I include the
entire trace of eunk@csulb.edu below, so you can judge for yourself.
[I cut the trace, as this makes the e-mail probably too long for
list-managers].

A second user I just found when going through the logs that subscribed 
AND UNSUBSCRIBED using oscva.orbital.com (sounds VERY suspicious, but is,
of course, no proof) is mattblack@audiophile.com...

Kind regards,
Alexander Verbraeck (tired)
List Manager BPR-L, DYNMOD-L

-----------------------------------------------------------------
Dr. Alexander Verbraeck            Delft University of Technology
Department of Systems Engineering, Policy Analysis and Management
Jaffalaan 5        P.O. Box 5015, 2600 GA  Delft  The Netherlands
Tel: +31 15 2783805    Secr: +31 15 2788380   Fax: +31 15 2783429
e-mail: A.Verbraeck@sepa.tudelft.nl  List manager BPR-L, DYNMOD-L
http://www.sepa.tudelft.nl/~alexandv/    See also ..../bpr-l.html
-----------------------------------------------------------------
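
[Added example, not part of the original posting and not the author's own tooling: one way to run the log check described above, flagging addresses that are subscribed and then removed again shortly afterwards through several different relay domains. The log format, the addresses and the thresholds are assumptions constructed for illustration.]

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format:
# timestamp, action, list, subscriber address, relay host the request came from.
SAMPLE_LOG = """\
1997-02-28T09:00:00 SUB BPR-L user1@campus.example relay=dial12.isp-a.example
1997-02-28T09:04:00 UNSUB BPR-L user1@campus.example relay=dial12.isp-a.example
1997-03-02T11:00:00 SUB BPR-L victim@campus.example relay=host.isp-b.example
1997-03-03T14:00:00 SUB DYNMOD-L user1@campus.example relay=host.isp-b.example
1997-03-03T14:10:00 UNSUB DYNMOD-L user1@campus.example relay=mx.isp-c.example
1997-03-05T08:00:00 SUB BPR-L reader@other.example relay=mail.other.example
1997-03-20T08:00:00 UNSUB BPR-L reader@other.example relay=mail.other.example
"""

def relay_domain(host):
    """Reduce a relay host name to its last two labels."""
    return ".".join(host.lower().split(".")[-2:])

def parse(line):
    """Split one record into (time, action, list, address, relay domain)."""
    ts, action, lst, addr, relay = line.split()
    dom = relay_domain(relay.split("=", 1)[1])
    return datetime.fromisoformat(ts), action, lst, addr.lower(), dom

def quick_unsubscribers(log_text, window=timedelta(hours=1), min_domains=2):
    """Return {address: sorted relay domains} for addresses that were subscribed
    and then removed again within `window`, via at least `min_domains` relays."""
    pending = {}                  # (list, address) -> (time, domain) of last SUB
    domains = defaultdict(set)    # address -> relay domains seen in quick pairs
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, action, lst, addr, dom in records:
        key = (lst, addr)
        if action == "SUB":
            pending[key] = (ts, dom)
        elif action == "UNSUB" and key in pending:
            sub_ts, sub_dom = pending.pop(key)
            if ts - sub_ts <= window:
                domains[addr].update({sub_dom, dom})
    return {a: sorted(d) for a, d in domains.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for addr, doms in quick_unsubscribers(SAMPLE_LOG).items():
        print(addr, "->", ", ".join(doms))
```

[A hit from this check is a lead to examine by hand; an address that never unsubscribes, like the constructed victim@campus.example, is not reported.]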


