Saturday, November 27, 2004
Machines coughing
- Nov 27 * new_account@turtle (1047) Your mail password
- Nov 27 * webmaster@email.co (1047) Faulty_mail delivery
- Nov 27 * webmaster@hotmail. (1059) invalid mail <SMTP:8650>
- Nov 27 * Error_Mail@wimborn (1051) Mail delivery_failed <6580>
- Nov 27 * smooth_criminal_00 (1039) Details
- Nov 27 * hostmaster@hotmail (1043) Confirmation
- Nov 27 * shaikin_fati@hotma (1041) Oh God it's
- Nov 27 * Auto-Mailer@valves (1053) Re: Faulty_mail delivery <Esmtp:5394>
- Nov 27 * nasimaqsa@hotmail. (1030) Details
- Nov 27 * Error_Mail@winzyra (1052) Re: Mail delivery_failed
- Nov 27 * info@mailcity.com (1043) Mail Error <SMTP:3234>
- Nov 27 * new_account@talk21 (1045) Re: Registration confirmation
- Nov 27 * Error_Mail@barking (1049) FwD: illegal signs in your mail
- Nov 27 * notifications@grou (1034) Oh God it's
- Nov 27 * info@hotmail.com (1051) Re: Mail delivery_failed <7339>
- Nov 27 * user_info@xtzyra.c (1046) Your Password <KEY:4924>
- Nov 27 * info@hotmail.com (1053) Faulty_mail delivery
- Nov 27 * lubsss@hotmail.com (1034) FwD: Details
Yup. Spam.
Well, more like viral spam, as it's the same box, over and over, trying to deliver a virus. The IP address it's coming from is 82.38.57.25, which belongs to blueyonder, an ISP based out of Surrey, England.
While I could ban the IP, that would only stop perhaps 40% of it, as most of it is coming in via the backup email host for my domain, and I don't have the access to block IP addresses there. I did a lookup on the IP address (which is how I found out who owns it) and got this:
inetnum:      82.38.0.0 - 82.38.255.255
netname:      TELEWEST-HSD_1-BRADFORD
descr:        Telewest HSD Platform
country:      GB
admin-c:      TWIP3-RIPE
tech-c:       TWIP1-RIPE
status:       ASSIGNED PA
mnt-by:       AS5462-MNT
mnt-lower:    AS5462-MNT
mnt-routes:   AS5462-MNT
notify:       ripe@telewest.net
notify:       capacity@telewest.co.uk
remarks:      report abuse to abuse@blueyonder.co.uk
remarks:      All reports via other channels will be ignored.
changed:      ripe-admin@blueyonder.co.uk 20030313
source:       RIPE
As you can see, all abuse issues need to be mailed to abuse@blueyonder.co.uk, which I did:
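As an added example (not part of the original post, and not code from the author), here is a small parser for RIPE-style whois records like the one above. It embeds the record quoted in the post as a constant so it runs offline, checks that the offending address actually falls inside the listed inetnum range, and pulls out the abuse contact from the remarks lines, which is the part of the record that matters when filing a report. The function names and the preference for an abuse-mailbox field over remarks are my own choices.

```python
"""Parse a RIPE whois record and extract what an abuse report needs.

Added example: the record below is the one quoted in the blog post,
embedded inline (constructed sample data) so no network lookup is made.
"""
import ipaddress
import re

# Sample input: the RIPE record from the post, reproduced as a string.
SAMPLE_WHOIS = """\
inetnum:      82.38.0.0 - 82.38.255.255
netname:      TELEWEST-HSD_1-BRADFORD
descr:        Telewest HSD Platform
country:      GB
admin-c:      TWIP3-RIPE
tech-c:       TWIP1-RIPE
status:       ASSIGNED PA
mnt-by:       AS5462-MNT
mnt-lower:    AS5462-MNT
mnt-routes:   AS5462-MNT
notify:       ripe@telewest.net
notify:       capacity@telewest.co.uk
remarks:      report abuse to abuse@blueyonder.co.uk
remarks:      All reports via other channels will be ignored.
changed:      ripe-admin@blueyonder.co.uk 20030313
source:       RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_whois(text):
    """Return an ordered list of (key, value) pairs.

    Keys may repeat (notify, remarks), so a list is used rather than a dict.
    Lines starting with '%' are RIPE server comments and are skipped.
    """
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.append((key.strip(), value.strip()))
    return fields


def inetnum_range(fields):
    """Return (first, last) IP addresses of the inetnum block."""
    for key, value in fields:
        if key == "inetnum":
            start, _, end = value.partition("-")
            return (ipaddress.ip_address(start.strip()),
                    ipaddress.ip_address(end.strip()))
    raise ValueError("record has no inetnum field")


def covers(fields, ip):
    """True if the record's inetnum block contains the given address."""
    first, last = inetnum_range(fields)
    return first <= ipaddress.ip_address(ip) <= last


def abuse_contacts(fields):
    """Abuse addresses, in preference order.

    An explicit abuse-mailbox attribute (used in newer RIPE objects) wins;
    otherwise fall back to any remarks line that mentions 'abuse', which is
    where older records like this one put the contact.
    """
    found = []
    for key, value in fields:
        if key == "abuse-mailbox":
            found.extend(EMAIL_RE.findall(value))
    for key, value in fields:
        if key == "remarks" and "abuse" in value.lower():
            found.extend(EMAIL_RE.findall(value))
    # De-duplicate while keeping the preference order.
    seen, ordered = set(), []
    for addr in found:
        if addr not in seen:
            seen.add(addr)
            ordered.append(addr)
    return ordered


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    offender = "82.38.57.25"
    print("in block:", covers(rec, offender))
    print("report to:", ", ".join(abuse_contacts(rec)))
```

Run against the record above it confirms 82.38.57.25 sits inside 82.38.0.0 - 82.38.255.255 and returns abuse@blueyonder.co.uk as the only contact; the addresses in the notify and changed lines are deliberately ignored, since the record itself says reports through other channels will be dropped.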
From: Sean Conner <sean@conman.org>
Subject: Infected machine trying to infect my machine
To: abuse@blueyonder.co.uk
Date: Thu, 25 Nov 2004 14:52:55 -0500 (EST)

To whom it may concern:

A machine with the IP address of 82.38.57.25 is continuously sending me infected files, 12 alone today, and about 20 yesterday (when I first noticed). I'm not concerned terribly much about getting infected (since I run Linux, not Windows) but it is clogging up my email, and no telling how many other systems it's trying to infect. Please deal with this as soon as possible.

Thank you.
Sean Conner.
[email sent to me attached]
And as you can see, that was two days ago.
And they're still coming in.
So much for reporting abuse issues.
Today, I went to their broadband support page, and put in a trouble ticket. Maybe then they'll take a look into this.