bobbear Posted October 4, 2004 I reported an ordinary, run-of-the-mill Smith Barney Citigroup (whoever they are...) 'phishing' scam/spam that came from 157.134.186.227 (dial-bu-186-227.wcnet.org), for which the SpamCop parser gave the reporting addresses as support[at]oar.net & postmaster[at]oar.net. I got the following polite but rather uninformative reply from oar.net support, (via SpamCop): Hello, Please contact the people below concerning your complaint: Gary Border, xxxxxx[at]wcnet.org, 419-352-7526 Terry Moenich, xxxxxx[at]wcnet.org, (877) 729-2638, fax: (419) 353-6082 Thank You, Daniel Toskin Seems a strange thing for a support/abuse team to do, (rather than just pass the report on and perhaps notify me they've done it). Just wondered if there's something I'm missing here....
Wazoo Posted October 4, 2004 Tracking URL of the original spam complaint still available? Looking further, perhaps the assignment of certain things isn't yet accomplished ..??
Network Owner wood county internet council inc
Domain wcnet.org
Date of first message seen from this address 2004-10-03
CIDR range 157.134.160.0/19
# of domains controlled by this network owner 15
Report on IP address: 157.134.186.227
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 3.3..... 33698%
Last 30 days ... 1.9 ..... 1169%
Average ..........0.8
This might be explained by a new system/server brought on line with some new clients, or it could also be showing a new e-mail server that's already been "discovered" by the wrong folks. On the other hand, the netblock still does seem to be under oar's block;
10/04/04 13:47:23 IP block 157.134.186.227
Trying 157.134.186.227 at ARIN
Trying 157.134.186 at ARIN
OARnet OAR (NET-157-134-0-0-1) 157.134.0.0 - 157.134.255.255
Wood County Internet Council OAR-157-134-160-0 (NET-157-134-160-0-1) 157.134.160.0 - 157.134.191.255
But that's a big enough chunk, maybe I can see why oar wants to have complaints (at least start to) go to these folks. That said, I am now waiting for a phone call back from the folks at wcnet.org ....
bobbear Posted October 4, 2004 (Author) Thanks for that, Wazoo. I don't keep copies of the tracking URLs, unfortunately, although I do send myself copies of the reports, (which I have for this one), but am I right in saying that the report copy doesn't contain the tracking URL? I can certainly post a copy of the report if it's any help to you.
Wazoo Posted October 4, 2004 Better might be if you were to try to re-parse the spam, let the parser do its thing, copy the Tracking URL from that parse, and either cancel the report (or guessing that it's too old and won't report anything anyway) and paste that Tracking URL in your next post.
bobbear Posted October 4, 2004 (Author) Have done: Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z679233183z23...b552f17bf15751z [Report cancelled]
Wazoo Posted October 4, 2004 Thanks for that ... doesn't appear to leave much doubt as to the source. However, no call back, and another call out there found no one home. E-mail sent to Mr. Moenich and "help" addresses there (and a CC: to Deputies here) advising of the issues with the server at this IP, noting that since the first phone call, three other BLs have picked it up, suggesting that assignment data on the IP block get updated, abuse.net registration be accomplished, and in general, a heads-up notification that it's possible that a SpamCopDNSbl listing also seems likely to occur based on seeing your spam and all the other information currently showing. There may be enough data provided to get a manual edit of the SpamCop database to route future complaints to wcnet.org, but that's not my call. Think I've done all I can do for them <g>
bobbear Posted October 4, 2004 (Author) I'm very impressed indeed - thanks for that. I won't pretend to understand all that's going on there, I'm afraid, but I certainly appreciate all the efforts you've put in.
Wazoo Posted October 5, 2004 No return phone call, no response via e-mail .. so I called them once again. Though a pleasant enough conversation, I'm not sure much was accomplished. Argument was that the IP in question is part of a dial-up pool, not an e-mail server. SenderBase data had to be screwed, as the tech staff would have noticed that kind of traffic going out. He had heard of SpamCop, but dealing with an e-mail invite to PerlCon, and the complaint was against a spamvertised site .. but when he checked the site, it was a development place for Perl programmers, so he didn't see the "problem" .... Invited me to send all this information to him, but then identified the same e-mail address I used yesterday (CC:'d to "info" and Deputies) so not sure what a second e-mail would gain. On their web-site, there's mention of a 2 hour connect time during peak hours http://www.wcnet.org/help/wc/wcfaq.php extended to 4 hours during off-peak and week-ends .. another reason he wasn't believing the SenderBase data. As far as registration data, he was confused, as this IP range has been under his control for years .... then even mentioned that it was in "oar" space .... Anyway, SenderBase shows -100% traffic "today"; http://www.senderbase.org/?searchBy=ipaddr...157.134.186.227
Report on IP address: 157.134.186.227
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 0.0 ... -100%
Last 30 days .. 1.9 .... 1178%
Average ........ 0.8
So if it isn't an e-mail server, the next likely scenario is that the compromised "home" computer has since reconnected on a different IP in that dial-up pool. End result, a lot of time spent, but not much accomplished. Though he talked of being around since ARPA-NET, and this outfit being around for quite a while, I don't see that the basics ever really got addressed.
Perhaps the routing will get changed in the SpamCop routing database, but then again, I haven't heard anything from that direction either <g>
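The two things Wazoo does by hand in the October 4 and October 5 posts above, checking which ARIN allocation the reported IP falls under and reading the SenderBase volume table, can be done mechanically. The script below is an added example, not code from this thread, from SpamCop or from SenderBase. It embeds the ARIN ranges and the two SenderBase tables copied from those posts as its input, finds the most specific allocation containing the IP (which is what decides whose abuse desk should see the report), parses the dotted volume table, and estimates the "change vs. average" from the magnitudes. The estimate assumes SenderBase's magnitude is a base-10 log scale (one point of magnitude is roughly 10x the volume); because the page shows magnitudes rounded to one decimal, the estimate only approximates the percentages shown, and a displayed 0.0 is treated as "no traffic seen", which the page reports as -100%.

```python
import ipaddress
import re

# ARIN allocations exactly as quoted in the thread: (owner, first address, last address).
ALLOCATIONS = [
    ("OARnet", "157.134.0.0", "157.134.255.255"),
    ("Wood County Internet Council", "157.134.160.0", "157.134.191.255"),
]

# The two SenderBase tables from the Oct 4 and Oct 5 posts (copied from the thread, used as sample input).
SENDERBASE_OCT4 = """Magnitude Vol Change vs. Average
Last day ......... 3.3..... 33698%
Last 30 days ... 1.9 ..... 1169%
Average ..........0.8"""

SENDERBASE_OCT5 = """Magnitude Vol Change vs. Average
Last day ........ 0.0 ... -100%
Last 30 days .. 1.9 .... 1178%
Average ........ 0.8"""

# One table row: label, dotted filler, magnitude (one decimal), optional dotted filler and percentage.
ROW_RE = re.compile(
    r"^(?P<label>Last day|Last 30 days|Average)\s*\.*\s*"
    r"(?P<mag>\d+\.\d)"                       # magnitude as displayed, e.g. 3.3
    r"(?:\s*\.*\s*(?P<change>-?\d+)%)?",      # "vs. average" percentage, absent on the Average row
    re.MULTILINE,
)


def most_specific_block(ip, allocations=ALLOCATIONS):
    """Return (owner, network) of the narrowest allocation containing ip, or None if unallocated here."""
    addr = ipaddress.ip_address(ip)
    best = None
    for owner, first, last in allocations:
        # An ARIN first-last range need not be a single CIDR block, so summarize it into one or more.
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        ):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (owner, net)
    return best


def parse_senderbase(text):
    """Parse the dotted SenderBase table into {label: (magnitude, change_pct or None)}."""
    stats = {}
    for m in ROW_RE.finditer(text):
        change = int(m.group("change")) if m.group("change") is not None else None
        stats[m.group("label")] = (float(m.group("mag")), change)
    return stats


def estimated_change_pct(magnitude, average):
    """Volume change implied by two magnitudes on a base-10 log scale (assumption, see lead-in).

    A displayed magnitude of 0.0 is taken as 'no traffic seen', i.e. -100% versus the average.
    """
    if magnitude == 0.0:
        return -100.0
    return (10 ** (magnitude - average) - 1) * 100


def spike_labels(stats, threshold_pct=1000):
    """Rows whose reported change vs. average exceeds threshold_pct; a crude 'worth a phone call' flag."""
    return [label for label, (_, change) in stats.items()
            if change is not None and change > threshold_pct]


if __name__ == "__main__":
    owner, net = most_specific_block("157.134.186.227")
    print(f"157.134.186.227 is in {net} ({owner})")
    for day, table in (("Oct 4", SENDERBASE_OCT4), ("Oct 5", SENDERBASE_OCT5)):
        stats = parse_senderbase(table)
        avg = stats["Average"][0]
        for label, (mag, change) in stats.items():
            est = estimated_change_pct(mag, avg)
            print(f"{day} {label}: magnitude {mag}, reported {change}%, estimated {est:.0f}%")
        print(f"{day} spikes over 1000%: {spike_labels(stats)}")
```

Run as-is it reports the IP under the /19 (Wood County Internet Council) rather than the enclosing /16 (OARnet), which is the routing the thread is trying to get SpamCop to adopt, and flags both the Oct 4 "Last day" and "Last 30 days" rows as spikes while the Oct 5 "Last day" row drops to -100%, matching Wazoo's reading that the sender had moved to another address in the pool.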
Ariel Posted October 5, 2004 (quoting bobbear: "... Smith Barney Citigroup (whoever they are...)")
The largest financial institution in the world, FYI.
bobbear Posted October 5, 2004 (Author) (quoting Ariel: "The largest financial institution in the world, FYI.")
Ah THAT Smith Barney Citigroup..... My defence, (such as it is....), is that they do not have any presence on UK city high streets at all. Our high streets are dominated by the likes of HSBC, Barclays, Lloyds TSB et al.....
bobbear Posted October 5, 2004 (Author) (quoting Wazoo: "No return phone call, no response via e-mail .. so I called them once again. Though a pleasant enough conversation, I'm not sure much was accomplished. Argument was that the IP in question is part of a dial-up pool, not an e-mail server. <snip>")
Thanks Wazoo. If his 'dial-up pool' includes ADSL IP allocations then I suppose it is, (or should I say was), even more likely that it could have been an infected bot pc doing its dastardly stuff......
Wazoo Posted October 5, 2004 He only mentioned that they had "had some issues with their DSL network" ... but wouldn't go into any detail <g>