Jump to content
Sign in to follow this  
bobbear

Curious reply....

Recommended Posts

I reported an ordinary, run of the mill Smith Barney Citigroup (whoever they are...) 'phishing' scam/spam that came from 157.134.186.227 (dial-bu-186-227.wcnet.org) which SpamCop parser gave the reporting addresses for as support[at]oar.net & postmaster[at]oar.net

I got the following polite but rather uninformative reply from oar.net support, (via SpamCop):

Hello,

Please contact the people below concerning your complaint:

Gary Border, xxxxxx[at]wcnet.org, 419-352-7526

Terry Moenich, xxxxxx[at]wcnet.org, (877) 729-2638, fax: (419) 353-6082

Thank You,

Daniel Toskin

Seems a strange thing for a support/abuse team to do, (rather than just pass the report on and perhaps notify me they've done it). Just wondered if there's something I'm missing here....

Share this post


Link to post
Share on other sites

Tracking URL of the original spam somplaint still available?

Looking further, perhaps the assignment of certain things aren't yet accomplished ..??

Network Owner wood county internet council inc

Domain wcnet.org

Date of first message seen from this address 2004-10-03

CIDR range 157.134.160.0/19

# of domains controlled by this network owner 15

Report on IP address: 157.134.186.227

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.3..... 33698%

Last 30 days ... 1.9 ..... 1169%

Average ..........0.8

Thus might be explained by a new system/server brought on line with some new clients, or it could also be showing a new e-mail server that's already been "discovered" by the wrong folks. On the other hand, the netblock still does seem to be under oar's block;

10/04/04 13:47:23 IP block 157.134.186.227

Trying 157.134.186.227 at ARIN

Trying 157.134.186 at ARIN

OARnet OAR (NET-157-134-0-0-1)

157.134.0.0 - 157.134.255.255

Wood County Internet Council OAR-157-134-160-0 (NET-157-134-160-0-1)

157.134.160.0 - 157.134.191.255

But that's a big enough chunk, maybe I can see why oar wants to have complaints (at least start to) go to these folks.

That said, I am now waiting for a phone call back from the folks at wcnet.org ....

Share this post


Link to post
Share on other sites

Thanks for that, Wazoo.

I don't keep copies of the tracking URL's, unfortunately, although I do send myself copies of the reports, (which I have for this one), but am I right in saying that the report copy doesn't contain the tracking URL? I can certainly post a copy of the report if it's any help to you.

Share this post


Link to post
Share on other sites

Better might be if you were to try to re-parse the spam, let the parser do it's thing, copy the Tacking URL from that parse, and either cancel the report (or guessing that it's too old and won't report anything anyway) and paste that Tracking URL in your next post.

Share this post


Link to post
Share on other sites

Thanks for that ... doesn't appear to leave much doubt as to the source. However, no call back, and another call out there found no one home. E-mail sent to Mr. Moenich and "help" addresses there (and a CC: to Deputies here) advising of the issues with the server at this IP, noting that since the first phone call, three other BLs have picked it up, suggesting that assignment data on the IP block get updated, abuse.net registration be accompliashed, and in general, a heads-up notofication that if's possible that a SpamCopDNSbl also seems likely to occur based on seeing your spam and all the other information currently showing. There may be enough data provided to get a manual edit of the SpamCop database to route future complaints to wcnet.org, but that's not my call. Think I've done all I can do for them <g>

Share this post


Link to post
Share on other sites

I'm very impressed indeed - thanks for that. I won't pretend to understand all that's going on there, I'm afraid, but I certainly appreciate all the efforts you've put in.

Share this post


Link to post
Share on other sites

No return phone call, no response via e-mail .. so I called them once again. Though a pleasant enough conversation, I'm not sure much was accomplished. Arguement was that the IP in question is part of a dial-up pool, not an e-mail server. SenderBase data had to be screwed, as the tech staff would have noticed that kind of traffic going out. He had heard of SpamCop, but dealing with an e-mail invit to PerlCon, and the complaint was against a spamvertised site .. but when he checked the site, it was a development place for Perl programmers, so he didn't see the "problem" .... Invited me to send all this information to him, but then identified the same e-mail address I used yesterday (CC:'d to "info" and Deputies) so not sure what a second e-mail would gain.

On their web-site, there's mention of a 2 hour connect time during peak hours http://www.wcnet.org/help/wc/wcfaq.php extended to 4 hours during off-peak and week-ends .. another reason he wasn't believing the SenderBase data.

As far as registration data, he was confused, as this IP range has been under his control for years .... then even mentioned that it was in "oar" space ....

Anyway, SenderBase shows -100% traffic "today";

http://www.senderbase.org/?searchBy=ipaddr...157.134.186.227

Report on IP address: 157.134.186.227

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 0.0 ... -100%

Last 30 days .. 1.9 .... 1178%

Average ........ 0.8

So if it isn't an e-mail server, the next likely scenario is that the compromised "home" computer has since reconnected on a different IP in that dial-up pool. End result, a lot of time spent, but not much accomplished. Though talked of being around since ARPA-NET, and this outfit being around for quite a while, I don't see that the basics ever really got addressed. Perhaps the routing will get changed in the SpamCop routing database, but then again, I haven't heard anything from that direction either <g>

Share this post


Link to post
Share on other sites
... Smith Barney Citigroup (whoever they are...)

18255[/snapback]

The largest financial institution in the world, FYI.

Share this post


Link to post
Share on other sites
The largest financial institution in the world, FYI.

18298[/snapback]

Ah THAT Smith Barney Citigroup..... :) My defence, (such as it is....), is that they do not have any presence on UK city high streets at all. Our high streets are dominated by the likes of HSBC, Barclays, Lloyds TSB et al.....

Share this post


Link to post
Share on other sites
No return phone call, no response via e-mail .. so I called them once again.  Though a pleasant enough conversation, I'm not sure much was accomplished.  Arguement was that the IP in question is part of a dial-up pool, not an e-mail server.  <snip>

18294[/snapback]

Thanks Wazoo. If his 'dial-up pool' includes ADSL IP allocations then I suppose it is, (or should I say was), even more likely that it could have been an infected bot pc doing its dastardly stuff......

Share this post


Link to post
Share on other sites

He only mentioned that they had "had some issues with their DSL network" ... but wouldn't go into any detail <g>

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×