jev, posted September 23, 2004

Just got the following from a report I sent out. Supposedly, the ticket was open for only about 1.25 hours before resolution.

The server in question was hosting a user that unfortunately had an old formmail script that was exploited by a formmail attack. The scripts have been removed, the IP's blocked from the server and a filter has been put in place to drop these messages in the future.
Thank you for notifying us of this problem.

It's nice getting these. Not only a response on what happened, but how they cleaned up, and an actual thanks on helping to point out the problem. If this is genuine (and I have no reason to suspect otherwise), I wish more companies were like this.

-JEV

Merlyn, posted September 23, 2004

What was the IP???

jev (Author), posted September 23, 2004

> What was the IP???

Looks like the IP was 64.91.241.115. The tracking URL looks to be http://www.spamcop.net/sc?id=z673911137zd1...971da3351078d6z.

Sorry for the lag in response (it's been a busy day) and not including that info in the first place (no real excuse for that).

-JEV

keythumper, posted September 24, 2004

> Looks like the IP was 64.91.241.115. The tracking URL looks to be http://www.spamcop.net/sc?id=z673911137zd1...971da3351078d6z.
>
> Sorry for the lag in response (it's been a busy day) and not including that info in the first place (no real excuse for that).
>
> -JEV

I'm also far behind in my abuse tasks. I think the abuse desk for liquidweb.com should be noticed:

Parsing input: 64.91.241.115
host 64.91.241.115 = underworld.liquidweb.com. (cached)
Reporting addresses: abuse[at]liquidweb.com

Well done!

dra007, posted September 26, 2004

Well, it looks like even our famous kornet may eventually take some action:

This is Kornet Abuse Operating Center.
In response of your request, we inform you that Kornet has solved the problem of suspicious activity from our network.
we informed our customer of his illegal activity and requested to fixing a this problem.
In future if it will try again, we will not service to this customer from our network.
Related IP : 222.121.81.249
If you have any further question, please contact us kams-3522956-1-rep[at]abuse.kornet.net or http://abuse.kornet.net/
Thank you.

agsteele, posted September 26, 2004

> It's nice getting these. Not only a response on what happened, but how they cleaned up, and an actual thanks on helping to point out the problem. If this is genuine (and I have no reason to suspect otherwise), I wish more companies were like this.

We always acknowledge reports for the domains we manage. I consider it a common courtesy to let a reporter know what is happening.

Thankfully, our customers don't spam - or at least any that do are quickly dealt with. The reports we receive are therefore few and far between and invariably innocent bystander type reports where a spammer has taken a domain and included it within their Email to tie up the reporting processes. So it isn't a major effort to acknowledge and thank for the reports we receive.

I can imagine, though, that a large ISP hosting many domains might find the task rather overwhelming

Andrew

dra007, posted September 26, 2004

PS. Can someone correct <<resonce>> in the title of this thread?

PS2. Thanks Wazoo for the prompt action!

jev (Author), posted September 27, 2004

> PS. Can someone correct <<resonce>> in the title of this thread?
>
> PS2. Thanks Wazoo for the prompt action!

Eh, like I said, it was a busy day. (And right before vacation -- just got back!) Normally I'm a bit better on the spell checking though...

Add another thanks for the spelling correction.

-JEV

btech, posted October 4, 2004

> Well, it looks like even our famous kornet may eventually take some action:

wow... that's something I never thought I'd see. I wonder if we'll be seeing more of these.

Farelf, posted September 11, 2006

> wow... that's something I never thought I'd see. I wonder if we'll be seeing more of these.

Well, nearly - a mere 2 years later, it was addressed to me but seems to be directed to a spamvertizer(?) and I didn't send this particular complaint to Kornet in the first place, as far as I can tell (I have sent manual reports to them but none with these particular referents). Maybe they're just telling me it is not a valid complaint, but they tried (the Korean text could be interpreted that way, going by BabelFish). Well, I didn't make the complaint anyway.

From: kams-15-20060901157640-1-rep[at]abusemail.kornet.net
Subject: Complaint return notice

[picture]
Your report was returned because its content was insufficient.
You can file a report via the web at http://abuse.kornet.net.
Original message:

Dear ISP
This is an unwanted email from IP: 125.133.28.59
Please take appropriate actions to stop it.
If this mail is a legal newsletter , please help to remove the recipient from your mailing list .
If this spam report has any problem , please DO NOT reply directly , and use this page to tell us http://www.softworking.com/isp.asp?spammail=3085490
Thanks
Best Regards,
AntiSpam Team in Taiwan - softworking http://www.softworking.com
The information below should be all you need.

X-POP3-Rcpt: backup[at]leadcorp.com.tw
Received: from 64.176.16.106 ([125.133.28.59]) by host102.apollohosting.com (8.12.11.20060614/8.13.6) with SMTP id k7RAw4jQ024036 for ; Sun, 27 Aug 2006 06:58:15 -0400
Message-Id: <200608271058.k7RAw4jQ024036[at]host102.apollohosting.com>
From: "¸¨??¤F¡I"
Subject: ²{?b°_¡A§A?i?H¨M?w??¤vªº??¤J,,??¿?¾???¤vªº¤u§[at]??¶¡?a?I.........................?uªº???²³æ
Date: Sun, 27 Aug 2006 18:58:07 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--=====309474679586062=_"

----=====309474679586062=_
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

=B8=A8=A5=EE=A4F=A1I
[lots of whitespace]
3300">=A6p=AAG=C1=D9=B5L=AAk=A6b=BA=F4=B8=F4=A4W=C1=C8=BF=FA=A1I=B4N=B8=A8=
=A5=EE=A4F=A1I=A4=E8=AAk=AFu=AA=BA=AB=DC=C2=B2=B3=E6
[=3D"http://xpoo.idv.tw/008"]
[whitespace]
----=====309474679586062=_--
[picture]

Anyway, it is not so nice to invite listwashing instead of taking the big stick to the perpetrators (I would like to see their foetid remains strewn in pliable strands over several acres of the mosses and brackens of the tundra, but that's just me). Maybe "legal newsletters" just means complaint from valid but forgetful subscribers. They munge when they provide enough detail to stipulate the sender anyway (msg ID) which seems a little strange. Or maybe it was (poorly) munged before they got it.

Archived
This topic is now archived and is closed to further replies.