$1,000 US REWARD OFFERED
for information leading to the arrest and conviction of those responsible.
Written: May 14, 1997, 10:50pm EDT

SUMMARY

The attack began at approximately 9:20pm EDT and continued intermittently until approximately 10:30pm EDT. Several hundred repeated e-mail messages (samples 1-3 below) were directed to the mailbox jim@newmediagroup.com. The attack then resumed as a massive bulk e-mailing whose headers make the message appear to come from jim@newmediagroup.com, sent via two unsecured SMTP mailers. See sample message 4 below. Three messages were sent to us: one threatening message and two versions which bounced.

It is extraordinarily unlikely that those named in the sample messages had anything to do with this. Please do not contact them regarding this matter. Use your energy to find the real perpetrators. The information is retained here for completeness.

-----------------------------------------
MESSAGE TYPE 1, verbatim with all headers

X-POP3-Rcpt: jim@newmediagroup
Return-Path: jim@newmediagroup.com
Received: from nevwest.nevwest.com (root@[205.254.167.10]) by newmediagroup.com (8.7.3/8.6.9) with ESMTP id WAA00462 for ; Wed, 14 May 1997 22:13:55 -0400
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA08708; Wed, 14 May 1997 17:35:54 -0700
From: jim@newmediagroup.com
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice
Message-ID: <>

Courtesy of NuKe /\/\/\/\/\/\/\/\/ Hellraiser Network
Copies: [ ] Single [ ] 100 [ ] 1000 [ ] 10000 [X] 100000
Frequency: [ ] Monthly [ ] Weekly [X] Daily [ ] Hourly [ ] Perpetual
Source: [ ] NuKeNeT [ ] BBS [ ] ViruseXchange [X] Internet [ ] Fixed [X] AutoCycle

Jim,

Your e-mails have gone far from un-noticed. If you wish this to cease - simply apologise to those whom you have been plaguing and you will be removed from Hellraiser. You know who we mean. And find something sensible to do with your time. Otherwise you will be terminated.

Thankyou
Yours,
Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca
Courtesy of Hellraiser....
Jim Youll 419-243-5963
Jim Youll 419-354-2220

-----------------------------------------
MESSAGE TYPE 2, verbatim with all headers

X-POP3-Rcpt: jim@newmediagroup
Received: from nevwest.nevwest.com (root@[205.254.167.10]) by newmediagroup.com (8.7.3/8.6.9) with ESMTP id WAA00522 for ; Wed, 14 May 1997 22:14:36 -0400
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with internal id RAA08699; Wed, 14 May 1997 17:36:54 -0700
Date: Wed, 14 May 1997 17:36:54 -0700
From: Mail Delivery Subsystem
Message-Id: <199705150036.RAA08699@nevwest.nevwest.com>
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="RAA08699.863656614/nevwest.nevwest.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

The original message was received at Wed, 14 May 1997 17:35:47 -0700
from ppp327.enterprise.net [194.72.196.73]

   ----- The following addresses had permanent fatal errors -----

   ----- Transcript of session follows -----
... while talking to freenet.carleton.ca.:
>>> RCPT To:
<<< 550 ... User unknown
550 ... User unknown

Reporting-MTA: dns; nevwest.nevwest.com
Received-From-MTA: DNS; ppp327.enterprise.net
Arrival-Date: Wed, 14 May 1997 17:35:47 -0700

Final-Recipient: RFC822; ca999@freenet.carleton.ca
Action: failed
Status: 5.1.1
Remote-MTA: DNS; freenet.carleton.ca
Diagnostic-Code: SMTP; 550 ... User unknown
Last-Attempt-Date: Wed, 14 May 1997 17:36:09 -0700

Return-Path:
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA08659; Wed, 14 May 1997 17:35:47 -0700
From: jim@newmediagroup.com
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice
Message-ID: <>

Courtesy of NuKe /\/\/\/\/\/\/\/\/ Hellraiser Network
Copies: [ ] Single [ ] 100 [ ] 1000 [ ] 10000 [X] 100000
Frequency: [ ] Monthly [ ] Weekly [X] Daily [ ] Hourly [ ] Perpetual
Source: [ ] NuKeNeT [ ] BBS [ ] ViruseXchange [X] Internet [ ] Fixed [X] AutoCycle

Jim,

Your e-mails have gone far from un-noticed. If you wish this to cease - simply apologise to those whom you have been plaguing and you will be removed from Hellraiser. You know who we mean. And find something sensible to do with your time. Otherwise you will be terminated.

Thankyou
Yours,
Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca
Courtesy of Hellraiser....
Jim Youll 419-243-5963
Jim Youll 419-354-2220

-----------------------------------------
MESSAGE TYPE 3, verbatim with all headers

X-POP3-Rcpt: jim@newmediagroup
Date: Wed, 14 May 1997 21:50:11 -0400 (EDT)
From: Mail Delivery Subsystem
Subject: Returned mail: Can't create output: Error 0
To:
MIME-Version: 1.0
Auto-Submitted: auto-generated (failure)

The original message was received at Wed, 14 May 1997 21:50:06 -0400 (EDT)
from root@[205.254.167.10]

   ----- The following addresses had permanent fatal errors -----
|"/freenet/rootdir/bin/m2mbox /freenet/home/57/al955/mbox"
    (expanded from: )
|"/freenet/rootdir/bin/m2mbox /freenet/home/69/bn816/mbox"
    (expanded from: )

   ----- Transcript of session follows -----
m2mbox (uid = 20857, euid = 20857): User al955 (Christine Mains): mail rejected: current mailbox size 1171 bytes exceeds limit of 0 bytes for users inactive over 279 days
550 |"/freenet/rootdir/bin/m2mbox /freenet/home/57/al955/mbox"... Can't create output: Error 0
m2mbox (uid = 42969, euid = 42969): User bn816 (Tanya Nye): mail rejected: current mailbox size 8361 bytes exceeds limit of 0 bytes for users inactive over 279 days
550 |"/freenet/rootdir/bin/m2mbox /freenet/home/69/bn816/mbox"... Can't create output: Error 0

Reporting-MTA: dns; freenet.carleton.ca
Received-From-MTA: dns; [205.254.167.10]
Arrival-Date: Wed, 14 May 1997 21:50:06 -0400 (EDT)

Final-Recipient: rfc822; al955@freenet.carleton.ca
X-Actual-Recipient: rfc822; |/freenet/rootdir/bin/m2mbox /freenet/home/57/al955/mbox@freenet.carleton.ca
Action: failed
Status: 5.3.0
Last-Attempt-Date: Wed, 14 May 1997 21:50:10 -0400 (EDT)

Final-Recipient: rfc822; bn816@freenet.carleton.ca
X-Actual-Recipient: rfc822; |/freenet/rootdir/bin/m2mbox /freenet/home/69/bn816/mbox@freenet.carleton.ca
Action: failed
Status: 5.3.0
Last-Attempt-Date: Wed, 14 May 1997 21:50:11 -0400 (EDT)

Return-Path: jim@newmediagroup.com
Received: from nevwest.nevwest.com (root@[205.254.167.10]) by freenet.carleton.ca (8.8.3/8.6.4) with ESMTP id VAA04307; Wed, 14 May 1997 21:50:06 -0400 (EDT)
From: jim@newmediagroup.com
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA10620; Wed, 14 May 1997 17:48:20 -0700
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice
Message-ID: <>

Courtesy of NuKe /\/\/\/\/\/\/\/\/ Hellraiser Network
Copies: [ ] Single [ ] 100 [ ] 1000 [ ] 10000 [X] 100000
Frequency: [ ] Monthly [ ] Weekly [X] Daily [ ] Hourly [ ] Perpetual
Source: [ ] NuKeNeT [ ] BBS [ ] ViruseXchange [X] Internet [ ] Fixed [X] AutoCycle

Jim,

Your e-mails have gone far from un-noticed. If you wish this to cease - simply apologise to those whom you have been plaguing and you will be removed from Hellraiser. You know who we mean. And find something sensible to do with your time. Otherwise you will be terminated.

Thankyou
Yours,
Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca
Courtesy of Hellraiser....
Jim Youll 419-243-5963
Jim Youll 419-354-2220

-----------------------------------------
MESSAGE TYPE 4: Fraudulent message sent to many people with forged headers and content suggesting origin at our domain
===========================================

>From al442@freenet.carleton.ca Thu May 15 12:54:10 1997
Received: from relay-5.mail.demon.net by review.demon.co.uk with SMTP id AA863697250; Thu, 15 May 97 12:54:10 +0100
Received: from punt-1.mail.demon.net by mailstore for steve@review.demon.co.uk id 863695623:05:08251:38; Thu, 15 May 97 12:27:03 BST
Received: from [205.254.167.10] ([205.254.167.10]) by punt-1.mail.demon.net id aa0613145; 15 May 97 12:26 BST
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id DAA08394; Thu, 15 May 1997 03:25:07 -0700
From: al442@freenet.carleton.ca
Date: Thu, 15 May 97 11:11:16 EST
To: DerekT@NuKeU2.NeT
Subject: Promote your site via email!!!
Message-ID: <>
X-PMFLAGS: 33554560 0

Friend!

We at NewMediaGroup have been established friends of the internet for some time and have produced some of the best websites on earth!

NEW! NMG Email Promotion!

Now - as of 05/14/97 we offer targeted email website promotion. Promote your website directly to thousands for as little as $250

I use only targeted lists - so it is *NOT* spam.

Call today for a special deal!!!

Jim Youll
www.newmediagroup.com
Email: Jim Youll (jim@newmediagroup.com)
Joe Meiring (joe@newmediagroup.com)
Nick Gorant (nick@newmediagroup.com)
Fax: 419-242-2016
Direct-dial telephones:
Toledo area: 419-243-5963
Bowling Green: 419-354-2220

---------- END OF SAMPLE MESSAGES ----------------

Portion of system process status log showing multiple connections from the sending server:

newmediagroup:~# date
Wed May 14 22:23:03 EDT 1997
newmediagroup:~# ps x
   70  v06  S    0:00 /sbin/agetty 38400 tty6
  418  s00  S    0:00 /usr/sbin/pppd -detach modem crtscts netmask 255.255.255.22
  555  ?    S    0:02 in.telnetd
  556  pp1  S    0:01 -bash
  825  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  826  ?    S    0:00 sendmail: server root@[205.254.167.10] cmd read
  827  ?    S    0:00 sendmail: server root@[205.254.167.10] cmd read
  828  ?    S    0:00 sendmail: server root@[205.254.167.10] cmd read
  829  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  830  ?    S    0:00 sendmail: server root@[205.254.167.10] child wait
  831  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  832  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  833  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  836  ?    S    0:00 sendmail: WAA00836 root@freenet.carleton.ca [134.117.136.20
  837  ?    S    0:00 sendmail: server root@[205.254.167.10] child wait
  843  ?    S    0:00 sendmail: WAA00843 root@freenet.carleton.ca [134.117.136.20
  844  ?    S    0:00 sendmail: server root@[205.254.167.10] cmd read
  845  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  847  ?    S    0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  849  ?    S    0:00 sendmail: server [205.254.167.10] cmd read
  850  ?    S    0:00 sendmail: server root@[205.254.167.10] cmd read
  853  ?    S    0:00 sendmail: server root@[205.254.167.10] cmd read

---------- END OF PROCESS LOG PORTION ----------------

Mail queue showing messages enqueued with a false From: address in the header:

newmediagroup:/var/spool/mail# mailq
                Mail Queue (33 requests)
--Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------
WAA00787*     799 Wed May 14 22:30
WAA00805      799 Wed May 14 22:33
WAA00806      799 Wed May 14 22:33
WAA00816      799 Wed May 14 22:34
WAA00807      799 Wed May 14 22:33
WAA00819      799 Wed May 14 22:34
WAA00808      799 Wed May 14 22:33
WAA00817      799 Wed May 14 22:34
WAA00809      799 Wed May 14 22:33
WAA00810      799 Wed May 14 22:33
WAA00811      799 Wed May 14 22:33
WAA00818      799 Wed May 14 22:34
WAA00835      799 Wed May 14 22:34
WAA00839      799 Wed May 14 22:34
WAA00842      799 Wed May 14 22:34
WAA00846      799 Wed May 14 22:34
WAA00789     2140 Wed May 14 22:30 <>
WAA00823     2140 Wed May 14 22:34 <>
WAA00821     2140 Wed May 14 22:34 <>
WAA00822     2140 Wed May 14 22:34 <>
WAA00820     2140 Wed May 14 22:34 <>
WAA00788     3064 Wed May 14 22:30 <>
WAA00834     3064 Wed May 14 22:34 <>
WAA00838     3064 Wed May 14 22:34 <>
WAA00840     3064 Wed May 14 22:34 <>
WAA00841     3064 Wed May 14 22:34 <>
WAA00848 (no control file)
WAA00836 (no control file)
WAA00856 (no control file)
WAA00843 (no control file)
WAA00853 (no control file)
WAA00850 (no control file)
WAA00855 (no control file)

---------- END OF MAIL QUEUE ----------------

Portion of the system MESSAGES log file showing the transcript of SMTP receipt and delivery of some of the messages:

May 14 22:13:40 newmediagroup sendmail[438]: WAA00438: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:40 newmediagroup sendmail[438]: WAA00438: to= , delay=00:00:01, mailer=local, stat=queued
May 14 22:13:51 newmediagroup sendmail[448]: WAA00448: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08646@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:51 newmediagroup sendmail[448]: WAA00448: to= , delay=00:00:08, mailer=local, stat=queued
May 14 22:13:56 newmediagroup sendmail[450]: WAA00450: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:56 newmediagroup sendmail[450]: WAA00450: to= , delay=00:00:09, mailer=local, stat=queued
May 14 22:13:57 newmediagroup sendmail[449]: WAA00449: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:57 newmediagroup sendmail[449]: WAA00449: to= , delay=00:00:13, mailer=local, stat=queued
May 14 22:13:59 newmediagroup sendmail[452]: WAA00452: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:59 newmediagroup sendmail[452]: WAA00452: to= , delay=00:00:10, mailer=local, stat=queued
May 14 22:13:59 newmediagroup sendmail[453]: WAA00453: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:59 newmediagroup sendmail[453]: WAA00453: to= , delay=00:00:10, mailer=local, stat=queued
May 14 22:14:03 newmediagroup sendmail[455]: WAA00455: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:03 newmediagroup sendmail[455]: WAA00455: to= , delay=00:00:11, mailer=local, stat=queued
May 14 22:14:06 newmediagroup sendmail[460]: WAA00460: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:06 newmediagroup sendmail[460]: WAA00460: to= , delay=00:00:11, mailer=local, stat=queued
May 14 22:14:07 newmediagroup sendmail[463]: WAA00463: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:07 newmediagroup sendmail[463]: WAA00463: to= , delay=00:00:12, mailer=local, stat=queued
May 14 22:14:08 newmediagroup sendmail[454]: WAA00454: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:08 newmediagroup sendmail[454]: WAA00454: to= , delay=00:00:19, mailer=local, stat=queued
May 14 22:14:10 newmediagroup sendmail[469]: WAA00469: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:10 newmediagroup sendmail[469]: WAA00469: to= , delay=00:00:11, mailer=local, stat=queued
May 14 22:14:10 newmediagroup sendmail[462]: WAA00462: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:10 newmediagroup sendmail[462]: WAA00462: to= , delay=00:00:15, mailer=local, stat=queued
May 14 22:14:19 newmediagroup sendmail[474]: WAA00474: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:19 newmediagroup sendmail[474]: WAA00474: to= , delay=00:00:15, mailer=local, stat=queued
May 14 22:14:22 newmediagroup sendmail[478]: WAA00478: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08675@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:22 newmediagroup sendmail[478]: WAA00478: to= , delay=00:00:18, mailer=local, stat=queued
May 14 22:14:23 newmediagroup sendmail[480]: WAA00480: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08694@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:23 newmediagroup sendmail[480]: WAA00480: to= , delay=00:00:18, mailer=local, stat=queued
May 14 22:14:23 newmediagroup sendmail[473]: WAA00473: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:23 newmediagroup sendmail[473]: WAA00473: to= , delay=00:00:21, mailer=local, stat=queued
May 14 22:14:25 newmediagroup sendmail[482]: WAA00482: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:25 newmediagroup sendmail[482]: WAA00482: to= , delay=00:00:18, mailer=local, stat=queued
May 14 22:14:26 newmediagroup sendmail[485]: WAA00485: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:26 newmediagroup sendmail[485]: WAA00485: to= , delay=00:00:19, mailer=local, stat=queued
May 14 22:14:26 newmediagroup sendmail[484]: WAA00484: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:26 newmediagroup sendmail[484]: WAA00484: to= , delay=00:00:19, mailer=local, stat=queued
May 14 22:14:30 newmediagroup sendmail[492]: WAA00492: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:30 newmediagroup sendmail[492]: WAA00492: to= , delay=00:00:18, mailer=local, stat=queued
May 14 22:14:34 newmediagroup sendmail[498]: WAA00498: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08657@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:34 newmediagroup sendmail[498]: WAA00498: to= , delay=00:00:20, mailer=local, stat=queued
May 14 22:14:34 newmediagroup sendmail[497]: WAA00497: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:34 newmediagroup sendmail[497]: WAA00497: to= , delay=00:00:20, mailer=local, stat=queued
May 14 22:14:38 newmediagroup sendmail[500]: WAA00500: from= , size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:38 newmediagroup sendmail[500]: WAA00500: to= , delay=00:00:22, mailer=local, stat=queued

---------- END OF LOG FILE EXCERPT ----------------

Miscellaneous traceroutes to the originating domains implicated in this attack:

traceroute to nevwest.nevwest.com (205.254.167.10), 30 hops max, 40 byte packets
 1  gate2.norden1.com (192.153.35.5)  2203.91 ms  157.504 ms  428.037 ms
 2  gw.norden1.com (192.153.35.2)  157.173 ms  165.965 ms  148.004 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  167.305 ms  428.081 ms  157.626 ms
 4  oeb8-sl4-2.columbus.oar.net (199.18.105.157)  167.159 ms  168.298 ms  697.997 ms
 5  oeb3-atm6-0.columbus.oar.net (199.18.202.13)  176.773 ms  238.37 ms  217.587 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  487.221 ms  888.126 ms  197.593 ms
 7  core1.Washington.mci.net (204.70.4.129)  177.266 ms  348.28 ms  217.594 ms
 8  mae-east2-nap.Washington.mci.net (204.70.1.222)  177.533 ms  188.082 ms  198.274 ms
 9  mae-east.agis.net (192.41.177.145)  657.001 ms  478.188 ms  207.915 ms
10  204.157.38.250 (204.157.38.250)  196.929 ms  176.396 ms  188.378 ms
11  ga007.chicago3.agis.net (206.84.228.238)  516.792 ms  578.701 ms  217.869 ms
12  205.254.173.234 (205.254.173.234)  217.885 ms  568.85 ms  197.98 ms
13  llv.chicago1.agis.net (205.137.58.10)  257.685 ms  258.248 ms  498.353 ms
14  205.254.167.10 (205.254.167.10)  287.84 ms  268.65 ms  538.641 ms

CTE, Inc. (NEVWEST-DOM)
   4246 Bertsos Drive
   Las Vegas, NV 89103
   USA

   Domain Name: NEVWEST.COM

   Administrative Contact:
      Timm, Craig (CT1245)  cte@LLV.COM
      702-869-4972 (FAX) 702-869-8985
   Technical Contact, Zone Contact:
      Warren, Jim (JW728)  jim@LLV.COM
      702-648-0390
   Billing Contact:
      Timm, Craig (CT1245)  cte@LLV.COM
      702-869-4972 (FAX) 702-869-8985

   Record last updated on 01-Apr-97.
   Record created on 01-Apr-97.
   Database last updated on 14-May-97 06:13:23 EDT.
   Domain servers in listed order:

   SAHARA.LLV.COM  205.254.164.2
   MOJAVE.LLV.COM  205.254.164.3

traceroute to freenet.carleton.ca (134.117.136.20), 30 hops max, 40 byte packets
 1  gate.norden1.com (192.153.35.4)  174.016 ms  164.371 ms  157.86 ms
 2  gw.norden1.com (192.153.35.2)  167.424 ms  175.652 ms  157.84 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  177.177 ms  298.162 ms  277.283 ms
 4  oeb8-sl4-3.columbus.oar.net (199.18.98.241)  167.16 ms  168.084 ms  167.514 ms
 5  * oeb3-atm6-0.columbus.oar.net (199.18.202.13)  171.189 ms  228.083 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  186.784 ms  178.184 ms  207.549 ms
 7  core1.NorthRoyalton.mci.net (204.70.4.205)  277.072 ms  278.334 ms  267.462 ms
 8  core-hssi-2.Chicago.mci.net (204.70.1.93)  277.148 ms  298.302 ms  227.549 ms
 9  border3-fddi-0.Chicago.mci.net (204.70.2.83)  217.154 ms  208.276 ms  237.507 ms
10  canet.Chicago.mci.net (204.70.26.10)  357.131 ms  238.357 ms  227.511 ms
11  psp.on.canet.ca (205.207.238.141)  227.122 ms  228.349 ms  227.413 ms
12  exterior.onet.on.ca (192.68.55.102)  257.145 ms  237.516 ms  237.937 ms
13  toronto4-fddi-if.onet.on.ca (130.185.15.14)  247.197 ms  238.19 ms  287.486 ms
14  ottawa3-ser1-toronto4-if.onet.on.ca (130.185.2.130)  267.398 ms  277.686 ms  ottawa3-ser2-toronto4-if.onet.on.ca (130.185.2.134)  288.106 ms
15  carleton-ottawa3-if.onet.on.ca (130.185.17.10)  277.063 ms  *  261.343 ms
16  onet-gate.carleton.ca (134.117.18.1)  256.674 ms  268.285 ms  277.54 ms
17  ncf-gate-j1.carleton.ca (134.117.1.27)  267.19 ms  278.309 ms  287.561 ms
18  freenet.carleton.ca (134.117.136.20)  277.118 ms  258.302 ms  267.527 ms

newmediagroup:~#
traceroute to 194.72.196.73 (194.72.196.73), 30 hops max, 40 byte packets
 1  gate.norden1.com (192.153.35.4)  159.305 ms  154.901 ms  159.132 ms
 2  gw.norden1.com (192.153.35.2)  189.431 ms  157.667 ms  159.484 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  159.422 ms  149.657 ms  179.113 ms
 4  oeb8-sl6-3.columbus.oar.net (199.18.98.13)  179.743 ms  178.342 ms  158.989 ms
 5  oeb3-atm6-0.columbus.oar.net (199.18.202.13)  199.77 ms  189.4 ms  159.464 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  189.078 ms  177.502 ms  179.609 ms
 7  bordercore4-loopback.WestOrange.mci.net (166.48.10.1)  209.037 ms  189.958 ms  179.222 ms
 8  british-telecom.WestOrange.mci.net (166.48.11.250)  269.304 ms  260.009 ms  279.083 ms
 9  194.72.24.158 (194.72.24.158)  259.403 ms  269.912 ms  278.951 ms
10  telehouse-transit-e3-4.ukcore.bt.net (194.72.27.166)  269.13 ms  269.868 ms  259.173 ms
11  londonc-smds-f1-0.ukcore.bt.net (194.72.7.12)  259.403 ms  270.094 ms  279.04 ms
12  manchester-smds-s0.ukcore.bt.net (194.72.0.2)  279.429 ms  289.612 ms  299.735 ms
13  manx.customer.bt.net (194.72.10.250)  289.168 ms  290.09 ms  289.136 ms
14  gateway.enterprise.net (194.72.194.1)  319.69 ms  290.065 ms  339.246 ms
15  max006.enterprise.net (194.72.194.25)  279.298 ms  340.045 ms  309.165 ms
16  ppp327.enterprise.net (194.72.196.73)  539.678 ms  519.987 ms  1129.45 ms
newmediagroup:~#

Whois: dom enterprise.net

ENTERPRISE PLC (ENTERPRISE8-DOM)
   64 BUCKS ROAD
   DOUGLAS, ISLE OF MAN IM1 3AF
   UK

   Domain Name: ENTERPRISE.NET

   Administrative Contact:
      FROST, GARETH (GF567)  TECHNICAL@ENTERPRISE.NET
      +44 01624 612880 (FAX) +44 01624 615876
   Technical Contact, Zone Contact:
      Naylor, Darren (DN131)  djn@ENTERPRISE.NET
      44 1624 677666
   Billing Contact:
      Huxley, Jon (JH1067)  jon@ENTERPRISE.NET
      +44 1624 677666

   Record last updated on 30-Jan-97.
   Record created on 19-Nov-96.
   Database last updated on 14-May-97 06:13:23 EDT.
   Domain servers in listed order:

   DNS0.ENTERPRISE.NET  194.72.192.1
   DNS1.ENTERPRISE.NET  194.72.192.3

The attacks apparently came from this address and this mailserver: (I watched the server connecting / see the transcripts above)

 1  gate.norden1.com (192.153.35.4)  174.016 ms  164.371 ms  157.86 ms
 2  gw.norden1.com (192.153.35.2)  167.424 ms  175.652 ms  157.84 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  177.177 ms  298.162 ms  277.283 ms
 4  oeb8-sl4-3.columbus.oar.net (199.18.98.241)  167.16 ms  168.084 ms  167.514 ms
 5  * oeb3-atm6-0.columbus.oar.net (199.18.202.13)  171.189 ms  228.083 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  186.784 ms  178.184 ms  207.549 ms
 7  core1.NorthRoyalton.mci.net (204.70.4.205)  277.072 ms  278.334 ms  267.462 ms
 8  core-hssi-2.Chicago.mci.net (204.70.1.93)  277.148 ms  298.302 ms  227.549 ms
 9  border3-fddi-0.Chicago.mci.net (204.70.2.83)  217.154 ms  208.276 ms  237.507 ms
10  canet.Chicago.mci.net (204.70.26.10)  357.131 ms  238.357 ms  227.511 ms
11  psp.on.canet.ca (205.207.238.141)  227.122 ms  228.349 ms  227.413 ms
12  exterior.onet.on.ca (192.68.55.102)  257.145 ms  237.516 ms  237.937 ms
13  toronto4-fddi-if.onet.on.ca (130.185.15.14)  247.197 ms  238.19 ms  287.486 ms
14  ottawa3-ser1-toronto4-if.onet.on.ca (130.185.2.130)  267.398 ms  277.686 ms  ottawa3-ser2-toronto4-if.onet.on.ca (130.185.2.134)  288.106 ms
15  carleton-ottawa3-if.onet.on.ca (130.185.17.10)  277.063 ms  *  261.343 ms
16  onet-gate.carleton.ca (134.117.18.1)  256.674 ms  268.285 ms  277.54 ms
17  ncf-gate-j1.carleton.ca (134.117.1.27)  267.19 ms  278.309 ms  287.561 ms
18  freenet.carleton.ca (134.117.136.20)  277.118 ms  258.302 ms  267.527 ms

This server also appears in the SMTP logs:

newmediagroup:/var/adm# traceroute 205.254.167.10
traceroute to 205.254.167.10 (205.254.167.10), 30 hops max, 40 byte packets
 1  gate.norden1.com (192.153.35.4)  174.243 ms  158.551 ms  177.314 ms
 2  gw.norden1.com (192.153.35.2)  166.768 ms  161.13 ms  205.398 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  237.278 ms  199.294 ms  249.278 ms
 4  oeb8-sl4-2.columbus.oar.net (199.18.105.157)  199.41 ms  220.543 ms  261.308 ms
 5  oeb3-atm6-0.columbus.oar.net (199.18.202.13)  209.943 ms  260.37 ms  240.869 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  200.466 ms  239.379 ms  259.513 ms
 7  core5.Washington.mci.net (204.70.4.109)  245.479 ms  193.57 ms  225.359 ms
 8  mae-east3-nap.Washington.mci.net (204.70.1.22)  314.67 ms  299.561 ms  217.859 ms
 9  mae-east.agis.net (192.41.177.145)  218.795 ms  219.532 ms  250.083 ms
10  204.157.38.250 (204.157.38.250)  207.993 ms  219.306 ms  179.626 ms
11  ga007.chicago3.agis.net (206.84.228.238)  289.419 ms  270.072 ms  259.081 ms
12  205.254.173.234 (205.254.173.234)  269.436 ms  219.897 ms  218.991 ms
13  llv.chicago1.agis.net (205.137.58.10)  299.696 ms  359.805 ms  259.496 ms
14  205.254.167.10 (205.254.167.10)  389.448 ms  289.961 ms  299.789 ms
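The forged From: line in the sample messages above is exposed by reading the Received: chain from the recipient's own MTA downward: only the line our server wrote is trustworthy, and it names the relay that actually handed the message over, not our domain. The Python below is an added example, not part of the original report; it walks a header block modelled on message type 1 and a constructed in-domain control (the host ws1.newmediagroup.com and the 192.0.2.10 address are assumptions).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers of sample message 1 above;
# the body is replaced by a placeholder and headers are folded as an MTA would.
FORGED = """\
Return-Path: jim@newmediagroup.com
Received: from nevwest.nevwest.com (root@[205.254.167.10])
\tby newmediagroup.com (8.7.3/8.6.9) with ESMTP id WAA00462;
\tWed, 14 May 1997 22:13:55 -0400
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA08708;
\tWed, 14 May 1997 17:35:54 -0700
From: jim@newmediagroup.com
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice

(body omitted)
"""

# Constructed control case: the same sender handed in by a host that really
# is inside the domain (hostname and 192.0.2.10 documentation address assumed).
LOCAL = """\
Received: from ws1.newmediagroup.com (jim@[192.0.2.10])
\tby newmediagroup.com (8.7.3/8.6.9) with ESMTP id WAA00100;
\tWed, 14 May 1997 09:00:00 -0400
From: jim@newmediagroup.com
To: someone@example.net
Subject: hello

(body omitted)
"""

# sendmail-style clause: from <helo> (<ident>@[<ip>]) by <host> ... id <id>; <date>
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)(?:\s+\((?P<src>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+).*?(?:\bid\s+(?P<id>[^\s;]+))?\s*;\s*(?P<date>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Unfold one Received: header and pull out the hop fields."""
    m = RECEIVED_RE.match(" ".join(value.split()))
    if not m:
        return None
    ip = IP_RE.search(m.group("src") or "")
    return {"helo": m.group("helo"),            # name the client announced
            "ip": ip.group(1) if ip else None,  # address the MTA actually saw
            "by": m.group("by"), "id": m.group("id"), "date": m.group("date")}


def trace_path(raw):
    """Hops oldest-first (each MTA prepends its line, so reverse them)."""
    msg = message_from_string(raw)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return list(reversed([h for h in hops if h]))


def assess_origin(raw, our_domain):
    """Compare the claimed From: domain with the hop our own MTA recorded.
    Only the Received: line written by our_domain is trustworthy; everything
    below it was written, or could have been forged, by the handing-off relay."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = trace_path(raw)
    ours = next((h for h in hops if h["by"].lower() == our_domain), None)
    if ours is None:
        return {"from_domain": from_domain, "verdict": "no hop recorded by us"}
    handed_by = (ours["helo"] or "").lower()
    in_domain = handed_by == our_domain or handed_by.endswith("." + our_domain)
    return {"from_domain": from_domain,
            "handed_to_us_by": handed_by,
            "from_ip": ours["ip"],
            "path_origin": hops[0]["helo"] or hops[0]["by"],
            "verdict": "spoofed local sender"
                       if from_domain == our_domain and not in_domain
                       else "consistent"}
```

For the forged sample the verdict is "spoofed local sender", handed to us by nevwest.nevwest.com at 205.254.167.10, which is exactly what the sendmail log lines above record under relay=.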