STOP JUNK E-MAIL

Spam fighter attacked, threatened.
Reward offered

$1,000 US REWARD OFFERED
for information leading to the arrest and conviction of those responsible.

Logs of attack on
mailbox jim@newmediagroup.com
and regarding forged messages posted to Internet
Written: May 14, 1997, 10:50pm EDT

SUMMARY
The attack began at approximately 9:20pm EDT and continued intermittently until
approximately 10:30pm EDT.

Several hundred repeated e-mail messages (samples 1-3 below) were directed to
the mailbox jim@newmediagroup.com.

The attack resumed with a massive bulk e-mailing whose headers made the messages
appear to come from jim@newmediagroup.com; it was sent via two unsecured SMTP mailers.
See sample message 4 below.


Three messages were sent to us: one threatening message and two versions of it
that bounced. It is extraordinarily unlikely that those named in the sample
messages had anything to do with this. Please do not contact them regarding
this matter. Use your energy to find the real perpetrators. The information is
retained here for completeness.

-----------------------------------------
MESSAGE TYPE 1, verbatim with all headers

X-POP3-Rcpt: jim@newmediagroup
Return-Path: jim@newmediagroup.com
Received: from nevwest.nevwest.com (root@[205.254.167.10]) by newmediagroup.com (8.7.3/8.6.9) with ESMTP id WAA00462 for ; Wed, 14 May 1997 22:13:55 -0400
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA08708;
	Wed, 14 May 1997 17:35:54 -0700
From: jim@newmediagroup.com
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice
Message-ID: <>

Courtesy of NuKe
/\/\/\/\/\/\/\/\/
Hellraiser Network

Copies:
[ ] Single
[ ] 100
[ ] 1000
[ ] 10000
[X] 100000

Frequency:
[ ] Monthly
[ ] Weekly
[X] Daily
[ ] Hourly
[ ] Perpetual

Source:
[ ] NuKeNeT
[ ] BBS
[ ] ViruseXchange
[X] Internet
[ ] Fixed
[X] AutoCycle

Jim,

Your e-mails have gone far from un-noticed.

If you wish this to cease - simply apologise to those whom you have been plaguing
and you will be removed from Hellraiser. You know who we mean. And find something
sensible to do with your time.

Otherwise you will be terminated.

Thankyou

Yours,

Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca

Courtesy of Hellraiser....
Jim Youll 419-243-5963
Jim Youll 419-354-2220



-----------------------------------------
MESSAGE TYPE 2, verbatim with all headers

X-POP3-Rcpt: jim@newmediagroup
Received: from nevwest.nevwest.com (root@[205.254.167.10]) by newmediagroup.com (8.7.3/8.6.9) with ESMTP id WAA00522 for ; Wed, 14 May 1997 22:14:36 -0400
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with internal id RAA08699;
	Wed, 14 May 1997 17:36:54 -0700
Date: Wed, 14 May 1997 17:36:54 -0700
From: Mail Delivery Subsystem 
Message-Id: <199705150036.RAA08699@nevwest.nevwest.com>
To: 
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="RAA08699.863656614/nevwest.nevwest.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

The original message was received at Wed, 14 May 1997 17:35:47 -0700
from ppp327.enterprise.net [194.72.196.73]

   ----- The following addresses had permanent fatal errors -----


   ----- Transcript of session follows -----
... while talking to freenet.carleton.ca.:
>>> RCPT To:
<<< 550 ... User unknown
550 ... User unknown

Reporting-MTA: dns; nevwest.nevwest.com
Received-From-MTA: DNS; ppp327.enterprise.net
Arrival-Date: Wed, 14 May 1997 17:35:47 -0700

Final-Recipient: RFC822; ca999@freenet.carleton.ca
Action: failed
Status: 5.1.1
Remote-MTA: DNS; freenet.carleton.ca
Diagnostic-Code: SMTP; 550 ... User unknown
Last-Attempt-Date: Wed, 14 May 1997 17:36:09 -0700

Return-Path: 
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA08659;
	Wed, 14 May 1997 17:35:47 -0700
From: jim@newmediagroup.com
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice
Message-ID: <>

Courtesy of NuKe
/\/\/\/\/\/\/\/\/
Hellraiser Network

Copies:
[ ] Single
[ ] 100
[ ] 1000
[ ] 10000
[X] 100000

Frequency:
[ ] Monthly
[ ] Weekly
[X] Daily
[ ] Hourly
[ ] Perpetual

Source:
[ ] NuKeNeT
[ ] BBS
[ ] ViruseXchange
[X] Internet
[ ] Fixed
[X] AutoCycle

Jim,

Your e-mails have gone far from un-noticed.

If you wish this to cease - simply apologise to those whom you have been plaguing
and you will be removed from Hellraiser. You know who we mean. And find something
sensible to do with your time.

Otherwise you will be terminated.

Thankyou

Yours,

Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca

Courtesy of Hellraiser....
Jim Youll 419-243-5963
Jim Youll 419-354-2220





-----------------------------------------
MESSAGE TYPE 3, verbatim with all headers

X-POP3-Rcpt: jim@newmediagroup
Date: Wed, 14 May 1997 21:50:11 -0400 (EDT)
From: Mail Delivery Subsystem 
Subject: Returned mail: Can't create output: Error 0
To: 
MIME-Version: 1.0
Auto-Submitted: auto-generated (failure)

The original message was received at Wed, 14 May 1997 21:50:06 -0400 (EDT)
from root@[205.254.167.10]

   ----- The following addresses had permanent fatal errors -----
|"/freenet/rootdir/bin/m2mbox /freenet/home/57/al955/mbox"
    (expanded from: )
|"/freenet/rootdir/bin/m2mbox /freenet/home/69/bn816/mbox"
    (expanded from: )

   ----- Transcript of session follows -----
m2mbox (uid = 20857, euid = 20857): User al955 (Christine Mains): mail rejected: current mailbox size 1171 bytes exceeds limit of 0 bytes for users inactive over 279 days
550 |"/freenet/rootdir/bin/m2mbox /freenet/home/57/al955/mbox"... Can't create output: Error 0
m2mbox (uid = 42969, euid = 42969): User bn816 (Tanya Nye): mail rejected: current mailbox size 8361 bytes exceeds limit of 0 bytes for users inactive over 279 days
550 |"/freenet/rootdir/bin/m2mbox /freenet/home/69/bn816/mbox"... Can't create output: Error 0

Reporting-MTA: dns; freenet.carleton.ca
Received-From-MTA: dns; [205.254.167.10]
Arrival-Date: Wed, 14 May 1997 21:50:06 -0400 (EDT)

Final-Recipient: rfc822; al955@freenet.carleton.ca
X-Actual-Recipient: rfc822; |/freenet/rootdir/bin/m2mbox /freenet/home/57/al955/mbox@freenet.carleton.ca
Action: failed
Status: 5.3.0
Last-Attempt-Date: Wed, 14 May 1997 21:50:10 -0400 (EDT)

Final-Recipient: rfc822; bn816@freenet.carleton.ca
X-Actual-Recipient: rfc822; |/freenet/rootdir/bin/m2mbox /freenet/home/69/bn816/mbox@freenet.carleton.ca
Action: failed
Status: 5.3.0
Last-Attempt-Date: Wed, 14 May 1997 21:50:11 -0400 (EDT)

Return-Path: jim@newmediagroup.com
Received: from nevwest.nevwest.com (root@[205.254.167.10]) by freenet.carleton.ca (8.8.3/8.6.4) with ESMTP id VAA04307; Wed, 14 May 1997 21:50:06 -0400 (EDT)
From: jim@newmediagroup.com
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id RAA10620;
	Wed, 14 May 1997 17:48:20 -0700
Date: Thu, 15 May 97 01:06:37 EST
To: DerekT@NuKeU2.NeT
Subject: Advice
Message-ID: <>

Courtesy of NuKe
/\/\/\/\/\/\/\/\/
Hellraiser Network

Copies:
[ ] Single
[ ] 100
[ ] 1000
[ ] 10000
[X] 100000

Frequency:
[ ] Monthly
[ ] Weekly
[X] Daily
[ ] Hourly
[ ] Perpetual

Source:
[ ] NuKeNeT
[ ] BBS
[ ] ViruseXchange
[X] Internet
[ ] Fixed
[X] AutoCycle

Jim,

Your e-mails have gone far from un-noticed.

If you wish this to cease - simply apologise to those whom you have been plaguing
and you will be removed from Hellraiser. You know who we mean. And find something
sensible to do with your time.

Otherwise you will be terminated.

Thankyou

Yours,

Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca

Courtesy of Hellraiser....
Jim Youll 419-243-5963
Jim Youll 419-354-2220


-----------------------------------------
MESSAGE TYPE 4: Fraudulent message sent to many people
with forged headers and content suggesting origin at our domain

===========================================
>From al442@freenet.carleton.ca Thu May 15 12:54:10 1997
Received: from relay-5.mail.demon.net by review.demon.co.uk with SMTP 
 id AA863697250 ; Thu, 15 May 97 12:54:10 +0100
Received: from punt-1.mail.demon.net by mailstore for
steve@review.demon.co.uk
          id 863695623:05:08251:38; Thu, 15 May 97 12:27:03 BST
Received: from [205.254.167.10] ([205.254.167.10]) by
punt-1.mail.demon.net
           id aa0613145; 15 May 97 12:26 BST
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id DAA08394;
 Thu, 15 May 1997 03:25:07 -0700
From: al442@freenet.carleton.ca
Date: Thu, 15 May 97 11:11:16 EST
To: DerekT@NuKeU2.NeT
Subject: Promote your site via email!!!
Message-ID: <>
X-PMFLAGS: 33554560 0

Friend!

We at NewMediaGroup have been established friends of the internet for
some time and
 have produced some of the best websites on earth!

NEW! NMG Email Promotion!
Now - as of 05/14/97 we offer targeted email website promotion.
Promote your website directly to thousands for as little as $250

I use only targeted lists - so it is *NOT* spam.

Call today for a special deal!!!

Jim Youll
www.newmediagroup.com
Email:
Jim Youll (jim@newmediagroup.com)
Joe Meiring (joe@newmediagroup.com)
Nick Gorant (nick@newmediagroup.com)
Fax: 419-242-2016 
Direct-dial telephones: 
Toledo area: 419-243-5963
Bowling Green: 419-354-2220



---------- END OF SAMPLE MESSAGES ----------------
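
As an added example (not code from the original log), the following walks the Received: chain of message type 4 in delivery order and reports the mismatches a mail administrator would use to show that the message never originated at the domain its From: line and body claim. The sample header block is the page's own, re-folded so that continuation lines begin with whitespace as RFC 822 requires, since the page's copy lost that whitespace.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the header block of MESSAGE TYPE 4 above, re-folded so
# that continuation lines begin with whitespace as RFC 822 requires.
SAMPLE_HEADERS = """\
Received: from relay-5.mail.demon.net by review.demon.co.uk with SMTP
  id AA863697250 ; Thu, 15 May 97 12:54:10 +0100
Received: from punt-1.mail.demon.net by mailstore for
  steve@review.demon.co.uk
  id 863695623:05:08251:38; Thu, 15 May 97 12:27:03 BST
Received: from [205.254.167.10] ([205.254.167.10]) by
  punt-1.mail.demon.net
  id aa0613145; 15 May 97 12:26 BST
Received: by nevwest.nevwest.com (8.8.5/8.8.5) with SMTP id DAA08394;
  Thu, 15 May 1997 03:25:07 -0700
From: al442@freenet.carleton.ca
Date: Thu, 15 May 97 11:11:16 EST
To: DerekT@NuKeU2.NeT
Subject: Promote your site via email!!!
"""

Hop = Dict[str, Optional[str]]


def unfold_headers(raw: str) -> List[Dict[str, str]]:
    """Join folded continuation lines and split into name/value pairs."""
    fields: List[Dict[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # folded continuation
            fields[-1]["value"] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append({"name": name.strip().lower(), "value": value.strip()})
    return fields


def parse_received(value: str) -> Hop:
    """Pull the 'from' host, 'by' host and any bracketed IP out of one hop."""
    m_from = re.match(r"from\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None}


def received_chain(raw: str) -> List[Hop]:
    """Hops in delivery order. Each MTA prepends its own Received: line, so
    the last one in the message is the earliest hop."""
    hops = [parse_received(f["value"]) for f in unfold_headers(raw)
            if f["name"] == "received"]
    return list(reversed(hops))


def injection_point(raw: str) -> Hop:
    """The MTA that first accepted the message, regardless of From: claims."""
    return received_chain(raw)[0]


def header_findings(raw: str) -> List[str]:
    """Checks that expose the forgery without trusting From: or the body."""
    findings: List[str] = []
    fields = unfold_headers(raw)
    chain = received_chain(raw)
    from_hdr = next((f["value"] for f in fields if f["name"] == "from"), "")
    from_domain = from_hdr.rpartition("@")[2].strip("<> ").lower()
    hosts = {h for hop in chain for h in (hop["from"], hop["by"]) if h}
    if from_domain and not any(h.lower().endswith(from_domain) for h in hosts):
        findings.append(f"From: domain {from_domain} never appears in the Received chain")
    if chain[0]["from"] is None:
        findings.append(f"earliest hop {chain[0]['by']} records no submitting client, "
                        "so the header chain alone cannot name the true origin")
    # A downstream MTA that names the previous hop only by an IP literal saw
    # no usable host name from it; that is where to look in the relay's logs.
    for hop in chain[1:]:
        if hop["from"] and hop["from"].startswith("["):
            findings.append(f"{hop['by']} accepted the message from bare IP {hop['ip']}")
    return findings
```

For this message the chain bottoms out at nevwest.nevwest.com with no client recorded, which is why the DSN in message type 2 (naming ppp327.enterprise.net) is the more useful origin evidence.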

Portion of system process status log showing multiple connections from
sending server:

newmediagroup:~# date
Wed May 14 22:23:03 EDT 1997
newmediagroup:~# ps x
  70 v06 S     0:00 /sbin/agetty 38400 tty6
  418 s00 S     0:00 /usr/sbin/pppd -detach modem crtscts netmask 255.255.255.22
  555  ?  S     0:02 in.telnetd
  556 pp1 S     0:01 -bash
  825  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  826  ?  S     0:00 sendmail: server root@[205.254.167.10] cmd read
  827  ?  S     0:00 sendmail: server root@[205.254.167.10] cmd read
  828  ?  S     0:00 sendmail: server root@[205.254.167.10] cmd read
  829  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  830  ?  S     0:00 sendmail: server root@[205.254.167.10] child wait
  831  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  832  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  833  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  836  ?  S     0:00 sendmail: WAA00836 root@freenet.carleton.ca [134.117.136.20
  837  ?  S     0:00 sendmail: server root@[205.254.167.10] child wait
  843  ?  S     0:00 sendmail: WAA00843 root@freenet.carleton.ca [134.117.136.20
  844  ?  S     0:00 sendmail: server root@[205.254.167.10] cmd read
  845  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  847  ?  S     0:00 sendmail: server root@freenet.carleton.ca [134.117.136.20]
  849  ?  S     0:00 sendmail: server [205.254.167.10] cmd read
  850  ?  S     0:00 sendmail: server root@[205.254.167.10] cmd read
  853  ?  S     0:00 sendmail: server root@[205.254.167.10] cmd read

---------- END OF PROCESS LOG PORTION ----------------


Mail queue showing messages enqueued with a false From: address in the header:

newmediagroup:/var/spool/mail# mailq
                Mail Queue (33 requests)
--Q-ID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------
WAA00787*     799 Wed May 14 22:30 
                                   
WAA00805      799 Wed May 14 22:33 
                                   
WAA00806      799 Wed May 14 22:33 
                                   
WAA00816      799 Wed May 14 22:34 
                                   
WAA00807      799 Wed May 14 22:33 
                                   
WAA00819      799 Wed May 14 22:34 
                                   
WAA00808      799 Wed May 14 22:33 
                                   
WAA00817      799 Wed May 14 22:34 
                                   
WAA00809      799 Wed May 14 22:33 
                                   
WAA00810      799 Wed May 14 22:33 
                                   
WAA00811      799 Wed May 14 22:33 
                                   
WAA00818      799 Wed May 14 22:34 
                                   
WAA00835      799 Wed May 14 22:34 
                                   
WAA00839      799 Wed May 14 22:34 
                                   
WAA00842      799 Wed May 14 22:34 
                                   
WAA00846      799 Wed May 14 22:34 
                                   
WAA00789     2140 Wed May 14 22:30 <>
                                   
WAA00823     2140 Wed May 14 22:34 <>
                                   
WAA00821     2140 Wed May 14 22:34 <>
                                   
WAA00822     2140 Wed May 14 22:34 <>
                                   
WAA00820     2140 Wed May 14 22:34 <>
                                   
WAA00788     3064 Wed May 14 22:30 <>
                                   
WAA00834     3064 Wed May 14 22:34 <>
                                   
WAA00838     3064 Wed May 14 22:34 <>
                                   
WAA00840     3064 Wed May 14 22:34 <>
                                   
WAA00841     3064 Wed May 14 22:34 <>
                                   
WAA00848  (no control file)
WAA00836  (no control file)
WAA00856  (no control file)
WAA00843  (no control file)
WAA00853  (no control file)
WAA00850  (no control file)
WAA00855  (no control file)

---------- END OF MAIL QUEUE ----------------



Portion of system MESSAGES log file showing transcript of the SMTP receipt
and delivery of some of the messages:


May 14 22:13:40 newmediagroup sendmail[438]: WAA00438: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:40 newmediagroup sendmail[438]: WAA00438: to=, delay=00:00:01, mailer=local, stat=queued
May 14 22:13:51 newmediagroup sendmail[448]: WAA00448: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08646@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:51 newmediagroup sendmail[448]: WAA00448: to=, delay=00:00:08, mailer=local, stat=queued
May 14 22:13:56 newmediagroup sendmail[450]: WAA00450: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:56 newmediagroup sendmail[450]: WAA00450: to=, delay=00:00:09, mailer=local, stat=queued
May 14 22:13:57 newmediagroup sendmail[449]: WAA00449: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:57 newmediagroup sendmail[449]: WAA00449: to=, delay=00:00:13, mailer=local, stat=queued
May 14 22:13:59 newmediagroup sendmail[452]: WAA00452: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:59 newmediagroup sendmail[452]: WAA00452: to=, delay=00:00:10, mailer=local, stat=queued
May 14 22:13:59 newmediagroup sendmail[453]: WAA00453: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:59 newmediagroup sendmail[453]: WAA00453: to=, delay=00:00:10, mailer=local, stat=queued
May 14 22:14:03 newmediagroup sendmail[455]: WAA00455: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:03 newmediagroup sendmail[455]: WAA00455: to=, delay=00:00:11, mailer=local, stat=queued
May 14 22:14:06 newmediagroup sendmail[460]: WAA00460: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:06 newmediagroup sendmail[460]: WAA00460: to=, delay=00:00:11, mailer=local, stat=queued
May 14 22:14:07 newmediagroup sendmail[463]: WAA00463: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:07 newmediagroup sendmail[463]: WAA00463: to=, delay=00:00:12, mailer=local, stat=queued
May 14 22:14:08 newmediagroup sendmail[454]: WAA00454: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:08 newmediagroup sendmail[454]: WAA00454: to=, delay=00:00:19, mailer=local, stat=queued
May 14 22:14:10 newmediagroup sendmail[469]: WAA00469: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:10 newmediagroup sendmail[469]: WAA00469: to=, delay=00:00:11, mailer=local, stat=queued
May 14 22:14:10 newmediagroup sendmail[462]: WAA00462: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:10 newmediagroup sendmail[462]: WAA00462: to=, delay=00:00:15, mailer=local, stat=queued
May 14 22:14:19 newmediagroup sendmail[474]: WAA00474: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:19 newmediagroup sendmail[474]: WAA00474: to=, delay=00:00:15, mailer=local, stat=queued
May 14 22:14:22 newmediagroup sendmail[478]: WAA00478: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08675@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:22 newmediagroup sendmail[478]: WAA00478: to=, delay=00:00:18, mailer=local, stat=queued
May 14 22:14:23 newmediagroup sendmail[480]: WAA00480: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08694@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:23 newmediagroup sendmail[480]: WAA00480: to=, delay=00:00:18, mailer=local, stat=queued
May 14 22:14:23 newmediagroup sendmail[473]: WAA00473: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:23 newmediagroup sendmail[473]: WAA00473: to=, delay=00:00:21, mailer=local, stat=queued
May 14 22:14:25 newmediagroup sendmail[482]: WAA00482: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:25 newmediagroup sendmail[482]: WAA00482: to=, delay=00:00:18, mailer=local, stat=queued
May 14 22:14:26 newmediagroup sendmail[485]: WAA00485: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:26 newmediagroup sendmail[485]: WAA00485: to=, delay=00:00:19, mailer=local, stat=queued
May 14 22:14:26 newmediagroup sendmail[484]: WAA00484: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:26 newmediagroup sendmail[484]: WAA00484: to=, delay=00:00:19, mailer=local, stat=queued
May 14 22:14:30 newmediagroup sendmail[492]: WAA00492: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:30 newmediagroup sendmail[492]: WAA00492: to=, delay=00:00:18, mailer=local, stat=queued
May 14 22:14:34 newmediagroup sendmail[498]: WAA00498: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08657@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:34 newmediagroup sendmail[498]: WAA00498: to=, delay=00:00:20, mailer=local, stat=queued
May 14 22:14:34 newmediagroup sendmail[497]: WAA00497: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:34 newmediagroup sendmail[497]: WAA00497: to=, delay=00:00:20, mailer=local, stat=queued
May 14 22:14:38 newmediagroup sendmail[500]: WAA00500: from=, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:38 newmediagroup sendmail[500]: WAA00500: to=, delay=00:00:22, mailer=local, stat=queued

---------- END OF LOG FILE EXCERPT----------------
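
As an added example (not part of the original log), a small detector over sendmail syslog lines of the form shown above: it counts envelope arrivals per relay in a sliding window, separates the forged bulk copies (no Message-ID, identical size) from the null-sender bounces the forged sender address pulled back in, and flags the relay. The sample lines are constructed to match the excerpt, with the envelope addresses filled in from the samples' Return-Path: and To: headers (the extracted page lost the bracketed values) and one unrelated legitimate delivery added.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in the format of the syslog excerpt above. The envelope
# addresses are taken from the samples' Return-Path: and To: headers (the
# extracted page lost the angle-bracketed values), and one unrelated
# legitimate delivery is added so the detector has something to leave alone.
SAMPLE_LOG = """\
May 14 22:13:40 newmediagroup sendmail[438]: WAA00438: from=<jim@newmediagroup.com>, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:40 newmediagroup sendmail[438]: WAA00438: to=<jim@newmediagroup.com>, delay=00:00:01, mailer=local, stat=queued
May 14 22:13:51 newmediagroup sendmail[448]: WAA00448: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08646@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:56 newmediagroup sendmail[450]: WAA00450: from=<jim@newmediagroup.com>, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:57 newmediagroup sendmail[449]: WAA00449: from=<jim@newmediagroup.com>, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:13:59 newmediagroup sendmail[452]: WAA00452: from=<jim@newmediagroup.com>, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:03 newmediagroup sendmail[455]: WAA00455: from=<jim@newmediagroup.com>, size=1077, class=0, pri=31077, nrcpts=1, msgid=<>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:14:22 newmediagroup sendmail[478]: WAA00478: from=<>, size=2753, class=0, pri=32753, nrcpts=1, msgid=<199705150036.RAA08675@nevwest.nevwest.com>, proto=ESMTP, relay=root@[205.254.167.10]
May 14 22:30:05 newmediagroup sendmail[600]: WAA00600: from=<alice@example.net>, size=1200, class=0, pri=31200, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, relay=mail.example.net [192.0.2.10]
"""

# Only the envelope-arrival ('from=') records carry sender, size and relay.
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+),.*?msgid=<(?P<msgid>[^>]*)>, "
    r"proto=\w+, relay=(?P<relay>.+)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_envelopes(log: str, year: int = 1997) -> List[Dict[str, object]]:
    """One record per accepted message; 'to=' and unrelated lines are skipped."""
    events = []
    for line in log.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["relay"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),
            "qid": m["qid"], "sender": m["sender"], "size": int(m["size"]),
            "msgid": m["msgid"], "relay_ip": ip.group(1) if ip else m["relay"]})
    return events


def max_in_window(times: List[datetime], window_s: int) -> int:
    """Largest number of timestamps falling inside any window_s-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(log: str, window_s: int = 60, threshold: int = 5) -> Dict[str, object]:
    """Flag relays that deliver a burst, and split the forged copies from the
    bounce backscatter that the forged sender address pulls in."""
    events = parse_envelopes(log)
    per_relay: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        per_relay[e["relay_ip"]].append(e["ts"])
    bursts = {}
    for ip, times in per_relay.items():
        n = max_in_window(times, window_s)
        if n >= threshold:
            bursts[ip] = n
    # The forged copies all lack a Message-ID (msgid=<>) and share one size;
    # the bounces arrive with the null envelope sender because the forged
    # envelope From made remote MTAs return their failures to this domain.
    forged = [e["qid"] for e in events if e["msgid"] == "" and e["sender"]]
    bounces = [e["qid"] for e in events if e["sender"] == ""]
    return {"bursts": bursts, "forged": forged, "bounces": bounces}
```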




Miscellaneous traceroutes to originating domains 
implicated in this attack:


traceroute to nevwest.nevwest.com (205.254.167.10), 30 hops max, 40 byte packets
 1  gate2.norden1.com (192.153.35.5)  2203.91 ms  157.504 ms  428.037 ms
 2  gw.norden1.com (192.153.35.2)  157.173 ms  165.965 ms  148.004 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  167.305 ms  428.081 ms  157.626 ms
 4  oeb8-sl4-2.columbus.oar.net (199.18.105.157)  167.159 ms  168.298 ms  697.997 ms
 5  oeb3-atm6-0.columbus.oar.net (199.18.202.13)  176.773 ms  238.37 ms  217.587 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  487.221 ms  888.126 ms  197.593 ms
 7  core1.Washington.mci.net (204.70.4.129)  177.266 ms  348.28 ms  217.594 ms
 8  mae-east2-nap.Washington.mci.net (204.70.1.222)  177.533 ms  188.082 ms  198.274 ms
 9  mae-east.agis.net (192.41.177.145)  657.001 ms  478.188 ms  207.915 ms
10  204.157.38.250 (204.157.38.250)  196.929 ms  176.396 ms  188.378 ms
11  ga007.chicago3.agis.net (206.84.228.238)  516.792 ms  578.701 ms  217.869 ms
12  205.254.173.234 (205.254.173.234)  217.885 ms  568.85 ms  197.98 ms
13  llv.chicago1.agis.net (205.137.58.10)  257.685 ms  258.248 ms  498.353 ms
14  205.254.167.10 (205.254.167.10)  287.84 ms  268.65 ms  538.641 ms


CTE, Inc. (NEVWEST-DOM)
   4246 Bertsos Drive
   Las Vegas, NV 89103
   USA

   Domain Name: NEVWEST.COM

   Administrative Contact:
      Timm, Craig  (CT1245)  cte@LLV.COM
      702-869-4972 (FAX) 702-869-8985
   Technical Contact, Zone Contact:
      Warren, Jim  (JW728)  jim@LLV.COM
      702-648-0390
   Billing Contact:
      Timm, Craig  (CT1245)  cte@LLV.COM
      702-869-4972 (FAX) 702-869-8985

   Record last updated on 01-Apr-97.
   Record created on 01-Apr-97.
   Database last updated on 14-May-97 06:13:23 EDT.

   Domain servers in listed order:

   SAHARA.LLV.COM               205.254.164.2
   MOJAVE.LLV.COM               205.254.164.3



traceroute to freenet.carleton.ca (134.117.136.20), 30 hops max, 40 byte packets
 1  gate.norden1.com (192.153.35.4)  174.016 ms  164.371 ms  157.86 ms
 2  gw.norden1.com (192.153.35.2)  167.424 ms  175.652 ms  157.84 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  177.177 ms  298.162 ms  277.283 ms
 4  oeb8-sl4-3.columbus.oar.net (199.18.98.241)  167.16 ms  168.084 ms  167.514ms
 5  * oeb3-atm6-0.columbus.oar.net (199.18.202.13)  171.189 ms  228.083 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  186.784 ms  178.184ms  207.549 ms
 7  core1.NorthRoyalton.mci.net (204.70.4.205)  277.072 ms  278.334 ms  267.462ms
 8  core-hssi-2.Chicago.mci.net (204.70.1.93)  277.148 ms  298.302 ms  227.549 ms
 9  border3-fddi-0.Chicago.mci.net (204.70.2.83)  217.154 ms  208.276 ms  237.507 ms
10  canet.Chicago.mci.net (204.70.26.10)  357.131 ms  238.357 ms  227.511 ms
11  psp.on.canet.ca (205.207.238.141)  227.122 ms  228.349 ms  227.413 ms
12  exterior.onet.on.ca (192.68.55.102)  257.145 ms  237.516 ms  237.937 ms
13  toronto4-fddi-if.onet.on.ca (130.185.15.14)  247.197 ms  238.19 ms  287.486ms
14  ottawa3-ser1-toronto4-if.onet.on.ca (130.185.2.130)  267.398 ms  277.686 ms
ottawa3-ser2-toronto4-if.onet.on.ca (130.185.2.134)  288.106 ms
15  carleton-ottawa3-if.onet.on.ca (130.185.17.10)  277.063 ms *  261.343 ms
16  onet-gate.carleton.ca (134.117.18.1)  256.674 ms  268.285 ms  277.54 ms
17  ncf-gate-j1.carleton.ca (134.117.1.27)  267.19 ms  278.309 ms  287.561 ms
18  freenet.carleton.ca (134.117.136.20)  277.118 ms  258.302 ms  267.527 ms
newmediagroup:~#


traceroute to 194.72.196.73 (194.72.196.73), 30 hops max, 40 byte packets
 1  gate.norden1.com (192.153.35.4)  159.305 ms  154.901 ms  159.132 ms
 2  gw.norden1.com (192.153.35.2)  189.431 ms  157.667 ms  159.484 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  159.422 ms  149.657 ms  179.113 ms
 4  oeb8-sl6-3.columbus.oar.net (199.18.98.13)  179.743 ms  178.342 ms  158.989ms
 5  oeb3-atm6-0.columbus.oar.net (199.18.202.13)  199.77 ms  189.4 ms  159.464 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  189.078 ms  177.502ms  179.609 ms
 7  bordercore4-loopback.WestOrange.mci.net (166.48.10.1)  209.037 ms  189.958 ms  179.222 ms
 8  british-telecom.WestOrange.mci.net (166.48.11.250)  269.304 ms  260.009 ms 279.083 ms
 9  194.72.24.158 (194.72.24.158)  259.403 ms  269.912 ms  278.951 ms
10  telehouse-transit-e3-4.ukcore.bt.net (194.72.27.166)  269.13 ms  269.868 ms 259.173 ms
11  londonc-smds-f1-0.ukcore.bt.net (194.72.7.12)  259.403 ms  270.094 ms  279.04 ms
12  manchester-smds-s0.ukcore.bt.net (194.72.0.2)  279.429 ms  289.612 ms  299.735 ms
13  manx.customer.bt.net (194.72.10.250)  289.168 ms  290.09 ms  289.136 ms
14  gateway.enterprise.net (194.72.194.1)  319.69 ms  290.065 ms  339.246 ms
15  max006.enterprise.net (194.72.194.25)  279.298 ms  340.045 ms  309.165 ms
16  ppp327.enterprise.net (194.72.196.73)  539.678 ms  519.987 ms  1129.45 ms
newmediagroup:~#


Whois: dom enterprise.net
ENTERPRISE PLC (ENTERPRISE8-DOM)
   64 BUCKS ROAD
   DOUGLAS, ISLE OF MAN IM1 3AF
   UK

   Domain Name: ENTERPRISE.NET

   Administrative Contact:
      FROST, GARETH  (GF567)  TECHNICAL@ENTERPRISE.NET
      +44 01624 612880 (FAX) +44 01624 615876
   Technical Contact, Zone Contact:
      Naylor, Darren  (DN131)  djn@ENTERPRISE.NET
      44 1624 677666
   Billing Contact:
      Huxley, Jon  (JH1067)  jon@ENTERPRISE.NET
      +44 1624 677666

   Record last updated on 30-Jan-97.
   Record created on 19-Nov-96.
   Database last updated on 14-May-97 06:13:23 EDT.

   Domain servers in listed order:

   DNS0.ENTERPRISE.NET          194.72.192.1
   DNS1.ENTERPRISE.NET          194.72.192.3





The attacks apparently came from this address and this mailserver:
(I watched the server connecting / see the transcripts above)

 1  gate.norden1.com (192.153.35.4)  174.016 ms  164.371 ms  157.86 ms
 2  gw.norden1.com (192.153.35.2)  167.424 ms  175.652 ms  157.84 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  177.177 ms  298.162 ms  277.283 ms
 4  oeb8-sl4-3.columbus.oar.net (199.18.98.241)  167.16 ms  168.084 ms  167.514ms
 5  * oeb3-atm6-0.columbus.oar.net (199.18.202.13)  171.189 ms  228.083 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  186.784 ms  178.184ms  207.549 ms
 7  core1.NorthRoyalton.mci.net (204.70.4.205)  277.072 ms  278.334 ms  267.462ms
 8  core-hssi-2.Chicago.mci.net (204.70.1.93)  277.148 ms  298.302 ms  227.549 ms
 9  border3-fddi-0.Chicago.mci.net (204.70.2.83)  217.154 ms  208.276 ms  237.507 ms
10  canet.Chicago.mci.net (204.70.26.10)  357.131 ms  238.357 ms  227.511 ms
11  psp.on.canet.ca (205.207.238.141)  227.122 ms  228.349 ms  227.413 ms
12  exterior.onet.on.ca (192.68.55.102)  257.145 ms  237.516 ms  237.937 ms
13  toronto4-fddi-if.onet.on.ca (130.185.15.14)  247.197 ms  238.19 ms  287.486ms
14  ottawa3-ser1-toronto4-if.onet.on.ca (130.185.2.130)  267.398 ms  277.686 ms
ottawa3-ser2-toronto4-if.onet.on.ca (130.185.2.134)  288.106 ms
15  carleton-ottawa3-if.onet.on.ca (130.185.17.10)  277.063 ms *  261.343 ms
16  onet-gate.carleton.ca (134.117.18.1)  256.674 ms  268.285 ms  277.54 ms
17  ncf-gate-j1.carleton.ca (134.117.1.27)  267.19 ms  278.309 ms  287.561 ms
18  freenet.carleton.ca (134.117.136.20)  277.118 ms  258.302 ms  267.527 ms


This server also appears in the SMTP logs:

newmediagroup:/var/adm# traceroute 205.254.167.10
traceroute to 205.254.167.10 (205.254.167.10), 30 hops max, 40 byte packets
 1  gate.norden1.com (192.153.35.4)  174.243 ms  158.551 ms  177.314 ms
 2  gw.norden1.com (192.153.35.2)  166.768 ms  161.13 ms  205.398 ms
 3  tlp2-sl18.toledo.oar.net (199.18.111.69)  237.278 ms  199.294 ms  249.278 ms
 4  oeb8-sl4-2.columbus.oar.net (199.18.105.157)  199.41 ms  220.543 ms  261.308 ms
 5  oeb3-atm6-0.columbus.oar.net (199.18.202.13)  209.943 ms  260.37 ms  240.869 ms
 6  bordercore4-hssi0-0.Washington.mci.net (166.48.43.249)  200.466 ms  239.379 ms  259.513 ms
 7  core5.Washington.mci.net (204.70.4.109)  245.479 ms  193.57 ms  225.359 ms
 8  mae-east3-nap.Washington.mci.net (204.70.1.22)  314.67 ms  299.561 ms  217.859 ms
 9  mae-east.agis.net (192.41.177.145)  218.795 ms  219.532 ms  250.083 ms
10  204.157.38.250 (204.157.38.250)  207.993 ms  219.306 ms  179.626 ms
11  ga007.chicago3.agis.net (206.84.228.238)  289.419 ms  270.072 ms  259.081 ms
12  205.254.173.234 (205.254.173.234)  269.436 ms  219.897 ms  218.991 ms
13  llv.chicago1.agis.net (205.137.58.10)  299.696 ms  359.805 ms  259.496 ms
14  205.254.167.10 (205.254.167.10)  389.448 ms  289.961 ms  299.789 ms




Copyright 1997 Jim Youll, all rights reserved
This document may be freely distributed provided any such redistribution presents the document in its original unmodified form including the copyright notice and this message.