WTF?

Daniel Reed djr at narnia.n.ml.org
Wed Nov 19 23:15:39 UTC 1997


On Wed, 19 Nov 1997, James D. Butt wrote:
) Here is what I received from abuse at ibm.net
) 
) -------------------------------------------------------------------------
) DUP  11/19/97 10:56:24
) 
) Thank you for notifying us.
) 
) This individual has been warned regarding the consequences of sending
) Unsolicited Commercial Email.
) Continued violations will result in an account cancellation. Please
) inform us if any other abuse originated from <ibm.net> customers.

That's truly wondrous as, after sending:
>From djr at narnia.n.ml.org Wed Nov 19 17:37:59 1997
Date: Mon, 17 Nov 1997 20:25:48 -0500 (EST)
From: Daniel Reed <djr at narnia.n.ml.org>
To: support at ibm.net, abuse at ibm.net
Subject: OWNED (fwd)

I have reason to believe one of your customers, perhaps still connected
to your service, has been maliciously attacking the NANOG mailing list
(nanog at merit.edu). Today the NANOG mailing list was subscribed to itself,
it received a bounce that showed us (the subscribers) an attempt to
subscribe it to several lists at a remote server, and was also subscribed
to some Marilyn Monroe fan mailing list. We then received this message,
and as the headers indicate, it appears to be originating from some
ibm.net dialup user.

Received: from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US
                              ^^^^^^^^^^^^
 (EMWAC SMTPRS 0.81) with SMTP id <B0000000019 at www.RVC.CC.IL.US>;
 Mon, 17 Nov 1997 18:56:25 -0600

root at narnia:~# host 166.72.5.121
121.5.72.166.IN-ADDR.ARPA domain name pointer slip166-72-5-121.il.us.ibm.net
root at narnia:~#

--
Daniel Reed <n at narnia.n.ml.org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
Some people mistake genius for insanity.

---------- Forwarded message ----------
Return-Path: owner-nanog at merit.edu
Received: from merit.edu [198.108.1.42]
          by mail.n.ml.org (Sendmail 8.8.8) via ESMTP (UAA16049-199711180120)
          for address <djr at narnia.n.ml.org>
          on Mon, 17 Nov 1997 20:20:11 -0500 (EST)
Received: from localhost (daemon at localhost)
	by merit.edu (8.8.7/8.8.5) with SMTP id TAA04909;
	Mon, 17 Nov 1997 19:43:41 -0500 (EST)
Received: by merit.edu (bulk_mailer v1.5); Mon, 17 Nov 1997 19:43:36 -0500
Received: (from majordom at localhost)
	by merit.edu (8.8.7/8.8.5) id TAA04897
	for nanog-outgoing; Mon, 17 Nov 1997 19:43:34 -0500 (EST)
Received: from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2])
	by merit.edu (8.8.7/8.8.5) with SMTP id TAA04884
	for <nanog at merit.edu>; Mon, 17 Nov 1997 19:43:16 -0500 (EST)
Received: from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US
 (EMWAC SMTPRS 0.81) with SMTP id <B0000000019 at www.RVC.CC.IL.US>;
 Mon, 17 Nov 1997 18:56:25 -0600
Date: Mon, 17 Nov 1997 18:56:25 -0600
Message-ID: <B0000000019 at www.RVC.CC.IL.US>
From: Bill Gates III <billg at microsoft.com>
Subject: OWNED
Sender: owner-nanog at merit.edu
To: undisclosed-recipients:;

/* snipped many lines of garbage */

I received back:
>From helpdesk at ibm.e-mail.com Wed Nov 19 17:38:33 1997
Date: Tue, 18 Nov 1997 16:15:13 EST
From: helpdesk at ibm.e-mail.com
To: DJR at NARNIA.N.ML.ORG
Subject: OWNED (FWD)                                  Ref #: USINET   2048052

MAIL FROM:<Problem Mgmt>
RCPT TO:<DJR at NARNIA.N.ML.ORG>
DATA
Date: Tue, 18 NOV 97 16:14:53 est
From: Problem Mgmt
To:   <DJR at NARNIA.N.ML.ORG>
Cc:
Subject: OWNED (FWD)                                  Ref #: USINET   2048052

An incident reported by you has been updated.
The incident # is listed below. Do not respond to this e-mail.
For Account: USINET    Incident Number: 2048052  Status: PENDING   Sev: 4
Last Updated: Tue, 18 NOV 97 16:14:53           PROBLEM UPDATED.
*************************************************************************

Summary: OWNED (FWD)

-------------------------------------------------------------------------
RESP 11/18/97 16:14:49

Hello,

Based on the information you have sent we are unable to match the time and
ip of the header to the time and ip on our dial gateways. This header looks
a bit strange, the ip does not contain a "slip" in front of it. I think that
this header has been manipulated in some way.

Regards,
Postmaster at ibm.net

*************************************************************************


Please do not respond to this address.
Respond to notify at vnet.ibm.com

to which I replied, pointing out the fact that the IP address in question,
when reverse resolved (which I had even included in my original message)
did, in fact, begin with "slip" and end with "ibm.net." However, when I
replied to notify at vnet.ibm.com, as I was told to by the note at the bottom
of the message, I received no less than 6 messages telling me I should
have sent that reply to postmaster at ibm.net. I then wrote an almost-sorta-
mildly nasty note to notify at vnet.ibm.com telling them to please get their
act straight and figure out who it is, in fact, I should be contacting. I
then received several more emails telling me *that* should have gone to
postmaster at ibm.net as well.

However, I believe that all of the insightful messages announcing that "it
appears we were just mailbombed, oh my!" were arguably more detrimental to
the flow of information on this list than the actual subscription and
message bombs that prompted them. After one of the 56 mailing lists I host
on narnia is mailbombed, I make it a habit of closing all postings to that
list. Not to prevent further mailbombs, as I usually find out about it too
late, but to prevent the flood of "oh my, what'll we do, someone stop this
madness!" messages that almost always outbomb the mailbomb.

--
Daniel Reed <n at narnia.n.ml.org>
System administrator of narnia.n.ml.org (narnia.mhv.net [199.0.0.118])
What was the best thing before sliced bread?
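
The header reading done in this message, as an added example that is not part of the original post: it parses the two relevant Received lines, compares the name each client announced with the address the receiving server recorded, and builds the PTR query name. The PTR answer is copied from the `host` output quoted above rather than looked up live, and the function names are illustrative.

```python
import ipaddress
import re

# Received values copied from the forwarded message (archive " at " obfuscation kept).
RECEIVED = [
    "from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) "
    "by merit.edu (8.8.7/8.8.5) with SMTP id TAA04884",
    "from microsoft.com (166.72.5.121) by www.RVC.CC.IL.US "
    "(EMWAC SMTPRS 0.81) with SMTP id <B0000000019 at www.RVC.CC.IL.US>",
]

# PTR answer taken from the `host` output in the post; no live DNS query is made.
PTR = {"166.72.5.121": "slip166-72-5-121.il.us.ibm.net"}

# from <HELO name> ([resolved name] [ip]) by <receiving server>
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<name>[\w.-]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)")

def ptr_name(ip):
    """Name queried for the reverse lookup of an address."""
    return ipaddress.ip_address(ip).reverse_pointer

def assess(line, ptr=PTR):
    """Compare what the client claimed (HELO) with what the server saw (IP)."""
    m = HOP.search(line)
    if not m:
        return None
    helo = m["helo"].lower()
    # Prefer the name the receiving server resolved itself, else the PTR table.
    rdns = (m["name"] or ptr.get(m["ip"]) or "").lower() or None
    matches = rdns is not None and (rdns == helo or rdns.endswith("." + helo))
    return {
        "helo": helo,                 # typed by the client, trivially forged
        "ip": m["ip"],                # recorded by the receiving server
        "by": m["by"].lower(),
        "ptr_query": ptr_name(m["ip"]),
        "rdns": rdns,
        "helo_matches_rdns": matches,
        # Naive last-two-labels guess at whose abuse desk to contact.
        "network": ".".join(rdns.split(".")[-2:]) if rdns else None,
    }

def suspect_hops(lines):
    """Hops whose announced name disagrees with the recorded address."""
    hops = [h for h in map(assess, lines) if h]
    return [h for h in hops if not h["helo_matches_rdns"]]
```
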



