Strange message possibly through nanog mail server

Alon Tirosh atirosh at interactiveedge.com
Wed Mar 17 21:58:00 UTC 2004


Got it, came from nanog, originated from DISA (purportedly, anyways): 

Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP;
	Wed, 17 Mar 2004 21:10:38 GMT

#whois 198.26.130.36

OrgName:    The Defense Information Systems Agency
OrgID:      DISA
Address:    DISA/DSSO/JCLCC
Address:    Room BF655A, The Pentagon
City:       Washington
StateProv:  DC
PostalCode: 20301
Country:    US

NetRange:   198.25.0.0 - 198.26.255.255
CIDR:       198.25.0.0/16, 198.26.0.0/16
NetName:    NETBLK-DISA-C
NetHandle:  NET-198-25-0-0-1
Parent:     NET-198-0-0-0-0
NetType:    Direct Allocation
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
NameServer: AAA-VIENNA.NIPR.MIL 


I *think* I loaded the page in lynx before it got rate-limited, and lynx
flashed through a whole mess of fast redirects before faulting out. No
logs, unfortunately. 

Just a question: is this the Chinese year of the immature script kiddie
or something?

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
william(at)elan.net
Sent: Wednesday, March 17, 2004 5:58 PM
To: nanog at merit.edu
Subject: Strange message possibly through nanog mail server



I just received this. I would like to check whether others have received it
and whether it did indeed come through the nanog mailing list:

> Date: Wed, 17 Mar 2004 21:10:38 +0000
> From: Deep Throat <deepthroat20004 at hotmail.com>
> To: schroebel6 at aol.com
> Subject: Spamhaus Exposed
>
> Disturbing information on one of the founders of Spamhaus.org
> 
> http://www.geocities.com/jackjack9872004/

_______________________________________________________________________

And while the website was unavailable and the sender is being anonymous
(which is against nanog list policies if this was sent through it), what
I do find worse is that they managed to do it so that nanog at merit.edu is
not added to "CC" (which, if I understood correctly, is always supposed to happen
when something goes through this mail list, which makes me think it might
have come through the merit mail machine but not actually through the mail list).
What I find even more disturbing is that the IP address listed as origin
(which may well have been forged if they managed to gain some higher
level access to merit servers) is that of the US Military.

Below is the header for your review. I do however find it slightly more
likely that it's some kind of sophisticated joe-job on spamhaus and that the
info is forged, but they may have used some bug in merit mail software.

Return-Path: <owner-nanog at merit.edu>
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26])
        by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368
        for <william at elan.net>; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix)
        id CF8FA91307; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: nanog-outgoing at trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56)
        id 92B3591328; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: nanog at trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
        by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307
        for <nanog at trapdoor.merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: by segue.merit.edu (Postfix)
        id A27775DE7B; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Delivered-To: nanog at merit.edu
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78])
        by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72
        for <nanog at merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Wed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP;
        Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36] <---- Note this, see below
X-Originating-Email: [deepthroat20004 at hotmail.com]
X-Sender: deepthroat20004 at hotmail.com
From: "Deep Throat" <deepthroat20004 at hotmail.com>
To: schroebel6 at aol.com
Subject: Spamhaus Exposed
Date: Wed, 17 Mar 2004 21:10:38 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <BAY13-F78KxAh5hMpAn0002ba61 at hotmail.com>
X-OriginalArrivalTime: 17 Mar 2004 21:10:38.0810 (UTC)
    FILETIME=[4C3633A0:01C40C64]
Sender: owner-nanog at merit.edu
Precedence: bulk
Errors-To: owner-nanog-outgoing at merit.edu
X-Loop: nanog

Disturbing information on one of the founders of Spamhaus.org

http://www.geocities.com/jackjack9872004/

----------------------------------------------------------------------
$ host 198.26.130.36
36.130.26.198.in-addr.arpa domain name pointer BU-WCS1-SAND.NIPR.MIL.

[whois.completewhois.com]
Elan Completewhois.Com Whois Server, Version 0.91a6, compiled on Jan 02, 2004
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only if you
follow our policies at http://www.completewhois.com/policies.htm

[IPv4 whois information on 198.26.130.36 ] [Query Origin: Main Whois Query ]
[whois.arin.net]
OrgName:    The Defense Information Systems Agency
OrgID:      DISA
Address:    DISA/DSSO/JCLCC
Address:    Room BF655A, The Pentagon
City:       Washington
StateProv:  DC
PostalCode: 20301
Country:    US

NetRange:   198.25.0.0 - 198.26.255.255
CIDR:       198.25.0.0/16, 198.26.0.0/16
NetName:    NETBLK-DISA-C
NetHandle:  NET-198-25-0-0-1
Parent:     NET-198-0-0-0-0
NetType:    Direct Allocation
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
NameServer: AAA-VIENNA.NIPR.MIL
Comment:
RegDate:    1992-12-05
Updated:    2004-01-13
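As an added example (not part of either message in this thread), here is a small Python parser that does by hand what the two posters did by eye: unfold the quoted header block, walk the Received: chain earliest-first to recover the IP each receiving MTA recorded, and pick out the list-expander headers (Sender, Precedence, X-Loop) whose presence shows the copy did traverse the list, while keeping X-Originating-IP apart since it is only Hotmail's claim about its web client. The header block is a constructed excerpt of the one quoted above with the archive's " at " obfuscation undone.

```python
import re

# Constructed excerpt of the header quoted in the thread, with the archive's
# " at " address obfuscation undone so the fields read as real headers.
SAMPLE_HEADERS = """\
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26])
        by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368
        for <william@elan.net>; Wed, 17 Mar 2004 14:20:35 -0800
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
        by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307
        for <nanog@trapdoor.merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78])
        by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72
        for <nanog@merit.edu>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP;
        Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36]
Sender: owner-nanog@merit.edu
Precedence: bulk
X-Loop: nanog
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")

def unfold(raw):
    """Split on line breaks not followed by whitespace (RFC 2822 folding) and
    return (lower-cased name, whitespace-normalised value) pairs in header order."""
    out = []
    for field in re.split(r"\n(?![ \t])", raw.strip()):
        name, _, value = field.partition(":")
        out.append((name.strip().lower(), " ".join(value.split())))
    return out

def received_hops(raw):
    """Hops earliest-first. 'ip' is the literal the receiving MTA recorded in
    parentheses, or the 'from' token itself when that token is an address."""
    hops = []
    for name, value in unfold(raw):
        m = HOP_RE.search(value) if name == "received" else None
        if not m:
            continue                      # also skips local 'Received: by host' hops
        src, comment, by = m.groups()
        lit = re.search(r"\[([\d.]+)\]", comment or "")
        ip = lit.group(1) if lit else (src if re.fullmatch(r"[\d.]+", src) else None)
        hops.append({"from": src, "by": by, "ip": ip})
    return hops[::-1]                     # Received: lines are prepended, so reverse

def pick(raw, names=("sender", "precedence", "x-loop", "x-originating-ip")):
    """Sender/Precedence/X-Loop are stamped by the list expander, so their
    presence shows the copy traversed the list; X-Originating-IP is only the
    webmail host's claim about its HTTP client, not a verifiable MTA hop."""
    return {n: v for n, v in unfold(raw) if n in names}
```

Only the hops recorded by servers you trust (here the merit.edu machines and your own MTA) are reliable; everything below the first hotmail.com line, including the 198.26.130.36 literal, rests on Hotmail's say-so.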