POP3 DoS attacks and mailanyone.net?

Andrew Fried andrew.fried at gmail.com
Tue Sep 1 20:30:47 UTC 2009


Hummm.  Looking through some of my data I found that the domain
NORTHROANOKE.COM resolves to 98.190.204.2 (the first attack vector).

That box is running Microsoft Business Server 2003.  NORTHROANOKE.COM
appears to be some kind of assisted living facility in Roanoke, Virginia
(based on whois).

Doesn't look gmail related from that perspective...


Andrew

Andrew Fried
andrew.fried at gmail.com


Winn Johnston wrote:
> Issues with gmail.com 
> 
> here in DC
> 
> Winn Johnston
> ________________________________________
> From: up at 3.am [up at 3.am]
> Sent: Tuesday, September 01, 2009 3:28 PM
> To: nanog at nanog.org
> Subject: POP3 DoS attacks and mailanyone.net?
> 
> For the first time since I can remember, my POP3 server was effectively
> shut down by too many simultaneous connections today.  The first fix I
> tried was to raise the number of connections from the default 40 to 100,
> but the problem soon returned.
> 
> I finally ipfw'd off the offending IP (98.190.204.2 for anyone
> interested), then went to look for other possible offenders in the log.  I
> noticed several thousand connections today to a few dozen former users
> from 4 IPs from 208.70.128.0/21.  One of the users was actually
> legitimate.
> 
> These IPs belong to mailanyone.net.  The tech contact in their ARIN record
> is listed as:
> 
> OrgTechHandle: BHE57-ARIN
> OrgTechName:   Heitman, Bryan
> OrgTechPhone:  +1-816-587-4700
> OrgTechEmail:  hostmaster at mailanyone.net
> 
> However, that phone number goes to a UPS store that has no idea what I'm
> talking about.  I then dialed their supposed NOC number:
> 
> Comment:    FuseMail, LLC Network Operations Center contact
> Comment:    877.888.3873 x3
> 
> I am on hold with that number right now with some very loud and annoying
> music.
> 
> Can anyone offer any insight as to these people and how/who to deal with
> there?
> 
> Would a provider be amiss to just block their entire /21?
> 
> TIA,
> 
> James Smallacombe                     PlantageNet, Inc. CEO and Janitor
> up at 3.am                                                     http://3.am
> =========================================================================
> 
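The log review described in the quoted message (logins grouped by source network, former versus current accounts), as an added example that is not part of the original thread. The log line format, user names and documentation-range addresses are constructed assumptions; only the /21 grouping comes from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log line format (hypothetical; adapt the regex to your POP3 daemon).
LINE_RE = re.compile(r"pop3d: login user=(\S+) ip=(\d+\.\d+\.\d+\.\d+)")

# Constructed sample: documentation-range addresses and made-up user names.
SAMPLE = [
    f"Sep  1 14:00:{i:02d} mail pop3d: login user={user} ip={ip}"
    for i, (user, ip) in enumerate([
        ("carol", "203.0.113.5"), ("carol", "203.0.113.5"),
        ("carol", "203.0.113.5"), ("carol", "203.0.113.5"),
        ("olduser1", "198.51.100.7"), ("olduser2", "198.51.100.9"),
        ("olduser1", "198.51.101.20"), ("olduser2", "198.51.100.7"),
        ("alice", "198.51.100.9"), ("bob", "192.0.2.44"),
    ])
]

def summarize(lines, active_users, prefix_len=21):
    """Group logins by covering network; split targeted accounts into active and stale."""
    stats = defaultdict(lambda: {"conns": 0, "ips": set(), "active": set(), "stale": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login line
        user, ip = m.groups()
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        entry = stats[str(net)]
        entry["conns"] += 1
        entry["ips"].add(ip)
        entry["active" if user in active_users else "stale"].add(user)
    return dict(stats)

def flag(stats, min_conns):
    """Networks at or above min_conns, busiest first, with the active accounts a block would cut off."""
    hits = [(net, s["conns"], len(s["ips"]), sorted(s["active"]))
            for net, s in stats.items() if s["conns"] >= min_conns]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    report = flag(summarize(SAMPLE, {"alice", "bob", "carol"}), min_conns=3)
    for net, conns, sources, active in report:
        print(f"{net}: {conns} logins from {sources} source(s); active accounts seen: {active}")
```

A network whose active list is not empty is one where a prefix-wide block also cuts off a current user.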



