...making Linux just a little more fun!
Rick Moen [rick at linuxmafia.com]
Readers of the TAG mailing list may recall a 419 (advance-money fraud) spam that hit the mailing list from a "vds2000.com" IP address. Rather than immediately consign the offender to the nether realms, I sent a copy with full headers to the relevant abuse@ address, saying "419 fraud from your IP".
That resulted in my being informed of a "trouble ticket"... and... let's just jump to the end of the story, two days further on -- my closing entry at https://help.thehostgroup.com/index.php?_m=tickets&_a=postreply&ticketid=28748 :
Just so we're really clear about this, and review: I'm a system administrator who brought to your attention in ticket #28621 an episode of 419 fraud mail from your IP, 64.6.241.11, possibly through exploit of a buggy PHP page. Ticket #28621 was immediately closed without any indication of resolution, and then (briefly) reopened when I asked what the resolution was. One day later, I find that my ticketing system login no longer has access to that ticket. I ask what's going on, resulting in this ticket (#28748) -- which ticket I find has now also been closed without comment. So, I will now be setting all systems I administer to 550-reject mail from your company's IPs. Have a nice eternity.
Rick Moen [rick at linuxmafia.com]
I wrote:
> Readers of the TAG mailing list may recall a 419 (advance-money fraud)
> spam that hit the mailing list from a "vds2000.com" IP address. Rather
> than immediately consign the offender to the nether realms, I sent a
> copy with full headers to the relevant abuse@ address, saying "419 fraud
> from your IP".
>
> That resulted in my being informed of a "trouble ticket"... and... let's
> just jump to the end of the story, two days further on -- my closing
> entry at
> https://help.thehostgroup.com/index.php?_m=tickets&_a=postreply&ticketid=28748 :
>
> Just so we're really clear about this, and review: I'm a system
> administrator who brought to your attention in ticket #28621 an episode
> of 419 fraud mail from your IP, 64.6.241.11, possibly through exploit of
> a buggy PHP page. Ticket #28621 was immediately closed without any
> indication of resolution, and then (briefly) reopened when I asked what
> the resolution was.
>
> One day later, I find that my ticketing system login no longer has
> access to that ticket. I ask what's going on, resulting in this ticket
> (#28748) -- which ticket I find has now also been closed without
> comment.
>
> So, I will now be setting all systems I administer to 550-reject mail
> from your company's IPs. Have a nice eternity.
It's possible I'm too fatigued to really analyse such matters correctly, so I welcome other comments from the less frazzled among us. One of the admins at "The Host Group" wrote back to me to say
Rick,

The IP address you quote is not in our network:

adam@rowlf:~$ whois 64.6.241.11
If you do that, you see:
OrgName:    Jumpline.com, Inc.
OrgID:      JMPL
Address:    1679 Gateway Circle
City:       Grove City
StateProv:  OH
PostalCode: 43123
Country:    US

NetRange:   64.6.224.0 - 64.6.255.255
CIDR:       64.6.224.0/19
NetName:    JUMPLINE-COM
NetHandle:  NET-64-6-224-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.FROGSPACE.NET
NameServer: NS2.FROGSPACE.NET
Comment:
RegDate:    1999-12-07
Updated:    2008-04-11

OrgTechHandle: NOC2384-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-614-871-8436
OrgTechEmail:  postmaster@vds2000.com

# ARIN WHOIS database, last updated 2008-07-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Yes, you can use the "whois" command to determine who owns an IP netblock. In this case, as the gentleman points out, the IP in question is part of range 64.6.224.0 through 64.6.255.255, which was assigned by the American Registry for Internet Numbers (the IP authority for North America) to "Jumpline, Inc." of Ohio.
In drafting my original query, I had consulted the reverse DNS for IP 64.6.241.11, like this:
$ dig -x 64.6.241.11 +short
s11.n241.vds2000.com.
I had then sent off my advisory about a 419 abuse to "abuse@vds2000.com", which in turn automatically created a trouble ticket at help.thehostgroup.com. (Notice, too, the domain cited in the "OrgTechEmail" line, above.)
My logic was like this: Only the organisation that controls an IP's netblock can determine its reverse-DNS hostname, which in this case was within the "vds2000.com" domain. So, I wrote to the designated "abuse" contact for vds2000.com, which domain turns out to be owned by Jumpline.com, Inc.
My correspondent claims that his firm, The Host Group of McLean, VA, is somehow not connected with mail coming from that netblock, because the netblock belongs to Jumpline.com, Inc., of Grove City, Ohio.
Which of us is incorrect? I'm on far too little sleep at the moment, but "We're not connected with domains pointed to by reverse DNS zones within our sole control" (paraphrased) smells a little fishy, to me.
Rick Moen [rick at linuxmafia.com]
I wrote:
> Which of us is incorrect? I'm on far too little sleep at the moment,
> but "We're not connected with domains pointed to by reverse DNS zones
> within our sole control" (paraphrased) smells a little fishy, to me.
And I should hasten to add that I did not set up automatic rejection of mail from "thehostgroup.com", in any event, just from the offending IP netblock.
René Pfeiffer [lynx at luchs.at]
On Jul 30, 2008 at 1701 -0700, Rick Moen appeared and said:
> [...]
> It's possible I'm too fatigued to really analyse such matters correctly,
> so I welcome other comments from the less frazzled among us. One of the
> admins at "The Host Group" wrote back to me to say
>
> Rick,
>
> The IP address you quote is not in our network:
>
> adam@rowlf:~$ whois 64.6.241.11
> [...]
> Which of us is incorrect? I'm on far too little sleep at the moment,
> but "We're not connected with domains pointed to by reverse DNS zones
> within our sole control" (paraphrased) smells a little fishy, to me.
The SMTP banner claims that 64.6.241.11 is cp11.myhostcenter.com. It would be interesting to see if a mail to abuse@myhostcenter.com goes to the same trouble ticketing system. Since their addresses from www.myhostcenter.com and the whois query match, I'd say yes. I think the server might be a hosted machine, the customer has no clue about it and all other references point to myhostcenter.com instead of the customer running this server.
Best, René.
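The three checks the thread walks through by hand (Rick's reverse-DNS lookup and ARIN whois reasoning, and René's comparison against the SMTP banner hostname) can be turned into one triage routine. The following is an added example written for this page; it is not code from the thread, from Linux Gazette, or from any of the hosting companies named. It runs entirely offline on embedded input: the whois record is the ARIN text quoted above, re-wrapped; the reverse-DNS name is the dig answer above; the SMTP banner line is constructed from the hostname René reports, since the thread does not show the banner itself. The "last two labels" rule in registrable_domain, and the Postfix cidr-map line, are this example's own assumptions.

```python
"""Abuse-report triage: whose netblock is this IP in, and who should hear about it?

Added example for the Linux Gazette thread above; not the thread's own code.
Nothing here touches the network: every input is embedded and labelled.
"""
import ipaddress

# Constructed sample: the ARIN record quoted in the thread, one field per line.
WHOIS_RECORD = """\
OrgName:    Jumpline.com, Inc.
OrgID:      JMPL
Address:    1679 Gateway Circle
City:       Grove City
StateProv:  OH
Country:    US
NetRange:   64.6.224.0 - 64.6.255.255
CIDR:       64.6.224.0/19
NetName:    JUMPLINE-COM
NetType:    Direct Allocation
OrgTechHandle: NOC2384-ARIN
OrgTechName:   Network Operations Center
OrgTechEmail:  postmaster@vds2000.com
# ARIN WHOIS database, last updated 2008-07-29 19:10
"""

# From the thread: `dig -x 64.6.241.11 +short` answered with this name.
RDNS_NAME = "s11.n241.vds2000.com."

# Constructed: the thread only says the banner names cp11.myhostcenter.com.
SMTP_BANNER = "220 cp11.myhostcenter.com ESMTP"


def parse_whois(text):
    """'Key: value' lines into a dict of lists (NameServer etc. may repeat)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def netblock_for(ip, fields):
    """Return the allocated network containing ip, or None if none matches."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in fields.get("CIDR", [])]
    # Some records carry only NetRange ("first - last"); derive CIDRs from it.
    for rng in fields.get("NetRange", []):
        first, _, last = (p.strip() for p in rng.partition("-"))
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def registrable_domain(hostname):
    """Assumption: the last two labels are the owning domain (ignores co.uk-style SLDs)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def banner_hostname(banner):
    """Hostname an SMTP server announces in its 220 greeting, or '' if not a 220."""
    parts = banner.split()
    return parts[1] if len(parts) >= 2 and parts[0] == "220" else ""


def postfix_cidr_reject(net, text="550 Mail from this netblock is not accepted"):
    """One line for a Postfix cidr: access map used via check_client_access (assumed syntax)."""
    return f"{net}\t{text}"


def triage(ip, rdns_name, smtp_banner, whois_text):
    """Correlate netblock owner, reverse DNS and SMTP banner; list abuse contacts."""
    fields = parse_whois(whois_text)
    net = netblock_for(ip, fields)
    tech_email = fields.get("OrgTechEmail", [""])[0]
    tech_domain = tech_email.partition("@")[2].lower()
    rdns_domain = registrable_domain(rdns_name) if rdns_name else ""
    host = banner_hostname(smtp_banner)
    banner_domain = registrable_domain(host) if host else ""
    contacts = []
    for domain in (rdns_domain, banner_domain):
        if domain and "abuse@" + domain not in contacts:
            contacts.append("abuse@" + domain)
    if tech_email and tech_email not in contacts:
        contacts.append(tech_email)
    return {
        "netblock": str(net) if net else None,
        "org": fields.get("OrgName", [""])[0],
        "rdns_domain": rdns_domain,
        "tech_domain": tech_domain,
        "banner_domain": banner_domain,
        # Only the netblock holder can publish the reverse zone, so agreement
        # between rDNS and the registry contact is the strongest signal here.
        "rdns_matches_tech_contact": bool(rdns_domain) and rdns_domain == tech_domain,
        "report_to": contacts,
        "postfix_reject": postfix_cidr_reject(net) if net else None,
    }


if __name__ == "__main__":
    for key, value in triage("64.6.241.11", RDNS_NAME, SMTP_BANNER, WHOIS_RECORD).items():
        print(f"{key}: {value}")
```

Run on the thread's data, the routine confirms both correspondents' facts at once: the IP sits in Jumpline.com's 64.6.224.0/19, the reverse zone and the ARIN technical contact both point at vds2000.com, and the banner points at a third domain, myhostcenter.com, which is why the report lists three candidate contacts rather than one.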