
How to report a spam botnet

  • Michael Monnerie
    Message 1 of 6, Nov 18, 2012
      We've got one user's e-mail password hacked, and at the same time a lot
      of different IPs started to use that address. Here is the list. How
      should we report those IPs, is there an "anti botnet unit" somewhere?
      What is the best way to fight it?

      008.021.006.226
      014.139.187.017
      014.149.118.062
      014.154.200.135
      014.154.202.080
      037.059.126.055
      037.221.130.043
      041.224.246.009
      042.120.042.108
      042.121.090.036
      046.172.226.082
      058.060.032.030
      058.060.033.119
      058.060.033.169
      058.061.061.106
      058.061.062.042
      058.061.072.130
      058.061.074.045
      058.061.080.125
      058.061.083.205
      058.061.139.110
      058.211.138.027
      059.034.057.068
      059.050.160.164
      059.050.165.200
      059.050.173.084
      059.050.175.129
      059.058.243.025
      059.060.007.146
      060.173.008.080
      060.190.136.090
      061.032.075.088
      061.040.132.114
      061.135.133.175
      061.186.008.003
      061.186.009.206
      061.186.010.132
      061.186.015.046
      061.186.015.063
      061.186.015.245
      061.186.017.127
      061.186.018.156
      061.186.021.065
      062.033.168.214
      067.019.027.250
      067.055.121.212
      080.080.108.035
      081.024.116.046
      082.026.004.179
      082.116.036.010
      084.020.082.082
      085.113.038.013
      085.234.022.126
      086.096.200.078
      087.224.152.135
      089.218.083.092
      089.218.094.166
      091.075.085.224
      091.194.057.018
      092.050.133.026
      094.023.018.040
      094.075.243.148
      094.180.123.034
      095.170.205.148
      095.211.089.043
      103.022.182.131
      109.203.203.060
      110.082.117.007
      110.139.166.231
      110.139.167.171
      110.189.168.171
      112.067.036.172
      112.067.084.091
      112.067.087.102
      112.067.112.148
      112.067.112.255
      112.067.113.192
      112.067.119.028
      112.067.173.116
      112.067.176.047
      112.067.176.082
      112.067.177.101
      112.067.177.184
      112.067.179.082
      112.067.182.232
      112.067.183.049
      112.067.183.174
      112.067.183.226
      112.067.185.027
      112.067.188.088
      112.067.190.242
      112.067.191.010
      113.015.180.062
      113.085.020.123
      113.108.201.189
      113.118.092.195
      113.118.094.156
      113.207.124.165
      115.236.050.016
      118.026.200.245
      118.097.058.166
      118.098.073.110
      118.116.161.254
      118.123.250.012
      119.147.143.042
      119.177.015.238
      120.028.008.194
      120.043.089.101
      120.132.132.119
      121.022.034.166
      121.058.235.130
      121.206.075.065
      122.166.119.208
      122.170.116.178
      122.225.202.018
      123.147.247.096
      125.007.221.146
      125.079.092.024
      125.079.092.084
      125.088.125.201
      130.185.104.080
      140.240.002.024
      140.240.002.088
      140.240.003.131
      140.240.005.087
      140.240.006.037
      140.240.008.186
      140.240.011.042
      140.240.016.005
      140.240.016.169
      140.240.022.003
      140.240.024.018
      140.240.027.004
      140.240.247.235
      140.240.253.245
      177.043.059.146
      178.074.103.049
      178.207.158.230
      178.211.050.083
      180.143.184.246
      180.149.096.069
      180.250.144.210
      182.073.108.034
      182.133.123.050
      182.255.000.039
      183.014.121.227
      183.014.124.120
      183.039.181.122
      186.201.116.194
      187.052.171.114
      187.059.087.082
      187.078.031.182
      187.115.052.040
      189.108.118.194
      190.085.096.173
      190.094.003.090
      190.187.057.130
      190.189.090.132
      190.202.116.101
      190.223.053.198
      193.039.118.019
      193.255.143.063
      195.016.049.214
      196.203.071.082
      198.144.187.074
      199.058.185.162
      200.031.105.172
      200.160.111.154
      200.175.044.223
      200.206.014.026
      201.018.107.234
      201.077.202.068
      201.086.129.043
      202.067.012.162
      202.067.235.123
      203.086.060.018
      207.194.087.105
      212.075.136.248
      212.117.174.064
      212.144.254.122
      213.247.184.145
      217.018.137.130
      217.024.114.114
      217.147.232.030
      217.219.123.059
      218.001.098.013
      218.005.074.199
      218.063.168.253
      218.065.230.131
      218.067.082.171
      218.067.083.117
      218.077.192.156
      218.077.198.087
      218.094.107.004
      220.161.133.203
      220.163.044.188
      220.196.042.048
      221.007.215.248
      221.214.221.148
      221.234.024.046
      222.078.127.223
      222.189.152.068
      222.197.214.091
      222.218.182.000
      222.218.182.249
      222.255.027.223
      223.004.241.231
      223.198.162.062
      223.199.128.154
      223.199.129.073
      223.199.129.202
      223.199.130.046
      223.199.131.114
      223.199.139.229

      --
      // Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
      // http://it-management.at Tel: +43 660 / 415 65 31
      // PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
      // Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
      // Keyserver: wwwkeys.pgp.net Key-ID: 1C1209B4
    • Reindl Harald
      Message 2 of 6, Nov 18, 2012
        On 18.11.2012 14:08, Michael Monnerie wrote:
        > We've got one user's e-mail password hacked, and at the same time a lot
        > of different IPs started to use that address.

        welcome to the club, thanks to rate-controls the damage
        was reduced to < 700 messages in total

        > Here is the list

        the list is invalid because ip-segments
        do not have leading zeros


        > How should we report those IPs, is there an "anti botnet unit"
        > somewhere? What is the best way to fight it?

        forget it - a whois will show you that they are all from
        different countries and providers, so you have to email
        all the abuse-addresses, there is no service that will do it for you


        --

        Reindl Harald
        the lounge interactive design GmbH
        A-1060 Vienna, Hofmühlgasse 17
        CTO / CISO / Software-Development
        p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
        icq: 154546673, http://www.thelounge.net/

        http://www.thelounge.net/signature.asc.what.htm
      • Michael Monnerie
        Message 3 of 6, Nov 18, 2012
          On Sunday, 18 November 2012, 14:12:47, Reindl Harald wrote:
          > the list is invalid because ip-segments
          > does not have leading zeros

          ?
          cat list | sed -E 's/(^|\.)0+([0-9])/\1\2/g' if you need to. But whois can cope with that:

          % The key "125.088.125.201" has been changed to "125.88.125.201" for
          lookup.

          Nothing should have problems with leading zeroes.

          > forget it - a whois will show you that they all are from
          > different countries and providers, so you have to email
          > all the abuse-addresses, there will be no service do it for you

          I've found the CERT reporting site:
          https://forms.us-cert.gov/report/index.php

          I was hoping someone may know a central site.

          whois was done, report sent to all sites who have an e-mail in their
          answer.

          --
          Kind regards,
          Michael Monnerie, Ing. BSc

          it-management Internet Services: Protéger
          http://proteger.at [pronounced: Prot-e-schee]
          Tel: +43 660 / 415 6531
        • Jim Reid
          Message 4 of 6, Nov 18, 2012
            On 18 Nov 2012, at 17:40, Michael Monnerie <lists.michael.monnerie@...-management.at> wrote:

            > Nothing should have problems with leading zeroes.

            Sometimes reality intrudes on ideals. There is legacy software out there which will not behave the way you expect. Sometimes a digit string which begins with a leading zero will be treated as a sequence of digits in octal rather than decimal. [Yes, and a string which starts "0x" is considered to be in hex.] I think this quirk is buried deep in the library code for scanf() and its friends.

            You were just lucky that the whois client you chose for your example did The Right Thing. For your definition of The Right Thing.
          • Wietse Venema
            Message 5 of 6, Nov 18, 2012
              Jim Reid:
              > On 18 Nov 2012, at 17:40, Michael Monnerie <lists.michael.monnerie@...-management.at> wrote:
              >
              > > Nothing should have problems with leading zeroes.
              >
              > Sometimes reality intrudes on ideals. There is legacy software out
              > there which will not behave the way you expect. Sometimes a digit

              You mean, like UNIX libc libraries?

              % telnet 168.100.189.015 22
              Trying 168.100.189.13...

              (FreeBSD, Fedora Core, Solaris).

              Wietse
            • Reindl Harald
              Message 6 of 6, Nov 18, 2012
                On 18.11.2012 20:19, Wietse Venema wrote:
                > Jim Reid:
                >> On 18 Nov 2012, at 17:40, Michael Monnerie <lists.michael.monnerie@...-management.at> wrote:
                >>
                >>> Nothing should have problems with leading zeroes.
                >>
                >> Sometimes reality intrudes on ideals. There is legacy software out
                >> there which will not behave the way you expect. Sometimes a digit
                >
                > You mean, like UNIX libc libraries?
                >
                > % telnet 168.100.189.015 22
                > Trying 168.100.189.13...
                >
                > (FreeBSD, Fedora Core, Solaris)

                that's why i said invalid because 99 out of 100
                packages will not behave as expected
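The octal quirk that Jim Reid describes and Wietse Venema demonstrates, plus the list clean-up that the sed one-liner earlier in the thread was aiming at, as an added C example that is not part of the thread and not any poster's code. It calls only inet_addr() and inet_pton() from libc; the function names parse_bsd, parse_strict, canonicalize, bsd_value and strict_value are this example's own, and the sample addresses are either taken from the thread (168.100.189.015 from the telnet run, two entries from the posted list) or constructed to show a range error.

```c
/*
 * Added example (not code from the thread or from any of its authors).
 * inet_addr() keeps the old BSD rule that an octet with a leading zero is
 * octal, so "015" becomes 13 and "008" is rejected because 8 is not an
 * octal digit; inet_pton() refuses zero-padded octets altogether.
 * canonicalize() rewrites "008.021.006.226" as "8.21.6.226" so the entry
 * can be handed to whois, an access map or a firewall without ambiguity.
 */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libc's traditional parser. Returns 1 and the host-order address, or 0
 * when the string is rejected. INADDR_NONE also means 255.255.255.255,
 * one more reason not to use inet_addr() in new code. */
int parse_bsd(const char *s, uint32_t *out)
{
    in_addr_t a = inet_addr(s);
    if (a == INADDR_NONE)
        return 0;
    *out = ntohl(a);
    return 1;
}

/* Strict parser: inet_pton(AF_INET, ...) accepts only four decimal octets
 * in 0..255 with no leading zeros, no hex and no shortened forms. */
int parse_strict(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Read each octet as decimal regardless of padding, range-check it, and
 * write the address back without padding. Returns 1 on success, 0 on any
 * malformed input (missing octet, trailing junk, value above 255). */
int canonicalize(const char *s, char *out, size_t outlen)
{
    unsigned octet[4];
    size_t i = 0;

    for (int n = 0; n < 4; n++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        unsigned v = 0;
        while (isdigit((unsigned char)s[i])) {
            v = v * 10 + (unsigned)(s[i++] - '0');
            if (v > 255)
                return 0;
        }
        octet[n] = v;
        if (n < 3 && s[i++] != '.')
            return 0;
    }
    if (s[i] != '\0')
        return 0;
    int w = snprintf(out, outlen, "%u.%u.%u.%u",
                     octet[0], octet[1], octet[2], octet[3]);
    return w > 0 && (size_t)w < outlen;
}

/* Demo wrappers: host-order value, or 0 when the parser rejects the string. */
uint32_t bsd_value(const char *s)    { uint32_t v; return parse_bsd(s, &v) ? v : 0; }
uint32_t strict_value(const char *s) { uint32_t v; return parse_strict(s, &v) ? v : 0; }

static void show(const char *s)
{
    char canon[16];
    uint32_t v;
    printf("%-16s", s);
    if (parse_bsd(s, &v))
        printf(" inet_addr=%u.%u.%u.%u", (unsigned)(v >> 24), (unsigned)((v >> 16) & 255),
               (unsigned)((v >> 8) & 255), (unsigned)(v & 255));
    else
        printf(" inet_addr=rejected");
    printf(" inet_pton=%s", parse_strict(s, &v) ? "accepted" : "rejected");
    printf(" canonical=%s\n", canonicalize(s, canon, sizeof canon) ? canon : "invalid");
}

int main(void)
{
    /* First entry is the telnet example from the thread, the next two are
       from the posted list, the last is constructed to show a range error. */
    const char *samples[] = { "168.100.189.015", "008.021.006.226",
                              "222.218.182.000", "10.0.0.256" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        show(samples[k]);
    return 0;
}
```

Build with `cc -o ipcheck ipcheck.c` and run it. The practical point for a blocklist or an abuse report is that the same string can be read three different ways by three different tools, so normalise the list once with canonicalize() (or the equivalent sed) and only ever pass the canonical form on to whois, the MTA's access tables or the firewall.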