[108536] in North American Network Operators' Group


Re: OK, who's the idiot using tcwireless.us?

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Oct 7 21:12:32 2008

From: Owen DeLong <owen@delong.com>
To: Christopher LILJENSTOLPE <cdl@asgaard.org>
In-Reply-To: <B293DBF3-18FC-4881-B4D0-41519F68E1BD@asgaard.org>
Date: Tue, 7 Oct 2008 18:11:23 -0700
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Active address validation, perhaps?

Owen

On Oct 7, 2008, at 3:05 PM, Christopher LILJENSTOLPE wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> 	I agree with Howard here, I don't think this is a mis-configuration,
> but a harvest attempt.  The "mailserver" is in different messages, and
> I can't see how that could get misconfigured in an honest validation
> server.  My guess is that someone is trolling the archives, and sending
> this back?  Why, I have no idea, given they already can see the sending
> address.
>
> 	Chris
>
> On 07 Oct 2008, at 13.14, Valdis.Kletnieks@vt.edu wrote:
>
>> Somebody on the NANOG mailing list has their mail pointing to tcwireless.us,
>> which is throwing challenge/response mail like the following:
>>
>>
>> Your message
>>
>> From: Valdis.Kletnieks@vt.edu
>> To: n3td3v <xploitable@gmail.com>
>> Subject: Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system (Einstein 3.0)
>> Date: 10/6/2008
>>
>> has been just received by gmail.com mailserver.
>>
>> To prove that your message was sent by a human and not a computer, please
>> visit the URL below and type in the alphanumeric text you will see in the
>> image. You will be asked to do this only once for this recipient.
>>
>> http://mail.tcwireless.us/challenge/?folder=2008100614384085099427
>>
>> Your message will be automatically deleted in a few days if you do not
>> confirm this request.
>>
>> =====================================================
>> DO NOT REPLY TO THIS MESSAGE. NO ONE WILL RECEIVE IT.
>> =====================================================
>>
>> Note it says 'gmail.com mailserver'.  Paul Ferguson reported to me that the one
>> he saw said 'received by vt.edu mailserver'.  Also note that the From/To
>> has lost nanog@nanog.org - for both my note and Paul's (in fact, looking at
>> Paul's actual posting and mine show nanog@nanog.org as being the only common
>> link, thus the "must be a nanog subscriber" conclusion).
>>
>> Please, if you're going to use a C/R, at least learn how to whitelist the
>> mailing lists you're on.  And if you can't figure out how to do that, please
>> do us all a favor and not try to run an operational network...
>
> - ---
> 李柯睿
> Check my PGP key here:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB67593B
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----
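
Added example, not part of the thread and not code from any participant: one way a challenge/response filter could decide whether to issue a challenge at all, so that mailing-list traffic and bounces never trigger one. The function name, the allowlist contents (including the List-Id value) and the sample messages are assumptions constructed for illustration; the headers checked are List-Id (RFC 2919), Precedence and Auto-Submitted (RFC 3834).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical local policy: List-Id values of lists this mailbox subscribes to.
# "nanog.nanog.org" is an assumed value for illustration.
SUBSCRIBED_LIST_IDS = {"nanog.nanog.org"}


def challenge_decision(raw, envelope_sender, known_senders=frozenset()):
    """Return (action, detail); action is 'deliver', 'hold' or 'challenge'."""
    msg = message_from_string(raw)
    # A null envelope sender marks a bounce; challenging it creates mail loops.
    if envelope_sender.strip() in ("", "<>"):
        return ("hold", "null envelope sender (bounce); never challenge")
    list_id = msg.get("List-Id")
    if list_id:
        # List-Id has the form: optional description <list.identifier>
        m = re.search(r"<([^<>]+)>", list_id)
        lid = (m.group(1) if m else list_id).strip().lower()
        if lid in SUBSCRIBED_LIST_IDS:
            return ("deliver", "subscribed list " + lid)
        # The poster wrote to the list, not to this mailbox: no challenge.
        return ("hold", "unrecognised list " + lid)
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return ("hold", "bulk or list precedence")
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return ("hold", "automatically generated message")
    author = parseaddr(msg.get("From", ""))[1].lower()
    if author in known_senders:
        return ("deliver", "known sender " + author)
    # Only direct, human-originated mail from an unknown sender is challenged,
    # and the challenge goes to the envelope sender, not a header address.
    return ("challenge", envelope_sender)


# Constructed sample messages (not taken from the thread).
LIST_POST = (
    "From: Poster <poster@example.edu>\n"
    "To: nanog@nanog.org\n"
    "List-Id: North American Network Operators Group <nanog.nanog.org>\n"
    "Precedence: list\n"
    "Subject: Re: example thread\n\nbody\n")
DIRECT = ("From: Stranger <stranger@example.net>\n"
          "To: me@example.org\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    print(challenge_decision(LIST_POST, "nanog-bounces@nanog.org"))
    print(challenge_decision(DIRECT, "stranger@example.net"))
```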


