[61741] in North American Network Operators' Group


CalPOP contact? HTTP CONNECT scanning

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Wed Sep 3 20:22:10 2003

From: "Jeroen Massar" <jeroen@unfix.org>
To: <nanog@merit.edu>
Date: Thu, 4 Sep 2003 02:17:52 +0200
Errors-To: owner-nanog-outgoing@merit.edu


-----BEGIN PGP SIGNED MESSAGE-----

As people are complaining all around about ISPs,
here is my small question. Who has a _working_ contact at
"CalPOP" (216.240.128.0/19 and others). It is not in puck :(

If anybody has a working one please mail it to me offlist so
that the following long version of the problem can be solved.

Is there anything alive at CalPOP that doesn't try
to abuse open proxies for massively spamming hotmail ?

These are the hits from Sep 3rd:

216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:20 +0200] "CONNECT 65.54.167.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:22 +0200] "CONNECT 65.54.254.151:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:24 +0200] "CONNECT 65.54.252.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:25 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:28 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:29 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:30 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"

Since 29 Sep they did that 13007 times to the same box.
Quite persistent apparently, as previously at 10-15 August
they used 216.240.129.201 + .205 to hit that box for another
17502 times, and that one stopped mysteriously after mailing
abuse@calpop.com & noc@calpop.com & sam@calpop.com (as shown in whois).
Unfortunately without any reply whatsoever, and apparently
they are continuing to scan for open HTTP CONNECT proxies.

I know the 200 response should indicate a CONNECT success.
But unfortunately if one loads up an apache2 with PHP, suddenly
it starts passing _all_ methods to PHP, which nicely responds with a 200.
But it is perfect for logging some nice data from the wanna-be-spammer.
<Limit CONNECT>Deny from all</Limit> solves that of course, but that
spammer needs to go, and the contacts don't work. This acts as a
perfect spamtrap honeypot btw, especially as they keep trying.

Before anyone asks the IP being hit is on a DSL line so they are
quite probably scanning all the DSL networks for open proxies.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/

iQA/AwUBP1aErymqKFIzPnwjEQJy9QCfSQep7SBrrZ6xaQySWJ/LTwgqFNEAoKkB
TErNe82mRJXd5JyoLMneYEVw
=xLmY
-----END PGP SIGNATURE-----
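The triage Jeroen describes above (pull CONNECT requests out of an Apache access log, count per source how many aim at port 25, and do it without trusting the 200) is easy to script. The following Python is an added example; it is not part of Jeroen's message or the NANOG archive. The sample log lines are constructed to mirror the format of the ones quoted in the post but use RFC 5737 documentation addresses, and the flagging threshold (three or more CONNECTs to port 25 from one source) is an arbitrary choice for illustration.

```python
"""Spot open-proxy / SMTP-relay probing in Apache 'combined' access logs.

Added example, not from the original post. Parses combined-format lines,
keeps the CONNECT requests and reports, per source IP, how many targeted
port 25. The HTTP status is deliberately ignored when flagging: as the post
notes, an Apache+PHP box can answer 200 to CONNECT without proxying anything,
so a 200 says nothing about whether a relay attempt actually worked.
"""
import re
from collections import defaultdict

# Apache LogFormat "combined":
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*"$'
)

# Constructed sample (RFC 5737 addresses, made-up timestamps); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 198.51.100.99:25 HTTP/1.0" 200 2366 "-" "-"
192.0.2.10 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 198.51.100.5:25 HTTP/1.0" 200 2366 "-" "-"
192.0.2.10 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 198.51.100.230:25 HTTP/1.0" 200 2366 "-" "-"
192.0.2.10 - - [03/Sep/2003:06:27:20 +0200] "CONNECT 198.51.100.230:25 HTTP/1.0" 200 2366 "-" "-"
192.0.2.10 - - [03/Sep/2003:06:27:22 +0200] "CONNECT 198.51.100.151:25 HTTP/1.0" 200 2366 "-" "-"
192.0.2.10 - - [03/Sep/2003:06:27:24 +0200] "CONNECT 198.51.100.99:25 HTTP/1.0" 200 2366 "-" "-"
192.0.2.44 - - [03/Sep/2003:06:30:01 +0200] "CONNECT 203.0.113.7:443 HTTP/1.1" 200 2366 "-" "-"
192.0.2.77 - - [03/Sep/2003:06:31:09 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.77 - - [03/Sep/2003:06:31:10 +0200] "POST /form.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def split_connect_target(target):
    """CONNECT uses authority-form 'host:port'. Return (host, port) or None."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def connect_stats(lines):
    """Per source IP, for CONNECT requests only:
    {'total': n, 'smtp': n, 'ports': {..}, 'targets': {..}}."""
    stats = defaultdict(lambda: {"total": 0, "smtp": 0, "ports": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        parsed = split_connect_target(rec["target"])
        if parsed is None:
            continue
        host, port = parsed
        s = stats[rec["src"]]
        s["total"] += 1
        s["ports"].add(port)
        s["targets"].add(host)
        if port == 25:
            s["smtp"] += 1
    return dict(stats)


def flag_relay_scanners(lines, min_attempts=3):
    """Sources with at least min_attempts CONNECTs to port 25, regardless of
    status code. Returns [(src, smtp_attempts, distinct_hosts)] sorted by
    attempts, most active first."""
    hits = []
    for src, s in connect_stats(lines).items():
        if s["smtp"] >= min_attempts:
            hits.append((src, s["smtp"], len(s["targets"])))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, attempts, hosts in flag_relay_scanners(SAMPLE_LOG.splitlines()):
        print(f"{src}: {attempts} CONNECTs to :25 across {hosts} distinct MTAs")
```

Run it against a real file with `flag_relay_scanners(open("access_log"))`. For the server-side fix, the `<Limit CONNECT>Deny from all</Limit>` in the post is the httpd 2.2 syntax; on httpd 2.4 the same directive is `<Limit CONNECT>Require all denied</Limit>`, and `<LimitExcept GET POST HEAD>Require all denied</LimitExcept>` is the allowlist form that also stops other unexpected methods from reaching a PHP handler. The probes keep arriving after the fix, so the log-side count remains useful for the abuse report.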
