RE: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
The bulk of the 218.0.0.0 Class A range is allocated to provincial entities in the PRC. The other big source of addresses I have seen is the 61.0.0.0 subnet which is spread between India and the PRC, again in the PRC it seems to be allocated to provincial entities. The 61.11 range in India has been very active trying to fish passwords but strangely whoever is doing it is coming from right across the whole A range.
Snip of repeated ORF event below:
NOTIFICATION - Open Relay Filter Enterprise Edition
===================================================================
The following event has occurred:
Class : Block
Severity : Info
Source : SMTPSVC-1
Related IP : 61.11.47.52
Text description:
=================
Blocked. Recipient address (user3(a)989888.com) is not listed in the Active Directory. Sender: test(a)yahoo.com.
SMTP response:
End snip.
This particular event just won't stop.
Geoff Williams
-----Original Message-----
From: Joe Abley [mailto:jabley(a)isc.org]
Sent: Tuesday, 28 October 2003 12:41 PM
To: Geoff Williams
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
On 27 Oct 2003, at 17:25, Geoff Williams wrote:
I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China.
Which class A networks do you think are allocated to a provider in China?
This email is confidential and intended for the recipient only. If you receive it in error please delete it immediately.
On Tue, 28 Oct 2003, Geoff Williams wrote:
The bulk of the 218.0.0.0 Class A range is allocated to provincial entities in the PRC.
Except for the /17's out of this class A which are allocated to NZ entities such as TelstraClear. Blocking this would be inadvisable.
---
Matt Camp
Geoff and all,
This ip 61.11.47.52, belongs to:
61.11.32.0 - 61.11.127.255
netname: DISHNET
descr: DISHNETDSL Limited,
descr: 19 Cathedral Garden Road
descr: Chennai 600 034
country: IN
admin-c: DIH1-AP
tech-c: DIH1-AP
remarks: role objects for Dishnet IP Administrators
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-DISHNET
changed: hostmaster(a)apnic.net 20010227
status: ALLOCATED PORTABLE
source: APNIC
role: DISHNET IP Hostmaster
address: DishnetDSL Limited
address: 19, Cathedral Garden Road
address: Chennai, 600 034
phone: +91-44-825 6201
phone: +91-44-825 6149
phone: +91-44-826 9801
fax-no: +91-44-825 7477
e-mail: ip-admin(a)ddsl.net
trouble: Network abuse issues and SPAM complaints
trouble: should be sent to abuse(a)eth.net
admin-c: BR31-AP
tech-c: BR31-AP
nic-hdl: DIH1-AP
remarks: role object for Dishnet IP Administrators
notify: ip-admin(a)ddsl.net
mnt-by: MAINT-IN-DISHNET
changed: bbreddy(a)ddsl.net 20020530
source: APNIC
Geoff Williams wrote:
The bulk of the 218.0.0.0 Class A range is allocated to provincial entities in the PRC.
The other big source of addresses I have seen is the 61.0.0.0 subnet which is spread between India and the PRC, again in the PRC it seems to be allocated to provincial entities. The 61.11 range in India has been very active trying to fish passwords but strangely whoever is doing it is coming from right across the whole A range. Snip of repeated ORF event below:
NOTIFICATION - Open Relay Filter Enterprise Edition
===================================================================
The following event has occurred:
Class : Block
Severity : Info
Source : SMTPSVC-1
Related IP : 61.11.47.52
Text description:
=================
Blocked. Recipient address (user3(a)989888.com) is not listed in the Active Directory. Sender: test(a)yahoo.com.
SMTP response:
End snip.
This particular event just won't stop.
Geoff Williams
-----Original Message-----
From: Joe Abley [mailto:jabley(a)isc.org]
Sent: Tuesday, 28 October 2003 12:41 PM
To: Geoff Williams
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?
On 27 Oct 2003, at 17:25, Geoff Williams wrote:
I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China.
Which class A networks do you think are allocated to a provider in China?
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" - Pierre Abelard
===============================================================
CEO/DIR. Internet Network Eng. SR. Eng. Network data security
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1(a)ix.netcom.com
Contact Number: 214-244-4827 or 214-244-3801
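Added example, not part of any message in the thread: a Python sketch that takes the Related IP from the ORF event and the address range from the APNIC record quoted above, and derives the CIDR blocks of that one allocation next to the size of the enclosing /8. The `inetnum:` label is the standard whois field name, assumed here because the archived record shows the range without it; the function names are this example's own.

```python
import ipaddress
import re

# Constructed from the thread: the ORF event fields and the APNIC record,
# one field per line. "inetnum:" is assumed (standard whois range label).
ORF_EVENT = """\
Class : Block
Severity : Info
Source : SMTPSVC-1
Related IP : 61.11.47.52
"""
WHOIS_RECORD = """\
inetnum: 61.11.32.0 - 61.11.127.255
netname: DISHNET
country: IN
status: ALLOCATED PORTABLE
"""

def related_ip(event_text):
    """Pull the source address out of an ORF notification."""
    m = re.search(r"^Related IP\s*:\s*(\S+)", event_text, re.MULTILINE)
    if not m:
        raise ValueError("no Related IP field in event")
    return ipaddress.ip_address(m.group(1))

def allocation_cidrs(whois_text):
    """Turn the whois inetnum range into the minimal list of CIDR blocks."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.MULTILINE)
    if not m:
        raise ValueError("no inetnum range in whois record")
    first, last = (ipaddress.ip_address(a) for a in m.groups())
    return list(ipaddress.summarize_address_range(first, last))

def scoped_block(event_text, whois_text):
    """Allocation-sized block for the event's IP, compared with its /8."""
    ip = related_ip(event_text)
    cidrs = allocation_cidrs(whois_text)
    if not any(ip in net for net in cidrs):
        # The record does not describe this address; do not guess a block.
        raise ValueError(f"{ip} is outside the allocation in this record")
    slash8 = ipaddress.ip_network(f"{ip}/8", strict=False)
    return {
        "ip": str(ip),
        "block": [str(net) for net in cidrs],
        "addresses": sum(net.num_addresses for net in cidrs),
        "slash8": str(slash8),
        "slash8_addresses": slash8.num_addresses,
    }

if __name__ == "__main__":
    print(scoped_block(ORF_EVENT, WHOIS_RECORD))
```

The two CIDRs cover 24,576 addresses against 16,777,216 in the /8, which is the difference between filtering one allocation and filtering every network that shares its first octet.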
participants (3)
- Geoff Williams
- Jeff Williams
- Matt Camp