An off-topic, unsolicited, unwelcome commercial newsgroup posting was
received (allegedly) from [log in to unmask] to the comp.sys.hp.mpe
newsgroup and subsequently echoed to the [log in to unmask] mailing
list. This message is being posted to relevant identified parties in
the spam origins as well as the spam-l listserv list and copied to the
recipients of the HP3000-L mailing list who were victimized by this
blatant abuse of network resources (I am the list administrator) for
which I profusely apologize to my readers, but hopefully this will
thwart any ill feelings from our otherwise civilized list. I must also
apologize to them for this *further* waste of bandwidth but feel that
they deserve an explanation and clear evidence that action has been
taken (especially in light of e-mail forgery/spam being a recent list
topic).
This particular spam started over 24 hours ago as I received it from the
nodmgt-l listserv list (echoed from bit.listserv.nodmgt-l); it was
reported on news.admin.net-abuse.misc earlier today and I presumed that
the incident was over. Now we have a new posting, from a new return
address, but with the same NNTP posting host and header trace info.
This evidence, coupled with recent news.admin.net-abuse.misc discussions
over the apparently unresponsive earthlink.net (posting origin) and
uu.net (ISP for earthlink) are reaching a peak. Please take *some*
action on this abuse; the violations are numerous, the evidence is
considerable, but the net administration community has seen an apparent
disregard for any attention or control on your end. At the risk of
sounding like a raving fanatic (which I am certainly not) I will retreat
to subjective evidence.
The "From:" address (trivially forged, but for the record) is
<[log in to unmask]>. This is a non-existant host (local info faked):
xyzzy.utc.edu% nslookup wstarztv.net
Server: xyzzy.utc.edu
Address: www.xxx.yy.zz
*** xyzzy.utc.edu can't find wstarztv.net: Non-existent host/domain
Next we have, from the headers:
NNTP-Posting-Host: cust78.max19.washington.dc.ms.uu.net
Date: Tue, 4 Mar 1997 22:21:34 GMT
That should be sufficient to check NNTP logs. uu.net contact info in
whois lists uu.net recipients in the header.
The Path: field ends with:
uunet!in1.uu.net!206.250.118.17!nntp.earthlink.net!usenet
earthlink was an injection site, as was 206.250.118.17:
Name: mars-c.earthlink.net
Address: 206.250.118.17
The nntp.earthink.net server is just an alias:
Name: mars-c.earthlink.net
Address: 206.250.118.17
Aliases: nntp.earthlink.net
The advertised host is www.nude-celebs.com which is:
T.H.E. (NUDE-CELEBS-DOM)
1522 Rotunda Dr.
Queens Village, NY 23703
US
Domain Name: NUDE-CELEBS.COM
Administrative Contact:
Hancock, James (JH5247) [log in to unmask]
757 484-7128
Technical Contact, Zone Contact:
Wiedmeier, Vic (VW125) [log in to unmask]
(213) 637-3485 (FAX) (213) 385-6182
They receive nameservice from:
Domain servers in listed order:
NS1.INTERNETCONNECT.NET 206.171.236.2
NS1.PBI.NET 206.13.28.11
PBI.NET is PacBell:
[No name] (PBI2-HST) PBI.NET 206.13.12.28
Pacific Bell Internet Services (PBI3-DOM) PBI.NET
The internet address block is a bulk assignment to PacBell. The other
server, Internetconnect.net is:
CDC Development Corp. (INTERNETCONNECT2-DOM)
3250 Wilshire Blvd., Suite 2008
Los Angeles, CA 90010
US
Domain Name: INTERNETCONNECT.NET
Administrative Contact:
Young, Cliff (CY180) [log in to unmask]
(213) 637-3485 (FAX) 213) 385-6182
Technical Contact, Zone Contact:
InternetConnect, Webmaster (WI62) [log in to unmask]
213 637-3485 (FAX) 213 385-6182
Record last updated on 28-Feb-97.
Record created on 29-Apr-96.
Domain servers in listed order:
NS1.INTERNETCONNECT.NET 206.171.236.2
NS1.PBI.NET 206.13.28.11
Again, PBI/Internetconnect connection.
If there is any retribution available to you in your terms of service
agreement/acceptable use policy for your customers, please take action
to insure that this incident does not recur. Your co-operation would be
greatly appreciated.
Jeff Kell <[log in to unmask]> utc.edu postmaster/listserv administrator
|