First step was to call the ISP who controls the subnet. Had to tell them it was a denial of service attack (it was; our server was on its knees -- not the same one that runs brin-l, though) before they took real notice. Spam is routine, DoS isn't. After I sent them a sample of the 340MB of log files (ultimately) to examine, they promised to take action.
Then I called our virtual server host, Verio, which didn't help a bit. No clue about what they could do about firewalling out those addresses. Oh, well. Meanwhile, we started working on reconfiguring Squid to block them (not easy to get right in a reverse proxy!).
Meanwhile, I was trying to figure out who owned the machines responsible, so I port-scanned them with nmap and noticed that each one was running smtp... so I connected to them with telnet on port 25 -- for those who are now lost, that means I was pretending to be a mail relay delivering mail to them. Three of the four didn't tell me anything, but the fourth one contained a domain name. Looking that up on whois, I found it registered to a company in Toronto... and when I did a traceroute to that domain, it went to the same subnet. Got 'em. And surprisingly, the whois information was somewhat accurate, at least for the address and phone number.
In a very surprising coincidence, I found that they're in the same building, on the same floor, as the company we use for DNS and domain registration. Bizarre. But a totally separate company. So I called and got "Chris" on the phone, who told me that the attack must be coming from one of their customers. "Are you an ISP?" "Yes, we provide Internet connectivity to a number of companies around here."
That story fell apart when I pointed out that they own the domain name that's in the machine that's doing the attack... and later when I looked at their web page -- www.net-nucleus.com, which describes them as an e-mail marketing company. Nothing about ISP services. Spammer!
"Chris" also told me he had no idea who Mediacolumn Marketing is, which is listed as the owner of the domain net-nucleus.com, saying that they're a former client. Nor did he know who "Jen Minuchi," the listed contact name, is. But this Jen Minuchi's e-mail address, in the whois records, is "[EMAIL PROTECTED]" -- and Chris told me that his last name is Miseresky. Even spelled it for me.
Being as resourceful as I am, I managed to find the contact info for the building's property manager, so I called him and told him what kind of business was in that office. Spamming isn't illegal everywhere yet, but theft of computer services -- hijacking our proxy server -- certainly is. The manager said he'd tell the building owners, but he's not sure if they'll even understand.
Wish there was more to the story, but not yet. I can't even quite figure out where to report this spammer, since he's going through proxy servers. I guess there needs to be a proxy server black hole list.
-- Nick Arnett Phone/fax: (408) 904-7198 [EMAIL PROTECTED]
_______________________________________________ http://www.mccmedia.com/mailman/listinfo/brin-l
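The post mentions two defensive chores that are easy to get wrong: sifting 340MB of proxy logs to find which clients were abusing the server, and reconfiguring Squid so a reverse proxy actually refuses them. The script below is an added illustration, not the poster's own tooling. It assumes Squid's default "native" access.log layout (timestamp, elapsed ms, client IP, result/status, bytes, method, URL, ident, hierarchy/peer, content type); the log lines, client addresses and served hostname are constructed from RFC 5737 documentation ranges and example domains. The detection heuristic it uses is that a reverse proxy only ever serves its own sites, so any client requesting some other host is treating it as an open relay.

```python
"""Triage a Squid access.log for clients abusing a reverse proxy and emit
the squid.conf fragment that blocks them.

Added example, not the original poster's code.  Assumes Squid's native
access.log format.  All addresses and hostnames below are constructed
(RFC 5737 ranges, example.* domains), not real attackers or victims.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: two sources relaying through us to a third-party
# host, plus one legitimate visitor of the site we actually serve.
SAMPLE_LOG = """\
984151322.101    120 198.51.100.7 TCP_MISS/200 4213 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html
984151322.155     12 192.0.2.41 TCP_MISS/200 512 GET http://mail.example.net/cgi-bin/send - DIRECT/203.0.113.77 text/html
984151322.160     11 192.0.2.41 TCP_MISS/200 512 GET http://mail.example.net/cgi-bin/send - DIRECT/203.0.113.77 text/html
984151322.171     13 192.0.2.42 TCP_MISS/200 512 GET http://mail.example.net/cgi-bin/send - DIRECT/203.0.113.77 text/html
984151322.180     10 192.0.2.41 TCP_MISS/200 512 GET http://mail.example.net/cgi-bin/send - DIRECT/203.0.113.77 text/html
984151322.190     14 192.0.2.42 TCP_MISS/200 512 GET http://mail.example.net/cgi-bin/send - DIRECT/203.0.113.77 text/html
984151322.201    300 198.51.100.7 TCP_HIT/200 9901 GET http://www.example.org/list/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into the fields we need.
    Returns None for blank or torn lines so one bad line in a huge
    log does not abort the whole run."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {
        "client": parts[2],
        "status": parts[3],
        "method": parts[5],
        "url": parts[6],
        "host": urlsplit(parts[6]).hostname or "",
    }


def parse_log(text):
    """Parse every usable line of the log text into a list of records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def requests_per_client(records):
    """Plain request volume per client IP, the first thing to look at."""
    return Counter(r["client"] for r in records)


def foreign_requests(records, served_hosts):
    """Requests per client whose destination is NOT a site this reverse
    proxy serves, i.e. the client is using us as an open relay."""
    served = {h.lower() for h in served_hosts}
    return Counter(r["client"] for r in records
                   if r["host"].lower() not in served)


def abusive_clients(records, served_hosts, threshold):
    """Clients with at least `threshold` foreign requests, sorted so the
    generated config is stable across runs."""
    foreign = foreign_requests(records, served_hosts)
    return sorted(ip for ip, n in foreign.items() if n >= threshold)


def squid_deny_block(clients, acl_name="abusers"):
    """Render the squid.conf fragment.  Squid evaluates http_access lines
    in order and stops at the first match, so in accelerator (reverse
    proxy) mode this deny must precede the allow for the accelerated
    site or it never fires."""
    lines = [f"acl {acl_name} src {ip}" for ip in clients]
    lines.append(f"http_access deny {acl_name}")
    lines.append("# keep the existing 'http_access allow <site acl>' AFTER this")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(requests_per_client(recs))
    bad = abusive_clients(recs, ["www.example.org"], threshold=2)
    print(squid_deny_block(bad))
```

On a real log, feed `parse_log` the file contents in chunks (or iterate lines and call `parse_line` directly) rather than loading 340MB into memory, and raise the threshold well above what a single browser produces. The "foreign destination" rule is the useful part: a volume-only filter can be tuned to miss a slow relay, but a reverse proxy has no legitimate reason to fetch someone else's site at all.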
