At 9:51 AM -0700 2/26/02, Lane Roathe imposed structure on a stream of electrons, yielding:
>Hello all,
>
>For many years my domain, IFD.COM, has been hijacked by Swiss Bank (now
>known as ubswarburg). Beyond the few emails containing confidential
>financial information and some interesting love letters the traffic was
>fairly small, and since Swiss Bank refused to even talk to me about it I
>basically put up with it, and once I started using SIMS I no longer got
>the email into my inbox so it was pretty much invisible.
>
>Until a few weeks ago when my Centris 610 (which ran DNS and email for
>me) started crashing often. This weekend it crashed and wouldn't start
>back up, kept crashing as soon as a network connection was established. I
>finally started up w/o networking and noticed that the SIMS logs were
>several MB each (I am used to 22K sized logs, and I log very little
>normally). Examination of the logs revealed that I was getting 100 to 200
>emails per minute from Swiss Bank! So, I took down my development machine
>(an 8500 w/a 400MHz G3 and SCSI RAID array) and made it my email server.
>Complete overkill, but it's handling the load now.
>
>My question is how do I get Swiss Bank to stop using my domain? Here are
>the relevant details:
>
>1. Internic and Dotster both say there is nothing they can do because
>Swiss Bank has not actually "stolen" the domain, it's still registered to me.
>
>2. Swiss Bank seems to be using my domain internally, and for years only
>a few emails leaked out. Now, it seems they are using it for mailing
>lists, including UCE with invalid return addresses (within usbwarburg.com).
>
>3. Here are some log entries, there are thousands in my logs:
>
>- normal logging -
>06:16:10 1 SMTP-564(gate.chi.ubswarburg.com) SPAM? Recipient '<SH-OCADM-
>[EMAIL PROTECTED]>' rejected: user unknown
>02:03:13 1 SMTP-225(gate.ldn.swissbank.com) SPAM? Recipient '<SH-GGL-
>[EMAIL PROTECTED]>' rejected: user unknown

[snip]

All the sending machines seem to be Swiss Bank/UBS Warburg machines. That's good. You should be able to do a few DNS lookups and a bit of ARIN/RIPE whois work to find all their network space. This is the sort of thing firewalls are made for, and you SHOULD block the traffic. The less involvement you have in their idiotic misconfiguration and resulting mail fiasco, the better. Note that all of this internal mail aimed at ifd.com addresses is definitely bouncing somewhere, even if they eventually route it all to /dev/null.

>NOTE: the "blacklist" seems to be a SIMS thing, I do not have a blacklist
>setup (ie, not using ORBS, etc.)

Yes. SIMS temporarily bans any host which attempts to send to too many bogus addresses. It's a great protection against 'dictionary attack' harvesting and spamming.

>All emails to support/abuse/postmaster/webmaster @ ubsw/swissbank/
>ubswarburg have been ignored, or at least not a single response. Any help
>appreciated, like to get my bandwidth back!

Go postal. Hire a lawyer to send their legal department a real physical 'cease and desist' letter outlining what this is doing to your system and explaining what you've tried to do online to get them to stop.

You might also be able to get law enforcement interested in this. This company is effectively mounting a denial-of-service attack on you across the Internet, and that is a felony in the US. The fact that they are a big banking company whose ultimate parent is in .ch makes no difference: they are attacking your machine in Colorado, USA and so they are committing a felony in Colorado, USA. Besides which, they have US operations (big ones) so they are quite accessible. It looks like 'gate.chi.ubswarburg.com' is actually in Chicago.

Another option: talk to their upstream provider(s) about this. It looks like Cable & Wireless (sadly, better known as Clueless & Witless in net-abuse circles) for the Chicago machine, and PSI-UK (try [EMAIL PROTECTED]) for the London one.

And of course, Dale's suggestion about going public is a fine idea. Even if you can't get "real" media interested, Slashdot is always there and a surprising number of people in "real" media use it as a place to sniff out good 'net' stories.

--
Bill Cole
[EMAIL PROTECTED]
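
Added example (not part of the original message, and not SIMS code): a Python script that tallies 'user unknown' rejections per sending host from a log in the format quoted above, giving the host list to feed into the DNS and ARIN/RIPE whois lookups before writing firewall rules, plus a peak per-minute rate for each host. The log format is inferred from the two quoted lines; the sample log, its recipient addresses and the function names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the quoted log lines. Recipient
# addresses are placeholders (the archive redacted the real ones).
SAMPLE_LOG = """\
06:16:10 1 SMTP-564(gate.chi.ubswarburg.com) SPAM? Recipient '<list-a@ifd.example>' rejected: user unknown
06:16:41 1 SMTP-565(gate.chi.ubswarburg.com) SPAM? Recipient '<list-b@ifd.example>' rejected: user unknown
02:03:13 1 SMTP-225(gate.ldn.swissbank.com) SPAM? Recipient '<list-c@ifd.example>' rejected: user unknown
02:03:14 1 SMTP-226(mail.other.example) message accepted
"""

# Assumed line layout: HH:MM:SS level SMTP-<id>(<host>) ... rejected: user unknown
REJECT = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\d+\s+SMTP-\d+\((?P<host>[^)]+)\)"
    r".*Recipient\s+'<[^>]*>'\s+rejected: user unknown"
)

def parent_domain(host):
    # Assumption: the last two labels identify the owner, which holds for
    # the .com hosts in the quoted log but not for names like example.co.uk.
    return ".".join(host.rstrip(".").split(".")[-2:])

def summarize(log_text):
    """Return (rejects per host, rejects per parent domain, peak per minute per host)."""
    by_host, by_domain, per_minute = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if not m:
            continue  # accepted mail and unrelated entries are ignored
        host = m.group("host").lower()
        by_host[host] += 1
        by_domain[parent_domain(host)] += 1
        per_minute[(host, m.group("time")[:5])] += 1
    peak = Counter()
    for (host, _minute), n in per_minute.items():
        peak[host] = max(peak[host], n)
    return by_host, by_domain, peak

def lookup_worklist(log_text, min_rejects=1):
    """Hosts to resolve and whois, noisiest first, before blocking their networks."""
    by_host, _, _ = summarize(log_text)
    return [h for h, n in by_host.most_common() if n >= min_rejects]

if __name__ == "__main__":
    hosts, domains, peak = summarize(SAMPLE_LOG)
    for h in lookup_worklist(SAMPLE_LOG):
        print(f"{h}: {hosts[h]} rejects, peak {peak[h]}/min")
```

The host names are taken as logged, so confirm each one resolves to address space registered to the same organisation before turning the list into firewall rules.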
