
RE: About the Unsolicited Use of Our Legal IP Addresses

  • To: "Rodney Tillotson" < >
    "RIPE anti-spam WG" < >
  • From: "Muharrem Ay (Garanti Teknoloji)" < >
  • Date: Tue, 30 Jul 2002 15:01:12 +0300
  • Cc: < >

Hi Rodney,

Many thanks for your detailed analysis. What happened is that we have been
getting too many emails similar to the one I sent in the last 3-4 months.
All have the same "Received:" line, which includes one of our legal but unused
addresses (194.29.209.49).

I tried the same thing by using SMTP connection with Sendmail in Solaris 2.6.
I wrote those "Received:" lines to the DATA portion, and I can comfortably
confirm that you are right.

An interesting development happened today: we have noticed from the IDS logs that
an IP address belonging to the CONCENTRIC.NET range performs several unicode attack
scans continuously on some days. So, although I had stated that Concentric.Net has
nothing to be blamed for, I don't believe that they are not guilty anymore.

About Tripod and the FreeAccess.exe, those parts are really not important at all,
since we have too many spam mails which are all about different things. So, we are
interested in the source, not the destination. Right?

We would like to know what to do in such a case. We have decided to develop
some strategies about spam & abuse mailing activities, an Acceptable Use Policy,
and also actions to take when faced with such events. Also, we need to think of
saving ourselves. We need to know whom to talk with and/or register with in order
to declare that we are in no way involved in a mass mailing activity, that we are
opposed to such things, and that we would like to cooperate with anyone who insists on
blaming us for involvement in such an activity, in order to clarify the situation and
prevent attacks.


Any comments?

Thanks in advance.



__________________________________________
Muharrem AY
Garanti Technology 
IT Security Department
Phone	: +90.212.4783422
Fax	: +90.212.6570473
Mailto	: muharremay@localhost 
Address	: Evren Mah. Kocman Cd. No: 22
	  34550 Gunesli	Istanbul/TURKEY
www.garantitechnology.com
__________________________________________


-----Original Message-----
From: Rodney Tillotson [ ]
Sent: Monday, July 29, 2002 5:28 PM
To: RIPE anti-spam WG
Subject: Re: About the Unsolicited Use of Our Legal IP Addresses

At 29/07/2002 12:17 +0300, Muharrem Ay wrote:
> We don't want to be put in the blacklists or shitlists of
> organizations. We would like to get help from you to do this.
> Also, we would be glad if you can tell us what exactly is
> being happening, and what can we be done to get rid.

First, what has happened. Your analysis was right and I've just written it
out in more detail here.

The top Received: line is internal to MSN. Not interesting.

The next line says that the MSN mailer had the message from 61.153.231.139,
somewhere in China. I have to guess that the person who complained to you did
not change that IP address. In this line, '210.179.36.2' is a meaningless
forgery. The bulk mailer connected from the Chinese system with
'HELO 210.179.36.2' to confuse anyone reading the header.

There is no connection between that line and the other Received: lines, so
you have to assume they are fictional and included by the bulk mailing
program to confuse anyone reading the header. _None_ of these addresses:

  159.218.252.32, 137.155.98.192, 88.58.121.118, 194.29.209.49

or these domain names:

  n7.groups.yahoo.com, f64.law4.hotmail.com, anther.webhostingtalk.com,
  da001d2020.lax-ca.osd.concentric.net

had any part in the origination or transmission of the message. The message
passed by the bulk mailer in the DATA phase already included all the false
Received: lines.

So who has done anything wrong here?

The managers of 61.153.231.139, who left it insecure either as an open mail
relay (not to my casual test), an open proxy server of some kind (it is
listening on port 1080), or a system vulnerable to root compromise.

The person who sent the bulk mail. That could be a manager or user of
61.153.231.139 but it probably wasn't. The managers might in principle be
able to partly trace the misuse but they probably won't.

The person operating the advertised Web site. Unfortunately the URL in the
mail is a free Tripod page for which the only responsibility Tripod will
accept is to remove it. Perhaps nobody has asked them, because it's still
there at present.

The person operating the site that the downloaded program FreeAccess.exe
connects to. I haven't dared to try that :-)

I believe you should complain to Tripod (in VE and US), to Chinanet and
perhaps to CN-CERT. There is no guarantee that any of them will help you but
they may close an account and the bulk mailer may move on to some different
forged Received: lines.

Other people may take a more optimistic view?

Rodney Tillotson, JANET-CERT
+44 1235 822 255.


Received: from cpimssmtpa48.msn.com ([10.48.181.222]) by cpimsstra06.email.msn.com with Microsoft SMTPSVC(5.0.2195.4905); Sun, 28 Jul 2002 00:31:59 -0700
Received: from 210.179.36.2 ([61.153.231.139]) by cpimssmtpa48.msn.com with Microsoft SMTPSVC(5.0.2195.4905); Sun, 28 Jul 2002 00:31:52 -0700
Received: from [159.218.252.32] by n7.groups.yahoo.com with SMTP; Jul, 28 2002 12:19:32 AM +0300
Received: from [137.155.98.192] by f64.law4.hotmail.com with QMQP; Jul, 27 2002 11:05:48 PM -0200
Received: from anther.webhostingtalk.com ([88.58.121.118]) by da001d2020.lax-ca.osd.concentric.net with QMQP; Jul, 27 2002 10:28:43 PM +0300
Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net) (194.29.209.49) by f64.law4.hotmail.com with QMQP; Jul, 27 2002 9:14:49 PM -0200
From: Vim hing@localhost < >
To: You
Cc:
Subject: School Girl Teens Caught Fuck'n In Showers !!!!! dmlwt
Sender: Vim hing@localhost
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 28 Jul 2002 00:32:48 -0700
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 1
Return-Path: hing@localhost
Message-ID: < >
X-OriginalArrivalTime: 28 Jul 2002 07:31:59.0606 (UTC) FILETIME=[DBDBF960:01C23608]

HOT FREE MORPHEUS XXX MILLIONS OF MOVIES AND PICS TO DOWNLOAD FOR FREE!!!
Click Here <http://members.tripod.com.ve/alladian828r> To Download Free Software!
P.S DOWNLOAD IT NOW BEFORE IT'S GONE!
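The header walk Rodney performs by hand above, and the point Muharrem confirmed with sendmail (anything below the receiving mailer's own Received: line can be typed into the DATA phase by the sender), as an added example that is not part of the original thread. It parses the Received: chain quoted in the message, treats only lines written by the recipient's own relays as evidence, and reports the real connecting address, the forged HELO, and every address that appears only in sender-supplied lines. The trusted relay names are taken from the quoted headers and are an assumption for the example; in practice the set is your own MTA hostnames.

```python
"""Separate Received: lines written by mailers we trust from the lines the
sender injected in the SMTP DATA phase, and locate the real origin address."""
import email
import re

# ASSUMPTION for this example: the recipient's own provider relays (taken from
# the quoted headers). Only these hosts are trusted to write honest Received: lines.
TRUSTED_RELAYS = {"cpimsstra06.email.msn.com", "cpimssmtpa48.msn.com"}

# Header block of the message quoted on this page (body and most other headers
# omitted; folding added so the stdlib parser sees a realistic header block).
SAMPLE_HEADERS = """\
Received: from cpimssmtpa48.msn.com ([10.48.181.222]) by cpimsstra06.email.msn.com
 with Microsoft SMTPSVC(5.0.2195.4905); Sun, 28 Jul 2002 00:31:59 -0700
Received: from 210.179.36.2 ([61.153.231.139]) by cpimssmtpa48.msn.com
 with Microsoft SMTPSVC(5.0.2195.4905); Sun, 28 Jul 2002 00:31:52 -0700
Received: from [159.218.252.32] by n7.groups.yahoo.com with SMTP; Jul, 28 2002 12:19:32 AM +0300
Received: from [137.155.98.192] by f64.law4.hotmail.com with QMQP; Jul, 27 2002 11:05:48 PM -0200
Received: from anther.webhostingtalk.com ([88.58.121.118]) by da001d2020.lax-ca.osd.concentric.net
 with QMQP; Jul, 27 2002 10:28:43 PM +0300
Received: from unknown (HELO da001d2020.lax-ca.osd.concentric.net) (194.29.209.49)
 by f64.law4.hotmail.com with QMQP; Jul, 27 2002 9:14:49 PM -0200
From: Vim <hing@localhost>
Subject: (spam, body omitted)

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED_RE = re.compile(r"^from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received(value):
    """Split one Received: value into the HELO name, the connecting IP and the 'by' host."""
    value = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    from_part, by_host = m.group("from"), m.group("by")
    # The MTA records the TCP peer in brackets or parentheses after whatever the
    # peer claimed in HELO; prefer those over a bare dotted quad (which may be the HELO).
    ip = None
    for pat in (r"\[(%s)\]" % IPV4, r"\((%s)\)" % IPV4, r"\b(%s)\b" % IPV4):
        found = re.search(pat, from_part)
        if found:
            ip = found.group(1)
            break
    helo_m = re.search(r"\(HELO\s+([^\s)]+)\)", from_part, re.IGNORECASE)
    if helo_m:
        helo = helo_m.group(1)
    else:
        first = from_part.split()[0]
        helo = None if first.startswith("[") else first
    return {"helo": helo, "ip": ip, "by": by_host, "raw": value}


def analyze(raw_message, trusted_relays=TRUSTED_RELAYS):
    """Find the trust boundary in the Received: chain and classify every hop."""
    values = email.message_from_string(raw_message).get_all("Received", [])
    hops = [h for h in map(parse_received, values) if h]
    # Received: lines are prepended, so top-down is newest-first. A line is
    # evidence only while its 'by' host is one of ours; the lowest such line
    # records the peer that actually delivered the message. Everything below
    # it arrived inside DATA and is the sender's claim, not ours.
    boundary = -1
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_relays:
            break
        boundary = i
    if boundary < 0:
        raise ValueError("no Received: line written by a trusted relay")
    origin = hops[boundary]
    findings = []
    if origin["helo"] and re.fullmatch(IPV4, origin["helo"]) and origin["helo"] != origin["ip"]:
        findings.append("HELO %r is a bare address literal that does not match the "
                        "connecting address %s" % (origin["helo"], origin["ip"]))
    return {
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],
        "internal_hops": hops[:boundary],
        "untrusted_hops": hops[boundary + 1:],
        "untrusted_addresses": [h["ip"] for h in hops[boundary + 1:] if h["ip"]],
        "findings": findings,
    }


def classify_address(report, ip):
    """Where an address sits in the chain: 'origin', 'internal', 'untrusted' or 'absent'."""
    if ip == report["origin_ip"]:
        return "origin"
    if any(h["ip"] == ip for h in report["internal_hops"]):
        return "internal"
    if ip in report["untrusted_addresses"]:
        return "untrusted"
    return "absent"


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    print("real origin     :", report["origin_ip"], "(HELO %s)" % report["origin_helo"])
    print("sender-supplied :", ", ".join(report["untrusted_addresses"]))
    for f in report["findings"]:
        print("finding         :", f)
    print("194.29.209.49 is", classify_address(report, "194.29.209.49"))
```

Run against the quoted headers this reports 61.153.231.139 as the only address that demonstrably touched the message and places 194.29.209.49 among the sender-supplied lines, which is the basis for telling a blacklist operator that the address was forged rather than used.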
