Re: UDP against (unmaintained ?) servers currently used for hipcrime attacks



The post below came from nanau this morning. I'm reposting it here so
everyone has a better understanding of what is going on. You can also
use the information to configure a killfile so you won't have to see the
flood.

Xavier Roche wrote:
Hi folks,

A number of badly maintained news servers (or servers not maintained
at all) have been used for the last several weeks as relays to launch
denial-of-service attacks against various Usenet groups, through hipcrime
runs:
- news.suddenlink.net
- news.eskimo.com
- nntp.cavtel.net
- brown.telepac.pt
- news.grnet.gr
- nntp.bresnan.com
- news.rcn.net
- news.infoave.net
..

_None_ of the respective administrators ever replied to complaints,
and the hipcrime runs continue.

A temporary UDP is currently used in an attempt to block the flow of
spam, but a more formal discussion is necessary to keep this measure
active.

Any better suggestion / countermeasure to handle the issue?
Thousands of messages are posted daily to various random groups
(including sci.crypt) without any upstream administrator(s) reaction.



FYI, samples from recent floods

- news.suddenlink.net server

Path:
..!nx01.iad01.newshosting.com!newshosting.com!post01.iad01!news.suddenlink.net!not-for-mail
From: "G. Houghtelling" <lady@xxxxxxxxxxxxx>
Message-ID: <44F6A1D0.0FECD27C@xxxxxxxxxxxxx>
Newsgroups: rec.arts.poems
Subject: label besides manages Genevieve's killing
Date: Wed, 15 Aug 2007 06:34:16 GMT
Organization: Amber's slight address
X-NNTP-Trace: 185.148.142.150 214.49.117.135 241.96.185.84
Lines: 29

Path:
.!club-internet.fr!feedme-small.clubint.net!news.astraweb.com!border2.a.newsrouter.astraweb.com!feeder6.cambrium.nl!feeder5.cambrium.nl!feed.tweaknews.nl!63.218.45.10.MISMATCH!nx01.iad01.newshosting.com!newshosting.com!post01.iad01!news.suddenlink..net!not-for-mail
From: "T. S. Valdes" <kindly@xxxxxxxxx>
Message-ID: <157722AE.99E79356@xxxxxxxxx>
Newsgroups: sci.polymers
Subject: solicitor round seizes Sara's bear
Date: Wed, 15 Aug 2007 04:23:29 GMT
Organization: Evelyn's mean accountant
X-NNTP-Trace: 132.146.59.135 167.109.131.206 215.56.238.174
Lines: 43

Path:
..!nx01.iad01.newshosting.com!newshosting.com!post01.iad01!news.suddenlink.net!not-for-mail
From: morris@xxxxxxxxxxxxxx
Message-ID: <D6B47A67.CF7DADC3@xxxxxxxxxxxxxx>
Newsgroups: talk.bizarre,fr.usenet.abus.d
Subject: who rids namely, when Georgette lacks the european fat in
respect of the wedding
Date: Tue, 14 Aug 2007 06:21:18 GMT
Organization: For Mustapha the programming's structural, before me
it's metropolitan, whereas away from you it's interrupting mere.
Lines: 50
X-Complaints-To: abuse@xxxxxxxxxxxxxx

Path:
..!club-internet.fr!feedme-small.clubint.net!zen.net.uk!demorgan.zen.co.uk!nx01.iad01.newshosting.com!newshosting.com!post01.iad01!news.suddenlink.net!not-for-mail
From: allen@xxxxxxxxxxxxxx
Message-ID: <63200546I38515278@xxxxxxxxxxxxxx>
Newsgroups: fr.usenet.abus.d,it.scienza.ambiente
Subject: other australian sporting organizations will stop terribly
amid piles
Date: Tue, 14 Aug 2007 05:21:56 GMT
Organization: He'll be restoring worth profitable Tim until his reform
corrects physically.
Lines: 51
X-Complaints-To: abuse@xxxxxxxxxxxxxx

- news.rcn.net server

NNTP-Posting-Date: Thu, 16 Aug 2007 01:53:27 -0500
From: exafhe@xxxxxxxxxxxxxx (Ralph)
Message-ID: <A9E00E78.9404B598@xxxxxxxxxxxxx>
Newsgroups: sci.crypt
Subject: talal swings, then Geoff tightly covers a moderate plane in
respect of Allen's laboratory
Date: Thu, 16 Aug 2007 05:14:39 GMT
Organization: try criticising the ministry's happy affection and
Kenneth will ease you
Lines: 48
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 207.237.212.195
X-Trace:
sv3-PHnH7Vn/E6zQhyd+wYj1z+zfGvxVq92iZfgXZCC1uIeTW6bkwOaEk89pCe5fx2EttdUybOaCA0I6hsW!PDVVotyizVKcKkCIhwz8SO7DOSMonh4ULboMz62v2cR1A0QIxPItsKlYfdGZsvQg3GXO
X-Complaints-To: abuse@xxxxxxx
X-DMCA-Complaints-To: abuse@xxxxxxx
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
X-Postfilter: 1.3.35
Path:
..!64.233.178.134.MISMATCH!postnews.google.com!news1.google.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.rcn.net!news.rcn.net.POSTED!not-for-mail

Path:
..!feeder.news-service.com!newsfeed.freenet.de!newspeer1.nwr.nac.net!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.rcn.net!news.rcn.net.POSTED!not-for-mail
NNTP-Posting-Date: Thu, 16 Aug 2007 01:43:59 -0500
From: zUDPvBzpAyc@xxxxxxxxxxxx (Johnny)
Message-ID: <8BF882E1.E7AFCC3A@xxxxxxxxxxxxxxx>
Newsgroups: sci.crypt
Subject: to be theoretical or easy will score royal packets to
forwards eliminate
Date: Thu, 16 Aug 2007 03:53:32 GMT
Organization: if you will weigh Moammar's club in addition to ranks,
it will close might the mill
Lines: 54
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 207.237.212.195
X-Trace:
sv3-kBHSOsyP5GXZ/z7SvXfNewWQVd9eCSNh2b3/odEAjmtaknBL8kI1R7lF7ijCjk3AAYzHb2lDAgAgmDc!aqLJxRadG+tZjroPBMhOXFJLTbGXl0Zox+p+QyLMPJQ/jHb20spFs+4KazsCWvmslpdyMlE=
X-Complaints-To: abuse@xxxxxxx
X-DMCA-Complaints-To: abuse@xxxxxxx
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
X-Postfilter: 1.3.35
X-Original-Bytes: 3879

- news.infoave.net server

Subject: well concerning promotion tight pretends Frederick
From: Jeremy.Tangerman@xxxxxxxxxxx
Date: Thu, 16 Aug 2007 04:41:27 GMT
Message-ID: <757B3560.E670F847@xxxxxxxxxxx>
Lines: 24
NNTP-Posting-Host: 64.203.204.101.dyn-cm-pool-65.hargray.net
Organization: it should longer derive unable and springs our
structural, minimum fears regarding a field
Path:
..!news.cs.univ-paris8.fr!u-psud.fr!crihan.fr!news.ecp.fr!news-out.superfeed.net!sp12lax.superfeed.net!news-in.newsfeeds.com!news.infoave.net!BOWEL.NE.US!Jeremy.Tangerman
Newsgroups: sci.crypt
X-Trace: news04.infoave.net 1187250719 19505 64.203.204.101 (16 Aug
2007 07:51:59 GMT)
X-Complaints-To: abuse@xxxxxxxxxxx
NNTP-Posting-Date: Thu, 16 Aug 2007 07:51:59 +0000 (UTC)

Subject: item within shed undoubtably presumes Ricky
From: Kaye.McGraph@xxxxxxxxx
Date: Thu, 16 Aug 2007 07:01:40 GMT
Message-ID: <0DE89D91.9D029D4B@xxxxxxxxx>
Lines: 44
NNTP-Posting-Host: 64.203.204.101.dyn-cm-pool-65.hargray.net
Organization: don't spread the operators even so, jump them
mysteriously
Path:
..!feeder.news-service.com!38.119.100.149.MISMATCH!out.nntp.be!sp12lax.superfeed.net!news-in.newsfeeds.com!news.infoave.net!EAR.TN.US!Kaye.McGraph
Newsgroups: sci.crypt
X-Trace: news04.infoave.net 1187250856 19530 64.203.204.101 (16 Aug
2007 07:54:16 GMT)
X-Complaints-To: abuse@xxxxxxxxxxx
NNTP-Posting-Date: Thu, 16 Aug 2007 07:54:16 +0000 (UTC)

- nntp.bresnan.com server

Path:
..!club-internet.fr!feedme-small.clubint.net!news.glorb.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.bresnan.com!news.bresnan.com.POSTED!not-for-mail
NNTP-Posting-Date: Tue, 14 Aug 2007 21:09:27 -0500
From: effective@xxxxxxxxxxxxxx (Bernadette)
Message-ID: <EEF705F9.58E1512A@xxxxxxxxxxxxxx>
Newsgroups: sci.engr.lighting,fr.usenet.abus.d
Subject: surprising dear around afternoon
Date: Wed, 15 Aug 2007 00:02:40 GMT
Approved: effective@xxxxxxxxxxxxxx (Bernadette)
Lines: 37
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 72.174.51.72
X-Trace:
sv3-KIfQntTfkk2U7+MY7wIdb410mwwqzb9qjtTRYhiA76RHUMEchBRflirzjJ+PC8m8AMijtAp/WhsJaSh!lwvPktIbSYd/yl7N/Hznmh7JHpzEqMN6EXgvRE8G6X0a4jp1sTPYsdhufEHAHAJS7HSb0YU=
X-Complaints-To: abuse@xxxxxxxxxxx
X-DMCA-Complaints-To: abuse@xxxxxxxxxxx
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
X-Postfilter: 1.3.35

Path:
..!feeder.news-service.com!newsfeed.freenet.de!newspeer1.nwr.nac.net!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.bresnan.com!news.bresnan.com.POSTED!not-for-mail
NNTP-Posting-Date: Tue, 14 Aug 2007 21:08:24 -0500
From: Taysseer Haron Safief <appeal@xxxxxxxxxxxxxx>
Message-ID: <23EAEBAC6D8@xxxxxxxxxxxxxx>
Newsgroups: alt.support.sleep-disorder,fr.usenet.abus.d
Subject: newcomer on to wind
Date: Wed, 15 Aug 2007 02:06:23 GMT
Approved: Taysseer Haron Safief <appeal@xxxxxxxxxxxxxx>
Lines: 53
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 72.174.51.72
X-Trace:
sv3-7k3rB+Z+Wa1YZuXtDNUTni1hEIlmaGafdnXYQleLX6p72VDFjF+94qyqMJ4zzOvIP9F/U3pIsL04DrT!cd463jeSY3+XNPgPRUkTM327By8AgAUItabtMjbRLSJvDcNNgNRa4QIKOwmuR1g=
X-Complaints-To: abuse@xxxxxxxxxxx
X-DMCA-Complaints-To: abuse@xxxxxxxxxxx
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
X-Postfilter: 1.3.35
X-Original-Bytes: 3766

Path:
..!oleane.net!oleane!news-out.newsfeeds.com!local!news.eskimo.com!eskimo.com!not-for-mail
From: MikeL <mike.lottridge@xxxxxxxxxxx>
Newsgroups: soc.sexuality.spanking,comp.robotics.misc
Subject: Re: wireless camera, battery operated
Date: Tue, 14 Aug 2007 07:05:56 GMT
Organization: http://groups.google.com
Lines: 29
Approved: notvalid@xxxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <3129212841.794315.903549@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <1187042325.702685.178690@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
NNTP-Posting-Host: ultra5.eskimo.com
X-Trace: eskinews.eskimo.com 1187077810 26293 204.122.16.68 (14 Aug
2007 07:50:10 GMT)
X-Complaints-To: abuse@xxxxxxxxxx
NNTP-Posting-Date: 14 Aug 2007 07:50:10 GMT
X-Antiabuse: This header was added to track abuse, please include it
with any abuse report
X-Antiabuse: Primary Hostname - newshosting.wingsix.com
X-Antiabuse: Original Domain - moderators.isc.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - radisys.com
X-Source:
X-Source-Args:
X-Source-Dir:
Complaints-To: notvalid@xxxxxxxxxxxxxxxxxxxxxxxx

- news.eskimo.com server

Path:
..!feeder.news-service.com!news-out.newsfeeds.com!local!news.eskimo.com!eskimo.com!not-for-mail
From: "Wayne C. Gramlich" <Gramlich@xxxxxxxxxxx>
Newsgroups: soc.sexuality.spanking,comp.robotics.misc
Subject: Re: Massive newgroup spam attacks?
Date: Tue, 14 Aug 2007 06:04:33 GMT
Organization: AT&T http://yahoo.sbc.com
Lines: 44
Approved: notvalid@xxxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <49D0A8E0.14100@xxxxxxxxxxx>
References: <46BFDCC2.4030500@xxxxxxxxxxx>
<1b3ayn5too.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
NNTP-Posting-Host: ultra5.eskimo.com
X-Trace: eskinews.eskimo.com 1187077985 26321 204.122.16.68 (14 Aug
2007 07:53:05 GMT)
X-Complaints-To: abuse@xxxxxxxxxx
NNTP-Posting-Date: 14 Aug 2007 07:53:05 GMT
X-Antiabuse: This header was added to track abuse, please include it
with any abuse report
X-Antiabuse: Primary Hostname - newshosting.wingsix.com
X-Antiabuse: Original Domain - moderators.isc.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - PacBell.Net
X-Source:
X-Source-Args:
X-Source-Dir:
Complaints-To: notvalid@xxxxxxxxxxxxxxxxxxxxxxxx

- brown.telepac.pt server

From: ODEZW@xxxxxxxxxxxx (Robbie)
Message-ID: <YBxqF6dRC$HR2.6589742@xxxxxxxxxxxxx>
Newsgroups: sci.crypt,soc.culture.jewish.moderated
Subject: i mean tensely, unless Usha overcomes frames according to
Excelsior's grain
Date: Fri, 10 Aug 2007 20:09:50 GMT
Approved: ODEZW@xxxxxxxxxxxx (Robbie)
Organization: All welsh banks communicate Valerie, and they ie hold
Woodrow too.
Lines: 77
NNTP-Posting-Host: 85.139.154.186
X-Trace: 1186789206 news.telepac.pt 25227 85.139.154.186
X-Complaints-To: abuse@xxxxxxxxxxxxxxx
Path:
..!news.tele.dk!news.tele.dk!small.news.tele.dk!lnewsinpeer00.lnd.ops.eu.uu.net!bnewsinpeer00.bru.ops.eu.uu.net!emea.uu.net!newshub.netvisao.pt!nntp.cprm.net!brown.telepac.pt!not-for-mail

Path:
..!news.tele.dk!news.tele.dk!small.news.tele.dk!lnewsinpeer00.lnd.ops.eu.uu.net!bnewsinpeer00.bru.ops.eu.uu.net!emea.uu.net!newshub.netvisao.pt!nntp.cprm.net!brown.telepac.pt!not-for-mail
From: Carolyn <5p3RU9GG@xxxxxxxxxxxxxx>
Message-ID: <62EAEFBA.05EF8EA1@xxxxxxxxxxxxx>
Newsgroups: sci.crypt,rec.humor.jewish
Subject: Re: it can seize once, arise accidentally, then shiver till
the shaft about the mountain
Date: Fri, 10 Aug 2007 19:54:55 GMT
Approved: Carolyn <5p3RU9GG@xxxxxxxxxxxxxx>
Organization: How did Angelo undermine let alone all the theatres? We
can't envisage suppers unless Susan will carelessly exceed afterwards.
Lines: 72
NNTP-Posting-Host: 85.139.154.186
X-Trace: 1186788003 news.telepac.pt 25195 85.139.154.186
X-Complaints-To: abuse@xxxxxxxxxxxxxxx

--
Rhonda Lea Kirk

Some are tempted to think of life in cyberspace as insignificant,
as escape or meaningless diversion. It is not. Our experiences there
are serious play. We belittle them at our risk. Sherry Turkle
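Both countermeasures named above, the UDP (Usenet Death Penalty: cancelling every article injected through the listed servers) and the reader-side killfile the reposter suggests, key on the same piece of evidence in the quoted header samples: the injecting server's own entry in the Path: header. Hipcrime randomises From: and Subject: for every article and can append junk to the right-hand end of Path: (note the "!BOWEL.NE.US!Jeremy.Tangerman" and "!EAR.TN.US!Kaye.McGraph" tails in the infoave samples), but the entry for the server that accepted the post, and everything to its left, is written by relaying servers, not by the poster. The script below is an added example, not code from the original post or from any of the people quoted in it: it folds raw header dumps of the kind shown above, walks Path: from the right to find the first entry that is one of the servers listed by Xavier Roche, tallies groups hit and NNTP-Posting-Host values per injecting server, and emits Path-based score-file rules. The sample headers are constructed (domains replaced with example.invalid, values in the shape of the quoted ones), and the rule format is slrn-style score-file syntax, which is an assumption; check your own reader's documentation before pasting.

```python
import re

# Injecting servers named in the quoted post, as they appear in Path: entries.
SUSPECT_INJECTORS = {
    "news.suddenlink.net", "news.eskimo.com", "nntp.cavtel.net",
    "brown.telepac.pt", "news.grnet.gr", "nntp.bresnan.com",
    "news.rcn.net", "news.infoave.net",
}

# Constructed sample input: abbreviated header blocks in the shape of the quoted
# samples (domains replaced with example.invalid). The last block is a normal
# article, included to show that it is not matched.
SAMPLE = """\
Path: ..!nx01.iad01.newshosting.com!newshosting.com!post01.iad01!news.suddenlink.net!not-for-mail
From: "G. Houghtelling" <lady@example.invalid>
Newsgroups: rec.arts.poems
Subject: label besides manages Genevieve's killing
X-NNTP-Trace: 185.148.142.150 214.49.117.135 241.96.185.84

Path: ..!nntp.giganews.com!local01.nntp.dca.giganews.com!nntp.rcn.net!news.rcn.net.POSTED!not-for-mail
From: exafhe@example.invalid (Ralph)
Newsgroups: sci.crypt
Subject: talal swings, then Geoff tightly covers a moderate plane in
 respect of Allen's laboratory
NNTP-Posting-Host: 207.237.212.195

Path: ..!news-in.newsfeeds.com!news.infoave.net!BOWEL.NE.US!Jeremy.Tangerman
From: Jeremy.Tangerman@example.invalid
Newsgroups: sci.crypt
NNTP-Posting-Host: 64.203.204.101.dyn-cm-pool-65.hargray.net

Path: ..!feeder.example.invalid!news.astraweb.com!not-for-mail
From: someone@example.invalid
Newsgroups: sci.crypt
Subject: Re: a legitimate article
"""


def parse_blocks(text):
    """Split a header dump on blank lines into dicts keyed by lower-cased header
    name; RFC-style continuation lines (leading whitespace) are folded back."""
    blocks = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        hdrs, last = {}, None
        for line in raw.splitlines():
            if line[:1] in (" ", "\t") and last:
                hdrs[last] += " " + line.strip()
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            last = name.strip().lower()
            hdrs[last] = value.strip()
        if hdrs:
            blocks.append(hdrs)
    return blocks


def path_sites(path):
    """Path: entries left to right, lower-cased, with the leading '..' truncation
    marker, 'not-for-mail' and the '.POSTED' injection tag stripped."""
    sites = []
    for entry in path.split("!"):
        entry = entry.strip()
        if not entry or entry.startswith(".") or entry == "not-for-mail":
            continue
        if entry.endswith(".POSTED"):
            entry = entry[: -len(".POSTED")]
        sites.append(entry.lower())
    return sites


def injection_site(headers, suspects=SUSPECT_INJECTORS):
    """Rightmost Path: entry that is a suspected injector, or None.
    Entries to the right of the injecting server can be poster-supplied junk,
    so scanning from the right and stopping at the first known relay skips them."""
    for site in reversed(path_sites(headers.get("path", ""))):
        if site in suspects:
            return site
    return None


def summarize(blocks, suspects=SUSPECT_INJECTORS):
    """Per injecting server: article count, newsgroups hit, posting hosts seen."""
    out = {}
    for h in blocks:
        site = injection_site(h, suspects)
        if site is None:
            continue
        rec = out.setdefault(site, {"count": 0, "groups": set(), "hosts": set()})
        rec["count"] += 1
        rec["groups"].update(g.strip() for g in h.get("newsgroups", "").split(",") if g.strip())
        if h.get("nntp-posting-host"):
            rec["hosts"].add(h["nntp-posting-host"])
    return out


def killfile_rules(suspects=SUSPECT_INJECTORS, score=-9999):
    """One Path:-matching score rule per injecting server (slrn-style layout,
    assumed; adapt to your reader). Matching Path: instead of From:/Subject:
    is the point: those are randomised per article, the Path: entry is not."""
    return [f"[*]\nScore: {score}\nPath: !{re.escape(site)}" for site in sorted(suspects)]


if __name__ == "__main__":
    for site, rec in summarize(parse_blocks(SAMPLE)).items():
        print(f"{site}: {rec['count']} article(s), groups={sorted(rec['groups'])}, hosts={sorted(rec['hosts'])}")
    print("\n\n".join(killfile_rules()))
```

A caveat when reading the output: NNTP-Posting-Host is added by the injecting server and is only as trustworthy as that server, and the giganews-fronted samples above (rcn, bresnan) show the same posting host across many articles while the suddenlink samples carry an X-NNTP-Trace of obviously bogus addresses, so the Path entry is the one field worth filtering on.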
