[nsp-sec] Ping: Google/GMail
Krista Hickey
Krista.Hickey at cogeco.com
Fri Feb 29 10:08:16 EST 2008
On Feb 28, 2008, John Fraizer wrote:
> Can I share this information internally here with the restriction of it
> not leaving the company?
Yup, go nuts. Anything you/we can do to shut these guys down is A-OK
with me. If you guys want more on this or want me to go more in-depth
about our experience and the magic words I said to my company to get
them to agree to aggressive filtering let me know either on or off list.
They say a picture is worth a thousand words so I've attached a snapshot
of our monthly view of mail stats (sorry, I removed the X/Y definitions
to avoid having to arm wrestle the business to let me share), midway
through the graph you can see the obvious effects of filtering those
ASNs from touching our webmail.
Krista
7992
-----Original Message-----
From: John Fraizer [mailto:john at op-sec.us]
Sent: Thursday, February 28, 2008 11:46 PM
To: Seth Hall
Cc: Krista Hickey; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Ping: Google/GMail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Seth and Krista,
Can I share this information internally here with the
restriction of it not leaving the company? I'll redact your
names/companies and any identifying information of course.
Seth Hall wrote:
>
>
>
> On Feb 28, 2008, at 4:54 PM, John Fraizer wrote:
>
>> Looks like 81.199.0.0/16 is eat up, huh?
>> Seth, are you seeing similar?
>
> Yep.
>
> After checking activity against our webmail server with the ASNs
> Krista mentioned, I found a compromised account here that had been
> logged into from the following addresses today, it matches what you
> were seeing on 81.199.0.0/16 too.
>
> 3352  | 80.30.243.77   | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
> 12491 | 81.199.43.174  | IPPLANET-AS IPPlanet
> 12491 | 81.199.48.147  | IPPLANET-AS IPPlanet
> 12491 | 81.199.172.188 | IPPLANET-AS IPPlanet
> 22351 | 80.255.59.243  | INTELSAT Intelsat Global BGP Routing Policy
>
> Thanks for the naughty webmailers AS list Krista!
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org
iD8DBQFHx44E+16lRpJszIgRAqISAJwOMB2WUiJj+eS4WTFS25267HHE4gCfdm3n
loPEi+z29KgYvEQe2UB957s=
=q0h7
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: month_mail.jpg
Type: image/jpeg
Size: 51664 bytes
Desc: month_mail.jpg
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080229/c0cc224a/attachment-0001.jpg>