[nsp-sec] Looking for an Admin at Cincinnati Bell Telephone
Hicks, Howard
Howard.Hicks at CenturyLink.com
Mon Apr 9 12:05:21 EDT 2012
Greetings
This traffic came to our attention at approximately 1900 GMT yesterday and has continued non-stop since that time. Reported rates of unsolicited email to non-existent addresses have exceeded 9000 per minute. The exploited mail servers are at 216.68.8.170 & 216.68.8.175. Any help shutting this down would be greatly appreciated.
AS | IP | AS Name
6181 | 216.68.8.175 | FUSE-NET - Cincinnati Bell Telephone
6181 | 216.68.8.170 | FUSE-NET - Cincinnati Bell Telephone
The above two hosts are either compromised, or acting as open relays.
"9Apr2012" "15:21:19" "Alert" "Drop" "smtp" "34630" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:19" "Alert" "Drop" "smtp" "34631" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:24" "Alert" "Drop" "smtp" "41092" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:24" "Alert" "Drop" "smtp" "41093" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:34" "Alert" "Drop" "smtp" "60136" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:34" "Alert" "Drop" "smtp" "60137" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59915" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59916" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59933" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59934" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:40" "Alert" "Drop" "smtp" "60223" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:40" "Alert" "Drop" "smtp" "60222" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:49" "Alert" "Drop" "smtp" "52082" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:49" "Alert" "Drop" "smtp" "52083" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:55" "Alert" "Drop" "smtp" "47193" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:55" "Alert" "Drop" "smtp" "47194" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50773" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50774" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50961" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50962" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:04" "Alert" "Drop" "smtp" "45464" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:04" "Alert" "Drop" "smtp" "45465" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:11" "Alert" "Drop" "smtp" "36158" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:11" "Alert" "Drop" "smtp" "36157" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
Timestamps are GMT.
--
Howard Hicks
Senior Engineer
CenturyLink
howard.hicks at centurylink.com
612-664-3021
PGP public key BB5ECDA6 <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91D85E81BB5ECDA6>, available at http://pgp.mit.edu/