[nsp-sec] Looking for an Admin at Cincinnati Bell Telephone

Hicks, Howard Howard.Hicks at CenturyLink.com
Mon Apr 9 12:15:10 EDT 2012


Greetings Joel,

This traffic came to our attention at approximately 1900 GMT yesterday and has continued non-stop since that time.  Reported rates of unsolicited email to non-existent addresses have exceeded 9000 per minute.  The exploited mail servers are at 216.68.8.170 & 216.68.8.175.  Any help shutting this down would be greatly appreciated.

AS      | IP               | AS Name
6181    | 216.68.8.175     | FUSE-NET - Cincinnati Bell Telephone
6181    | 216.68.8.170     | FUSE-NET - Cincinnati Bell Telephone


The above two hosts are either compromised or acting as open relays.

"9Apr2012" "15:21:19" "Alert" "Drop" "smtp" "34630" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:19" "Alert" "Drop" "smtp" "34631" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:24" "Alert" "Drop" "smtp" "41092" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:24" "Alert" "Drop" "smtp" "41093" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:34" "Alert" "Drop" "smtp" "60136" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:34" "Alert" "Drop" "smtp" "60137" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59915" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59916" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59933" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:39" "Alert" "Drop" "smtp" "59934" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:40" "Alert" "Drop" "smtp" "60223" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:40" "Alert" "Drop" "smtp" "60222" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:49" "Alert" "Drop" "smtp" "52082" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:49" "Alert" "Drop" "smtp" "52083" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:55" "Alert" "Drop" "smtp" "47193" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:55" "Alert" "Drop" "smtp" "47194" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50773" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50774" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50961" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:21:57" "Alert" "Drop" "smtp" "50962" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:04" "Alert" "Drop" "smtp" "45464" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:04" "Alert" "Drop" "smtp" "45465" "216.68.8.175" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:11" "Alert" "Drop" "smtp" "36158" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"
"9Apr2012" "15:22:11" "Alert" "Drop" "smtp" "36157" "216.68.8.170" "205.171.7.14" "tcp" "4-Standard"

Timestamps are GMT.

--

Howard Hicks
> -----Original Message-----
> From: CASEY, JOEL J [mailto:jc3128 at att.com]
> Sent: Monday, April 09, 2012 11:13 AM
> To: Hicks, Howard; NSP-Sec
> Subject: RE: Looking for an Admin at Cincinnati Bell Telephone
>
> Howard,
>
> How can I help you?
>
> Joel Casey
> Principal Technology Security
> AT&T CSO
> joeljcasey at att.com
> Desk:919-319-8115
> Mobile:919-949-5058
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Hicks, Howard
> Sent: Monday, April 09, 2012 12:05 PM
> To: NSP-Sec
> Subject: [nsp-sec] Looking for an Admin at Cincinnati Bell Telephone
>
> ----------- nsp-security Confidential --------

