From: security curmudgeon (jericho@attrition.org) To: abuse@dsl-verizon.net, christian.andersen@verizon.com, abuse@verizon.net Cc: Declan McCullagh (declan@well.com) Date: Thu, 11 Sep 2003 00:01:16 -0400 (EDT) Subject: Daily CGI Formmail Spam Attempts DSL-VERIZON.NET: The following IP address has been responsible for near daily attempts to relay spam through us. My first complaints to you began before 7-21-03 and went unanswered. The spam attempts did not stop, and I put a note in our files blocking any SMTP traffic from that server. Almost two months later, and this IP is still responsible for attempting to spam through us. In the past, several complaints were bounced back to us because you failed to maintain the appropriate IETF standard mailboxes (abuse/postmaster). Once that was resolved, the mailboxes would routinely bounce to them being "full". You have been made aware of this repeatedly, to the tune of several times a week. Not once has anyone replied or taken action. The spam relay attempts from your network are a persistant problem that you fail to address. It is crystal clear that dsl-verizon.net/verizon.net supports spammers that pay them money. I am CCing one journalist who takes an interest in these types of issues, and BCCing a dozen more that cover technology/security. I hate resorting to this type of mail but you leave me no other choice. For the last time, please deal with your customers violating the Verizon AUP. lsanca2-ar36-4-63-162-008.lsanca2.dsl-verizon.net - - [10/Sep/2003:03:57:17 -0400] "GET /cgi-bin/formmail.cgi?realname=cxnrs%20rtmimb&recipient=piscesali@aol.com&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/formmail.cgi&message=ihprs%20obifxopznqx%20cmtngtfesjr%20kmznsp HTTP/1.1" 403 372 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" lsanca2-ar36-4-63-162-008.lsanca2.dsl-verizon.net - - [10/Sep/2003:03:57:17 -0400] "GET /cgi-bin/FormMail.pl?realname=qoalx%20trxfny&recipient=piscesali@aol.com&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/FormMail.pl&message=rwifu%20vlvycxnrsrt%20fimbhhprsob%20ifxopz HTTP/1.1" 404 1883 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" lsanca2-ar36-4-63-162-008.lsanca2.dsl-verizon.net - - [10/Sep/2003:03:57:18 -0400] "GET /cgi-bin/formmail/FormMail.cgi?realname=gfiae%20hqddlg&recipient=piscesali@aol.com&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/formmail/FormMail.cgi&message=hdpet%20sjdojelqihb%20bptznxnzioi%20henlxp HTTP/1.1" 404 1863 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" lsanca2-ar36-4-63-162-008.lsanca2.dsl-verizon.net - - [10/Sep/2003:03:57:18 -0400] "GET /cgi-bin/formmail/FormMail.pl?realname=llfyl%20xdkbjc&recipient=piscesali@aol.com&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/formmail/FormMail.pl&message=erlkh%20qpalxayegny%20zdigucmwfcx%20nssrum HTTP/1.1" 404 1872 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" lsanca2-ar36-4-63-162-008.lsanca2.dsl-verizon.net - - [10/Sep/2003:03:57:18 -0400] "GET /cgi-bin/formmail/formmail.pl?realname=svkrr%20zacyks&recipient=piscesali@aol.com&email=WantDis@aol.com&subject=http://www.attrition.org/cgi-bin/formmail/formmail.pl&message=ogxyi%20xzglwcwpdon%20bsbuwjwcyig%20scpljp HTTP/1.1" 404 1836 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" Past dsl-verizon.net offenders. Between 03/03 and 07/03 we stopped taking note of these probes, but the continued abuse from this specific IP address made us take note. lsanca2-ar36-4-63-162-008.lsanca2.dsl-verizon.net - (07-21-03) lsanca2-ar34-4-62-254-176.lsanca2.dsl-verizon.net - (03-15-03) evrtwa1-ar10-4-40-153-186.evrtwa1.dsl-verizon.net - (02-28-03) evrtwa1-ar10-4-61-234-048.evrtwa1.dsl-verizon.net - (01-16-03) tamqfl1-ar9-4-46-177-017.tamqfl1.dsl-verizon.net - (01-09-03) (01-10-03) tamqfl1-ar2-4-63-174-059.tamqfl1.dsl-verizon.net - (01-07-03) (01-08-03) (01-11-03) (01-12-03)