RoadRunner started attacking us with a DDoS targeting our MX. Unsure exactly when the DDoS against our MX started, but it began
approximately 2-3 hours ago. A spammer targeted RR customers this evening
with the Pearl Harbor FCU phish. Here is the email header:
Received: from smtp20.orange.fr (HELO smtp-msa-out20.orange.fr)
([80.12.242.27])
by clmboh-mx-05.mgw.rr.com with ESMTP; 24 Nov 2006 18:44:23 -0500
Received: from User (LNeuilly-152-21-126-197.w193-253.abo.wanadoo.fr
[193.253.213.197])
by mwinf2007.orange.fr (SMTP Server) with SMTP id 652621C000C8;
Sat, 25 Nov 2006 00:40:09 +0100 (CET)
The From: address is hservice@castlecops.com.
US-CERT does not have a contact at RR. One of our staff contacted RR
customer service and made it known they are attacking our MX by issuing
bounces:
The following message to <hixgzzl@hawaii.rr.com> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 550-'5.1.1 unknown or illegal alias:
hixgzzl@hawaii.rr.com'
So far I've uncovered the following RR blocks sending these bounce backs:
24.28
65.24
66.75
RR said because we are not a customer, they are denying us service.
The DDoS continues.
Contacted my ISP. He initially filtered those three blocks
(moments ago). Then decided to filter on the hservice@castlecops.com To:.
My ISP is bouncing back to RR saying they are spamming us, and to contact
them immediately.
The same staffer above who called RR
also was told we should email security@. It would hit the general queue and
someone would eventually get to it.
So the firewall is blocking this RoadRunner DDoS, but it continues
nonetheless.
FWIW, the phish link goes to http://cha.powweb.com/phfcu/login.htm.
Posted on Friday, 24 November 2006 @ 21:45:07 UTC by Paul
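The bounces described above are backscatter: RR's servers accept mail with a forged From: and then send the delivery failure to the forged sender's domain. The standard defence on the receiving side is to tag your own outgoing envelope sender so that a bounce for mail you never sent can be recognised and rejected. The following is an added example of that check (a simplified BATV-style prvs tag), not code from the post or from CastleCops; the secret, the hash length and the 7-day validity window are assumptions for the example.

```python
import hashlib
import hmac
import re
import time

# Constructed secret for this example; a real deployment keeps its own private key.
SECRET = b"example-batv-secret"
# prvs=DDDSSSSSS=user@domain : DDD = day counter (mod 1000), SSSSSS = truncated HMAC
PRVS_RE = re.compile(r"^prvs=(?P<tag>\d{3}[0-9a-f]{6})=(?P<addr>[^@]+@.+)$")


def _day(now):
    """Day counter used in the tag; None means 'now'."""
    return int((time.time() if now is None else now) // 86400) % 1000


def _sig(addr, day):
    """6-hex-char HMAC over day and address (truncated for brevity, as BATV does)."""
    mac = hmac.new(SECRET, f"{day:03d}{addr}".encode(), hashlib.sha256).hexdigest()
    return mac[:6]


def sign_sender(addr, now=None):
    """Rewrite the envelope sender of outgoing mail so genuine bounces carry a valid tag."""
    day = _day(now)
    return f"prvs={day:03d}{_sig(addr, day)}={addr}"


def validate_bounce_recipient(rcpt, now=None, max_age_days=7):
    """For a null-sender (MAIL FROM:<>) message, decide whether the bounce is for mail we sent.

    Returns (accepted, reason_or_original_address)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        # Bounce addressed to the bare mailbox: we never sent mail from an untagged
        # sender, so this is backscatter from a forged From: and can be rejected.
        return False, "untagged recipient: backscatter"
    day, sig, addr = int(m["tag"][:3]), m["tag"][3:], m["addr"]
    if (_day(now) - day) % 1000 > max_age_days:
        return False, "tag expired"
    if not hmac.compare_digest(sig, _sig(addr, day)):
        return False, "bad signature: forged tag"
    return True, addr
```

In practice the check runs at RCPT TO time when MAIL FROM is empty, so the backscatter is refused before the body is accepted and the sending server carries the cost.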