From MAILER-DAEMON@stout.engsoc.carleton.ca Fri Nov 15 00:20:43 2002 Return-Path: Received: from c009.snv.cp.net (h033.c009.snv.cp.net [209.228.34.109]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAF5Khi32722 for ; Fri, 15 Nov 2002 00:20:43 -0500 Received: (cpmta 250 invoked from network); 14 Nov 2002 21:20:42 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 247 invoked from network); 14 Nov 2002 21:20:42 -0800 Received: from 206.46.170.222 (HELO mta017.verizon.net) by smtp.c009.snv.cp.net (209.228.34.109) with SMTP; 14 Nov 2002 21:20:42 -0800 X-Received: 15 Nov 2002 05:20:42 GMT To: Rob.Russell@Canada.Com From: Mail Administrator Reply-To: Mail Administrator Subject: Mail System Delivery Report Date: Thu, 14 Nov 2002 23:20:42 -0600 Message-ID: <20021115052042.CCYM6172.mta017.verizon.net@mta017> MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; Boundary="===========================_ _= 784301(6172)1037337642" Content-Transfer-Encoding: 7bit X-Spam-Status: No, hits=0.0 required=5.0 tests= version=2.20 X-Spam-Level: Status: RO X-Status: X-Keywords: --===========================_ _= 784301(6172)1037337642 Content-Type: text/plain Your message was successfully delivered to its final destination. This is a notification of that fact, as you requested. Please reply to Postmaster@gte.net if you feel this message to be in error. 
--===========================_ _= 784301(6172)1037337642 Content-Type: message/delivery-status Reporting-MTA: dns; mta017.verizon.net Arrival-Date: Thu, 14 Nov 2002 23:20:41 -0600 Received-From-MTA: dns; stout.engsoc.carleton.ca (134.117.69.22) Final-Recipient: RFC822; Action: delivered Status: 2.1.5 --===========================_ _= 784301(6172)1037337642 Content-Type: text/rfc822-headers Received: from stout.engsoc.carleton.ca ([134.117.69.22]) by mta017.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP id <20021115052041.CCYI6172.mta017.verizon.net@stout.engsoc.carleton.ca> for ; Thu, 14 Nov 2002 23:20:41 -0600 Received: from lager (lager.engsoc.carleton.ca [134.117.69.26]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with ESMTP id gAF5Kei32716; Fri, 15 Nov 2002 00:20:40 -0500 Date: Fri, 15 Nov 2002 00:20:39 -0500 (EST) From: Rob.Russell@Canada.Com X-X-Sender: colonel@lager.engsoc.carleton.ca To: victims: ; Subject: Attempted network compromise. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII --===========================_ _= 784301(6172)1037337642-- From MAILER-DAEMON@stout.engsoc.carleton.ca Fri Nov 15 00:21:02 2002 Return-Path: Received: from c009.snv.cp.net (h031.c009.snv.cp.net [209.228.34.111]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAF5L2i32764 for ; Fri, 15 Nov 2002 00:21:02 -0500 Received: (cpmta 10067 invoked from network); 14 Nov 2002 21:21:01 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 10053 invoked from network); 14 Nov 2002 21:21:00 -0800 Received: from 64.83.1.17 (HELO richexch01.cavalier.com) by smtp.c009.snv.cp.net (209.228.34.111) with SMTP; 14 Nov 2002 21:21:00 -0800 X-Received: 15 Nov 2002 05:21:00 GMT Received: by richexch01.cavalier.com with Internet Mail Service (5.5.2653.19) id <48FCWRKP>; Fri, 15 Nov 2002 00:21:00 -0500 Message-ID: <891F958D45AFCC419E8BB75971246635053894B8@richexch01.cavalier.com> From: System Administrator To: 
Rob.Russell@Canada.Com Subject: Undeliverable: Attempted network compromise. Date: Fri, 15 Nov 2002 00:20:59 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) X-MS-Embedded-Report: Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C28C66.C84EA14C" X-Spam-Status: No, hits=2.5 required=5.0 tests=MIME_NULL_BLOCK,EXCUSE_1 version=2.20 X-Spam-Level: ** Status: RO X-Status: X-Keywords: This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C28C66.C84EA14C Content-Type: text/plain; charset="iso-8859-1" Your message Subject: Attempted network compromise. Sent: Fri, 15 Nov 2002 00:20:39 -0500 did not reach the following recipient(s): IHALLEY@cavaliertelephone.com on Fri, 15 Nov 2002 00:20:58 -0500 The recipient name is not recognized The MTS-ID of the original message is: c=us;a= ;p=cavalier;l=RICHEXCH01021115052048FCWRKN MSEXCH:IMS:Cavalier:Richmond:RICHEXCH01 0 (000C05A6) Unknown Recipient ------_=_NextPart_000_01C28C66.C84EA14C Content-Type: message/rfc822 Message-ID: From: Rob.Russell@Canada.Com To: Subject: Attempted network compromise. Date: Fri, 15 Nov 2002 00:20:39 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) X-MS-Embedded-Report: Content-Type: text/plain; charset="iso-8859-1" Hello there. For your reference, I am sending this EMail to the following addresses: security[at]gte.net, tudor[at]pcnet.ro, mihai[at]pcnet.ro, IHALLEY[at]cavaliertelephone.com, jberry[at]NETACS.NET, abuse[at]verizon.net, JuppP[at]ottawapolice.ca, nipc.watch[at]fbi.gov At [14/Nov/2002:22:24:40 -0500], I noticed a network intrusion attempt on my IP address 66.12.48.142. You are receiving this EMail because I believe that the attack originated from within your network, from a compromised computer within your scope of responsibility, or because I believe you to be an interested party. If I am in error, please accept my apologies. 
Based on my preliminary investigation, I believe that the culprit resides in Romania, on the PCNET network. I believe that the culprit is in the process of building a network of compromised hosts for resale for the purposes of distributed denial of service attacks, anonymous network intrusions, and other forms of childish fun. I have catalogued the intrusion attempt at http://administra.tion.ca/moron - with my server logs, including 3 IP addresses used in the attempt. One of these IP addresses, I believe to be the attacker's true source IP address, and the other two of compromised systems used as a staging point for further attacks. My contact information is as follows: Robert Russell 807-1725 Riverside Dr. Ottawa, ON, Canada K1G 0E6 (613) 261-7541 Please don't hesitate to contact me for further information or assistance. Thanks, -- Rob.Russell@Canada.Com, Unicorn of Usenet & Bastard of Bandwidth "If my son wants to be a pimp when he grows up, that's fine with me. I hope he's a good one and enjoys it and doesn't get caught. I'll support him in this. But if he wants to be a network administrator, he's out of the house and not part of my family." 
Steve Wozniak, http://www.woz.org ------_=_NextPart_000_01C28C66.C84EA14C-- From MAILER-DAEMON@stout.engsoc.carleton.ca Fri Nov 15 00:21:22 2002 Return-Path: Received: from c009.snv.cp.net (h030.c009.snv.cp.net [209.228.34.110]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAF5LMi00311 for ; Fri, 15 Nov 2002 00:21:22 -0500 Received: (cpmta 2811 invoked from network); 14 Nov 2002 21:21:21 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 2803 invoked from network); 14 Nov 2002 21:21:21 -0800 Received: from 134.117.69.22 (HELO stout.engsoc.carleton.ca) by smtp.c009.snv.cp.net (209.228.34.110) with SMTP; 14 Nov 2002 21:21:21 -0800 X-Received: 15 Nov 2002 05:21:21 GMT Received: from localhost (localhost) by stout.engsoc.carleton.ca (8.11.6/8.9.3) id gAF5LKi32718; Fri, 15 Nov 2002 00:21:20 -0500 Date: Fri, 15 Nov 2002 00:21:20 -0500 From: Mail Delivery Subsystem Message-Id: <200211150521.gAF5LKi32718@stout.engsoc.carleton.ca> To: MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="gAF5LKi32718.1037337680/stout.engsoc.carleton.ca" Subject: Return receipt Auto-Submitted: auto-generated (return-receipt) X-Spam-Status: No, hits=0.0 required=5.0 tests= version=2.20 X-Spam-Level: Status: RO X-Status: X-Keywords: This is a MIME-encapsulated message --gAF5LKi32718.1037337680/stout.engsoc.carleton.ca The original message was received at Fri, 15 Nov 2002 00:20:40 -0500 from lager.engsoc.carleton.ca [134.117.69.26] ----- The following addresses had successful delivery notifications ----- (relayed to non-DSN-aware mailer) (relayed to non-DSN-aware mailer) (relayed to non-DSN-aware mailer) (relayed to non-DSN-aware mailer) ----- Transcript of session follows ----- ... relayed; expect no further notifications ... relayed; expect no further notifications ... relayed; expect no further notifications ... 
relayed; expect no further notifications --gAF5LKi32718.1037337680/stout.engsoc.carleton.ca Content-Type: message/delivery-status Reporting-MTA: dns; stout.engsoc.carleton.ca Received-From-MTA: DNS; lager.engsoc.carleton.ca Arrival-Date: Fri, 15 Nov 2002 00:20:40 -0500 Final-Recipient: RFC822; tudor@pcnet.ro Action: relayed (to non-DSN-aware mailer) Status: 2.0.0 Remote-MTA: DNS; mx1.pcnet.ro Diagnostic-Code: SMTP; 250 2.1.5 ... Recipient ok Last-Attempt-Date: Fri, 15 Nov 2002 00:20:57 -0500 Final-Recipient: RFC822; mihai@pcnet.ro Action: relayed (to non-DSN-aware mailer) Status: 2.0.0 Remote-MTA: DNS; mx1.pcnet.ro Diagnostic-Code: SMTP; 250 2.1.5 ... Recipient ok Last-Attempt-Date: Fri, 15 Nov 2002 00:20:57 -0500 Final-Recipient: RFC822; jberry@NETACS.NET Action: relayed (to non-DSN-aware mailer) Status: 2.0.0 Remote-MTA: DNS; mail.zoominternet.net Diagnostic-Code: SMTP; 250 ok Last-Attempt-Date: Fri, 15 Nov 2002 00:20:59 -0500 Final-Recipient: RFC822; JuppP@ottawapolice.ca Action: relayed (to non-DSN-aware mailer) Status: 2.0.0 Remote-MTA: DNS; mail.ottawapolice.ca Diagnostic-Code: SMTP; 250 ...Recipient OK. Last-Attempt-Date: Fri, 15 Nov 2002 00:21:19 -0500 --gAF5LKi32718.1037337680/stout.engsoc.carleton.ca Content-Type: text/rfc822-headers Return-Path: Received: from lager (lager.engsoc.carleton.ca [134.117.69.26]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with ESMTP id gAF5Kei32716; Fri, 15 Nov 2002 00:20:40 -0500 Date: Fri, 15 Nov 2002 00:20:39 -0500 (EST) From: Rob.Russell@Canada.Com X-X-Sender: colonel@lager.engsoc.carleton.ca To: victims: ; Subject: Attempted network compromise. 
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII --gAF5LKi32718.1037337680/stout.engsoc.carleton.ca-- From MAILER-DAEMON@stout.engsoc.carleton.ca Fri Nov 15 00:21:22 2002 Return-Path: Received: from c009.snv.cp.net (h029.c009.snv.cp.net [209.228.34.142]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAF5LMi00312 for ; Fri, 15 Nov 2002 00:21:22 -0500 Received: (cpmta 2252 invoked from network); 14 Nov 2002 21:21:21 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 2249 invoked from network); 14 Nov 2002 21:21:21 -0800 Received: from 32.97.166.43 (HELO prserv.net) by smtp.c009.snv.cp.net (209.228.34.142) with SMTP; 14 Nov 2002 21:21:21 -0800 X-Received: 15 Nov 2002 05:21:21 GMT Received: from prserv.net ([127.0.0.1]) by prserv.net (in3) with ESMTP id <2002111505212010306r1kj2e>; Fri, 15 Nov 2002 05:21:20 +0000 From: Mailer-Daemon@prserv.net To: Rob.Russell@canada.com Subject: Delivery Notification Date: Fri, 15 Nov 2002 05:21:20 +0000 Message-id: <20021115052120103013gu5ce> Content-Type: multipart/report; report-type=delivery-status; boundary=2002111505212010 MIME-Version: 1.0 X-Spam-Status: No, hits=3.4 required=5.0 tests=INVALID_MSGID,MSGID_HAS_NO_AT,NO_REAL_NAME version=2.20 X-Spam-Level: *** Status: RO X-Status: X-Keywords: --2002111505212010 Content-Type: text/plain; charset=us-ascii Your message was successfully delivered to: nipc.watch@fbi.gov --2002111505212010 Content-Type: message/delivery-status Reporting-MTA: dns; prserv.net Final_Recipient: rfc822;nipc.watch@fbi.gov Action: delivered Status: 2.0.0 --2002111505212010 Content-Type: text/rfc822-headers Received: from stout.engsoc.carleton.ca ([134.117.69.22]) by prserv.net (in3) with ESMTP id <2002111505211910304vpkhme>; Fri, 15 Nov 2002 05:21:20 +0000 Received: from lager (lager.engsoc.carleton.ca [134.117.69.26]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with ESMTP id gAF5Kei32716; Fri, 15 Nov 2002 00:20:40 -0500 Date: Fri, 15 Nov 2002 00:20:39 -0500 
(EST) From: Rob.Russell@Canada.Com X-X-Sender: colonel@lager.engsoc.carleton.ca To: victims: ; Subject: Attempted network compromise. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII --2002111505212010-- From security@verizon.net Fri Nov 15 00:24:27 2002 Return-Path: Received: from c009.snv.cp.net (h031.c009.snv.cp.net [209.228.34.111]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAF5ORi00398 for ; Fri, 15 Nov 2002 00:24:27 -0500 Received: (cpmta 11898 invoked from network); 14 Nov 2002 21:24:27 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 11896 invoked from network); 14 Nov 2002 21:24:26 -0800 Received: from 206.46.170.94 (HELO out017.verizon.net) by smtp.c009.snv.cp.net (209.228.34.111) with SMTP; 14 Nov 2002 21:24:26 -0800 X-Received: 15 Nov 2002 05:24:26 GMT Received: from verizon.net ([199.180.2.15]) by out017.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP id <20021115052426.NRBC3572.out017.verizon.net@verizon.net> for ; Thu, 14 Nov 2002 23:24:26 -0600 Date: Fri, 15 Nov 2002 05:26:06 GMT From: security@verizon.net Subject: Attempted network compromise. [T2002111501ML] To: Rob.Russell@Canada.Com MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: <20021115052426.NRBC3572.out017.verizon.net@verizon.net> X-Spam-Status: No, hits=0.6 required=5.0 tests=NO_REAL_NAME version=2.20 X-Spam-Level: Status: RO X-Status: X-Keywords: Thank you for helping us combat Internet Security Violations. If you have any questions regarding your report, please refer to the tracking number provided in the subject line of this e-mail. Please address any questions or additional reports to security@verizon.net Regretfully, due to the number of reports we receive, we are not able to provide a personalized response to each report. 
However, be assured that we investigate every report made in which a Verizon Internet Services customer has violated our Acceptable Use Policy. Please note that we cannot take action if the offender is not a Verizon Internet Services customer. However, we do make an attempt to forward your report to the correct party or notify you so that you may send the necessary information to the correct party. In order to assure that your case is investigated, please address all Verizon Internet Services security-related concerns, questions, and reports (with full logs) to security@verizon.net. Visit the following website for additional information on Verizon Internet Services policies: http://www.gte.net/contact/security.html If you are reporting issues regarding Spam or other e-mail abuse problems, please e-mail abuse@verizon.net. Finally, if this issue is related to a recent worm or virus outbreak and the IP address falls within our IP space, please be assured that we will contact the owner of that space to let them know of the possible compromised machine. However, we can only take action within our own address space. You may determine the owner of the IP address at http://whois.arin.net/ or by using the Sam Spade client, available at http://www.samspade.org. 
Sincerely, Security and Abuse Administration Verizon Internet Services security@verizon.net From MAILER-DAEMON@stout.engsoc.carleton.ca Fri Nov 15 00:24:48 2002 Return-Path: Received: from c009.snv.cp.net (h032.c009.snv.cp.net [209.228.34.108]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAF5Omi00414 for ; Fri, 15 Nov 2002 00:24:48 -0500 Received: (cpmta 1465 invoked from network); 14 Nov 2002 21:24:47 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 1460 invoked from network); 14 Nov 2002 21:24:47 -0800 Received: from 206.46.170.42 (HELO mta020.verizon.net) by smtp.c009.snv.cp.net (209.228.34.108) with SMTP; 14 Nov 2002 21:24:47 -0800 X-Received: 15 Nov 2002 05:24:47 GMT To: Rob.Russell@Canada.Com From: Mail Administrator Reply-To: Mail Administrator Subject: Mail System Delivery Report Date: Thu, 14 Nov 2002 23:24:46 -0600 Message-ID: <20021115052446.VNPT105.mta020.verizon.net@mta020> MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; Boundary="===========================_ _= 6856079(105)1037337886" Content-Transfer-Encoding: 7bit X-Spam-Status: No, hits=0.0 required=5.0 tests= version=2.20 X-Spam-Level: Status: RO X-Status: X-Keywords: --===========================_ _= 6856079(105)1037337886 Content-Type: text/plain Your message was successfully delivered to its final destination. This is a notification of that fact, as you requested. Please reply to Postmaster@verizon.net if you feel this message to be in error. 
--===========================_ _= 6856079(105)1037337886 Content-Type: message/delivery-status Reporting-MTA: dns; mta020.verizon.net Arrival-Date: Thu, 14 Nov 2002 23:20:59 -0600 Received-From-MTA: dns; stout.engsoc.carleton.ca (134.117.69.22) Final-Recipient: RFC822; Action: delivered Status: 2.1.5 --===========================_ _= 6856079(105)1037337886 Content-Type: text/rfc822-headers Received: from stout.engsoc.carleton.ca ([134.117.69.22]) by mta020.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP id <20021115052059.VLSA105.mta020.verizon.net@stout.engsoc.carleton.ca> for ; Thu, 14 Nov 2002 23:20:59 -0600 Received: from lager (lager.engsoc.carleton.ca [134.117.69.26]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with ESMTP id gAF5Kei32716; Fri, 15 Nov 2002 00:20:40 -0500 Date: Fri, 15 Nov 2002 00:20:39 -0500 (EST) From: Rob.Russell@Canada.Com X-X-Sender: colonel@lager.engsoc.carleton.ca To: victims: ; Subject: Attempted network compromise. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII --===========================_ _= 6856079(105)1037337886-- Return-Path: Received: from c009.snv.cp.net (h033.c009.snv.cp.net [209.228.34.109]) by stout.engsoc.carleton.ca (8.11.6/8.9.3) with SMTP id gAI3ppi16970 for ; Sun, 17 Nov 2002 22:51:51 -0500 Received: (cpmta 20565 invoked from network); 17 Nov 2002 19:51:50 -0800 Delivered-To: canada.com%Rob.Russell@canada.com Received: (cpmta 20559 invoked from network); 17 Nov 2002 19:51:50 -0800 Received: from 206.46.170.98 (HELO out019.verizon.net) by smtp.c009.snv.cp.net (209.228.34.109) with SMTP; 17 Nov 2002 19:51:50 -0800 X-Received: 18 Nov 2002 03:51:50 GMT Received: from verizon.net ([199.180.2.15]) by out019.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP id <20021118035149.ESJE13276.out019.verizon.net@verizon.net> for ; Sun, 17 Nov 2002 21:51:49 -0600 Date: Mon, 18 Nov 2002 03:53:24 GMT From: abuse@verizon.net Subject: Attempted network 
compromise. [T2002111801KE] To: Rob.Russell@Canada.Com MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: <20021118035149.ESJE13276.out019.verizon.net@verizon.net> X-Spam-Status: No, hits=0.6 required=5.0 tests=NO_REAL_NAME version=2.20 X-Spam-Level: Thank you for bringing this matter to our attention. We are sorry for any inconvenience it has caused you. Because we receive a large number of complaints each day at Abuse@verizon.net, regretfully, a personalized response to each message is not possible. Please be assured that Verizon investigates each reported occurrence of unsolicited e-mail or spamming. We maintain a zero-tolerance policy in regard to spamming and will take the appropriate action as permitted by Verizon's Acceptable Use Policy. To view our policy, please refer to one of the two following links: Former Bell Atlantic users: http://www.bellatlantic.net/help/faqs/#faqpolicies Former GTE users: http://www.gte.net/hotlinks/policies/agreement.html To better understand the problems with unsolicited e-mail, we have provided information about filtering Spam with your e-mail software, answers to several frequently asked questions and links to some useful online information about Spam at the following link: http://www.gte.net/announcements/spam.html You may also link directly to our page about unsolicited e-mail: http://www.gte.net/contact/spam.html If you are reporting an issue of hacking or other security issues not related to e-mail abuse, please submit your report to security@verizon.net for investigation. Sincerely, Verizon Internet Services