stopping GWF complaints

Vernon Schryver vjs@calcite.rhyolite.com
Thu Feb 15 17:45:52 UTC 2007


If you run a public DCC server and missives like the enclosed to your
upstream providers might cause questions or concerns, you might want
to firewall 192.188.61.0/29.

Because of similar complaints months ago sent upstream of several of
the public DCC servers, I added 192.188.61.0/29 to the blacklist used
by the public DCC servers and visible at
http://www.dcc-servers.net/dcc/client-blacklist.html
I think those complaints concerned the DCC/UDP/IP responses to this
person's DCC requests.  Those complaints were equivalent to the ever
popular cry that "Your UDP port 53 is hacking my system!" sent to DNS
server operators.

The Public DCC server blacklist entry stopped most of those complaints,
because it causes the public DCC servers to ignore packets from this
person's DCC clients.

I think these new complaints result from ICMP Port Unreachable messages
sent by public DCC servers when the server process is not listening,
such as when it is turned off for some reason.


Vernon Schryver    vjs@rhyolite.com

P.S. Yes, some public DCC server operators contacted this person
directly when he first started sending his complaints.




> From naveed.pasha@fgb.ae  Sat Feb 10 02:17:46 2007
> Received: from fgb-mail.fgb.ae (fgb-mail.fgb.ae [195.229.126.213])
> 	by calcite.rhyolite.com (8.14.0/8.14.0) with ESMTP id l1A9HdNu085211
> 	for <vjs@rhyolite.com> env-from <naveed.pasha@fgb.ae>;
> 	Sat, 10 Feb 2007 02:17:42 -0700 (MST)
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----_=_NextPart_001_01C74CF4.535C26F3"
> X-MimeOLE: Produced By Microsoft Exchange V6.5
> Subject: External Incidence Reporting - Incident No -  200702/0127
> Date: Sat, 10 Feb 2007 13:17:44 +0400
> Message-ID: <021FA82E86D339458F0D85C3A47AB13E74623B@homail1.fgb.ae>
> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 
> Thread-Topic: External Incidence Reporting - Incident No -  200702/0127
> Thread-Index: AcdM9FKibe5n7u5EScighX8jse4wxA==
> From: "Incidence" <incidence@fgb.ae>
> Sender: "Naveed Pasha" <naveed.pasha@fgb.ae>
> To: <vjs@rhyolite.com>
> Received-SPF: none

> This is a multi-part message in MIME format.
> 
> ------_=_NextPart_001_01C74CF4.535C26F3
> Content-Type: text/plain;
> 	charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> 
> External Incidence reporting
> 
> =20
> 
> Date of reporting - 10 February 2007
> 
> Incident No      -  200702/0127
> 
> Domain Name - fgb.ae
> 
> =20
> 
> Attacker's ip Address: 192.188.61.5
> 
> =20
> 
> ISP e-mail address: vjs@rhyolite.com
> 
> =20
> 
> Country: USA
> 
> =20
> 
> Log details
> 
> 
> Excessive amount of TCP / UDP / ICMP scans were detected from mentioned
> IP.
> 
> =20
> 
> We observed in our system log that the above mentioned ip address had
> tried to make unauthorized access attempt to the web-server.  We hereby
> bring to your notice the unauthorized activity of the user.  Request you
> to provide information of the user to the bank, so that action could be
> initiated against user as per law of UAE or any other countries
> applicable laws.  Further we request you to black list the user for the
> above activities.  Bank reserve its rights to initiate action against
> all parties to this incident directly or indirectly.
> 
> =20
> 
> Any early action in this matter would be highly appreciated.
> 
> =20
> 
> =20
> 
> Signature
> 
> Chief Information Security Officer=20
> 
> =20
> 
> =20
> 
> 
> 
> DISCLAIMER: The information contained in this mail is for the 
> intended addressee only. If you have received this mail by 
> mistake, please note that any disclosure, copying, distribution 
> or taking action in reliance of the contents of this information 
> is strictly prohibited and may be unlawful. Please delete the 
> message and all the copies from your system and notify the sender 
> immediately at administrator@fgb.ae. This mail has been scanned 
> for virus. However for safety purposes, it is recommended that 
> the attachment may be scanned for virus before launching. Any 
> opinions expressed, implied or presented are solely those of the 
> author and do not necessarily represent those of First Gulf Bank.
> ------_=_NextPart_001_01C74CF4.535C26F3
> Content-Type: text/html;
> 	charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> 
> <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
> xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
> xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
> xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
> ...
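
The two behaviours described in the message, as an added Python example that is not part of the original post or of the DCC code: an application-level blacklist keeps a listening UDP server silent, but once the process stops listening the host's kernel answers with ICMP Port Unreachable regardless of any blacklist. It assumes Linux loopback; 127.0.0.8/29 is a constructed stand-in for 192.188.61.0/29, and the toy responder and function names are hypothetical.

```python
import ipaddress
import socket
import threading

# Constructed stand-in for the blacklisted 192.188.61.0/29 so the demo stays on loopback.
BLACKLIST = ipaddress.ip_network("127.0.0.8/29")

def serve(sock, stop):
    """Toy UDP responder: ignores blacklisted sources, answers everyone else."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(512)
        except socket.timeout:
            continue
        if ipaddress.ip_address(addr[0]) not in BLACKLIST:
            sock.sendto(b"ok", addr)

def probe(src_ip, port):
    """Send one datagram from src_ip to 127.0.0.1:port and report what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.bind((src_ip, 0))
        c.settimeout(1.0)
        c.connect(("127.0.0.1", port))  # connected UDP sockets surface ICMP errors
        try:
            c.send(b"query")
            c.recv(512)
            return "reply"
        except socket.timeout:
            return "silence"
        except ConnectionRefusedError:  # kernel delivered ICMP Port Unreachable
            return "icmp-port-unreachable"

def run_demo():
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(srv, stop))
    t.start()
    up = (probe("127.0.0.1", port), probe("127.0.0.9", port))
    stop.set()
    t.join()
    srv.close()  # the server process is no longer listening
    down = probe("127.0.0.9", port)  # blacklisted source, but no process to ignore it
    return up, down

if __name__ == "__main__":
    print(run_demo())
```

A packet filter that drops the range before it reaches the UDP stack is what suppresses the third result, which is why the message suggests firewalling in addition to the server blacklist.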


