Re:hmm -- Get a load of this. Fwd'd

) >From nanog@merit.edu Mon Nov 17 18:30:54 1997
) >Received: from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by
) mozart.lib.uchicago.edu (8.8.5/8.6.4) with SMTP id SAA21563 for
) <marilyn-request@mozart.lib.uchicago.edu>; Mon, 17 Nov 1997 18:30:54 -0600
) >Received: from merit.edu (166.72.5.121) by www.RVC.CC.IL.US
                             ^^^^^^^^^^^^

) > (EMWAC SMTPRS 0.81) with SMTP id <B0000000018@www.RVC.CC.IL.US>;
) > Mon, 17 Nov 1997 18:44:02 -0600
) >Date: Mon, 17 Nov 1997 18:44:02 -0600
) >Message-ID: <B0000000018@www.RVC.CC.IL.US>
) >From: NANOG Mailing List <nanog@merit.edu>
) >Subject: subscribe
)
) In looking at this message that someone forwarded me.. It looks like the
) message originated at one of our customers web servers.. I have called
) and left messages for the sysadmins of this school.. We do not have any
) after hours numbers.
)
) Does anyone else have the bounces with headers so that I can verify or
) not that it is this customer?
)
) I will say that it is sorta ironic that I started this thread and it
) seems to be originating from one of our customers... :(

It really is too bad people neglect to note that non-mainstream mail
transport agents don't necessarily report message paths the way
mainstream ones do.

root@narnia:~# host 166.72.5.121
121.5.72.166.IN-ADDR.ARPA domain name pointer slip166-72-5-121.il.us.ibm.net
root@narnia:~#

I've already contacted abuse@ibm.net and support@ibm.net about this.
Unless this is a particularly cunning individual, not only sending a fake
host name but also identifying another IP, not associated with that
hostname, so as to throw suspicion onto some other provider, I believe
it's fairly safe to say an ibm.net dialup user is the perpetrator, and
www.RVC.CC.IL.US was used solely as a mail relay.
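
The header reading used in the reply above, as an added example that is not part of the original thread: it splits each Received: line into the name the sender claimed and the peer address the receiving MTA recorded, then compares the claim with reverse DNS. The function names `assess` and `origin` are hypothetical; the header strings are the ones quoted above (unfolded), and the PTR table holds only the `host` result shown in the reply.

```python
import re

# The two Received: headers quoted in the thread, unfolded, newest first.
RECEIVED = [
    "from www.RVC.CC.IL.US (www.RVC.CC.IL.US [207.142.145.2]) by "
    "mozart.lib.uchicago.edu (8.8.5/8.6.4) with SMTP id SAA21563 for "
    "<marilyn-request@mozart.lib.uchicago.edu>; Mon, 17 Nov 1997 18:30:54 -0600",
    "from merit.edu (166.72.5.121) by www.RVC.CC.IL.US "
    "(EMWAC SMTPRS 0.81) with SMTP id <B0000000018@www.RVC.CC.IL.US>; "
    "Mon, 17 Nov 1997 18:44:02 -0600",
]
# Offline PTR data: the `host` lookup shown in the reply.
PTR = {"166.72.5.121": "slip166-72-5-121.il.us.ibm.net"}

# from <claimed name> ( [<rDNS name>] <peer IP, bracketed or bare> ) by <receiver>
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)", re.I)

def assess(header, ptr=PTR):
    """Split one Received: value into claimed vs. observed sender identity."""
    m = HOP.search(header)
    if m is None:
        return None
    hop = m.groupdict()
    # Sendmail records the rDNS name itself; EMWAC SMTPRS records only the IP,
    # so the name after "from" there is just what the client announced.
    observed = (hop["rdns"] or ptr.get(hop["ip"]) or "").lower()
    helo = hop["helo"].lower()
    if not observed:
        hop["verdict"] = "unverified"
    elif observed == helo or observed.endswith("." + helo):
        hop["verdict"] = "consistent"
    else:
        hop["verdict"] = "helo-mismatch"
    hop["observed"] = observed or None
    return hop

def origin(headers):
    """Earliest parseable hop: Received: lines are prepended, so scan bottom-up."""
    for h in reversed(headers):
        hop = assess(h)
        if hop:
            return hop
    return None

if __name__ == "__main__":
    for h in RECEIVED:
        print(assess(h))
```
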