Who owns the IP address that's sending me viruses?
August 21, 2005 5:50 PM

I get around 80 virus-laden emails a day from the same IP address. This bugs me. How can I find out who controls this IP address so I can ask them to run a damn virus checker on their damn network?

For the last 2-3 months I've been receiving 70-80 emails a day from one IP address, each one with headers spoofed to make it look like a message from my sysadmin, and each one carrying a Zip file with the W32.mytob.HL worm on it, which is a network-infector. The IP address is part of a block owned by a business-oriented ISP on the east coast of America. Emails to "abuse@" etc. either go unanswered or are answered by an autoresponder.

I want this to stop partly because, well, it's annoying, and partly because I'm aware that this is the tip of a submerged island: the network on the other end of the IP address is probably sending out hundreds of thousands of these things every day. Plus there's a sysadmin out there who can't be bothered to run a virus checker on their system, and these days that's almost criminally irresponsible.

I deliberately haven't given the ISP's name or the IP address, but will if it would make identifying the culprit easier.
posted by Hogshead to computers & internet (10 comments total)
Traditional tools are whois to regional IP registries like ARIN/RIPE/APNIC, whois to routing databases like RADB, traceroute to the origin IP, looking glass web pages, queries to route servers, etc. Google Groups searches on the usenet news group NANAE and its related usenet news groups can also sometimes be fruitful. Not every tool is appropriate for every origin, and without the IP address and/or mail headers it is very difficult to tell you what exactly you need to do.

I have a lot of experience with tracking down spammers, so if you prefer to not publicly disclose the IP address or your mail headers, I'd be happy to do the legwork for you. Just copy the complete mail headers from a couple of the virus-laden emails and send them to the e-mail address in my profile. I'll see if I can find you appropriate contact details.
posted by RichardP at 6:16 PM on August 21, 2005


Well, I was going to put the links in, but hit the post button before I finished, and now saw RichardP's answer.

Anyhow, depending on where the IP is coming from, like RichardP says, check ARIN/RIPE/APNIC/AFRINIC or LACNIC. You can find them via Google search. Good luck.
posted by tetsuo at 6:22 PM on August 21, 2005


Can you post a set of headers here?
posted by Ken McE at 7:43 PM on August 21, 2005


RichardP seems to be on the case, but for the rest of you home-sleuths... why not?

Return-path:
Received: from punt-3.mail.demon.net by mailstore for kanp1bavbok2ewrh@erstwhile.demon.co.uk id 1E72Ce-0004pT-EE; Mon, 22 Aug 2005 02:39:04 +0000
Received: from [194.217.242.77] (helo=anchor-hub.mail.demon.net) by punt-3.mail.demon.net with esmtp id 1E72Ce-0004pT-EE for kanp1bavbok2ewrh@erstwhile.demon.co.uk; Mon, 22 Aug 2005 02:38:24 +0000
Received: from [67.94.106.102] (helo=erstwhile.demon.co.uk) by anchor-hub.mail.demon.net with esmtp id 1E72Cc-0006GC-Oc for kanp1bavbok2ewrh@erstwhile.demon.co.uk; Mon, 22 Aug 2005 02:38:24 +0000
From: webmaster@erstwhile.demon.co.uk
To: kanp1bavbok2ewrh@erstwhile.demon.co.uk
Subject: Your password has been successfully updated
Date: Sun, 21 Aug 2005 22:46:01 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_76D5579D.1012D874"
X-Priority: 3
X-MSMail-Priority: Normal

I am "@erstwhile.demon.co.uk"; the troublesome IP address seems to be -- from my reading at least -- [67.94.106.102] which is part of a block controlled by xo.com, presumably on behalf of the company's clients.

posted by Hogshead at 7:48 PM on August 21, 2005


RichardP might get you more information, but meanwhile I noticed that you mentioned trying to send an email to abuse@... Have you also tried calling the technical support number that shows up for xo.com when you run a WHOIS on the IP number? You might actually get a chance to talk to a real person if you call that number...
posted by tuxster at 7:59 PM on August 21, 2005


That hadn't occurred to me. I'll give it a shot tomorrow.
posted by Hogshead at 8:02 PM on August 21, 2005


Plop the originating IP into samspade and it will tell you who the netblock owner is, with their contact.
posted by mathowie at 8:12 PM on August 21, 2005


Since Hogshead has decided to reveal his mail headers and the suspect IP address, I'll post the information I sent him privately. My search wasn't as fruitful as I would have hoped, but here is what I found out about IP address 67.94.106.102 using some UNIX tools.

> host 67.94.106.102

102.106.94.67.in-addr.arpa domain name pointer psr2906693.z106-94-67.customer.algx.net.

> whois 67.94.106.102

OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

ReferralServer: rwhois://rwhois.eng.xo.com:4321/

NetRange: 67.88.0.0 - 67.95.255.255
CIDR: 67.88.0.0/13
NetName: IALG-ALGX-9
NetHandle: NET-67-88-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.XO.COM
NameServer: NS2.XO.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-09-26
Updated: 2005-08-09

OrgAbuseHandle: XCNV-ARIN
OrgAbuseName: XO Communications, Network Violations
OrgAbusePhone: +1-866-285-6208
OrgAbuseEmail: abuse@xo.com

OrgTechHandle: XCIA-ARIN
OrgTechName: XO Communications, IP Administrator
OrgTechPhone: +1-703-547-2000
OrgTechEmail: ipadmin@eng.xo.com

# ARIN WHOIS database, last updated 2005-08-21 19:10

> whois -h rwhois.eng.xo.com -p 4321 67.94.106.102

%rwhois V-1.5:003fff:00 rwhois.eng.xo.com (by Network Solutions, Inc. V-1.5.9)
network:Class-Name:network
network:ID:NET-XO-NET-435e6a64
network:Auth-Area:67.88.0.0/13
network:Network-Name:XO-NET-435e6a64
network:Organization;I:COMPUTECH (ALGX)
network:IP-Network:67.94.106.100/30
network:Admin-Contact;I:XCIA-ARIN
network:Tech-Contact;I:XCIA-ARIN
network:Created:20030825
network:Updated:20030825
network:Updated-By:ipadmin@eng.xo.com

> traceroute -I 67.94.106.102

traceroute to 67.94.106.102 (67.94.106.102), 64 hops max, 60 byte packets
1 gateway (192.168.0.1) 3.609 ms 3.128 ms 3.075 ms
2 ip68-101-96-1.oc.oc.cox.net (68.101.96.1) 14.974 ms * 13.711 ms
3 * 68.4.15.65 (68.4.15.65) 23.870 ms 13.802 ms
4 * ip68-4-14-93.oc.oc.cox.net (68.4.14.93) 16.812 ms 37.249 ms
5 * rsmtdsrj01-ge704.rd.oc.cox.net (68.4.14.253) 13.829 ms *
6 so-4-0.hsa2.tustin1.level3.net (65.59.168.1) 18.908 ms * 14.847 ms
7 4.68.114.21 (4.68.114.21) 21.208 ms 17.540 ms 18.878 ms
8 as-0-0.bbr2.losangeles1.level3.net (209.247.8.113) 24.458 ms
9 ge-0-0-0-53.gar2.losangeles1.level3.net (4.68.102.81) 67.350 ms
10 xo-level3-oc12.losangeles1.level3.net (209.0.227.34) 20.099 ms 18.329 ms 22.142 ms
11 p4-0-0.rar2.la-ca.us.xo.net (65.106.5.49) 20.619 ms * 103.170 ms
12 p6-0-0.rar1.dallas-tx.us.xo.net (65.106.0.13) 71.228 ms 48.954 ms *
13 p0-0-0d0.rar2.dallas-tx.us.xo.net (65.106.1.38) 54.884 ms 49.171 ms 50.923 ms
14 p6-0-0.rar1.atlanta-ga.us.xo.net (65.106.0.9) 81.589 ms 82.113 ms 80.586 ms
15 p0-0-0d0.rar2.atlanta-ga.us.xo.net (65.106.1.26) 84.866 ms 93.252 ms 82.010 ms
16 p1-0-0.rar2.washington-dc.us.xo.net (65.106.0.5) 86.888 ms 81.716 ms 80.830 ms
17 * p7-0-0.mar2.washington5-dc.us.xo.net (65.106.3.206) 83.076 ms *
18 fe4-0-0.clr11.washington5-dc.us.xo.net (71.5.190.174) 83.907 ms 84.196 ms 86.803 ms
19 psr2906693.z106-94-67.customer.algx.net (67.94.106.102) 94.735 ms 89.955 ms 146.535 ms

> whois -h whois.abuse.net xo.net

abuse@xo.com (for xo.net)

> whois -h whois.abuse.net algx.net

abuse@xo.net (for algx.net)

> telnet 67.94.106.102

Trying 67.94.106.102...
Connected to psr2906693.z106-94-67.customer.algx.net.
Escape character is '^]'.

TA 616 Gen3

Taking the above information, it appears the IP address is

psr2906693.z106-94-67.customer.algx.net[67.94.106.102]

A Google search reveals that Allegiance Internet (algx.net) went bankrupt several years ago and its assets were purchased by XO Communications (xo.com/xo.net). The customer name appears to be COMPUTECH, but that isn't enough information since that is a very common company name in the US. Here is how I would go about reporting this issue.

First, start with reporting the virus problem to abuse@xo.com or abuse@xo.net (or call +1-866-285-6208). Wait a week. If the problem hasn't been corrected, escalate the problem. I'd try contacting your employer's ISP's Network Operations Center (NOC). Or if that doesn't work, you could try the XO Communications NOC (generally you should contact your ISP's NOC, not someone else's, since NOCs have procedures for dealing with each other). NOCs don't usually handle abuse problems, but if you can convince them that the network abuse team hasn't responded to your complaints, they likely can help you. Here are XO's NOC contact details:

866-XONTWRK (I believe the US toll-free 866 prefix from outside the USA is +1 883)
xonoc@xo.com

If that doesn't work I'd try to track down which COMPUTECH is the source of the virus-laden e-mails. Since the traceroute implies that the company is near Washington, D.C. I think the most likely one is computechinc.com.

Computech
7735 Old Georgetown Road
12th Floor
Bethesda, Maryland 20814
Voice: (301) 656-4030
Fax: (301) 656-7060

If you contact them you may have to be persistent to find someone there who knows what their ISP is and what IP address they are using (use this information to verify if they are the correct company). In the above information, you'll notice that the source of the viruses appears to connect to their ISP using an ADTRAN Total Access 616. That is a small office integrated access device so the correct Computech is probably a small company or a small satellite office of a bigger company.
posted by RichardP at 8:34 PM on August 21, 2005
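The two steps RichardP's answer and Hogshead's header post rely on, picking the real origin out of the Received: chain and reading the registry record for it, as an added example that is not code posted by anyone in this thread. The sample headers and whois text are copied from the posts above; the `live_lookup` helper, which shells out to the system `whois` binary, is an assumption about the local environment and is the only part that touches the network.

```python
"""Walk an e-mail's Received: chain to the originating IP, then pull the
abuse contact and any rwhois referral out of ARIN-style whois output.
Added example for this thread, not code from any of the posters."""
import ipaddress
import re
import socket
import subprocess

# Received: headers as Hogshead posted them (newest hop first).
SAMPLE_HEADERS = """\
Received: from punt-3.mail.demon.net by mailstore for kanp1bavbok2ewrh@erstwhile.demon.co.uk id 1E72Ce-0004pT-EE; Mon, 22 Aug 2005 02:39:04 +0000
Received: from [194.217.242.77] (helo=anchor-hub.mail.demon.net) by punt-3.mail.demon.net with esmtp id 1E72Ce-0004pT-EE for kanp1bavbok2ewrh@erstwhile.demon.co.uk; Mon, 22 Aug 2005 02:38:24 +0000
Received: from [67.94.106.102] (helo=erstwhile.demon.co.uk) by anchor-hub.mail.demon.net with esmtp id 1E72Cc-0006GC-Oc for kanp1bavbok2ewrh@erstwhile.demon.co.uk; Mon, 22 Aug 2005 02:38:24 +0000
From: webmaster@erstwhile.demon.co.uk
Subject: Your password has been successfully updated
"""

# Abridged ARIN and rwhois records from RichardP's post.
SAMPLE_ARIN = """\
OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
ReferralServer: rwhois://rwhois.eng.xo.com:4321/
NetRange: 67.88.0.0 - 67.95.255.255
CIDR: 67.88.0.0/13
NameServer: NS1.XO.COM
NameServer: NS2.XO.COM
OrgAbusePhone: +1-866-285-6208
OrgAbuseEmail: abuse@xo.com
# ARIN WHOIS database, last updated 2005-08-21 19:10
"""
SAMPLE_RWHOIS = """\
%rwhois V-1.5:003fff:00 rwhois.eng.xo.com (by Network Solutions, Inc. V-1.5.9)
network:Organization;I:COMPUTECH (ALGX)
network:IP-Network:67.94.106.100/30
network:Updated-By:ipadmin@eng.xo.com
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(headers):
    """One dict per Received: line, newest first: the connecting IP the
    relay recorded (None for internal hand-offs), the client's HELO name
    and the relay ('by') that wrote the line."""
    hops = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        ip = BRACKETED_IPV4.search(line)
        helo = re.search(r"helo=([\w.-]+)", line)
        by = re.search(r"\bby\s+([\w.-]+)", line)
        hops.append({"ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else None,
                     "by": by.group(1) if by else None})
    return hops

def originating_ip(headers, own_relay_ips):
    """Newest-first walk: the first connecting IP that is not one of our own
    relays is the outside host that handed the mail in. Only the bracketed
    IP recorded by our relay is trusted; the HELO name is chosen by the
    sender and here is forged as erstwhile.demon.co.uk on the origin hop."""
    for hop in received_hops(headers):
        if hop["ip"] is None or hop["ip"] in own_relay_ips:
            continue
        return hop["ip"]
    return None

def parse_whois(text):
    """'Key: value' registry text to a dict. Comment lines (#, %) are
    dropped, the rwhois 'network:' class prefix and ';I' suffix are
    stripped, and repeated keys (Address, NameServer) become lists."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue
        key, sep, value = line.partition(":")
        if key.strip() == "network":          # rwhois attribute line
            key, sep, value = value.partition(":")
        if not sep:
            continue
        key, value = key.strip().split(";")[0], value.strip()
        if key in fields:
            prev = fields[key]
            fields[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            fields[key] = value
    return fields

def referral(fields):
    """(host, port) of the ReferralServer to query next, or None."""
    m = re.match(r"rwhois://([\w.-]+):(\d+)/?", fields.get("ReferralServer", ""))
    return (m.group(1), int(m.group(2))) if m else None

def in_netrange(ip, netrange):
    """Confirm the record's 'a - b' NetRange actually covers the IP."""
    lo, _, hi = (p.strip() for p in netrange.partition("-"))
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)

def live_lookup(ip):
    """Network version (assumes a local `whois` binary): reverse DNS, the
    registry record, and the rwhois referral if one is advertised."""
    try:
        rdns = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        rdns = None
    fields = parse_whois(subprocess.run(["whois", ip], capture_output=True, text=True).stdout)
    ref = referral(fields)
    if ref:
        out = subprocess.run(["whois", "-h", ref[0], "-p", str(ref[1]), ip],
                             capture_output=True, text=True).stdout
        fields["rwhois"] = parse_whois(out)
    return rdns, fields

if __name__ == "__main__":
    origin = originating_ip(SAMPLE_HEADERS, {"194.217.242.77"})
    arin = parse_whois(SAMPLE_ARIN)
    print(origin, in_netrange(origin, arin["NetRange"]), arin["OrgAbuseEmail"], referral(arin))
```

The relay IPs passed to `originating_ip` are the ones the reader's own mail provider operates (here Demon's anchor-hub at 194.217.242.77); with an empty set the walk stops at the first bracketed address it sees, which is why knowing your own relays matters before trusting the answer.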


RichardP is awesome. Also a shout-out here to user92371 who probably isn't reading this but who suggested I try AskMeFi to find the answer. I was initially skeptical. Clearly, I was wrong.
posted by Hogshead at 8:58 PM on August 21, 2005


My office uses XO for our DSL service, and I've never had a problem with getting them to respond to either voice calls or to trouble tickets submitted online. They have also just recently gone through a rearranging/renaming of their smtp servers to be able to easier figure out who the offenders are in cases like spam and virus attacks.

It is in their best interest to get this taken care of, so I would definitely second calling them directly. You might also try submitting an online request/feedback through their general contact form. If you can't get them to respond at all, then your ISP's NOC is the way to go, like RichardP said.

GL.
posted by gemmy at 9:28 PM on August 21, 2005

