[SANOG] Botnet IPs & NLNOG RING Introduction

Sander Smeenk ssmeenk at freshdot.net
Thu Apr 18 10:04:27 UTC 2013


Hello list! I'm from the Netherlands, AS12859, NL-BIT.

A week or two ago an account was compromised on one of my servers.
'They' abused it to relay spam through my MTA. The issue was fixed
quickly, but ever since, I have been the target of some sort of
'gentle' force-attack.

Right now I have a list of 2040 unique IPs that tried to authenticate
to my SMTP server. Only ~10% of these IPs tried authenticating more
than once; all other IPs have only tried once so far.
The behaviour is identical: one try per IP and only one try per
minute, all of them use the same account name which was compromised
earlier.

A large number of IPs in this list are registered to South American
based ISPs according to my AS/CC lookups. I was wondering if there is
anyone on this list interested in this data and what would be the best
way to disclose this to the responsible parties. I have data for 512
unique ASes in 90 countries: https://8n1.org/8968/9258 (pastebin, the
number on the left is the amount of IPs from that AS)

Please let me know if you want logs & IP-information for your AS!



I'd also like to use this mail to introduce the NLNOG Ring to any AS
operators reading this. Please see https://ring.nlnog.net/ for the
official website.

There is no commercial aspect in the ring. Basically, participants
provide a VM (or physical server) in their network to the ring project
free of charge and in doing so, gain access to the nodes already in the
ring: https://ring.nlnog.net/participants/

This provides participants with extensive means of testing connectivity
to and from their own network(s) from various places around the world.
It also brings together the technical people from ASes around the
world, making it easier to communicate with one another!

Some success stories / informative links:
  https://ring.nlnog.net/news/2012/12/state-of-the-ring-2012/
  https://ring.nlnog.net/news/2012/10/ring-success-the-ipv4-255-problem/
  https://ring.nlnog.net/news/2012/10/root-cause-analysis-using-amp/
  https://ring.nlnog.net/news/2012/09/nlnog-at-ripe65/
  https://ring.nlnog.net/news/2012/07/nlnog-ring-looking-glass/

If you want to join or want more information please contact us!
https://ring.nlnog.net/contact/



With kind regards,
-Sander Smeenk.
-- 
| /dev/sda1 has been checked 20 times without being mounted, mount forced
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
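
Added example, not part of the original post: the pattern described above (one attempt per IP, one per minute, always the same account) stays under any per-IP failure threshold, so this sketch counts distinct source IPs per account instead. The log format, account names, addresses and function names are constructed for illustration and are not any particular MTA's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "ISO-timestamp source-IP account result", one failed
# login per minute, each from a different documentation-range address.
SAMPLE_LOG = "\n".join(
    f"2013-04-18T10:{m:02d}:00 198.51.100.{m + 1} jdoe FAIL" for m in range(12)
) + "\n" + "\n".join([
    "2013-04-18T10:03:10 203.0.113.7 alice FAIL",
    "2013-04-18T10:03:20 203.0.113.7 alice FAIL",
    "2013-04-18T10:03:30 203.0.113.7 alice FAIL",
    "2013-04-18T10:05:00 192.0.2.10 bob OK",
])

def parse(log):
    """Yield (time, ip, account) for every failed authentication."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue  # skip successes and malformed lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def noisy_ips(log, max_failures=3):
    """Classic per-source threshold: IPs with at least max_failures failures."""
    counts = defaultdict(int)
    for _, ip, _ in parse(log):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= max_failures}

def targeted_accounts(log, min_ips=10, window=timedelta(hours=1)):
    """Accounts failed from >= min_ips distinct IPs inside a sliding window."""
    events = defaultdict(list)
    for ts, ip, account in parse(log):
        events[account].append((ts, ip))
    flagged = {}
    for account, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[account] = max(flagged.get(account, 0), len(ips))
    return flagged

if __name__ == "__main__":
    print("per-IP threshold:", noisy_ips(SAMPLE_LOG))
    print("per-account spread:", targeted_accounts(SAMPLE_LOG))
```

The window must be long relative to the attempt rate: at one attempt per minute, a five-minute window never sees more than six sources.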