Thursday, January 29, 2009

Mail Companies Not Receiving in TLS

Postini is now requiring mail companies to receive in TLS in order to enforce TLS encryption. The interesting thing was that they were advertising they supported TLS encryption, and I had added some domains and tested it out and they went through, so I assumed those communications were secure.

Turns out what was really happening is that the messages were sent from the original mail company in TLS, but then my mail provider only accepts via SMTP or SSL (which according to Postini is not really for mail but for web servers, and I have heard that TLS is a newer, better version of SSL).

So anyway my mail was TLS from the sender to Postini and unencrypted after that - the whole time I thought it was secure.

Time for a new mail provider.

One of these days...someday...I will have secure email. There must be a way.
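SMTP TLS only ever protects one server-to-server hop, so the way to find out where encryption stopped is to read the Received: headers the message collected on its way in; each receiving MTA records the hop it accepted, and most write "with ESMTPS" or a "(version=TLSv1 ...)" comment when that hop used TLS. The script below is an added example (mine, not the blog's and not Postini's): it parses a constructed set of Received headers, marks each hop as TLS or cleartext, and reports the hops that carried the message in the clear. All hostnames, IPs and queue ids are made up.

```python
import re

# Constructed sample (not a real message): the Received: headers a final mailbox
# provider would see, newest hop first. The lower hop (sender -> filtering
# service) used STARTTLS; the upper hop (filtering service -> mailbox) did not.
SAMPLE_HEADERS = """\
Received: from psmtp.filter.example (psmtp.filter.example [192.0.2.10])
	by mx.mailbox.example (Postfix) with ESMTP id 4F2A1C9;
	Thu, 29 Jan 2009 10:12:03 -0800 (PST)
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
	by psmtp.filter.example with ESMTPS id a1b2c3
	(version=TLSv1 cipher=RC4-SHA bits=128 verify=NOT);
	Thu, 29 Jan 2009 10:12:01 -0800 (PST)
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")
# Some MTAs (Sendmail, Google) note the TLS version in a comment instead.
TLS_NOTE_RE = re.compile(r"version=(?:TLS|SSL)", re.IGNORECASE)


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        body = header.split(":", 1)[1]
        m_with = WITH_RE.search(body)
        proto = m_with.group(1).upper() if m_with else ""
        # ESMTPS / ESMTPSA / SMTPS keywords mean the hop used TLS (STARTTLS or
        # implicit TLS); fall back to the "version=TLS..." comment form.
        tls = proto.startswith(("ESMTPS", "SMTPS", "LMTPS")) or bool(TLS_NOTE_RE.search(body))
        m_from, m_by = FROM_RE.search(body), BY_RE.search(body)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "with": proto,
            "tls": tls,
        })
    return hops


def cleartext_hops(hops):
    """(from, by) pairs for every hop that carried the message without TLS."""
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]


def end_to_end_tls(hops):
    """True only if every recorded hop used TLS."""
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for h in reversed(parse_received(SAMPLE_HEADERS)):  # print oldest hop first
        state = "TLS" if h["tls"] else "CLEARTEXT"
        print(f'{h["from"]:>24} -> {h["by"]:<22} {h["with"]:<7} {state}')
```

Two caveats a defender should keep in mind: only the topmost Received: header was written by a server you control, so the lower ones report the path as the intermediate servers chose to record it, and a hop that used TLS with "verify=NOT" encrypted the link without checking who was on the other end. The header check tells you where to look; the fix is to require TLS on every MTA you administer, as the post describes Postini now doing.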

Tuesday, January 27, 2009

Government Information Technology - Amazing.

So in order to file wage reports for my company I have to fax a letter to the SSA authorizing myself, the owner, to file wage reports for the company before they will set me up in their online system. Does anyone else see how illogical this is? Since when is the owner of a company not allowed to file wage reports for a company?

Oh and they want me to fax it on letterhead. As if that is some kind of security. Isn't that something they used to do 20 years ago in the stone ages of the Internet?

Saturday, January 24, 2009

Spammers 1/24/2009

Road Runner is definitely the champion of spam if you view the traffic from the past few weeks. It seems that whoever is generating the Road Runner spam is randomly generating email addresses to try to find addresses that are not in use. It seems like they take an address that was once valid and alter it slightly to come up with a new address.

For instance bill@microsoft.com might become ill@microsoft.com or tbill@microsoft.com.

This kind of goes back to my idea that someone is trying to find addresses that are NOT valid on a network and send emails around that won't get to a legitimate end user but allows the "spammers" to filter these messages through the Internet. Is this some kind of covert messaging?

Another possible reason I conjured up was that perhaps they are taking previous email addresses that are now being rejected (with the help of Postini) and altering them to try to figure out what the address has changed to. Not sure - just imagining the reasons.

Or perhaps they are looking for unused addresses to try to use those addresses on unsecured mail systems to hijack the business of the other company.
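Whatever the motive, this pattern is visible on the receiving side: one client that hits many different unknown recipients in a short time, several of them a character or two away from a real mailbox, is walking the address space rather than misaddressing a message. The following is an added example (mine, not the blog's and not Postini's logic): Python that reads constructed Postfix-style "User unknown" reject lines, groups rejected recipients by client IP, and flags clients whose guesses sit within a small edit distance of the local-parts that really exist. The log lines, addresses, thresholds and the set of valid local-parts are all constructed.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd reject lines (not from the blog's logs). One client,
# 203.0.113.5, walks through guesses near the real mailbox "bill"; a partner's
# server makes a single honest mistake.
SAMPLE_LOG = """\
Jan 24 14:41:37 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <ill@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.example> to=<ill@example.com> proto=ESMTP helo=<spam.example>
Jan 24 14:41:38 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <tbill@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.example> to=<tbill@example.com> proto=ESMTP helo=<spam.example>
Jan 24 14:41:39 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bil@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.example> to=<bil@example.com> proto=ESMTP helo=<spam.example>
Jan 24 14:41:40 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <qzx7@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.example> to=<qzx7@example.com> proto=ESMTP helo=<spam.example>
Jan 24 14:50:02 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<j@partner.example> to=<sales@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# Constructed: the local-parts that really exist on this server.
VALID_LOCALPARTS = {"bill", "info", "support"}

REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 [\d.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def edit_distance(a, b):
    """Levenshtein distance; spots 'bill' -> 'ill' / 'tbill' style mutations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_rejects(log):
    """Map client IP -> set of unknown recipients it tried."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits[m["ip"]].add(m["rcpt"])
    return hits


def harvest_suspects(log, valid_localparts, min_unknown=3, max_distance=2):
    """Clients that hit >= min_unknown distinct unknown recipients, together
    with the subset of their guesses within max_distance edits of a real mailbox."""
    report = {}
    for ip, rcpts in parse_rejects(log).items():
        if len(rcpts) < min_unknown:
            continue
        near_valid = sorted(
            r for r in rcpts
            if any(edit_distance(r.split("@", 1)[0], v) <= max_distance
                   for v in valid_localparts)
        )
        report[ip] = {"unknown_recipients": len(rcpts), "near_valid": near_valid}
    return report


if __name__ == "__main__":
    for ip, info in harvest_suspects(SAMPLE_LOG, VALID_LOCALPARTS).items():
        print(ip, info)
```

The partner server that mistyped one address never reaches the threshold, while the guessing client is reported with the three near-miss recipients. On a real server the same counts would feed a rate limit or tarpit for that client; Postfix's own smtpd_hard_error_limit and anvil client limits are the built-in versions of this idea, and the point of the script is to show what the signal looks like rather than to replace them.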

As for Joe's Datacenter - someone responded to one email telling me they have gotten rid of the customer causing the spam. However it seems like the spam is not one customer but filtering through their different customers and IP ranges. Has one master device or computer been hacked? Is someone internally who supports all these systems generating this spam? Are the servers not patched and up to date? Who knows.

At any rate here are some spammers for the week:

75.127.101.248
OrgName: Global Net Access, LLC
NetRange: 75.127.64.0 - 75.127.127.255
Sat, 24 Jan 2009 14:41:37 -0800 (PST)
Sat, 24 Jan 2009 12:18:18 -0800 (PST)
Fri, 23 Jan 2009 09:15:20 -0800 (PST)

66.69.125.73
OrgName: Road Runner HoldCo LLC
NetRange: 66.68.0.0 - 66.69.255.255
Sat, 24 Jan 2009 13:10:33 -0800 (PST)

76.164.209.162
OrgName: R & D Technologies, LLC
NetRange: 76.164.192.0 - 76.164.239.255
Sat, 24 Jan 2009 12:41:39 -0800 (PST)
Sat, 24 Jan 2009 18:16:19 -0800 (PST)
Sat, 24 Jan 2009 22:23:51 -0800 (PST)
Sun, 25 Jan 2009 08:47:30 -0800 (PST)

208.94.240.219
Aarons.Net JOESDATACENTER (NET-208-94-240-0-1)
208.94.240.0 - 208.94.247.255
DataTran Systems, LLC. JDC-CUST-1173-240-209 (NET-208-94-240-208-1)
208.94.240.208 - 208.94.240.223
Sat, 24 Jan 2009 08:16:38 -0800 (PST)

208.94.244.30
Aarons.Net JOESDATACENTER (NET-208-94-240-0-1)
208.94.240.0 - 208.94.247.255
Provectus, Inc JDC-CUST-1101-244-1 (NET-208-94-244-0-1)
208.94.244.0 - 208.94.244.31
Fri, 23 Jan 2009 21:12:19 -0800 (PST)

208.85.3.23
OrgName: Turnkey Internet Inc.
NetRange: 208.85.0.0 - 208.85.7.255
Fri, 23 Jan 2009 21:12:19 -0800 (PST)
Fri, 23 Jan 2009 03:26:19 -0800 (PST)

72.12.80.251
OrgName: Oxford Networks
NetRange: 72.12.64.0 - 72.12.95.255
Thu, 22 Jan 2009 23:29:46 -0800 (PST)

207.36.1.66
Affinity Internet, Inc AFFINITY-207-36-0-0 (NET-207-36-0-0-1)
207.36.0.0 - 207.36.255.255
Affinity Dedicated AFFIN-DED-207-36-0 (NET-207-36-0-0-2)
207.36.0.0 - 207.36.8.255
Sun, 25 Jan 2009 00:33:59 -0800 (PST)

64.38.65.173
OrgName: Curatel, LLC
NetRange: 64.38.64.0 - 64.38.95.255
Sun, 25 Jan 2009 01:25:16 -0800 (PST)

64.150.180.60
OrgName: Abacus America Inc.
NetRange: 64.150.176.0 - 64.150.191.255
Sun, 25 Jan 2009 07:24:03 -0800 (PST)

NOTE: Abacus America has long been in the spammer IP range list - for years I have seen them send spam to my accounts. What is up over there?

38.98.244.88
OrgName: PSINet, Inc.
NetRange: 38.0.0.0 - 38.255.255.255
Sun, 25 Jan 2009 12:20:43 -0800 (PST)

NOTE: Cogentco is another network range that is notoriously generating spam of all kinds - from garbage traffic on my web server using various bots to spam in my inbox. They are on the Performance Systems International network.

67.216.82.105
OrgName: Travail Systems, LLC
NetRange: 67.216.80.0 - 67.216.95.255
Sun, 25 Jan 2009 12:22:13 -0800 (PST)

Travail Systems continues to spam - repeatedly.

Mzima Networks, Inc. NETBLK-MZIMA-04 (NET-67-201-0-0-1)
67.201.0.0 - 67.201.63.255
Sirius Telecom MZIMA04-CUST-SIRIUSTELE04 (NET-67-201-20-0-1)
67.201.20.0 - 67.201.20.255


209.250.246.167
OrgName: RackVibe LLC
NetRange: 209.250.224.0 - 209.250.255.255
Sun, 25 Jan 2009 13:48:01 -0800 (PST)

Tuesday, January 20, 2009

Spammers This week

It appears that some spammers in Latin America are somehow targeting Gmail.

What is also interesting - I sent an abuse report to Travail Systems (listed below). I bcc'd myself at another email address. I did NOT get a copy of the abuse report.

Also the email address for support@turnkeyinternet.net apparently doesn't work. I sent an abuse message to them and it bounces.

Windstream's abuse email also fails:
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
abuse@pmxbypass.windstream.com
I sent the abuse notice to abuse@windstream.com as directed by the ARIN Windstream records.

Here are some other spammers:

24.59.64.55
OrgName: Road Runner HoldCo LLC
NetRange: 24.58.0.0 - 24.59.255.255
Tue, 20 Jan 2009 12:19:14 -0800 (PST)

63.223.125.89
OrgName: Beyond The Network America, Inc.
NetRange: 63.216.0.0 - 63.223.255.255
Tue, 20 Jan 2009 09:18:10 -0800 (PST)

64.208.60.90
OrgName: Global Crossing
NetRange: 64.208.0.0 - 64.209.127.255
Tue, 20 Jan 2009 08:41:40 -0800 (PST)

67.216.82.109
OrgName: Travail Systems, LLC
NetRange: 67.216.80.0 - 67.216.95.255
Tue, 20 Jan 2009 07:21:40 -0800 (PST)

67.205.109.27
OrgName: iWeb Technologies Inc.
NetRange: 67.205.64.0 - 67.205.127.255
Tue, 20 Jan 2009 06:55:01 -0800 (PST)

67.218.251.108
CAROLINANET a division of Guilford Communications Inc. GUILFORDCOMM-NETWORK-3 (NET-67-218-224-0-1)
67.218.224.0 - 67.218.255.255
Rashton Management RASHTON-MANAGEMENT (NET-67-218-251-0-1)
67.218.251.0 - 67.218.251.255
Tue, 20 Jan 2009 04:55:57 -0800 (PST)

12.130.137.155
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
CERFnet ATTENS-SJC1-2 (NET-12-130-128-0-1)
12.130.128.0 - 12.130.191.255
Responsys ATTENS-010369-005186 (NET-12-130-137-0-1)
12.130.137.0 - 12.130.137.255
Tue, 20 Jan 2009 03:34:24 -0800 (PST)

208.85.3.60
OrgName: Turnkey Internet Inc.
NetRange: 208.85.0.0 - 208.85.7.255
Tue, 20 Jan 2009 03:10:55 -0800 (PST)
Mon, 19 Jan 2009 03:05:24 -0800 (PST)

207.29.231.80
OrgName: N.T. Technology, Inc.
NetRange: 207.29.224.0 - 207.29.255.255
Tue, 20 Jan 2009 00:54:57 -0800 (PST)

209.195.71.60
OrgName: Cybersurf Inc.
NetRange: 209.195.64.0 - 209.195.127.255
Mon, 19 Jan 2009 01:05:40 -0800 (PST)

148.84.103.88
OrgName: Lehman College
NetRange: 148.84.0.0 - 148.84.255.255
Tue, 20 Jan 2009 13:12:18 -0800 (PST)

67.213.215.223
OrgName: Hosting Services, Inc.
NetRange: 67.213.208.0 - 67.213.223.255
Mon, 19 Jan 2009 21:27:05 -0800 (PST)

63.223.125.119
OrgName: Beyond The Network America, Inc.
NetRange: 63.216.0.0 - 63.223.255.255
Mon, 19 Jan 2009 07:40:42 -0800 (PST)

208.101.34.32
OrgName: SoftLayer Technologies Inc.
NetRange: 208.101.0.0 - 208.101.63.255
Mon, 19 Jan 2009 06:08:40 -0800 (PST)

72.20.52.112
OrgName: Staminus Communications
NetRange: 72.20.0.0 - 72.20.63.255
Mon, 19 Jan 2009 00:53:04 -0800 (PST)

64.12.143.152
OrgName: America Online, Inc.
NetRange: 64.12.0.0 - 64.12.255.255
Tue, 20 Jan 2009 13:08:28 -0800 (PST)

24.59.64.55
OrgName: Road Runner HoldCo LLC
NetRange: 24.58.0.0 - 24.59.255.255
Tue, 20 Jan 2009 12:19:12 -0800 (PST)
Tue, 20 Jan 2009 12:18:58 -0800 (PST)
Tue, 20 Jan 2009 12:18:43 -0800 (PST)

69.106.224.158
AT&T Internet Services SBCIS-SIS80 (NET-69-104-0-0-1)
69.104.0.0 - 69.111.255.255
PLTN13 internal SBC06910622400020040415130719 (NET-69-106-224-0-1)
69.106.224.0 - 69.106.239.255
Tue, 20 Jan 2009 11:42:17 -0800 (PST)

205.188.249.131
OrgName: America Online, Inc
NetRange: 205.188.0.0 - 205.188.255.255
Tue, 20 Jan 2009 11:20:14 -0800 (PST)

71.218.44.227
OrgName: Qwest Communications Corporation
NetRange: 71.208.0.0 - 71.223.255.255
Tue, 20 Jan 2009 10:27:15 PST

174.130.41.206
OrgName: Windstream Communications Inc
NetRange: 174.130.0.0 - 174.131.255.255
Tue, 20 Jan 2009 15:35:23 -0800 (PST)

67.41.158.60
OrgName: Qwest Communications Corporation
NetRange: 67.40.0.0 - 67.42.255.255
Wed, 21 Jan 2009 21:28:40 -0800 (PST)

70.110.157.188
OrgName: Verizon Internet Services Inc.
NetRange: 70.109.192.0 - 70.111.255.255
Wed, 21 Jan 2009 21:26:29 -0800 (PST)


69.11.145.242
TDS TELECOM NETBLK-TDSNET-BLK (NET-69-11-128-0-1)
69.11.128.0 - 69.11.255.255
Scholars Academy QRTZAZ-SCHOLARS-TDSNET-NETBLK (NET-69-11-145-236-1)
69.11.145.236 - 69.11.145.255
Wed, 21 Jan 2009 20:26:44 -0800 (PST)

67.176.56.235
Comcast Cable Communications, Inc. COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, Inc COLORADO-14 (NET-67-176-0-0-1)
67.176.0.0 - 67.176.127.255
Wed, 21 Jan 2009 19:42:58 -0800 (PST)

204.133.215.98
Qwest Communications Corporation QWEST-INET-34 (NET-204-131-0-0-1)
204.131.0.0 - 204.134.255.255
ALLEN PARTNERS LLC Q0102-204-133-215-96 (NET-204-133-215-96-1)
204.133.215.96 - 204.133.215.103
Wed, 21 Jan 2009 19:23:20 -0800 (PST)

69.7.202.226
CIMCO Communications, Inc. CIMCO (NET-69-7-192-0-1)
69.7.192.0 - 69.7.223.255
Mr Bult's Inc MRBULTS1 (NET-69-7-202-224-1)
69.7.202.224 - 69.7.202.255
Wed, 21 Jan 2009 17:48:04 -0800 (PST)

74.67.167.126
OrgName: Road Runner HoldCo LLC
NetRange: 74.64.0.0 - 74.79.255.255
Wed, 21 Jan 2009 17:16:52 -0800 (PST)

70.251.240.31
AT&T Internet Services SBCIS-SIS80 (NET-70-240-0-0-1)
70.240.0.0 - 70.255.255.255
PPPoX Pool - Bras17 RCSNTX.912658 SBC07025124000023050815184827 (NET-70-251-240-0-1)
70.251.240.0 - 70.251.241.255

99.194.184.117
OrgName: CenturyTel Internet Holdings, Inc.
NetRange: 99.194.0.0 - 99.195.255.255
Wed, 21 Jan 2009 15:36:43 -0800 (PST)

97.82.255.36
Charter Communications NETBLK-CHARTER-NET (NET-97-80-0-0-1)
97.80.0.0 - 97.95.255.255
Charter Communications HCK-NC-97-82-192 (NET-97-82-192-0-1)
97.82.192.0 - 97.82.255.255
Wed, 21 Jan 2009 12:48:10 -0800 (PST)


69.109.163.215
AT&T Internet Services SBCIS-SIS80 (NET-69-104-0-0-1)
69.104.0.0 - 69.111.255.255
PLTNCA internal SBC06910916000020040526144923 (NET-69-109-160-0-1)
69.109.160.0 - 69.109.175.255
Wed, 21 Jan 2009 12:37:19 -0800 (PST)

68.16.221.212
OrgName: BellSouth.net Inc.
NetRange: 68.16.0.0 - 68.19.255.255
Wed, 21 Jan 2009 11:15:32 -0800 (PST)

67.14.243.208
OrgName: Primecast
NetRange: 67.14.224.0 - 67.14.255.255

69.86.20.17
EarthLink, Inc. ERLK-CBL-TW-NYC (NET-69-86-0-0-1)
69.86.0.0 - 69.86.255.255
EARTHLINK INC ERLK-TW-NYC55 (NET-69-86-16-0-1)
69.86.16.0 - 69.86.23.255
Wed, 21 Jan 2009 07:24:50 -0800 (PST)

71.50.209.121
OrgName: Embarq Corporation
NetRange: 71.48.0.0 - 71.55.255.255
Wed, 21 Jan 2009 05:19:19 -0800 (PST)

Monday, January 19, 2009

Spam Generated From Contact IP Ranges

Ok so here's the deal. People email me. These are people I'm doing business with, working on projects with, etc. It seems like as soon as I get an email from someone I start getting spam from their mail server. Or perhaps (it seems like) valid mail messages are being swapped out with spam messages.

I've got Postini and set up Google Apps. I just met someone new and the guy tried to send me an email and said it was rejected by Postini due to being on my blocked IP spammer list. The guy sent me the email rejection notice and in it there was a mail server in Toronto, Canada - that is not blocked. Later the guy sent me his home IP address. That address is also not blocked. Why the heck is this guy's email getting blocked?

Here's another one - I am working with a couple of guys. One of the guys is using 1 and 1 Internet. Somehow while working with these guys I get spam from 1 and 1 and block out that range, not realizing that this is the range used by the guys I'm working with.

Another one - working with a designer in Colorado. Suddenly I'm getting spam from her network. I block the range not realizing it's someone I'm working with.

Is this all purely coincidental? Really?

I swear it seems like someone is replacing valid messages with spam content. I don't really have the means to pin this down at the moment.

Additionally I keep contacting Google because Google Apps has never worked right with Postini. I swear they are not getting my messages. I've been trying to get this stuff working since November. I'm about to just cancel it.
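Two things go wrong in the situations above: a range gets blocked that also covers someone you correspond with, and later nobody can say which entry rejected a given sender. Both are answerable from the block list itself, since the whois NetRange lines quoted throughout this blog convert directly to CIDR prefixes. The script below is an added example (mine, not the blog's, and unrelated to how Postini stores its lists): it parses a block list written in the same "OrgName: / NetRange:" form as the entries on this page, answers "which entry blocks this IP?", and checks a range you are about to add against the addresses of known contacts before you add it. The three ranges are taken from this page; the contact hostnames and IPs are constructed.

```python
import ipaddress

# Block list in the "OrgName: / NetRange:" form of the whois excerpts on this
# page. The ranges appear on the page; everything else here is constructed.
BLOCKLIST_TEXT = """\
OrgName: Road Runner HoldCo LLC
NetRange: 24.58.0.0 - 24.59.255.255

OrgName: Travail Systems, LLC
NetRange: 67.216.80.0 - 67.216.95.255

OrgName: Turnkey Internet Inc.
NetRange: 208.85.0.0 - 208.85.7.255
"""

# Constructed: mail servers (or home IPs) of people you actually exchange mail with.
KNOWN_CONTACTS = {
    "designer-mx.example": "24.58.10.20",
    "partner-mx.example": "198.51.100.20",
}


def range_to_networks(netrange):
    """'a.b.c.d - e.f.g.h' (whois NetRange form) -> CIDR networks covering it."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in netrange.split("-", 1))
    return list(ipaddress.summarize_address_range(lo, hi))


def parse_blocklist(text):
    """Return [(org_name, [networks...]), ...] from OrgName/NetRange pairs."""
    entries, org = [], "(unknown org)"
    for line in text.splitlines():
        if line.startswith("OrgName:"):
            org = line.split(":", 1)[1].strip()
        elif line.startswith("NetRange:"):
            entries.append((org, range_to_networks(line.split(":", 1)[1])))
    return entries


def why_blocked(ip, entries):
    """The (org, cidr) entry that catches ip, or None if no listed range matches."""
    addr = ipaddress.ip_address(ip)
    for org, nets in entries:
        for net in nets:
            if addr in net:
                return org, str(net)
    return None


def collateral_damage(netrange, contacts):
    """Known contacts whose address falls inside a range you are about to block."""
    nets = range_to_networks(netrange)
    return sorted(name for name, ip in contacts.items()
                  if any(ipaddress.ip_address(ip) in net for net in nets))


if __name__ == "__main__":
    entries = parse_blocklist(BLOCKLIST_TEXT)
    print(why_blocked("67.216.82.105", entries))  # an IP from this page's spammer list
    print(collateral_damage("24.58.0.0 - 24.59.255.255", KNOWN_CONTACTS))
```

Running collateral_damage before adding a consumer-ISP range like the Road Runner /15 above is what prevents the "blocked the designer in Colorado" problem: the range is large enough to contain both a spam-sending host and a legitimate correspondent, and the answer is usually to keep a per-host allow entry for the contact rather than to drop the whole range.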

Storm *bleep* er

So these guys are trying to supposedly protect you from yourselves:

http://blogs.zdnet.com/security/?p=2396&tag=nl.e550

Excuse me, but I'd rather you didn't divert my web traffic without my knowledge or install things on my computers without my consent.

A better approach might be to somehow notify the users and/or the networks involved who have infected machines.

For instance, if there's an infected computer on the Internet, look up the associated domain owner on whois.sc or the affected IP and contact the network from whence the nasty traffic is coming - or somehow otherwise alert the user that their computer is infected.

Additionally more PR could be done to let people know what is going on by contacting major newspapers and TV stations and provide information on how people can determine if their computers are infected.

Those would be more reasonable steps to resolve this problem.

3.5m Hosts Affected by Conficker

The Conficker worm is spreading fast, as well as variations thereof. Is anyone not aware that they should be updating their software with the latest security patches by now?

Of interest also is that this worm sells supposed security software which in turn affects the computers. How ironic.

This is using the Trojan horse model of so-called security software that actually does the opposite of the purpose for which you purchased it. I mentioned this as a possible problem with security software in general in a previous post.

Friday, January 16, 2009

Bogus Traffic - Google Search Partners

We just turned on some ads for Google Search Partners and as it turns out the search partners generated a 0.12% click rate for some words while Google search was generating a 0.03% click rate. This traffic was absolutely, completely bogus. The words people were clicking through on were completely unrelated to the site we were advertising for, and somehow that word got added in there by one of Google's automated tools. We obviously quickly removed it. I have reported this issue to Google. Hopefully they will do something about it fast and return the money for the bogus clicks.

Thursday, January 15, 2009

premiuminterestscompany.cn - hacker site?

Just got a popup from my virus scanner that this site is hacked and is a "misleading application":

http://www.premiuminterestscompany.cn

Chinese domain.

Tuesday, January 13, 2009

Gmail Email Not Sending Securely

No surprise since Gmail is a free service, but I just noticed messages are getting rejected from my other email system because Gmail doesn't send via TLS and that is a requirement on my other email system - to force incoming email to be sent securely.

Sunday, January 11, 2009

Recent Spammer IPs

Not including the international spammers, which are easy to block out by blocking all of RIPE, APNIC, LACNIC and AFRINIC using Postini (see previous posts), here are some recent spammers. What is interesting is that over the years I keep seeing the same networks over and over again as primary offenders. Windstream Communications, McLeod, RoadRunner...these names come up over and over in conjunction with my spam logs. Are the spammers living in the areas where these networks exist...or is someone on their network staff the source of, or supporting, the spammers? Or do these companies just not have a handle on their networks and are easily hacked by spammers since the spam looks similar to spam coming from all over the world?

71.30.191.140
Windstream Communications Inc WINDSTREAM-COMMUNICATIONS (NET-71-28-0-0-1)
71.28.0.0 - 71.31.255.255
Alltel - Sugar Land 71-30-176-0 (NET-71-30-176-0-1)
71.30.176.0 - 71.30.191.255

24.175.196.120
OrgName: Road Runner HoldCo LLC
NetRange: 24.174.0.0 - 24.175.255.255

75.176.78.236
OrgName: Road Runner HoldCo LLC
NetRange: 75.176.0.0 - 75.191.255.255

72.40.171.22

Earthlink, Inc. ERLK-CBL-TW-SOUTHEAST (NET-72-40-0-0-1)
72.40.0.0 - 72.40.255.255
EARTHLINK,INC ERLK-TW-TAMPABAY02 (NET-72-40-160-0-1)
72.40.160.0 - 72.40.175.255

71.160.116.227

Verizon Internet Services Inc.
VIS-BLOCK (NET-71-160-0-0-1)
71.160.0.0 - 71.161.63.255
VANESSA, KIM DSL (NET-71-160-116-224-1)
71.160.116.224 - 71.160.116.231

74.129.71.177
OrgName: INSIGHT COMMUNICATIONS COMPANY, L.P.
NetRange: 74.128.0.0 - 74.143.255.255

69.59.6.2
OrgName: Ygnition Networks, Inc.
NetRange: 69.59.0.0 - 69.59.15.255

70.94.31.189
OrgName: Road Runner HoldCo LLC
NetRange: 70.92.0.0 - 70.95.255.255

72.134.100.178
OrgName: Road Runner HoldCo LLC
NetRange: 72.128.0.0 - 72.135.255.255

24.205.232.15
Charter Communications CHARWR (NET-24-205-0-0-1)
24.205.0.0 - 24.205.255.255
Charter Communications CH-SLO-24-205-224-255 (NET-24-205-224-0-1)
24.205.224.0 - 24.205.255.255

71.72.60.112
OrgName: Road Runner HoldCo LLC
NetRange: 71.64.0.0 - 71.79.255.255

71.190.133.68
OrgName: Verizon Internet Services Inc.
NetRange: 71.181.128.0 - 71.191.255.255

207.191.218.118
OrgName: McLeodUSA Incorporated
NetRange: 207.191.192.0 - 207.191.223.255

72.183.35.81
OrgName: Road Runner HoldCo LLC
NetRange: 72.176.0.0 - 72.191.255.255

71.104.126.19
OrgName: Verizon Internet Services Inc.
NetRange: 71.96.0.0 - 71.127.255.255

98.113.14.251
OrgName: Verizon Internet Services Inc.
NetRange: 98.108.0.0 - 98.119.255.255

207.40.4.37
SprintSPRINTLINK-BLKR (NET-207-40-0-0-1)
207.40.0.0 - 207.43.255.255
Avalon Internet & Networking SPRINTLINK (NET-207-40-4-0-1)
207.40.4.0 - 207.40.4.255

70.127.1.45
OrgName: Road Runner HoldCo LLC
NetRange: 70.112.0.0 - 70.127.255.255

68.161.149.184
OrgName: Verizon Internet Services Inc.
NetRange: 68.160.0.0 - 68.163.255.255

OrgName: Road Runner HoldCo LLC
NetRange: 24.31.32.0 - 24.31.255.255

OrgName: Verizon Internet Services Inc.
NetRange: 71.169.192.0 - 71.173.63.255

64.208.60.7
OrgName: Global Crossing
NetRange: 64.208.0.0 - 64.209.127.255

OrgName: Road Runner HoldCo LLC
NetRange: 75.176.0.0 - 75.191.255.255

69.6.64.151
WholesaleBandwidth, Inc. WHOLE-2 (NET-69-6-0-0-1)
69.6.0.0 - 69.6.79.255
Media Breakaway, LLC MBL-BLK-69-6-64-0 (NET-69-6-64-0-1)
69.6.64.0 - 69.6.64.255

96.3.121.153
OrgName: Midcontinent Media, Inc.
NetRange: 96.2.0.0 - 96.3.255.255

208.82.112.141
OrgName: Network Data Center Host, Inc.
NetRange: 208.82.112.0 - 208.82.119.255

206.135.204.201
OrgName: MegaPath Networks Inc.
NetRange: 206.135.0.0 - 206.135.255.255

66.180.213.25
Martin Strauss Technologies, LLC STRAUSS-NETSPACE (NET-66-180-208-0-1)
66.180.208.0 - 66.180.223.255
TT Technology Partners, LLC. MSTL-UU5-TTTECH-VZ03 (NET-66-180-212-0-1)
66.180.212.0 - 66.180.213.255

207.29.228.146
OrgName: N.T. Technology, Inc.
NetRange: 207.29.224.0 - 207.29.255.255


WholesaleBandwidth, Inc. WHOLE-2 (NET-69-6-0-0-1)
69.6.0.0 - 69.6.79.255
Tekmailer.com TEK-BLK-69-6-19-0 (NET-69-6-19-0-1)
69.6.19.0 - 69.6.19.255

OrgName: CityNet
NetRange: 64.135.224.0 - 64.135.255.255

64.56.67.232
OrgName: Vrtservers, Inc
NetRange: 64.56.64.0 - 64.56.79.255

66.162.220.242
OrgName: tw telecom holdings, inc.
NetRange: 66.162.0.0 - 66.162.255.255

72.18.198.228
A+Hosting, Inc. PREMIANET (NET-72-18-192-0-1)
72.18.192.0 - 72.18.207.255
Blair Multimedia SERVERPOINT-CUSTOMER-BLAIRMULTIMEDIA02 (NET-72-18-198-166-1)
72.18.198.166 - 72.18.198.229

70.42.206.178
Internap Network Services Corporation PNAP-09-2005 (NET-70-42-0-0-1)
70.42.0.0 - 70.42.255.255
Martin Strauss Technologies, LLC INAP-MIA003-STRAUSS-23182 (NET-70-42-204-0-1)
70.42.204.0 - 70.42.207.255
TT Technology Partners, LLC. STRAUSS-INAP-BORDER5-TTTECH (NET-70-42-206-0-1)
70.42.206.0 - 70.42.206.255

207.154.32.89
OrgName: Hosted Solutions Acquisition, LLC
NetRange: 207.154.0.0 - 207.154.63.255

208.85.3.18
OrgName: Turnkey Internet Inc.
NetRange: 208.85.0.0 - 208.85.7.255

69.65.38.60
OrgName: GigeNET
NetRange: 69.65.0.0 - 69.65.63.255

24.55.189.18
Puerto Rico Cable Acquisition Company Inc. CHOICE-CM7 (NET-24-55-160-0-1)
24.55.160.0 - 24.55.191.255
Ponce Site- Choice Cable TV PONCE-NET-CPE-20 (NET-24-55-189-0-1)
24.55.189.0 - 24.55.190.255

64.208.60.5
OrgName: Global Crossing
NetRange: 64.208.0.0 - 64.209.127.255

66.63.178.213
OrgName: OC3 Networks & Web Solutions, LLC
NetRange: 66.63.160.0 - 66.63.191.255

216.185.52.93
OrgName: Alentus Corporation
NetRange: 216.185.32.0 - 216.185.63.255

208.94.243.180
OrgName: Aarons.Net
NetRange: 208.94.240.0 - 208.94.247.255

67.216.80.150
OrgName: Travail Systems, LLC
NetRange: 67.216.80.0 - 67.216.95.255

69.6.10.181
WholesaleBandwidth, Inc. WHOLE-2 (NET-69-6-0-0-1)
69.6.0.0 - 69.6.79.255
Media Breakaway, LLC MBL-BLK-69-6-10-0 (NET-69-6-10-0-1)
69.6.10.0 - 69.6.10.255

207.154.32.110
OrgName: Hosted Solutions Acquisition, LLC
NetRange: 207.154.0.0 - 207.154.63.255

216.139.195.188
OrgName: E Solutions Corporation
NetRange: 216.139.192.0 - 216.139.207.255

206.135.204.194
OrgName: MegaPath Networks Inc.
NetRange: 206.135.0.0 - 206.135.255.255

67.218.251.53
CAROLINANET a division of Guilford Communications Inc. GUILFORDCOMM-NETWORK-3 (NET-67-218-224-0-1)
67.218.224.0 - 67.218.255.255
Rashton Management RASHTON-MANAGEMENT (NET-67-218-251-0-1)
67.218.251.0 - 67.218.251.255

69.30.231.87
OrgName: WholeSale Internet, Inc.
NetRange: 69.30.192.0 - 69.30.255.255

208.91.133.84
NETRIPLEX LLC NETR-AVL-1 (NET-208-91-128-0-1)
208.91.128.0 - 208.91.135.255
Dimension 4 Networks LLC NETRIPLEX-AVL-208-91-133-0 (NET-208-91-133-0-1)
208.91.133.0 - 208.91.133.255

66.165.240.12
OrgName: Cyber World Internet Services, Inc.
NetRange: 66.165.224.0 - 66.165.255.255

207.29.231.72
OrgName: N.T. Technology, Inc.
NetRange: 207.29.224.0 - 207.29.255.255

96.225.229.87
OrgName: Verizon Internet Services Inc.
NetRange: 96.224.0.0 - 96.255.255.255

68.54.123.33
OrgName: Comcast Cable Communications, Inc.
NetRange: 68.32.0.0 - 68.63.255.255

24.103.190.191
OrgName: Road Runner HoldCo LLC
NetRange: 24.103.0.0 - 24.103.255.255

74.60.40.251
OrgName: Clearwire US LLC
NetRange: 74.60.0.0 - 74.61.255.255

68.191.222.48
Charter Communications CHARTER-NET-7BLK (NET-68-184-0-0-1)
68.184.0.0 - 68.191.255.255
Charter Communications DNT-TX-68-191-208 (NET-68-191-208-0-1)
68.191.208.0 - 68.191.223.255

12.186.102.94
AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
HORIZON WEST HEALTHCARE, INC HORIZON-96-102-88 (NET-12-186-102-88-1)
12.186.102.88 - 12.186.102.95

162.89.0.47
OrgName: City of Austin, Texas
NetRange: 162.89.0.0 - 162.89.255.255

71.175.45.36
OrgName: Verizon Internet Services Inc.
NetRange: 71.173.96.0 - 71.180.255.255

24.152.209.113
OrgName: PenTeleData Inc. - Cable
NetRange: 24.152.192.0 - 24.152.255.255

208.181.172.39
TELUS Communications Inc. TELAC-BLK5 (NET-208-181-0-0-1)
208.181.0.0 - 208.181.255.255
Irenyx Data Group Inc. (Digital Ark) IRENYX-CA (NET-208-181-172-0-1)
208.181.172.0 - 208.181.173.255

71.94.2.117
Charter Communications NETBLK-CHARTER-NET (NET-71-80-0-0-1)
71.80.0.0 - 71.95.255.255
Charter Communications REN-NV-71-94-0 (NET-71-94-0-0-1)
71.94.0.0 - 71.94.31.255

76.181.213.174
OrgName: Road Runner HoldCo LLC
NetRange: 76.181.0.0 - 76.181.255.255

65.182.200.112
OrgName: Hosting.com, Inc.
NetRange: 65.182.192.0 - 65.182.223.255

72.236.19.121
Level 3 Communications, Inc. LVLT-ORG-72-236 (NET-72-236-0-0-1)
72.236.0.0 - 72.237.255.255
Sabre Technologies, Inc. TELCOVE-KMCSVNH-SABRE (NET-72-236-19-0-1)
72.236.19.0 - 72.236.19.255

207.158.45.92
American Internet Services, LLC. AIS-WEST2 (NET-207-158-0-0-1)
207.158.0.0 - 207.158.63.255
Quexion LLC AIS-QUEXION-NETBLK1 (NET-207-158-45-0-1)
207.158.45.0 - 207.158.45.255

128.177.32.53
OrgName: Abovenet Communications, Inc
NetRange: 128.177.0.0 - 128.177.255.255

208.86.252.174
OrgName: NEXCESS.NET L.L.C.
NetRange: 208.86.248.0 - 208.86.255.255

71.34.22.123
OrgName: Qwest Communications Corporation
NetRange: 71.32.0.0 - 71.39.255.255

69.107.113.62
AT&T Internet Services SBCIS-SIS80 (NET-69-104-0-0-1)
69.104.0.0 - 69.111.255.255
PLTN13 internal SBC06910711200020040415135102 (NET-69-107-112-0-1)
69.107.112.0 - 69.107.127.255

67.79.170.12
OrgName: Road Runner HoldCo LLC
NetRange: 67.78.0.0 - 67.79.255.255

138.89.215.194
OrgName: Verizon Internet Services Inc.
NetRange: 138.89.0.0 - 138.89.255.255

74.211.85.199
OrgName: Baja Broadband
NetRange: 74.211.0.0 - 74.211.95.255

65.35.64.243
OrgName: Road Runner HoldCo LLC
NetRange: 65.35.0.0 - 65.35.255.255

70.106.208.125
OrgName: Verizon Internet Services Inc.
NetRange: 70.106.0.0 - 70.109.127.255

96.36.137.107
Charter Communications NETBLK-CHARTER-NET (NET-96-32-0-0-1)
96.32.0.0 - 96.42.255.255
Charter Communications CMP-NC-96-36-128 (NET-96-36-128-0-1)
96.36.128.0 - 96.36.159.255

63.243.120.2
PaeTec Communications, Inc. PAETECCOMM (NET-63-243-0-0-1)
63.243.0.0 - 63.243.127.255
Netacie Inc NET47656 (NET-63-243-120-0-1)
63.243.120.0 - 63.243.121.255

76.171.214.56
OrgName: Road Runner HoldCo LLC
NetRange: 76.168.0.0 - 76.175.255.255

207.119.71.188
OrgName: CenturyTel Internet Holdings, Inc.
NetRange: 207.118.0.0 - 207.119.255.255

141.157.241.56
Verizon Internet Services Inc. VIS-141-149 (NET-141-149-0-0-1)
141.149.0.0 - 141.158.255.255
Verizon Internet Services VZ-DSLDIAL-NYCMNY-14 (NET-141-157-192-0-1)
141.157.192.0 - 141.157.255.255

67.166.95.53
Comcast Cable Communications, Inc. COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, Inc. OREGON-12 (NET-67-166-80-0-1)
67.166.80.0 - 67.166.95.255

69.14.214.163
OrgName: WideOpenWest Finance LLC
NetRange: 69.14.0.0 - 69.14.255.255

76.251.95.218
AT&T Internet Services SBCIS-SBIS-6BLK (NET-76-192-0-0-1)
76.192.0.0 - 76.255.255.255
ACTIVE ATHLETE MEDIA-070925215520 SBC-76-251-95-216-29-0709255532 (NET-76-251-95-216-1)
76.251.95.216 - 76.251.95.223

76.120.202.3
Comcast Cable Communications, Inc. JUMPSTART-5 (NET-76-96-0-0-1)
76.96.0.0 - 76.127.255.255
Comcast Cable Communications, Inc. E-TENNESSEE-11 (NET-76-120-192-0-1)
76.120.192.0 - 76.120.255.255

64.150.158.153
HTC Communications, LLC HTCC (NET-64-150-128-0-1)
64.150.128.0 - 64.150.159.255
HTC - DSL Modem Pool HTC-64-150-158-0-24 (NET-64-150-158-0-1)
64.150.158.0 - 64.150.158.255

96.246.121.182
OrgName: Verizon Internet Services Inc.
NetRange: 96.224.0.0 - 96.255.255.255

74.95.150.81
Comcast Business Communications, Inc. CBC-CM-4 (NET-74-92-0-0-1)
74.92.0.0 - 74.95.255.255
Comcast Business Communications, Inc. HOUSTON-CBC-1 (NET-74-95-148-0-1)
74.95.148.0 - 74.95.151.255
Paloma Resources PALOMA-RESOURCES (NET-74-95-150-80-1)
74.95.150.80 - 74.95.150.87

67.204.201.242
PERSONA COMMUNICATIONS INC. PERS-CENTRAL (NET-67-204-192-0-1)
67.204.192.0 - 67.204.255.255
Persona Communications PERSONA-CEN-SUDBURY (NET-67-204-192-0-2)
67.204.192.0 - 67.204.207.255

151.213.146.241
OrgName: Windstream Communications Inc
NetRange: 151.213.0.0 - 151.213.255.255

216.254.239.75
PrairieWave Telecommunications, Inc. 216-254-224-0-1 (NET-216-254-224-0-1)
216.254.224.0 - 216.254.255.255
PrairieWave Cable Modem DHCP CMDB-216-254-239-0 (NET-216-254-239-0-1)
216.254.239.0 - 216.254.239.255

207.102.144.67
WestNet, Inc. WESTNET-W5 (NET-206-206-0-0-1)
206.206.0.0 - 206.207.255.255
Arizona Tri-University Network (ASU, UA, NAU) WEST-206-207-128-ARIZ (NET-206-207-128-0-1)
206.207.128.0 - 206.207.255.255
Embry-Riddle Aeronautical Univeristy ERAU (NET-206-207-155-0-1)
206.207.155.0 - 206.207.159.255

71.194.215.247
Comcast Cable Communications, Inc. ATT-COMCAST (NET-71-192-0-0-1)
71.192.0.0 - 71.207.255.255
Comcast Cable Communications, Inc. ILLINOIS-24 (NET-71-194-0-0-1)
71.194.0.0 - 71.194.255.255

67.214.82.158
TEL WEST COMMUNICATIONS LLC TELWEST-BLK (NET-67-214-64-0-1)
67.214.64.0 - 67.214.95.255
Lustig Orthodontics - FT Worth TELWE-CUST-67-214-82-156 (NET-67-214-82-156-1)
67.214.82.156 - 67.214.82.159

98.27.246.240
OrgName: Road Runner HoldCo LLC
NetRange: 98.24.0.0 - 98.31.255.255

206.253.55.111
OrgName: Pioneer Long Distance
NetRange: 206.253.32.0 - 206.253.63.255

71.134.247.244
AT&T Internet Services SBCIS-SIS80 (NET-71-128-0-0-1)
71.128.0.0 - 71.159.255.255
PPPoX Pool - bras18a.pltnca SBCIS-111705083239 (NET-71-134-240-0-1)
71.134.240.0 - 71.134.255.255

216.14.119.83
OrgName: EBOUNDHOST.com
NetRange: 216.14.112.0 - 216.14.127.255

64.221.90.86
OrgName: XO Communications
NetRange: 64.220.0.0 - 64.221.255.255

75.77.96.168

Thursday, January 08, 2009

OpenSSL Hack - SSL Spoofing

More SSL certificate problems: http://secunia.com/advisories/33338/

The OpenSSL bug would make it possible to spoof a secure web site. In other words, you think you're logging into a secure site but you're actually logging into an impostor...

Red Hat published a fix for OpenSSL:

http://secunia.com/advisories/33442/

So did FreeBSD:

http://secunia.com/advisories/33445/

Saturday, January 03, 2009

Microsoft Password Expiration Issue

I have figured out that when your password is expiring, each time you log out via Terminal Services it decrements the days until you have to reset the password, instead of decrementing it at the end of each day.

What that means is, if I have a time limit on remote logins and I'm logging in and out all day long, then it keeps decrementing the password expiration days, so I have to create a new password sooner than should actually be required.

Weird Referral Links in Web Requests

We're getting weird sites referring us traffic. Today I got some traffic from this url:

http://salondirectory.com

Apparently this site is linking to our site which has absolutely nothing to do with salons. I believe the links are being put there for search engine spam reasons - maybe to get rankings via linking to credible sites. Otherwise - I have no idea why a salon web site is linking to a totally unrelated type of site.

The traffic came from Comcast:
24.22.220.185 at 1/3/2009 8:50:07 PM PST

We got another request referred by this site:
http://quick-cash-secret.votelah.com
from 202.184.124.13 at 1/3/2009 7:59:34 PM PST

Here's a really odd one:
stream://1/
from 216.231.44.147 at 1/3/2009 9:18:40 AM

And this one
http://www.alivelocal.com/jump2

We are not putting our site on all these other weird sites - not sure how it is getting there or why.

NaverBot - BadBot

NaverBot is a bad bot that is not obeying robots.txt.

http://help.naver.com/customer_webtxt_02.jsp

WebDataCentreBot - Bad Bot

WebDataCentreBot does not obey robots.txt.

AISearchBot - Bad Bot

This is what the AISearchBot looks like:

AISearchBot (Email: aisearchbot@gmail.com; If your web site doesn't want to be crawled, please send us a email.)

This is a bad bot because, rather than posting a page explaining how to exclude them from your site in the standard way through robots.txt, they try to get you to send them an email, which reveals your email address and your IP address as well. Hopefully they will fix this and provide standard instructions for robots.txt in the near future.

December 2008 Bots

Seems like we had quite a few bots hitting our web sites last month. Taking a look at some prior months, it turns out the number of bot-like user agents goes up and down a lot, as shown below. This may be due to my periodically updating the user agent file that tells certain bots to go away, but I'm not sure without further tracking and analysis. I would guess that some bot makers simply rename their bots and send out new ones when too many of their bots end up in user agent files.

Bot Count - month - year
1138 12 2008
932 11 2008
1068 10 2008
683 9 2008
1032 8 2008
859 7 2008
783 6 2008
1553 5 2008
894 4 2008
1057 3 2008
439 2 2008

Here's a run down of last month's bot-ish traffic:

430 Moozilla
289 Mozilla/4.0 (compatible;)
65 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)
41 SurveyBot/2.3 (Whois Source)
36 MSR-ISRCCrawler
34 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12; ips-agent) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
32 Mozilla/5.0 (compatible; DBLBot/1.0; +http://www.dontbuylists.com/)
24 Mozilla/5.0 (compatible; WebDataCentreBot/1.0; +http://WebDataCentre.com/)
21 libwww-perl/5.814
15 Mozilla/5.0 (compatible; DotBot/1.1; http://www.dotnetdotcom.org/, crawler@dotnetdotcom.org)
14 Gigabot/3.0 (http://www.gigablast.com/spider.html)
10 AISearchBot (Email: aisearchbot@gmail.com; If your web site doesn't want to be crawled, please send us a email.)
9 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Alexa Toolbar)
9 REAP-crawler Nutch/Nutch-1.0-dev (Reap Project; http://reap.cs.cmu.edu/REAP-crawler/; Reap Project)
9 CazoodleBot/0.0.2 (http://www.cazoodle.com/contact.php; cbot@cazoodle.com)
8 Mozilla/5.0 (compatible; OpenX Spider; http://www.openx.org)
8 Mozilla/5.0 (compatible; LocalBot/2.1; +http://www.seattlekit.com)
6 libwww-perl/5.805
6 libwww-perl/5.803
5 Java/1.6.0_07
5 Axonize-bot
4 kalooga/KaloogaBot (Kalooga; http://www.kalooga.com/info.html?page=crawler)
3 Mozilla/5.0 (compatible; OnTownsBot/1.2; +http://www.ontowns.com/)
3 Snoopy v1.2
3 Java/1.5.0_11
3 ecxi/Nutch-1.0-dev (esCERT-UPC-ecxi; http://escert.upc.edu/; admin escert edu)
3 Site-Perf.com performance testing bot
3 libwww-perl/5.806
3 Mozilla/5.0 (compatible; LocalBot/2.1; +http://www.None)
2 BobCrawl/Nutch-0.9 (Test/Development crawler; http://notavalable.com; notavailable@notavailable.com)
2 SapphireWebCrawler/1.0 (Sapphire Web Crawler using Nutch; http://boston.lti.cs.cmu.edu/crawler/; mhoy@cs.cmu.edu)
2 Gaisbot/3.0+(robot06@gais.cs.ccu.edu.tw;+http://gais.cs.ccu.edu.tw/robot.php)
2 Mozilla/5.0 (compatible; del.icio.us-thumbnails/1.0; FreeBSD) KHTML/4.3.2 (like Gecko)
2 Mozilla/5.0 (compatible; Snappybot/0.1)
2 Mozilla/5.0 (compatible; SuchbaerBot/0.4; +http://bot.suchbaer.de/info.html)
2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/0829 SeaMonkey/1.1.12
2 Mozilla/3.0 (compatible; WebCapture 2.0; Auto; Windows)
2 libwww-perl/5.820
2 Yanga WorldSearch Bot v1.1/beta (http://www.yanga.co.uk/)
2 Horny Sex Search/Nutch-0.9 (HornySexSearch.com Crawler; http://www.hornysexsearch.com; Contact HornySexSearch.com)
2 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; TuneUp HTML Client Embedded Web Browser from: http://bsalsa.com/; SLCC1; .NET CLR 2.0.50727; Media
1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/052906 Firefox/3.0/Nutch-0.9
1 USCity Link Checker - libwww-perl/5.65
1 Wget/1.5.3.1
1 libwww-perl/5.79
1 Crawler for Sika Solutions (http://www.sika-sol.co.uk/)
1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; InfoPath.2)
1 MSRBOT (http://research.microsoft.com/research/sv/msrbot/
1 Netintelligence LiveAssessment - www.netintelligence.com
1 Jakarta Commons-HttpClient/3.1
1 Mozilla/5.0 (compatible; http://www.whoisde.de/2.1; +http://www.whoisde.de)
1 betaBot
1 SapphireWebCrawler/Nutch-1.0-dev (Sapphire Web Crawler using Nutch; http://boston.lti.cs.cmu.edu/crawler/; mhoy@cs.cmu.edu)
1 Isidorus/2.0 (Isidorus; http://www.isidorus.com; crawler@isidorus.com)
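
The monthly bot run down above and the robots.txt complaints about NaverBot and WebDataCentreBot come from the same log data. Here is an added example, not the blog's own code, that parses Apache-style log lines, classifies user agents as bot-ish with the same kind of markers that appear in the list above, and flags bots that fetched a path robots.txt disallows; the log lines, addresses and Disallow list are constructed for the example.

```python
"""Added example, not the blog's own code: count bot-ish user agents in
web server log lines and flag bots that fetch paths robots.txt disallows."""
import re
from collections import Counter

# Apache combined log format; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Substrings seen in the post's bot list (Nutch, libwww-perl, Java/, Wget, ...).
BOT_MARKERS = ("bot", "crawler", "spider", "nutch", "libwww-perl", "java/",
               "wget", "httpclient", "snoopy", "agent")
DISALLOWED = ("/private/", "/cgi-bin/")  # constructed robots.txt Disallow prefixes

# Constructed log lines using RFC 5737 documentation addresses.
LOG_LINES = [
    '192.0.2.10 - - [03/Jan/2009:08:50:07 -0800] "GET /robots.txt HTTP/1.1" 200 120 "-" '
    '"Mozilla/5.0 (compatible; WebDataCentreBot/1.0; +http://WebDataCentre.com/)"',
    '192.0.2.10 - - [03/Jan/2009:08:50:09 -0800] "GET /private/report.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; WebDataCentreBot/1.0; +http://WebDataCentre.com/)"',
    '198.51.100.7 - - [03/Jan/2009:20:50:07 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '198.51.100.9 - - [03/Jan/2009:21:00:01 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Moozilla"',
    '198.51.100.9 - - [03/Jan/2009:21:00:02 -0800] "GET /page2.html HTTP/1.0" 200 900 "-" "libwww-perl/5.814"',
]

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_bot(ua):
    """Heuristic: a known tool marker, or a string not claiming to be a Mozilla/Opera browser."""
    low = ua.lower()
    if any(marker in low for marker in BOT_MARKERS):
        return True
    return not (ua.startswith("Mozilla/") or ua.startswith("Opera"))

def bot_counts(lines):
    """Counter of bot-ish user agents, like the post's monthly run down."""
    return Counter(r["ua"] for r in map(parse_line, lines) if r and is_bot(r["ua"]))

def robots_violations(lines, disallowed=DISALLOWED):
    """Bots that fetched a disallowed path, as (ip, user agent, path) tuples."""
    hits = []
    for r in filter(None, map(parse_line, lines)):
        if is_bot(r["ua"]) and r["path"].startswith(disallowed):
            hits.append((r["ip"], r["ua"], r["path"]))
    return hits
```

Misspelled browser strings such as "Moozilla" are caught by the second rule in is_bot, since they carry no tool marker but do not start with a real browser prefix either.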

Friday, January 02, 2009

Unpatched IE 6 Bugs

Here is a list of unpatched or "partially fixed" bugs in IE6 according to Secunia.com. Some of these date back to 2003. Though some are considered only slightly problematic or unlikely, and hence it seems they were not patched, some of the bugs in this list could cause a lot of problems if they happen to a particular user.

Additionally I found it interesting that Secunia lists a higher percentage of "advisories" unpatched in IE7. However, going through the whole list of items for IE7 there are only 9 unpatched items compared to over 20 below. Based on that, on the odd-looking traffic I have mentioned in previous posts, and on a comparison of the different types of bugs outstanding, I would conclude that IE7 is a much better browser choice if you are concerned about security.

Unpatched IE6 Bug - FTP Injection

IE 6 may disclose sensitive information with OnKeyDown event

Printing table of links from IE6 or IE7

IE6 and IE7 FTP credentials exposure

IE6 allows faking a URL in the address bar

Internet Explorer 6 or 7 File Upload Form Keystroke Event Cancel Vulnerability

IE6 hidden network share weakness

IE5 and IE6 Drag and Drop Vulnerability

IE6 - Trick a user to go to a malicious site

IE6 - XMLHTTP HTTP Request Injection

IE6 - Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability

IE6 Microsoft Internet Explorer Popup Title Bar Spoofing Weakness

IE6 Internet Explorer Global Variables Local File Detection Weakness

IE6 - Window Injection Vulnerability

IE6 - save as picture download spoofing - trick users into downloading malicious files

IE6 - cookie vulnerability
Note this bug says partially fixed.

IE6 - bypass file download security warning and save as displays different file extension than actual

Internet Explorer Flash/Excel Content Status Bar Spoofing Weakness

IE6 - Detect the presence of local files
(partial fix)

IE6 - cross domain cookie vulnerability

IE5 & IE6 address bar - faking urls
(partial fix)

IE6 - create popup content overlay
(partial fix)

IE6 bug - fake urls (partial fix)

IE6 - Cross frame scripting restriction bypass

IE6 - Internet Explorer File Identification Variant

IE6 - Exposure of Installed Components

IE6 - Internet Explorer Custom HTTP Error Script Injection Vulnerability (partial fix)

IE6 - Exposes sensitive information (partial fix)

Dell Ships with IE6

This is interesting - Dell ships XP computers with IE6 that is known to be far less secure than IE7. Why? Don't they care about the security of their customers?

Dell ships with insecure browser

IE6 Traffic - Not from IE6 Browser

Something odd happened today. A person reported getting a message we display to people who have old browsers. The person sent the error message in question. When I looked up the traffic in our logs the traffic indicated the user was visiting the site with an IE6 browser. However the person says she doesn't use IE and doesn't want to use IE. The only traffic from this particular IP address was all from IE browsers and nothing else.

So what is going on here? Potentially we have a bug in our software, however I have not seen this error myself before. What I think is probably happening is that there's some sort of caching software on the network this person is using and when they came to the site they got some page that was cached by some previous visitor who was using an IE6 browser. The other option is that this person has some sort of malware or web add-on that is somehow making her traffic look like it's coming from an IE6 browser when it is not.

If there was actually caching software that was causing this problem, however, then why was I able to find in my logs the exact request matching hers that resulted in this message? If the page was cached somewhere I shouldn't be seeing her request in my logs at all would I?

So was there a computer between her computer and my server that is intercepting requests, passing them to our server, viewing the content, and then passing it back to the user's machine? That seems like what is probably happening, but how can I know for sure? In that case, let's say you were contacting your bank. This intermediary would be doing screen shots of every web page you visit. If this intermediary software was one machine intercepting all the requests, I would also expect to see only one user agent coming to that site from that IP address - but I saw multiple - and they were all IE browsers. This person says she doesn't use IE because she doesn't like it.

Hmmm. What's up? More evidence of very suspicious IE6 traffic and doubtful that most of the IE traffic out there is legit.