Re: US DOJ victim letter

2012-02-02 Thread bmanning
On Thu, Feb 02, 2012 at 05:57:23AM -0500, Robert E. Seastrom wrote: > > bmann...@vacation.karoshi.com writes: > > > I missed the part where ARIN turned over its address database > > w/ associated registration information to the Fed ... I mean > > I've always advocated for LEO access, but there ha

Re: US DOJ victim letter

2012-02-02 Thread Robert E. Seastrom
bmann...@vacation.karoshi.com writes: > I missed the part where ARIN turned over its address database > w/ associated registration information to the Fed ... I mean > I've always advocated for LEO access, but there has been > significant pushback from the community on unfettered access > to that

Re: US DOJ victim letter

2012-02-01 Thread PC
I received one on an IP block that were SWIPed to me. Has anyone written a regular expression which matches the rogue dns server IP ranges in question? - 85.255.112.0 through 85.255.127.255; - 67.210.0.0 through 67.210.15.255; - 93.188.160.0 through 93.188.167.255; - 77.67.83.0 throug

Re: US DOJ victim letter

2012-02-01 Thread TFML
If the IP list is pointing to DNS servers, they may be referring to the following: http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf On Jan 31, 2012, at 7:38 PM, Phil Dyer wrote: > On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis wrote: >> On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: >

Re: US DOJ victim letter

2012-01-31 Thread Carlos Alcantar
1 Jan 2012 20:29:52 -0500 To: Phil Dyer , "nanog@nanog.org" Subject: RE: US DOJ victim letter Folks, I received a DoJ Victim Notification letter yesterday, which was pretty amazing considering the fact that I don't run a network. My letter referenced "United States v. Menach

RE: US DOJ victim letter

2012-01-31 Thread Ronald Bonica
ave that right? Ron > -Original Message- > From: Phil Dyer [mailto:p...@cluestick.net] > Sent: Tuesday, January 31, 2012 7:39 PM > To: nanog@nanog.org > Subject: Re: US DOJ victim letter > > On Fri, Jan 27, 2012

Re: US DOJ victim letter

2012-01-31 Thread Ryan Pavely
I really enjoyed the fact that I called the number, on what I learned later was a "Sample", and when I picked the option to speak with an agent I got "The mailbox is full" message. I feel safe... Ryan Pavely Director Research And Development Net Access Corporation http://www.nac.ne

Re: US DOJ victim letter

2012-01-31 Thread Phil Dyer
On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis wrote: > On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: >> Bit odd, if it's a phish. Even more odd if it's actually from the Fed. > > > It's definitely real, but seems like they're handling it as incompetently as > possible. Yep. That sounds about r

Re: US DOJ victim letter

2012-01-31 Thread Carlos Alcantar
Date: Mon, 30 Jan 2012 10:56:10 -0500 To: Jack Bates Cc: "nanog@nanog.org" Subject: Re: US DOJ victim letter - Original Message - > From: "Jack Bates" > To: "Jon Lewis" > Cc: nanog@nanog.org > Sent: Monday, January 30, 2012 10:54:02 AM > S

Re: US DOJ victim letter

2012-01-30 Thread Matthew S. Crocker
- Original Message - > From: "Jack Bates" > To: "Jon Lewis" > Cc: nanog@nanog.org > Sent: Monday, January 30, 2012 10:54:02 AM > Subject: Re: US DOJ victim letter > > On 1/27/2012 2:23 PM, Jon Lewis wrote: > > > > It

Re: US DOJ victim letter

2012-01-30 Thread Jack Bates
On 1/27/2012 2:23 PM, Jon Lewis wrote: It's definitely real, but seems like they're handling it as incompetently as possible. We got numerous copies to the same email address, the logins didn't work initially. The phone numbers given are of questionable utility. Virtually no useful information w

Re: US DOJ victim letter

2012-01-28 Thread Ryan Gelobter
The e-mail states it was sent to the specific e-mail address because it was listed as the contact in WHOIS. Although you can opt-out from these notices I believe as part of the DNS Changer case the court ordered the FBI to notify ISPs. On Sat, Jan 28, 2012 at 10:39 AM, John Peach wrote: > On Sat,

Re: US DOJ victim letter

2012-01-28 Thread John Peach
On Sat, 28 Jan 2012 16:30:47 + bmann...@vacation.karoshi.com wrote: > On Fri, Jan 27, 2012 at 10:20:08PM -0500, Martin Hannigan wrote: > > On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein > > wrote: > > > [snip] > I missed the part where ARIN turned over its address database w/ > associ

Re: US DOJ victim letter

2012-01-28 Thread bmanning
On Fri, Jan 27, 2012 at 10:20:08PM -0500, Martin Hannigan wrote: > On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein wrote: > > > > > > On 1/27/12 1:23 PM, "valdis.kletni...@vt.edu" > > wrote: > > > >>On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said: > >> > >>> Bit odd, if it's a phish.

Re: US DOJ victim letter

2012-01-27 Thread Martin Hannigan
On Fri, Jan 27, 2012 at 1:32 PM, Randy Epstein wrote: > > > On 1/27/12 1:23 PM, "valdis.kletni...@vt.edu" > wrote: > >>On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said: >> >>> Bit odd, if it's a phish. Even more odd if it's actually from the Fed. >> >>What if it's a phish from a compr

Re: US DOJ victim letter

2012-01-27 Thread Harry Hoffman
We get these letters all of the time. They are indeed legit but pretty much worthless. About as good as some of our DMCA letters. Original Message From: Jon Lewis Sent: Fri, Jan 27, 2012 3:23 PM To: Bryan Horstmann-Allen CC: nanog@nanog.org Subject: Re: US DOJ victim

Re: US DOJ victim letter

2012-01-27 Thread Jon Lewis
On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: +-- | On 2012-01-27 18:12:16, Carlos Alcantar wrote: | | Today it looks like we have received the letter from the DOJ which gives | us login information, for listing of i

Customer service (was Re: US DOJ victim letter)

2012-01-27 Thread Sean Donelan
On Fri, 27 Jan 2012, Mike wrote: Honestly, I could care less about customer virus infections. I am not going to do anything with the information and am likely to ignore future occurrences from the fbi if this is all they got. Each ISP will make its own business decision what they want to do.

Re: US DOJ victim letter

2012-01-27 Thread Carlos Alcantar
http://www.race.com -Original Message- From: Bryan Horstmann-Allen Reply-To: Date: Fri, 27 Jan 2012 13:16:27 -0500 To: Carlos Alcantar Cc: "nanog@nanog.org" Subject: Re: US DOJ victim letter +-- |

Re: US DOJ victim letter

2012-01-27 Thread Randy Epstein
On 1/27/12 1:23 PM, "valdis.kletni...@vt.edu" wrote: >On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said: > >> Bit odd, if it's a phish. Even more odd if it's actually from the Fed. > >What if it's a phish from a compromised Fed box? :) We've spoken to folks at various FBI field offi

Re: US DOJ victim letter

2012-01-27 Thread Valdis . Kletnieks
On Fri, 27 Jan 2012 13:16:27 EST, Bryan Horstmann-Allen said: > Bit odd, if it's a phish. Even more odd if it's actually from the Fed. What if it's a phish from a compromised Fed box? :)

Re: US DOJ victim letter

2012-01-27 Thread Mike
On 01/27/2012 10:16 AM, Bryan Horstmann-Allen wrote: +-- | On 2012-01-27 18:12:16, Carlos Alcantar wrote: | | Today it looks like we have received the letter from the DOJ which gives | us login information, for listing of

Re: US DOJ victim letter

2012-01-27 Thread Randy Epstein
> >Bit odd, if it's a phish. Even more odd if it's actually from the Fed. > >Cheers. >-- >bdha >cyberpunk is dead. long live cyberpunk. It's for real. Yes, it's really odd and wasteful. Randy

Re: US DOJ victim letter

2012-01-27 Thread Bryan Horstmann-Allen
+-- | On 2012-01-27 18:12:16, Carlos Alcantar wrote: | | Today it looks like we have received the letter from the DOJ which gives | us login information, for listing of ip's within our network that where | affected with da

Re: US DOJ victim letter

2012-01-27 Thread Carlos Alcantar
. San Francisco, CA. 94080 Phone: +1 415 376 3314 / car...@race.com / http://www.race.com -Original Message- From: Robert Bonomi Date: Fri, 20 Jan 2012 13:08:56 -0600 To: "nanog@nanog.org" Subject: Re: US DOJ victim letter > From nanog-bounces+bonomi=mail.r-bonomi@nanog.org

Re: US DOJ victim letter

2012-01-20 Thread Robert Bonomi
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Fri Jan 20 08:11:24 > 2012 > Date: Fri, 20 Jan 2012 08:07:10 -0600 > From: -Hammer- > To: nanog@nanog.org > Subject: Re: US DOJ victim letter > > On a less serious note, did anyone notice the numbers on the fbi.gov

Re: US DOJ victim letter

2012-01-20 Thread Mike Andrews
On Fri, Jan 20, 2012 at 08:07:10AM -0600, -Hammer- wrote: > On a less serious note, did anyone notice the numbers on the fbi.gov > link? I'm pretty sure they are implying those are IP addresses. > 123.456.789 and 987.654.321. Must be the same folks that do the Nexus > documentation for Cisco. A

Re: US DOJ victim letter

2012-01-20 Thread -Hammer-
On a less serious note, did anyone notice the numbers on the fbi.gov link? I'm pretty sure they are implying those are IP addresses. 123.456.789 and 987.654.321. Must be the same folks that do the Nexus documentation for Cisco. -Hammer- "I was a normal American nerd" -Jack Herer On 1/19/20

Re: US DOJ victim letter

2012-01-19 Thread Ryan Gelobter
They are related to the DNSChanger and Ghostclick malware as ML said. The e-mails to us did come from the DOJ e-mail servers and were legitimate. The phone number is legit as well. On Thu, Jan 19, 2012 at 3:37 PM, Todd Lyons wrote: > On Thu, Jan 19, 2012 at 1:39 PM, Carlos Alcantar wrote: > > >

Re: US DOJ victim letter

2012-01-19 Thread Todd Lyons
On Thu, Jan 19, 2012 at 1:39 PM, Carlos Alcantar wrote: > > +1 on these emails we have received 3 of them. Three here as well. -- SOPA: Any attempt to [use legal means to] reverse technological advances is doomed.  --Leo Leporte

Re: US DOJ victim letter

2012-01-19 Thread Simon Lockhart
On Thu Jan 19, 2012 at 01:15:28PM -0800, Andrew D. Dibble wrote: > So if one of the computers inside your network is talking to one of those IPs > for DNS, you probably have malware. Show me an ISP which doesn't have end-user PCs infected with malware :) Simon

Re: US DOJ victim letter

2012-01-19 Thread Carlos Alcantar
+1 on these emails we have received 3 of them. Carlos Alcantar Race Communications / Race Team Member 101 Haskins Way, So. San Francisco, CA. 94080 Phone: +1 415 376 3314 / car...@race.com / http://www.race.com Once upon a time, Alan Clegg said: > I was amused to discover that to proceed on

Re: US DOJ victim letter

2012-01-19 Thread PC
Knowing it's JS, I looked at the source, and here's the "rogue" ranges: var IP_RANGES = [ [[85, 255, 112, 0], [85, 255, 127, 255]], [[67, 210, 0, 0], [67, 210, 15, 255]], [[93, 188, 160, 0], [93, 188, 167, 255]], [[77, 67, 83, 0], [77, 67, 83, 255]], [[213, 109, 64, 0], [213, 1

Re: US DOJ victim letter

2012-01-19 Thread Lane Powers
We took the CIDR blocks listed here; http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf And ran them against net flow data from our external links and were able to generate a list of subscriber IP addresses that were using the rogue DNS servers. Lane -- Lane P

Re: US DOJ victim letter

2012-01-19 Thread Chris Adams
Once upon a time, Andrew D. Dibble said: > FBI seems to have a list of netblocks hosting rogue DNS servers here: > https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS So should I try to type in all the IPs on my network, one at a time? Oh wait, that page requires Javascript to

Re: US DOJ victim letter

2012-01-19 Thread Chris Adams
Once upon a time, Alan Clegg said: > I was amused to discover that to proceed on the web, I had to enter my > last name as "Representative" -- as in "Dear Business Representative". > Yep, really. me too After I got yet more such generic and useless info, I lost interest. I tried to go back an

Re: US DOJ victim letter

2012-01-19 Thread Andrew D. Dibble
Operation Ghost Click - someone in your AS has malware which changes their DNS server to an evil IP. ICANN (IIRC) replaced these servers with clean ones around November 2011 and now it seems like the FBI is trying to contact everyone who is still talking to that server. FBI seems to have a lis

Re: US DOJ victim letter

2012-01-19 Thread Alan Clegg
On 1/19/2012 4:04 PM, Jay Hennigan wrote: > The body of the email indeed reads like a poorly-executed phish > including elements such as "null" and "" but > headers seem legit. I asked a local contact if it was legit and he confirmed that it is. Wait for the paper mail. I was amused to discover

Re: US DOJ victim letter

2012-01-19 Thread Randy Carpenter
Same here. No idea who the intended recipient organization is, as it was sent to our generic tech contact email address that is used for a bunch of ASes, ARIN accounts, domains, etc. There are pretty much no details in the message. -Randy - Original Message - > AS2381 has also received

Re: US DOJ victim letter

2012-01-19 Thread ML
On 01/19/2012 04:01 PM, Michael Hare wrote: AS2381 has also received them, we are no further along in this than you are. On 1/19/2012 2:59 PM, Jay Hennigan wrote: We have received three emails from the US Department of Justice Victim Notification System to our ARIN POC address advising us that

Re: US DOJ victim letter

2012-01-19 Thread Michael J McCafferty
We've been getting them too. I haven't even thought to follow up. DOJ won't email you with a do not reply. On Thu, 2012-01-19 at 12:59 -0800, Jay Hennigan wrote: > We have received three emails from the US Department of Justice Victim > Notification System to our ARIN POC address advising us th

Re: US DOJ victim letter

2012-01-19 Thread Jay Hennigan
On 1/19/12 1:01 PM, Dave Ellis wrote: > I've also received the emails, I assumed they were fake as our normal > contacts haven't mentioned anything. The body of the email indeed reads like a poorly-executed phish including elements such as "null" and "" but headers seem legit. -- Jay Hennigan -

Re: US DOJ victim letter

2012-01-19 Thread Dave Ellis
We've also received the emails and ignored them. If the US DOJ needs to contact us they use the postal service. On 01/19/2012 03:01 PM, Michael Hare wrote: AS2381 has also received them, we are no further along in this than you are. On 1/19/2012 2:59 PM, Jay Hennigan wrote: We have received

Re: US DOJ victim letter

2012-01-19 Thread Tim Jackson
The 3rd email they sent: This email is intended to provide clarification on a previous email sent to you. You will be receiving a letter by U.S. Postal Service in the coming days. In the meantime, please visit the link below which provides more details on the investigation and identifying you as

Re: US DOJ victim letter

2012-01-19 Thread Michael Hare
AS2381 has also received them, we are no further along in this than you are. On 1/19/2012 2:59 PM, Jay Hennigan wrote: We have received three emails from the US Department of Justice Victim Notification System to our ARIN POC address advising us that we may be the victim of a crime. Headers loo

US DOJ victim letter

2012-01-19 Thread Jay Hennigan
We have received three emails from the US Department of Justice Victim Notification System to our ARIN POC address advising us that we may be the victim of a crime. Headers look legit. We have been frustrated in trying to follow the rabbit hole to get any useful information. we've jumped through