Since Monday 17th May 2004 the NTL cable modem customer on 81.109.67.128 has been attacking the SUCS email server, bombarding it with virus laden messages for accounts that don't exist. The sheer intensity of this attack can be seen in this graph for the 26th May:
The red shows attempts to deliver mail to users who don't exist. Due to various
spammers and retired addresses there is always a certain amount of this.
However the usual background level is completely dwarfed once the NTL machine
starts sending. 6 times the usual amount of mail is rejected due to
unknown addresses.
In that period this machine has stumbled across legitimate accounts and by brute force has managed to fill my inbox with over 70 W32.Sober.G@mm virus ridden mails.
A port scan found the TCP ports safely firewalled off. Sadly, common UDP ports are wide open and it appears the machine has been backdoored and Back Orifice 2000 installed:
[x@x x]# nmap -sU -F 81.109.67.128 -T4 -P0 Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-23 10:28 BST Interesting ports on cpc1-cwma2-6-0-cust128.swan.cable.ntl.com (81.109.67.128): (The 1000 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 135/udp open msrpc 137/udp open netbios-ns 138/udp open netbios-dgm 161/udp open snmp 445/udp open microsoft-ds 520/udp open route 1434/udp open ms-sql-m 54321/udp open bo2k Nmap run completed -- 1 IP address (1 host up) scanned in 56.475 seconds
As of 12:37 Wednesday 2 June 2004 the issue has still not been resolved. Since NTL have seen fit to retire their abuse@ addresses, the only way to report the never ending torrent of emails is via a dreadful web interface.
Despite over 15 reports about this IP address, officially NTL have failed to report any progress on this issue, preferring to issue auto-responder emails which are never followed up. Personal contacts within NTL itself have done all they can to help but are powerless to take the issue further.