The case of the NTL virus email machine

Since Monday 17th May 2004 the NTL cable modem customer on has been attacking the SUCS email server, bombarding it with virus laden messages for accounts that don't exist. The sheer intensity of this attack can be seen in this graph for the 26th May:

Graph showing SUCS mail statitics for the 26th May The red shows attempts to deliver mail to users who don't exist. Due to various spammers and retired addresses there is always a certain amount of this. However the usual background level is completely dwarfed once the NTL machine starts sending. 6 times the usual amount of mail is rejected due to unknown addresses.

In that period this machine has stumbled across legitimate accounts and by brute force has managed to fill my inbox with over 70 W32.Sober.G@mm virus ridden mails.

A port scan found the TCP ports safely firewalled off. Sadly, common UDP ports are wide open and it appears the machine has been backdoored and Back Orifice 2000 installed:

[x@x x]# nmap -sU  -F -T4 -P0
Starting nmap 3.50 ( ) at 2004-05-23 10:28
Interesting ports on
(The 1000 ports scanned but not shown below are in state: closed)
135/udp   open  msrpc
137/udp   open  netbios-ns
138/udp   open  netbios-dgm
161/udp   open  snmp
445/udp   open  microsoft-ds
520/udp   open  route
1434/udp  open  ms-sql-m
54321/udp open  bo2k
Nmap run completed -- 1 IP address (1 host up) scanned in 56.475 seconds

As of 12:37 Wednesday 2 June 2004 the issue has still not been resolved. Since NTL have seen fit to retire their abuse@ addresses, the only way to report the never ending torrent of emails is via a dreadful web interface.

Despite over 15 reports about this IP address, officially NTL have failed to report any progress on this issue, preferring to issue auto-responder emails which are never followed up. Personal contacts within NTL itself have done all they can to help but are powerless to take the issue further.