Mailing List SIMS@mail.stalker.com Message #10334
From: Bill Cole <listbill@scconsult.com>
Subject: Re: hijacked domain, suggestions?
Date: Tue, 26 Feb 2002 14:35:48 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 9:51 AM -0700 2/26/02, Lane Roathe imposed structure on a stream of electrons, yielding:
Hello all,

For many years my domain, IFD.COM, has been hijacked by Swiss Bank (now
known as ubswarburg). Beyond the few emails containing confidential
financial information and some interesting love letters the traffic was
fairly small, and since Swiss Bank refused to even talk to me about it I
basically put up with it, and once I started using SIMS I no longer got
the email into my inbox so it was pretty much invisible.

Until a few weeks ago when my Centris 610 (which ran DNS and email for
me) started crashing often. This weekend it crashed and wouldn't start
back up, kept crashing as soon as a network connection was established. I
finally started up w/o networking and noticed that the SIMS logs were
several MB each (I am used to 22K sized logs, and I log very little
normally). Examination of the logs revealed that I was getting 100 to 200
emails per minute from Swiss Bank! So, I took down my development machine
(an 8500 w/a 400Mhz G3 and SCSI RAID array) and made it my email server.
Complete overkill, but it's handling the load now.

My question is how do I get Swiss Bank to stop using my domain? Here are
the relevant details:

1. Internic and Dotster both say there is nothing they can do because
Swiss Bank has not actually "stolen" the domain, it's still registered to me.

2. Swiss Bank seems to be using my domain internally, and for years only
a few emails leaked out. Now, it seems they are using it for mailing
lists, including UCE with invalid return addresses (within usbwarburg.com).

3. Here are some log entries, there are thousands in my logs:

- normal logging -
06:16:10 1 SMTP-564(gate.chi.ubswarburg.com) SPAM? Recipient '<SH-OCADM-Team@ifd.com>' rejected: user unknown
02:03:13 1 SMTP-225(gate.ldn.swissbank.com) SPAM? Recipient '<SH-GGL-BATCH-DEVELOPMENT@ifd.com>' rejected: user unknown
[snip]

All the sending machines seem to be Swiss Bank/UBS Warburg machines. That's good. You should be able to do a few DNS lookups and a bit of ARIN/RIPE whois work to find all their network space. This is the sort of thing firewalls are made for, and you SHOULD block the traffic. The less involvement you have in their idiotic misconfiguration and resulting mail fiasco, the better. Note that all of this internal mail aimed at ifd.com addresses is definitely bouncing somewhere, even if they eventually route it all to /dev/null.


NOTE: the "blacklist" seems to be a SIMS thing, I do not have a blacklist
setup (ie, not using ORBS, etc.)

Yes. SIMS temporarily bans any host which attempts to send to too many bogus addresses. It's a great protection against 'dictionary attack' harvesting and spamming.


All emails to support/abuse/postmaster/webmaster @ ubsw/swissbank/
ubswarburg have been ignored, or at least not a single response. Any help
appreciated, I'd like to get my bandwidth back!

Go postal. Hire a lawyer to send their legal department a real physical 'cease and desist' letter outlining what this is doing to your system and explaining what you've tried to do online to get them to stop.

You might also be able to get law enforcement interested in this. This company is effectively mounting a denial-of-service attack on you across the Internet, and that is a felony in the US. The fact that they are a big banking company whose ultimate parent is in .ch makes no difference: they are attacking your machine in Colorado, USA and so they are committing a felony in Colorado, USA. Besides which, they have US operations (big ones) so they are quite accessible. It looks like 'gate.chi.ubswarburg.com' is actually in Chicago.

Another option: talk to their upstream provider(s) about this. It looks like Cable & Wireless (sadly, better known as Clueless & Witless in net-abuse circles) for the Chicago machine, and PSI-UK (try abuse@uk.psi.com) for the London one.

And of course, Dale's suggestion about going public is a fine idea. Even if you can't get "real" media interested, Slashdot is always there and a surprising number of people in "real" media use it as a place to sniff out good 'net' stories.

--
Bill Cole
bill@scconsult.com
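An added example, not part of the thread above and not SIMS's own code: Bill's reply says SIMS temporarily bans a host that sends to too many bogus addresses, and that the sending hosts should be gathered up for whois/firewall work. The script below applies that idea to the SIMS log format shown in Lane's message: it parses "rejected: user unknown" lines, flags any host that exceeds a threshold of unknown-recipient rejections inside a time window, groups the offending hosts by parent domain (so each organisation's machines can be fed to ARIN/RIPE whois as a group), and reports the busiest minute. The threshold (3), window (10 minutes) and sample log lines are all constructed for illustration; SIMS's real ban parameters are not stated on the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the SIMS format quoted in the post (not real data).
# The first two lines reproduce the post's own entries; the rest are invented.
SAMPLE_LOG = """\
06:16:10 1 SMTP-564(gate.chi.ubswarburg.com) SPAM? Recipient '<SH-OCADM-Team@ifd.com>' rejected: user unknown
06:16:11 1 SMTP-565(gate.chi.ubswarburg.com) SPAM? Recipient '<SH-GGL-BATCH-DEVELOPMENT@ifd.com>' rejected: user unknown
06:16:12 1 SMTP-566(gate.chi.ubswarburg.com) SPAM? Recipient '<nobody-here@ifd.com>' rejected: user unknown
06:16:15 1 SMTP-567(gate.chi.ubswarburg.com) SPAM? Recipient '<still-unknown@ifd.com>' rejected: user unknown
06:20:00 1 SMTP-570(mail.example.net) SPAM? Recipient '<typo@ifd.com>' rejected: user unknown
06:30:00 1 SMTP-571(mail.example.net) SPAM? Recipient '<typo2@ifd.com>' rejected: user unknown
07:00:00 1 SMTP-580(gate.ldn.swissbank.com) SPAM? Recipient '<SH-X@ifd.com>' rejected: user unknown
"""

# Matches only the "user unknown" rejection lines; other SIMS log lines are ignored.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+ SMTP-\d+\((?P<host>[^)]+)\) "
    r"SPAM\? Recipient '<(?P<rcpt>[^>]+)>' rejected: user unknown$"
)


def parse(log_text):
    """Yield (timestamp, sending_host, recipient) for each rejection line.

    Assumption: the log covers a single day, since the quoted lines carry a
    time of day but no date.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["time"], "%H:%M:%S"), m["host"], m["rcpt"]


def find_abusers(log_text, threshold=3, window=timedelta(minutes=10)):
    """Hosts that hit `threshold` unknown-recipient rejections within `window`.

    Sliding window per host; returns {host: peak count seen inside the window}.
    A host with a couple of typo'd addresses an hour apart never trips it.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, host, _ in parse(log_text):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


def hosts_by_domain(log_text):
    """Group rejecting hosts under their parent domain: {domain: {host: count}}.

    Uses the last two labels as the domain, which is right for .com/.net names
    like the ones in the post but not for ccTLD forms such as example.co.uk.
    """
    groups = defaultdict(lambda: defaultdict(int))
    for _, host, _ in parse(log_text):
        domain = ".".join(host.split(".")[-2:])
        groups[domain][host] += 1
    return {d: dict(h) for d, h in groups.items()}


def peak_per_minute(log_text):
    """Return (HH:MM, count) for the minute with the most rejections."""
    per_minute = defaultdict(int)
    for ts, _, _ in parse(log_text):
        per_minute[ts.strftime("%H:%M")] += 1
    if not per_minute:
        return None
    return max(per_minute.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    print("flagged:", find_abusers(SAMPLE_LOG))
    print("by domain:", hosts_by_domain(SAMPLE_LOG))
    print("peak minute:", peak_per_minute(SAMPLE_LOG))
```

The per-domain grouping is the list you would take to whois to find the organisation's netblocks; the sliding-window count is the same shape of heuristic the post credits SIMS with, and it is what keeps a legitimate correspondent's occasional typo from being treated like a dictionary attack.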
