[Tfug] Tracking down a miscreant

Harry McGregor micros at osef.org
Mon Jun 2 22:22:17 MST 2008


Hi All,

It's funny how things come full circle...

The box in question (as James noticed and let me know) is co-located on a 
Time Warner Telecom T1 line in Tucson (TW traces are a little strange 
lately, must be using MPLS or something).

The box was sold by John Gruenenfelder to Josh Bernstein quite a number 
of years ago (it's a 1U Sun x86 box), and it looks like a restore that 
Josh did at one point put back some of the config that pointed at John's 
domain.

The issue should be solved now...  Of course John used to be at LPL I 
think, and now Josh sells computers to LPL (Penguin Computing), and all 
involved go back about 8-10 years...  What are the chances that a post to 
the TFUG list would actually result in the owner being found.

Trace from cox.net:
traceroute 206.169.90.30
traceroute to 206.169.90.30 (206.169.90.30), 64 hops max, 40 byte packets
 1  DD-WRT (192.168.1.1)  5.507 ms  1.627 ms  1.273 ms
 2  10.240.192.1 (10.240.192.1)  7.768 ms  36.710 ms  10.302 ms
 3  68.0.128.41 (68.0.128.41)  12.403 ms  14.910 ms  8.089 ms
 4  70.169.73.37 (70.169.73.37)  17.844 ms  16.153 ms  19.201 ms
 5  paltbbrj01-ae0.0.r2.pt.cox.net (68.1.0.234)  38.495 ms  41.509 ms  38.172 ms
 6  206-169-90-30.static.twtelecom.net (206.169.90.30)  80.201 ms  84.557 ms  76.275 ms

Trace from U of A:
traceroute 206.169.90.30
traceroute to 206.169.90.30 (206.169.90.30), 30 hops max, 40 byte packets
 1  150.135.81.225 (150.135.81.225)  0.452 ms  0.194 ms  0.164 ms
 2  bullseye.telcom.Arizona.EDU (150.135.81.253)  3.292 ms  0.498 ms  0.451 ms
 3  woody.telcom.arizona.edu (150.135.250.13)  0.511 ms  0.478 ms  0.463 ms
 4  tuco.telcom.Arizona.EDU (128.196.24.167)  0.944 ms  0.954 ms  0.917 ms
 5  morgan.telcom.Arizona.EDU (192.80.43.65)  1.062 ms  0.930 ms  0.954 ms
 6  216-64-190-5.static.twtelecom.net (216.64.190.5)  1.225 ms  1.215 ms  1.198 ms
 7  206-169-90-30.static.twtelecom.net (206.169.90.30)  35.141 ms  41.535 ms  35.228 ms

Trace from Qwest.net:
traceroute 206.169.90.30
traceroute to 206.169.90.30 (206.169.90.30), 30 hops max, 38 byte packets
 1  * * *
 2  tcsn-dsl-gw04-196.tcsn.qwest.net (168.103.240.196)  34.221 ms  30.744 ms  30.871 ms
 3  tcsn-agw1.inet.qwest.net (168.103.240.125)  30.649 ms  31.688 ms  31.629 ms
 4  tcs-core-01.inet.qwest.net (205.171.212.5)  31.179 ms  31.028 ms  30.878 ms
 5  los-core-01.inet.qwest.net (67.14.22.10)  42.705 ms  44.491 ms  44.680 ms
 6  lap-brdr-01.inet.qwest.net (205.171.32.10)  44.219 ms  44.701 ms  66.094 ms
 7  sl-st20-la-15-0-0.sprintlink.net (144.232.9.17)  44.183 ms  43.929 ms  45.201 ms
 8  sl-bb21-ana-4-0.sprintlink.net (144.232.8.95)  44.633 ms  45.926 ms  44.671 ms
 9  sl-gw28-ana-1-0-0.sprintlink.net (144.232.0.120)  44.903 ms  44.928 ms  45.135 ms
10  sl-inetconn-138746-0.sprintlink.net (160.81.147.90)  45.976 ms  45.915 ms  45.162 ms
11  206-169-90-30.static.twtelecom.net (206.169.90.30)  66.906 ms  89.069 ms  87.905 ms


                                                    Harry

John Gruenenfelder wrote:
> Hello all,
>
> Okay, maybe not a miscreant.  I don't think there's any ill-will here, just
> some improperly configured software.
>
> Some time ago I posted to TFUG asking for help about some bizarre Exim MTA
> error messages I was getting each day when cron.daily was processed.  I just
> couldn't figure out what was generating them.  I get three subjects daily:
>
> Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then
>         /usr/sbin/exim_tidydb /var/spool/exim retry >/dev/null; fi
> Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then
>         /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp >/dev/null; fi
> Subject: Cron <root at foxstar> test -x /usr/sbin/anacron || run-parts --report
>         /etc/cron.daily
>
> With short message bodies.  From and To have my machine's name.  There's also
> a fourth one that cron.weekly seems to spit out.
>
> After spending some time with the friendly friends at #debian on IRC, one of
> them suggested looking at the message envelope and... what do you know?  My
> machine isn't making these!  D'oh!
>
> If I had been paying attention, I probably should have noticed that the
> timezone in the Date: header was off by three hours, too.  Anyway, the
> envelope contains this:
>
> Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
>         helo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
>         (envelope-from <root at foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
>         root at foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
> Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
>         id 1K2RC6-0002nG-00
>         for <root at foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700
>
> So, somebody has an improperly configured Exim 3.36 with the same hostname as
> my machine.  That's fine.  But, they *also* seem to have their FQDN set the
> same as mine and so these messages leave localhost and find their way to me.
>
> It's not a company, though, just somebody on Time-Warner cable.  How might I
> track this person down?  It would seem that I can't send mail to root or mail
> because it will just end up coming back to me.
>
> I've been deleting these things for many months.  My machine was exhibiting no
> problems and I was just ignoring it.  It would be nice, though, to be able to
> tell this guy to stop nosing in on my free domain.  :)
>
>
>   
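The envelope check John describes (read the Received: chain, notice that the topmost hop was accepted from a foreign address that announced our own hostname in HELO, and that the timestamps in the two hops carry different UTC offsets) can be automated so the next stray cron mail is flagged instead of deleted. The script below is an added example, not code from this thread or from Exim. The sample message is constructed: its two Received: lines are the ones quoted above with the list archive's "at" obfuscation undone, while the Date:, From:, To: and body lines and the local address set passed to analyse() are assumed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. The two Received: lines are taken from the
# thread (with "at" restored to "@"); the remaining headers and the body are
# assumed so that the message parses as a complete RFC 5322 message.
SAMPLE = """\
Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
        helo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
        (envelope-from <root@foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
        root@foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
        id 1K2RC6-0002nG-00
        for <root@foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700
From: root@foxstar.merseine.nu
To: root@foxstar.merseine.nu
Subject: Cron <root@foxstar> test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
Date: Sat, 31 May 2008 06:32:35 -0700

(body omitted in this constructed sample)
"""

# An SMTP hop as Exim writes it: "from <rdns> ([<ip>] helo=<name>) by <us> ..."
SMTP_HOP = re.compile(
    r"^from (?P<host>\S+) \(\[(?P<ip>[\d.]+)\](?: helo=(?P<helo>[^\s)]+))?\) "
    r"by (?P<by>\S+)"
)
# A local submission hop: "from <user> by <host> with local ..."
LOCAL_HOP = re.compile(r"^from (?P<user>\S+) by (?P<by>\S+) with local")
# The MTA banner inside parentheses, e.g. "(Exim 4.69)" or "(Exim 3.36 #1 (Debian))"
MTA = re.compile(r"\((Exim [\d.]+)")


def parse_received(value):
    """Flatten one folded Received: header and extract the fields we care about."""
    flat = " ".join(value.split())
    hop = {"host": None, "ip": None, "helo": None, "by": None,
           "mta": None, "utc_offset_h": None}
    m = SMTP_HOP.match(flat) or LOCAL_HOP.match(flat)
    if m:
        hop.update({k: v for k, v in m.groupdict().items() if k in hop})
    m = MTA.search(flat)
    if m:
        hop["mta"] = m.group(1)
    # In a well-formed clause the timestamp follows the last ';'.
    _, _, stamp = flat.rpartition(";")
    try:
        off = parsedate_to_datetime(stamp.strip()).utcoffset()
        if off is not None:
            hop["utc_offset_h"] = off.total_seconds() / 3600
    except (TypeError, ValueError):
        pass
    return hop


def analyse(raw, local_hostname, local_addresses):
    """Return the origin IP, HELO impersonation flag and timezone skew for one message.

    local_hostname is our FQDN; local_addresses is the set of IPs we would
    legitimately see ourselves connecting from (assumed for the example).
    """
    msg = message_from_string(raw)
    # Received: headers are prepended, so hops[0] is the one our own MTA
    # wrote and hops[-1] is the one nearest the real origin.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    ours = hops[0] if hops else {}
    short = local_hostname.split(".")[0].lower()
    helo = (ours.get("helo") or "").lower()

    findings = {
        "origin_ip": ours.get("ip"),
        "claimed_helo": ours.get("helo"),
        # A remote peer greeting us with our own name is the "same hostname"
        # misconfiguration John found; a spoofer would look the same.
        "helo_impersonation": bool(
            ours.get("ip") and ours["ip"] not in local_addresses
            and helo in {short, local_hostname.lower()}
        ),
        "our_mta": ours.get("mta"),
        "origin_mta": hops[-1]["mta"] if hops else None,
        "utc_offsets_h": [h["utc_offset_h"] for h in hops],
        "tz_skew_h": None,
    }
    offs = [o for o in findings["utc_offsets_h"] if o is not None]
    if len(offs) >= 2:
        findings["tz_skew_h"] = max(offs) - min(offs)
    return findings


if __name__ == "__main__":
    for k, v in analyse(SAMPLE, "foxstar.merseine.nu", {"127.0.0.1"}).items():
        print(f"{k:20} {v}")
```

On the sample the script reports the origin as 206.169.90.30 greeting with helo=foxstar, a three-hour skew between the -0400 and -0700 stamps, and Exim 3.36 on the originating hop against Exim 4.69 on ours, which is exactly the evidence in John's post. Note that the hostnames and MTA banners inside Received: lines are written by the sender and can be forged; only the hop your own MTA wrote (the IP in square brackets) is trustworthy.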