HINET - Taiwanese spam-friendly provider, whose customers scan for open relays and spam Usenet-harvested e-mail addresses with impunity. P.S. Hacking attempts were also logged. Firewalled from accessing any service.

hinet.net, [61.216.0.0 - 61.231.255.255], [168.95.0.0 - 168.95.255.255], [218.160.0.0 - 218.175.255.255]: Access denied at the firewall level!

=== Scanning for open relays to abuse, Sendmail logs (GMT+0300) ===

Aug 19 06:54:50 orca sendmail[13354]: g7J3sml13354: ruleset=check_rcpt, arg1=, relay=218-162-49-165.HINET-IP.hinet.net [218.162.49.165], reject=550 5.7.1 ... Relaying denied
Aug 19 06:54:50 orca sendmail[13354]: g7J3sml13354: lost input channel from 218-162-49-165.HINET-IP.hinet.net [218.162.49.165] to Daemon0 after rcpt
--
Aug 20 16:14:44 orca sendmail[24530]: g7KDEal24530: ruleset=check_rcpt, arg1=, relay=218-162-58-32.HINET-IP.hinet.net [218.162.58.32], reject=550 5.7.1 ... Relaying denied
Aug 20 16:14:45 orca sendmail[24530]: g7KDEal24530: lost input channel from 218-162-58-32.HINET-IP.hinet.net [218.162.58.32] to Daemon0 after rcpt
--
Aug 22 04:59:57 orca sendmail[3103]: g7M1xpG03103: ruleset=check_rcpt, arg1=, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141], reject=550 5.7.1 ... Relaying denied
Aug 22 04:59:58 orca sendmail[3103]: g7M1xpG03103: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141]
--
Aug 22 05:58:14 orca sendmail[3248]: g7M2wDG03248: ruleset=check_rcpt, arg1=, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141], reject=550 5.7.1 ... Relaying denied
Aug 22 05:58:15 orca sendmail[3248]: g7M2wDG03248: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141]
--
Aug 22 06:24:53 orca sendmail[3336]: g7M3OqG03336: ruleset=check_rcpt, arg1=, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141], reject=550 5.7.1 ... Relaying denied
Aug 22 06:24:54 orca sendmail[3336]: g7M3OqG03336: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141]
--
Aug 24 18:31:41 orca sendmail[19363]: g7OFVdG19363: ruleset=check_rcpt, arg1=, relay=218-162-48-86.HINET-IP.hinet.net [218.162.48.86], reject=550 5.7.1 ... Relaying denied
Aug 24 18:31:41 orca sendmail[19363]: g7OFVdG19363: lost input channel from 218-162-48-86.HINET-IP.hinet.net [218.162.48.86] to Daemon0 after rcpt

=== Spamming attempts (Usenet harvest), Sendmail logs (GMT+0300) ===

Aug 17 01:37:17 orca sendmail[22340]: g7GMbGl22340: ... User unknown
Aug 17 01:37:18 orca sendmail[22340]: g7GMbGl22340: from=<064359@2002.dolphinwave.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=61-230-103-17.HINET-IP.hinet.net [61.230.103.17]
--
Aug 21 22:42:14 orca sendmail[32051]: g7LJgCl32051: ... User unknown
Aug 21 22:42:15 orca sendmail[32051]: g7LJgCl32051: ... User unknown
Aug 21 22:42:15 orca sendmail[32051]: g7LJgCl32051: from=<034955@2002.dolphinwave.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=61-230-79-192.HINET-IP.hinet.net [61.230.79.192]
--
Aug 24 11:20:22 orca sendmail[17704]: g7O8KMG17704: ... User unknown
Aug 24 11:20:23 orca sendmail[17704]: g7O8KMG17704: ... User unknown
Aug 24 11:20:25 orca sendmail[17704]: g7O8KMG17704: from=<162818@2002.dolphinwave.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=Daemon0, relay=61-230-74-161.HINET-IP.hinet.net [61.230.74.161]

=== Other people report the same Hinet spammers abusing them, too ===

From spamtrap@cricalix.net Fri Aug 23 01:28:24 2002
Path: uni-berlin.de!fu-berlin.de!newsfeed.news2me.com!newsfeed-west.nntpserver.com!hub1.meganetnews.com!nntpserver.com!telocity-west!TELOCITY!sn-xit-03!sn-xit-01!sn-post-01!supernews.com!corp.supernews.com!not-for-mail
From: Duncan Hill
Newsgroups: news.admin.net-abuse.email
Subject: Don't you just love hinet.net?
Date: Thu, 22 Aug 2002 12:25:33 -0000
Organization: Posted via Supernews, http://www.supernews.com
Message-ID:
User-Agent: slrn/0.9.7.4 (Linux)
X-Complaints-To: newsabuse@supernews.com
Lines: 49
Xref: uni-berlin.de news.admin.net-abuse.email:1784940

Every single day I see machines in hinet's network pulling the same shit. HELO outland.org to the outland.org mail server. Oh well, what do I care, the mail never makes it past the HELO stage really. Not that service, sales, tech, info, faq, hr, sales and support would have worked anyway. And yes, this block method would have blocked abuse@ and postmaster@. I honestly wouldn't have cared - direct to MX spam from a faked HELO for my role accounts isn't welcome.

Aug 22 06:14:23 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:24 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:26 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:27 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:28 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:30 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:31 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:32 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:34 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=
Aug 22 06:14:35 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=

=== Another report from other people ===

Path: uni-berlin.de!fu-berlin.de!cox.net!newshosting.com!news-xfer1.atl.newshosting.com!uunet!dca.uu.net!ash.uu.net!prodigy.com!newsmst01.news.prodigy.com!prodigy.com!postmaster.news.prodigy.com!newssvr13.news.prodigy.com.POSTED!57786773!not-for-mail
From: Norman Miller
Newsgroups: news.admin.net-abuse.email
Subject: Someone at Hinet is very busy
Followup-To: news.admin.net-abuse.email
Keywords: TENKODAA
Organization: Sahara Specific Lumbar Co.
Reply-To: nor9245mill296@hotmail.com
Message-ID:
X-Newsreader: Forte Free Agent 1.92/32.572
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 49
NNTP-Posting-Host: 64.174.89.66
X-Complaints-To: abuse@prodigy.net
X-Trace: newssvr13.news.prodigy.com 1030508912 ST000 64.174.89.66 (Wed, 28 Aug 2002 00:28:32 EDT)
NNTP-Posting-Date: Wed, 28 Aug 2002 00:28:32 EDT
Date: Wed, 28 Aug 2002 04:28:32 GMT
Xref: uni-berlin.de news.admin.net-abuse.email:1790162

So I am a "GBF"; big deal! Router logs from SOHO routers on home systems probably aren't wholly useful. I have no packets captured.
Time to hook up the spare router and computer on the wire from the router to the ADSL modem (it's really only a bridge, yes?) and sniff the packets before the Barricade sees them; maybe... A wad of entries going back a week, anyway. Just a small sample of what I am seeing:

| Monday, August 12, 2002 20:38:05 - Unrecognized access from 218.162.54.101:1698 to TCP port 25 ( 2002/08/13 - 03:38:05 GMT )
| Monday, August 19, 2002 02:57:48 - Unrecognized access from 218.162.55.141:1806 to TCP port 25 ( 2002/08/19 - 09:57:48 GMT )
| Monday, August 19, 2002 04:23:07 - Unrecognized access from 218.162.55.193:1600 to TCP port 25 ( 2002/08/19 - 11:23:07 GMT )
| Monday, August 19, 2002 19:53:50 - Unrecognized access from 218.162.54.207:2069 to TCP port 25 ( 2002/08/20 - 02:53:50 GMT )
| Monday, August 19, 2002 23:37:41 - Unrecognized access from 218.162.55.240:1762 to TCP port 25 ( 2002/08/20 - 06:37:41 GMT )
| Tuesday, August 20, 2002 02:06:48 - Unrecognized access from 218.162.52.154:1518 to TCP port 25 ( 2002/08/20 - 09:06:48 GMT )
| Tuesday, August 20, 2002 18:50:45 - Unrecognized access from 218.162.48.147:1919 to TCP port 25 ( 2002/08/21 - 01:50:45 GMT )
| Wednesday, August 21, 2002 16:28:16 - Unrecognized access from 218.162.48.39:4993 to TCP port 25 ( 2002/08/21 - 23:28:16 GMT )
| Thursday, August 22, 2002 09:06:25 - Unrecognized access from 218.162.50.43:1477 to TCP port 25 ( 2002/08/22 - 16:06:25 GMT )
| Thursday, August 22, 2002 14:16:54 - Unrecognized access from 218.162.48.26:3280 to TCP port 25 ( 2002/08/22 - 21:16:54 GMT )
| Friday, August 23, 2002 20:14:59 - Unrecognized access from 218.162.51.91:3935 to TCP port 25 ( 2002/08/24 - 03:14:59 GMT )
| Saturday, August 24, 2002 11:44:36 - Unrecognized access from 218.162.50.246:4548 to TCP port 25 ( 2002/08/24 - 18:44:36 GMT )
| Saturday, August 24, 2002 18:37:05 - Unrecognized access from 218.162.48.132:3278 to TCP port 25 ( 2002/08/25 - 01:37:05 GMT )
| Saturday, August 24, 2002 23:59:44 - Unrecognized access from 218.162.56.118:1465 to TCP port 25 ( 2002/08/25 - 06:59:44 GMT )
| Sunday, August 25, 2002 08:56:51 - Unrecognized access from 218.162.48.107:4259 to TCP port 25 ( 2002/08/25 - 15:56:51 GMT )
| Sunday, August 25, 2002 20:59:00 - Unrecognized access from 218.162.52.204:2735 to TCP port 25 ( 2002/08/26 - 03:59:00 GMT )
| Monday, August 26, 2002 18:10:08 - Unrecognized access from 218.162.52.74:1179 to TCP port 25 ( 2002/08/27 - 01:10:08 GMT )
| Monday, August 26, 2002 22:38:53 - Unrecognized access from 218.162.54.88:4270 to TCP port 25 ( 2002/08/27 - 05:38:53 GMT )
| Tuesday, August 27, 2002 09:17:49 - Unrecognized access from 218.162.48.179:3710 to TCP port 25 ( 2002/08/27 - 16:17:49 GMT )

I am using MyNetWatchman, and there are incidents logged here:
http://www.mynetwatchman.com/LID.asp?IID=7128986
http://www.mynetwatchman.com/LID.asp?IID=7352111
http://www.mynetwatchman.com/LID.asp?IID=7371171
http://www.mynetwatchman.com/LID.asp?IID=7375595
http://www.mynetwatchman.com/LID.asp?IID=7411133

I am on a PacBell ADSL connection with dynamic IP assignment. I am guessing a fellow customer with an insecure server lived in this IP for a spell. I have no SMTP service here, and a PFW which only allows port 25 connections to the SMTP servers I am authorized to use (a few SBC/Prodigy servers, CompuServe and MyRrealBox).

Norman Miller
"At the far end of the tunnel, a mysterious town... Will Chihiro get back her name? Will she be able to return to the world of humans?" Prepare to be "Spirited Away"...
http://bventertainment.go.com/movies/spiritedaway/index.html

=== And they are still trying even after being blocked (GMT+0300) ===

Aug 25 04:36:47 orca sendmail[31343]: g7P1akG31343: ruleset=check_relay, arg1=218-162-48-132.HINET-IP.hinet.net, arg2=218.162.48.132, relay=218-162-48-132.HINET-IP.hinet.net [218.162.48.132], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 25 04:36:47 orca sendmail[31343]: NOQUEUE: 218-162-48-132.HINET-IP.hinet.net [218.162.48.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
--
Aug 25 04:38:34 orca sendmail[31346]: g7P1cXG31346: ruleset=check_relay, arg1=218-162-48-132.HINET-IP.hinet.net, arg2=218.162.48.132, relay=218-162-48-132.HINET-IP.hinet.net [218.162.48.132], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 25 04:38:35 orca sendmail[31346]: NOQUEUE: 218-162-48-132.HINET-IP.hinet.net [218.162.48.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
--
Aug 25 12:36:34 orca sendmail[314]: g7P9aTG00314: ruleset=check_relay, arg1=61-230-75-251.HINET-IP.hinet.net, arg2=61.230.75.251, relay=61-230-75-251.HINET-IP.hinet.net [61.230.75.251], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 25 12:36:34 orca sendmail[314]: NOQUEUE: 61-230-75-251.HINET-IP.hinet.net [61.230.75.251] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
--
Aug 26 06:58:24 orca sendmail[5119]: g7Q3wNL05119: ruleset=check_relay, arg1=218-162-52-204.HINET-IP.hinet.net, arg2=218.162.52.204, relay=218-162-52-204.HINET-IP.hinet.net [218.162.52.204], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 26 06:58:24 orca sendmail[5119]: NOQUEUE: 218-162-52-204.HINET-IP.hinet.net [218.162.52.204] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
--
Aug 26 07:05:26 orca sendmail[5164]: g7Q45QL05164: ruleset=check_relay, arg1=218-162-52-204.HINET-IP.hinet.net, arg2=218.162.52.204, relay=218-162-52-204.HINET-IP.hinet.net [218.162.52.204], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 26 07:05:28 orca sendmail[5164]: NOQUEUE: 218-162-52-204.HINET-IP.hinet.net [218.162.52.204] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
--
Aug 27 04:15:45 orca sendmail[15844]: g7R1FiL15844: ruleset=check_mail, arg1=<12nisan99@ms35.hinet.net>, relay=[212.117.155.34], reject=550 5.0.0 <12nisan99@ms35.hinet.net>... Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 27 04:15:45 orca sendmail[15844]: g7R1FiL15844: from=<12nisan99@ms35.hinet.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=Daemon0, relay=[212.117.155.34]
--
Aug 28 05:06:07 orca sendmail[23025]: g7S266L23025: ruleset=check_relay, arg1=218-162-54-101.HINET-IP.hinet.net, arg2=218.162.54.101, relay=218-162-54-101.HINET-IP.hinet.net [218.162.54.101], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 28 05:06:07 orca sendmail[23025]: NOQUEUE: 218-162-54-101.HINET-IP.hinet.net [218.162.54.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
--
Aug 28 05:11:12 orca sendmail[23044]: g7S2BBL23044: ruleset=check_relay, arg1=218-162-54-101.HINET-IP.hinet.net, arg2=218.162.54.101, relay=218-162-54-101.HINET-IP.hinet.net [218.162.54.101], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints - http://www.DolphinWave.org/spam/hinet.net.txt
Aug 28 05:11:13 orca sendmail[23044]: NOQUEUE: 218-162-54-101.HINET-IP.hinet.net [218.162.54.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0

=== And the spam still flows from Hinet networks ===

Return-Path:
Received: from ash.idv.tw ([218.166.25.94]) by mail.tursiops.org (8.11.6/8.11.6) with ESMTP id h0N08u400757 for <###>; Wed, 22 Jan 2003 17:09:01 -0700
Received: from 1Cust93.tnt28.dfw9.da.uu.net (mail.zapo.net [67.234.73.93]) by ash.idv.tw (ISMail v1.2.5) with SMTP; Fri, 13 Dec 2002 02:32:39 +0800
Message-ID: <00006b2a2d7a$00000ccb$0000289c@mail.zapo.net>
To:
From: "OneSource"
Subject: How do you Supercharge your Sales?
Date: Thu, 12 Dec 2002 12:40:43 -1800
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: OneSource@zapo.net
X-Priority: 3
X-MSMail-Priority: Normal
MIME-Version: 1.0
X-Mailer: AOL 4.0 for Windows 95 sub 15
Sensitivity: Confidential
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Our network delivers business critical information to millions of current viewing addresses worldwide.

Who we are: There are 500 million people online worldwide. How many of them have you contacted? For 5 years we have been helping institutions and individuals market their products, services, and business opportunities via email safely and consistently.

What makes us different: Just jamming e-mails into inboxes isn't the answer. Our advanced system tracks the interests and preferences of online users and supercharges your marketing efforts with the power to send personalized, relevant emails. With us, you can choose your target audience from a strategic perspective.

What we do: Our specialist will consult with you before we make any recommendations and then quote a campaign tailored to meet your needs and fit your budget. To review your firm's needs with an associate and to discuss our services, simply fill in the appropriate information below:

A professional consultant from our staff can contact you immediately, or according to your schedule...

* You chose to be an Administrator Notices, Newsletter or Developer Announcement recipient. We are excited to bring you exclusive access to great content and specials plus other convenient tools and services. We also respect your right to privacy. If you feel that this service is no longer of benefit to you, and you do not want to be notified along with the other subscribers on this service, simply CLICK HERE to change your preferences. Before you do, however, please remember we are providing you with services for financial success and valuable information about opportunities on an absolutely free basis.

=== Hacking attempts: connecting to a range of services simultaneously (GMT+0200) ===

Feb 26 22:52:32 orca xinetd[893]: START: ftp pid=14997 from=61.222.92.254
Feb 26 22:52:32 orca xinetd[893]: START: pop3 pid=14998 from=61.222.92.254
Feb 26 22:52:33 orca xinetd[893]: EXIT: pop3 pid=14998 duration=1(sec)
Feb 26 22:52:38 orca xinetd[893]: EXIT: ftp pid=14997 duration=6(sec)

LogWatch records:
=================
Failed FTP Logins:
    61-222-92-254.HINET-IP.hinet.net (61.222.92.254) - 1 Time(s)
<...>
61-222-92-254.HINET-IP.hinet.net: connected: IDLE[14997]: lost connection to 61-222-92-254.HINET-IP.hinet.net [61.222.92.254]
Connections:
    Service pop3:
        61.222.92.254: 1 Time(s)

=== The same hacking attempt repeated an hour later ===

Feb 27 01:02:59 orca xinetd[893]: START: ftp pid=16890 from=61.222.92.254
Feb 27 01:02:59 orca xinetd[893]: START: pop3 pid=16891 from=61.222.92.254
Feb 27 01:03:00 orca xinetd[893]: EXIT: pop3 pid=16891 duration=1(sec)
Feb 27 01:03:06 orca xinetd[893]: EXIT: ftp pid=16890 duration=7(sec)

LogWatch records:
=================
Failed FTP Logins:
    61-222-92-254.HINET-IP.hinet.net (61.222.92.254) - 1 Time(s)
<...>
61-222-92-254.HINET-IP.hinet.net: connected: IDLE[16890]: lost connection to 61-222-92-254.HINET-IP.hinet.net [61.222.92.254]
Connections:
    Service pop3:
        61.222.92.254: 1 Time(s)
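A small log-triage script, added here as an example (not the page author's tooling), that parses the log formats quoted on this page (Sendmail check_rcpt and check_relay rejections, Postfix HELO rejects, the SOHO router's port-25 notices and xinetd START lines), counts events per source address, flags sources inside the address blocks listed at the top, and lists the addresses that came back more than once. The sample lines are copied from the page except the last one, which is constructed with a TEST-NET address; the function and field names are my own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

def _nets(lo, hi):
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi)))

# The three address blocks the page lists for hinet.net, expanded into CIDR networks.
HINET_NETS = (_nets("61.216.0.0", "61.231.255.255") + _nets("168.95.0.0", "168.95.255.255")
              + _nets("218.160.0.0", "218.175.255.255"))

# One pattern per log format on the page; each captures the connecting address as "ip".
PATTERNS = [
    ("relay_probe", re.compile(r"ruleset=check_rcpt.*relay=\S+ \[(?P<ip>[\d.]+)\].*Relaying denied")),
    ("blocked_retry", re.compile(r"ruleset=check_relay.*relay=\S+ \[(?P<ip>[\d.]+)\].*Access denied")),
    ("helo_reject", re.compile(r"postfix/smtpd.*RCPT from \S+\[(?P<ip>[\d.]+)\].*Helo command rejected")),
    ("port25_probe", re.compile(r"Unrecognized access from (?P<ip>[\d.]+):\d+ to TCP port 25")),
    ("service_connect", re.compile(r"xinetd\[\d+\]: START: \w+ pid=\d+ from=(?P<ip>[\d.]+)")),
]

def parse_line(line):
    """Return (ip, kind) for a recognised line, None for lines not counted (e.g. xinetd EXIT)."""
    for kind, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip"), kind
    return None

def in_hinet(ip):
    """True if the address lies inside one of the listed blocks."""
    return any(ipaddress.ip_address(ip) in net for net in HINET_NETS)

def summarize(lines):
    """Per source address: event counts by kind, plus whether it is in the listed blocks."""
    report = defaultdict(lambda: {"hinet": False, "events": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, kind = parsed
        report[ip]["events"][kind] += 1
        report[ip]["hinet"] = in_hinet(ip)
    return dict(report)

def repeat_offenders(report, min_events=2):
    """Sources seen at least min_events times; repeated probing is what the page blocks on."""
    return sorted(ip for ip, r in report.items() if sum(r["events"].values()) >= min_events)

# Constructed sample: first seven lines copied from this page, the last made up with a TEST-NET address.
SAMPLE_LINES = [
    "Aug 22 04:59:57 orca sendmail[3103]: g7M1xpG03103: ruleset=check_rcpt, arg1=, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141], reject=550 5.7.1 ... Relaying denied",
    "Aug 22 05:58:14 orca sendmail[3248]: g7M2wDG03248: ruleset=check_rcpt, arg1=, relay=218-162-52-141.HINET-IP.hinet.net [218.162.52.141], reject=550 5.7.1 ... Relaying denied",
    "Aug 25 04:36:47 orca sendmail[31343]: g7P1akG31343: ruleset=check_relay, arg1=218-162-48-132.HINET-IP.hinet.net, arg2=218.162.48.132, relay=218-162-48-132.HINET-IP.hinet.net [218.162.48.132], reject=550 5.0.0 Access denied - Spammers-infested network and ignoring complaints",
    "Aug 22 06:14:23 tarterus postfix/smtpd[20282]: reject: RCPT from 61-230-79-192.HINET-IP.hinet.net[61.230.79.192]: 550 : Helo command rejected: You can't be serious; from=<182318 AT outland.org> to=",
    "Monday, August 12, 2002 20:38:05 - Unrecognized access from 218.162.54.101:1698 to TCP port 25 ( 2002/08/13 - 03:38:05 GMT )",
    "Feb 26 22:52:32 orca xinetd[893]: START: ftp pid=14997 from=61.222.92.254",
    "Feb 26 22:52:33 orca xinetd[893]: EXIT: pop3 pid=14998 duration=1(sec)",
    "Aug 30 10:00:00 orca sendmail[999]: g7U7000G00999: ruleset=check_rcpt, arg1=, relay=host.example.net [192.0.2.10], reject=550 5.7.1 ... Relaying denied",
]
```

Run `summarize(SAMPLE_LINES)` to get the per-address report and `repeat_offenders(...)` on it to see that only 218.162.52.141 qualifies; the constructed 192.0.2.10 entry is counted but not flagged as hinet.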