uk.sci.weather (UK Weather) (uk.sci.weather) For the discussion of daily weather events, chiefly affecting the UK and adjacent parts of Europe, both past and predicted. The discussion is open to all, but contributions on a practical scientific level are encouraged.

#31
February 21st 05, 07:24 PM, posted to uk.sci.weather
OT Bombing attack

As I understand it, on Mon, 21 Feb 2005 19:08:10 +0000, cupra reported
this:

> Geoff F. wrote:
>> As I understand it, on Mon, 21 Feb 2005 18:53:07 +0000, cupra reported
>> this:
>>
>>> Geoff F. wrote:
>>>> As I understand it, on Mon, 21 Feb 2005 17:31:20 +0000, cupra
>>>> reported this:
>>>>
>>>>> Although some may see this as responding to the attacker and hence
>>>>> making it worse, I've had a look and some other uk groups have
>>>>> experienced attacks recently and thought I'd post my observations:
>>>>>
>>>>> - They seem to start soon after 9am and end around 5pm.
>>>>>
>>>>> - The attacker will be monitoring posts and modifies his/her bot to
>>>>> get around message rules (keywords/message length/size etc)
>>>>>
>>>>> - The from field seems to repeat so it may be possible to block
>>>>> senders successfully to reduce the volume (although he/she may add
>>>>> more)
>>>>>
>>>>> - news.individual.net seems to quickly block messages on their server
>>>>> so disruption is kept to a minimum
>>>>>
>>>>> - the attack seems to last for 2/3 days, so expect more disruption
>>>>>
>>>>> By the looks of it if this ng 'toughs it out' the attack will end.
>>>>>
>>>>> p.s. Does anyone know of a good filter add-on for OE users?
>>>>
>>>> FYI:
>>>> these are Hipcrime bots flooding the newsgroup.
>>>> http://c2.com/cgi/wiki?HipcrimeFloods
>>>>
>>>> It's possible the headers are forgeries.
>>>> http://www.geocities.com/hcfaq/
>>>>
>>>> Who is Hipcrime?
>>>> http://www.killfile.org/dungeon/why/hipcrime.html
>>>>
>>>> HTH.
>>>
>>> If the flood originates in the EU, is there anything the authorities
>>> can do?
>>
>> It's hard to say *where* they are originating from, & what authorities
>> are you referring to?
>
> UK Police.... (*Computer Misuse Act) - not sure how it covers spam, but
> this seems more of a DOS attack (in that it's making the ng unusable for
> some)

"Hipcrime" abuse has been going on since 1996, & there have been numerous
discussions in newsgroups about it.
http://groups.google.co.uk/groups?q=...l&start=0&sa=N

As I said before, it's unlikely this originated in the EU, let alone the
UK. Ergo UK police forces wouldn't be interested IMHO. It should be up to
Newsgroups providers to filter it, IMO.
OTOH, as you're using Windows you can use Nfilter, though I don't know how
it works, or what it will kill on.

If anyone reading this is using Linux, I'm using Leafnode, which can kill on
virtually any header, including *any* part of the Path: header. Because
he's injecting (perhaps a bot telnetting) into the path, you'll note an IP
& "MISMATCH!" following. ATM I'm killing on the ^Path:.*MISMATCH! part.
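
The header kill rule from the post above, together with cupra's observation that the From field repeats, as an added example that is not part of the original thread and is not Leafnode's own code or configuration. The article text, host names, addresses and function names are constructed for illustration; only the pattern `^Path:.*MISMATCH!` comes from the post.

```python
import re
from collections import Counter

# The kill rule quoted in the post, applied to one unfolded header line.
KILL_RULES = [re.compile(r"^Path:.*MISMATCH!")]

def unfold_headers(article):
    """Return the header lines of an article, with folded lines rejoined."""
    head = article.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()  # continuation line
        elif line:
            headers.append(line.rstrip())
    return headers

def kill_reason(article):
    """Return the pattern that matched a header, or None to keep the article."""
    for header in unfold_headers(article):
        for rule in KILL_RULES:
            if rule.search(header):
                return rule.pattern
    return None

def sender(article):
    """Return the value of the From: header, or an empty string."""
    for header in unfold_headers(article):
        if header.lower().startswith("from:"):
            return header[5:].strip()
    return ""

def repeated_senders(articles, minimum=2):
    """List From: values seen at least `minimum` times (candidates to block)."""
    counts = Counter(sender(a) for a in articles)
    return sorted(s for s, n in counts.items() if s and n >= minimum)

def triage(articles):
    """Split articles into (killed, kept) using KILL_RULES."""
    killed = [a for a in articles if kill_reason(a)]
    kept = [a for a in articles if not kill_reason(a)]
    return killed, kept

def _article(headers, body):
    return "\n".join(headers) + "\n\n" + body + "\n"

# Constructed sample articles (hosts, addresses and senders are made up).
CLEAN_PATH = "Path: news.example.invalid!feed.example.invalid!not-for-mail"
SAMPLE = [
    _article(["Path: news.example.invalid!192.0.2.10!MISMATCH!feed.example.invalid",
              "From: flood1@example.invalid", "Subject: aaaa"], "noise"),
    # Folded Path: a per-line match without unfolding would miss this one.
    _article(["Path: news.example.invalid!", "\t192.0.2.11!MISMATCH!feed.example.invalid",
              "From: flood1@example.invalid", "Subject: bbbb"], "noise"),
    # The string appears only in the body, which is never scanned.
    _article([CLEAN_PATH, "From: reader@example.invalid", "Subject: Re: filters"],
             "Path: quoted!MISMATCH!in-the-body"),
    # The string appears in Subject:, not Path:, so the anchored rule ignores it.
    _article([CLEAN_PATH, "From: other@example.invalid",
              "Subject: what does MISMATCH! mean?"], "question"),
]

if __name__ == "__main__":
    killed, kept = triage(SAMPLE)
    print("killed:", len(killed), "kept:", len(kept))
    print("repeated senders among killed:", repeated_senders(killed))
```

Because the From header can be forged, as the thread notes, the repeated-sender list is only a secondary signal next to the Path rule.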


#34
February 21st 05, 07:28 PM, posted to uk.sci.weather
OT Bombing attack

Geoff F. wrote:
> As I understand it, on Mon, 21 Feb 2005 19:08:10 +0000, cupra
> reported this:
>
>> Geoff F. wrote:
>>> As I understand it, on Mon, 21 Feb 2005 18:53:07 +0000, cupra
>>> reported this:
>>>
>>>> Geoff F. wrote:
>>>>> As I understand it, on Mon, 21 Feb 2005 17:31:20 +0000, cupra
>>>>> reported this:
>>>>>
>>>>>> Although some may see this as responding to the attacker and
>>>>>> hence making it worse, I've had a look and some other uk groups
>>>>>> have experienced attacks recently and thought I'd post my
>>>>>> observations:
>>>>>>
>>>>>> - They seem to start soon after 9am and end around 5pm.
>>>>>>
>>>>>> - The attacker will be monitoring posts and modifies his/her bot
>>>>>> to get around message rules (keywords/message length/size etc)
>>>>>>
>>>>>> - The from field seems to repeat so it may be possible to block
>>>>>> senders successfully to reduce the volume (although he/she may
>>>>>> add more)
>>>>>>
>>>>>> - news.individual.net seems to quickly block messages on their
>>>>>> server so disruption is kept to a minimum
>>>>>>
>>>>>> - the attack seems to last for 2/3 days, so expect more
>>>>>> disruption
>>>>>>
>>>>>> By the looks of it if this ng 'toughs it out' the attack will
>>>>>> end.
>>>>>>
>>>>>> p.s. Does anyone know of a good filter add-on for OE users?
>>>>>
>>>>> FYI:
>>>>> these are Hipcrime bots flooding the newsgroup.
>>>>> http://c2.com/cgi/wiki?HipcrimeFloods
>>>>>
>>>>> It's possible the headers are forgeries.
>>>>> http://www.geocities.com/hcfaq/
>>>>>
>>>>> Who is Hipcrime?
>>>>> http://www.killfile.org/dungeon/why/hipcrime.html
>>>>>
>>>>> HTH.
>>>>
>>>> If the flood originates in the EU, is there anything the
>>>> authorities can do?
>>>
>>> It's hard to say *where* they are originating from, & what
>>> authorities are you referring to?
>>
>> UK Police.... (*Computer Misuse Act) - not sure how it covers
>> spam, but this seems more of a DOS attack (in that it's making the
>> ng unusable for some)
>
> "Hipcrime" abuse has been going on since 1996, & there have been
> numerous discussions in newsgroups about it.
>
> http://groups.google.co.uk/groups?q=...l&start=0&sa=N
>
> As I said before, it's unlikely this originated in the EU, let alone
> the UK. Ergo UK police forces wouldn't be interested IMHO.

Maybe so - I'm merely interested in the response should it be proved that it
originated in the UK.

> It should be up to Newsgroups providers to filter it, IMO.
> OTOH, as you're using Windows you can use Nfilter, though I don't
> know how it works, or what it will kill on.

NIN seems to be doing it quite well - I'm certainly leaning toward paying
them when the free service expires!

> If anyone reading this is using Linux, I'm using Leafnode, which can
> kill on virtually any header, including *any* part of the Path:
> header. Because he's injecting (perhaps a bot telnetting) into the
> path, you'll note an IP & "MISMATCH!" following. ATM I'm killing on
> the ^Path:.*MISMATCH! part.

Can't use Linux for work reasons unfortunately!


#38
February 21st 05, 08:06 PM, posted to uk.sci.weather
OT Bombing attack

cupra wrote:

>> Perhaps the server to which he posted (wherever that was) might know
>> the real IP of the sender, but that assumes the operators of said
>> server cared, keep a log of connections, is in a place covered by
>> misuse laws, etc. etc.
>
> Again, I'm no expert but wouldn't ISPs have to keep logs in the UK?
> (granted, the spammer could be anywhere in the world).

His ISP might well have ... but it is the news server he posted to that
would need to have done so.

--
Gianna Stefani

www.buchan-meteo.org.uk



