From owner-freebsd-security Sun May 23 20:45:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.snfc21.pbi.net (mta2.snfc21.pbi.net [206.13.28.123])
    by hub.freebsd.org (Postfix) with ESMTP id DE40E14D74
    for ; Sun, 23 May 1999 20:45:18 -0700 (PDT)
    (envelope-from out-door@pacbell.net)
Received: from pacbell.net ([209.78.212.2])
    by mta2.snfc21.pbi.net (8.8.8/8.7.1+antispam) with ESMTP id UAA03748;
    Sun, 23 May 1999 20:40:03 -0700 (PDT)
Message-ID: <3748C9E0.FEF70C3@pacbell.net>
Date: Sun, 23 May 1999 20:39:12 -0700
From: Alex
X-Mailer: Mozilla 4.51 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Roger Marquis
Cc: security@FreeBSD.ORG, firewall-wizards@nfr.net
Subject: you should post this on ntsecurity@iss.net
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think you will find some friends there, the good kind.

Alex

Roger Marquis wrote:

> On Sat, May 22, 1999 at 06:40:20PM -0700, David Babler wrote:
> > > On Sat, May 22, 1999 at 11:05:28AM -0600, Brett Glass wrote:
> > > > This morning, someone at the domain "imagelock.com" apparently launched a
> > > > denial of service attack against a Web server I administer. The abuser was
> > > imagelock.com has been banned from my web servers ever since they
> > > initiated a DoS attack against me a few months ago. Basically, they
> > > download every accessible file on a website. The company's MO is to
> >
> > Their web client also gleefully ignores robots.txt as well, and spent 2
> > hours here chasing web poisoned pages - apparently quitting only when it
> > didn't find any images to fingerprint. So they're now blocked here at the
> > firewall too - thanks for the heads-up. Wonder how much they can sell
> > their service for when they find they don't have access to poke around?
>
> Great information! Thanks Brett. I checked our httpd logs and
> immediately found several thousand hits from this subnet, which is now
> filtered.
>
> Imagelock could be another name for Cyveillance.com. We saw an
> identical pattern 2 months ago from another IP which had/has no reverse
> DNS. The domain turned out to be Cyveillance and their ISP was (at the
> time) Digex.net who forwarded our complaint and followed up twice.
> Thank you Digex!
>
> After 3 complaints to Digex and Cyveillance we finally received this
> response from Cyveillance:
>
> > Recently Digex, our internet provider, forwarded your inquiry regarding
> > visits to your site from 207.87.178.66.
> >
> > We provide companies with brand protection services on the internet. To
> > accomplish this goal we employ search engines / web crawlers to scan the
> > internet. We are in no way involved with the creation of unsolicited
> > commercial email. Please see our web site at http://www.cyveillance.com
> > where you can learn more about our company and what we do.
> >
> > It appears we crawled your web site as part of our general web search, and
> > crawled your mailto directories as part of that search. We hope we didn't
> > cause you any inconvenience.
> >
> > If you have any questions, don't hesitate to contact me.
> >
> > Paul K. Witting
> > Manager of Information Systems
> > Cyveillance - Intelligent Internet Surveillance
> > PWitting@Cyveillance.com
> > (703) 519-4212
>
> However they never did stop scanning our subnets until we filtered
> their subnet at 207.87.178.
>
> This subnet still has no reverse DNS however `whois` shows Cyveillance
> is now a customer of imaphost.com and namesecure.com. "imaphost.com"
> is already in our IP filter list (all 27 lines of it) for previous HTTP
> abuses however namesecure.com is not.
>
> Call me paranoid but it sure looks like another Cyveillance attempt to
> cover their tracks.
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
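
Added example, not part of the original thread or any poster's code: one way to run the httpd log check the quoted messages describe, grouping hits by /24 and flagging subnets that request paths robots.txt disallows. The function names, the log lines, the robots.txt and the addresses (RFC 5737 documentation ranges) are all constructed for illustration, and Common Log Format is assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Common Log Format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" \d{3} \S+')

def disallowed_prefixes(robots_txt):
    """Disallow prefixes that apply to every crawler (the 'User-agent: *' group)."""
    prefixes, applies, in_agents = [], False, False
    for raw in robots_txt.splitlines():
        field, sep, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep:
            continue
        if field == "user-agent":
            # consecutive User-agent lines share one group of rules
            applies = (applies and in_agents) or value == "*"
        in_agents = field == "user-agent"
        if field == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes

def flag_subnets(log_lines, robots_txt, min_hits=5):
    """Group requests by /24; return subnets that fetched disallowed paths."""
    banned = disallowed_prefixes(robots_txt)
    stats = defaultdict(lambda: {"hits": 0, "violations": 0, "paths": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            net = str(ipaddress.IPv4Network(m.group(1) + "/24", strict=False))
        except ValueError:  # hostname or IPv6 client: not handled in this example
            continue
        s = stats[net]
        s["hits"] += 1
        s["paths"].add(m.group(2))
        s["violations"] += any(m.group(2).startswith(p) for p in banned)
    return {n: s for n, s in stats.items() if s["hits"] >= min_hits and s["violations"]}

# Constructed sample input: one crawler subnet ignoring robots.txt, one polite client.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /cgi-bin/\nDisallow: /private/\n"
PATHS = ["/", "/img/a.gif", "/private/b.gif", "/cgi-bin/env", "/img/c.gif", "/private/d.html"]
SAMPLE_LOG = [f'192.0.2.{10 + i % 3} - - [22/May/1999:11:00:{i:02d} -0600] "GET {p} HTTP/1.0" 200 512'
              for i, p in enumerate(PATHS)]
SAMPLE_LOG += [f'198.51.100.7 - - [22/May/1999:11:01:00 -0600] "GET {p} HTTP/1.0" 200 512'
               for p in ["/robots.txt", "/", "/img/a.gif", "/img/c.gif", "/about.html"]]

if __name__ == "__main__":
    print(flag_subnets(SAMPLE_LOG, SAMPLE_ROBOTS))
```

Grouping by /24 catches a crawler that spreads requests across several addresses in one range, which per-IP counts would miss.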