Speaking of "Underground"...

While I was doing some logspotting yesterday I discovered a couple of accesses that came from some hosts that looked like a lot of open proxies or a botnet or something. Someone was likely abusing them for scraping mail addresses off web sites. One of them rang a "Bell": I had seen the name "NorTel" in the book "Underground" (see this post). Even thouth the IP didn't have a reverse DNS entry, the "whois" showed it belonging to "Bell-Northern Research" aka "Nortel Networks". In the book, the "hacker" kids find a way into one of Nortel's telephone exchanges and later into their company network. So maybe one of the researchers set up a test server and forgot to lock it down? ...and now some "hackers" got into it?...

Looked more like "spammers" to me then. Looking at the senderbase report for the IP I noticed quite some activity there:

   Report on IP address: 47.234.Χ.ΥΖ
   Volume Statistics for this IP
                Magnitude Vol Change vs. Average
   Last day     3.2       23830%
   Last 30 days 1.4       363%
   Average      0.7

(This is for today, yesterday the increase of mail out sending was "only" 18618%.) Fired off a mail to their abuse@ address and to hostmaster@, because that's what the "whois" says. The abuse@ address bounced, because it tells me that I should use @nortel.com instead of @nortelnetworks.com -- maybe they should update their ARIN / whois contact info?

Of course I haven't heard back from hostmaster@ today either. I'll fire off a second mail today, this time to the "other" abuse@ address. Could be I should tell them that they have a "hacker" in their network, maybe that would wake them up?