Speaking of "Underground"...
While I was doing some logspotting yesterday I discovered a couple of accesses that came from some hosts that looked like a lot of open proxies or a botnet or something. Someone was likely abusing them for scraping mail addresses off web sites. One of them rang a "Bell": I had seen the name "NorTel" in the book "Underground" (see this post). Even thouth the IP didn't have a reverse DNS entry, the "whois" showed it belonging to "Bell-Northern Research" aka "Nortel Networks". In the book, the "hacker" kids find a way into one of Nortel's telephone exchanges and later into their company network. So maybe one of the researchers set up a test server and forgot to lock it down? ...and now some "hackers" got into it?...
Looked more like "spammers" to me then. Looking at the senderbase report for the IP I noticed quite some activity there:
Report on IP address: 47.234.Χ.ΥΖ
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 3.2 23830%
Last 30 days 1.4 363%
Average 0.7
(This is for today, yesterday the increase of mail out sending was "only" 18618%.) Fired off a mail to their abuse@ address and to hostmaster@, because that's what the "whois" says. The abuse@ address bounced, because it tells me that I should use @nortel.com instead of @nortelnetworks.com -- maybe they should update their ARIN / whois contact info?
Of course I haven't heard back from hostmaster@ today either. I'll fire off a second mail today, this time to the "other" abuse@ address. Could be I should tell them that they have a "hacker" in their network, maybe that would wake them up?