Is it possible to get an e-mail addy for a PN user from IP?

N/A

Is there any way of getting an e-mail contact from a public IP for PN users whose PCs are port scanning my network? I know PN don't have the resources available to deal with every incident, but I figure these infected PCs must be hitting hundreds/thousands of PN customers' computers and I'd like to at least send them an e-mail saying 'hey, did you know your PC is infected?' as I figure they have no idea they're infected in the first place.

At least then *something* would be done to help keep on top of this problem instead of the belief that we have enough bandwidth so don't worry about it....

SteveC
8 REPLIES
N/A

Hi there,

Using a reverse DNS lookup such as this

http://remote.12dt.com/rns/

should identify the user name.

However, you may find that of limited worth, as many of these people won't or don't pick up email from the default email address.

Regards

Mark
Proclus
Grafter
Posts: 47
Registered: 31-07-2007

Are you talking about the fact that there seem to be "attacks" at your firewall from plus.net members' IPs? I don't know why, but I get "attacks" from various different plus.net IPs listed in my firewall log. I don't know why they are there, and I'm not 100% but I'm sure that there is nothing sinister to it, although I could be wrong. :twisted:

If someone could explain why you get these "attacks" on your firewall from plusnet customers all the time, that would be brilliant.

I don't know about your firewall, but mine displays the host name as well, although if not, use reverse DNS like pcsni says. Then you will have the hostname, i.e. anything.plus.com, then just send off an email to postmaster@anything.plus.com and that will go to their default email account.

There are some excellent DNS tools at http://dnsstuff.com. There are a lot on the main page, but there are extras in the testbed and expert links at the bottom of the page.
N/A

Matrox,
Not attacks, but port scans looking for known vulnerabilities. Typically 135-137 (NetBIOS - Open shares), a couple of 524 (who the hell would scan for NCP - Novell traffic??), 1433 (MS SQL servers) and lots on 1026/1027.

I figure these are infected PCs and the users don't even know what's going on, so I just wanted to see if I could do some good and let these people know their PC has been infected.

SteveC
shermans
Rising Star
Posts: 1,052
Thanks: 27
Fixes: 1
Registered: 07-09-2007

How can you tell if you are infected? I run AV scans and spyware checks regularly, but is there any other way of knowing?
N/A

Not really.
You could block those destination ports on your firewall in the LAN - WAN rules and log them, so you could then see if any of your machines were trying to access these ports.
I actually have a default block-everything rule for both inbound and outbound, and only allow the ports for services I know about through (ftp, http(s), smtp etc). This way I control exactly what's coming and going through my router. This is one big difference between the Draytek/ZyXEL routers as compared to NetGear, D-Link, Linksys etc, which typically don't come with a proper firewall implementation and simply allow all outbound traffic and block only externally initiated inbound traffic, which only solves 1/2 the problem (as with WinXP's firewall). At least if any of my PCs do get infected they can't spread through the net, as it's all blocked off.

SteveC
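
Added example, not part of the original thread: a sketch of the check described in the post above, reading a firewall log for LAN machines whose blocked outbound connections fan out across many destinations on the ports named in this thread. The log format, the LAN range `192.168.1.0/24`, the function name and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

WATCHED_PORTS = {135, 136, 137, 139, 445, 1026, 1027, 1433}  # ports named in this thread
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Hypothetical log format (an assumption; adapt the regex to your router's output):
# <date> <time> <action> <direction> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(r"^\S+ \S+ (BLOCK|ALLOW) (IN|OUT) (?:TCP|UDP) "
                     r"([\d.]+):\d+ -> ([\d.]+):(\d+)$")

# Constructed sample log; external addresses come from documentation ranges.
SAMPLE_LOG = """\
2005-01-09 10:02:11 BLOCK OUT TCP 192.168.1.23:1045 -> 203.0.113.10:445
2005-01-09 10:02:11 BLOCK OUT TCP 192.168.1.23:1046 -> 203.0.113.11:445
2005-01-09 10:02:12 BLOCK OUT TCP 192.168.1.23:1047 -> 203.0.113.12:445
2005-01-09 10:02:12 BLOCK OUT UDP 192.168.1.23:1048 -> 203.0.113.13:137
2005-01-09 10:05:40 BLOCK OUT TCP 192.168.1.40:2301 -> 198.51.100.7:1433
2005-01-09 10:06:02 ALLOW OUT TCP 192.168.1.40:2302 -> 198.51.100.8:80
2005-01-09 10:07:15 BLOCK IN TCP 198.51.100.9:4410 -> 192.168.1.1:445
"""


def suspect_lan_hosts(log_text, min_targets=3):
    """Map each LAN host to its blocked outbound fan-out on watched ports.

    A host is reported only when it tried at least min_targets distinct
    destinations, the pattern a scanning worm produces.
    """
    targets, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format
        action, direction, src, dst, dport = m.groups()
        if action != "BLOCK" or direction != "OUT" or int(dport) not in WATCHED_PORTS:
            continue
        try:
            if ipaddress.ip_address(src) not in LAN:
                continue
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        targets[src].add(dst)
        ports[src].add(int(dport))
    return {h: {"targets": len(d), "ports": sorted(ports[h])}
            for h, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print(suspect_lan_hosts(SAMPLE_LOG))
```

A single blocked connection, like the one from 192.168.1.40 in the sample, stays below the default threshold; lowering `min_targets` trades fewer misses for more noise.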
Proclus
Grafter
Posts: 47
Registered: 31-07-2007

I sent a support ticket to plus.net a long time ago with details of some of the scans I was getting. Here is what I said and what they said in reply.

I've altered only the IPs and host addresses; when I sent it to plus.net I included the full IPs and host names.

Quote

2004-10-10
13:50:29

Could you tell me why I get so many requests from other people on plus net to access port 445 on my computer?

Eg:
80.229.x.x XXX.plus.com
80.229.x.x XXX.plus.com
80.229.x.x XXX.plus.com
80.229.x.x XXX.plus.com
80.229.x.x XXX.plus.com
80.229.x.x XXX.plus.com
80.229.x.x XXX.plus.com

All, plus others, between 1.15pm and 1.30pm on 10.10.04

Why is this happening? Here's an extract from my firewall:

A computer at peterpump.plus.com has attempted to access one of your system ports (TCP port 445). If you want to allow this traffic, you should either Trust the IP address or open the port in the System Services Tool.

TCP port 445 is commonly used by the "Microsoft-DS" service or program. This port is used by Windows 2000 and XP to access File sharing services. The firewall has blocked a potential attempt to access this port.

Please can you explain? As far as I can see there is no such reason for this to happen.

-----------------------------------------REPLY-------------------------------------------------------

2004-10-10
14:13:52
link:CSA Removed
Customer Support Centre Actioned : Dear Customer,

This is because the users you specified above will be infected with a virus of some sort. This virus is trying to send itself out to other users on similar IP addresses.
As your firewall is blocking these then I can say you will be safe. If you wish us to investigate further then simply email copies of the firewall logs to "abuse@plus.net".

Regards,
link:CSA Removed


stephen1ntheuk,
Why don't you take it up with plus.net? Send them your firewall records and see what they can do. I suddenly remembered that I had asked in the past about these issues, so I thought I'd post what was said.

Post back and let me know what happened. :wink:

[Moderator's note (by Chris P.): Customer Support Agent's name removed - please do not post these details without permission, as per the Forum Guidelines]
N/A

There is an e-mail address for these sorts of issues, abuse@plus.net

It's best to inform Plus Net using this e-mail address rather than raising a ticket.

You can e-mail these people by using postmaster@username.plus.com

but in reality it generally makes little difference.

Most of these people aren't aware that their machines are infected, and they often don't check their e-mails and thus their machines stay infected.

Unless you're getting 100s of attacks a min, then it's best just to accept these hits as internet noise and not worry about them.

Aaron
N/A

This is driving me insane.

I have just gone back on the logs on my firewall and I can only list the last 1000 attacks.

I have had approx 800 hits from other plusnet users on ports 445, 137, 6129, 1433, 139, since yesterday (8\1\2005).

Also, I just got one from port 9108 from host msnntm1b.level3.net, anyone know what this is?

This is crazy, I never got any more than maybe 5 logs a day with my previous ISP, I come to plusnet and my logs are out of control.

The point is, apart from the annoyance, do I have anything to worry about?

thanks in advance