Subject: Re: US DOJ victim letter
From: Andrew D. Dibble (adib@quantcast.com)
Date: Jan 19, 2012 1:15:05 pm
List: edu.merit.nanog

Operation Ghost Click - someone in your AS has malware which changes their DNS
server to an evil IP. ICANN (IIRC) replaced these servers with clean ones
around November 2011 and now it seems like the FBI is trying to contact everyone
who is still talking to that server.

FBI seems to have a list of netblocks hosting rogue DNS servers here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So if one of the computers inside your network is talking to one of those IPs
for DNS, you probably have malware.

Drew

On Jan 19, 2012, at 1:03 PM, Tim Jackson wrote:

The 3rd email they sent:

This email is intended to provide clarification on a previous email sent to you. You will be receiving a letter by U.S. Postal Service in the coming days. In the meantime, please visit the link below which provides more details on the investigation and identifying you as a possible victim:

www.fbi.gov/news/stories/2011/november/malware_110911
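
An added example, not part of the original message or of any FBI tooling: one way to run the check described above, flagging internal hosts whose DNS traffic goes to a rogue netblock. The netblocks are RFC 5737 placeholders (the FBI's list is not reproduced on this page); the flow-record format and the internal range are assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder netblocks (RFC 5737 documentation ranges), NOT the FBI's list.
# Replace with the rogue DNS netblocks published on the FBI page.
ROGUE_DNS_NETBLOCKS = [ipaddress.ip_network(n)
                       for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: timestamp src dst proto dst_port
SAMPLE_FLOWS = """\
2012-01-19T13:00:01 10.1.4.22 192.0.2.53 udp 53
2012-01-19T13:00:02 10.1.4.23 10.0.0.53 udp 53
2012-01-19T13:00:05 10.1.4.22 192.0.2.53 udp 53
2012-01-19T13:00:07 10.1.9.80 198.51.100.10 tcp 53
2012-01-19T13:00:09 10.1.9.81 198.51.100.200 udp 53
2012-01-19T13:00:11 10.1.4.30 192.0.2.53 tcp 443
malformed line
"""

def in_any(addr, nets):
    return any(addr in n for n in nets)

def find_suspect_hosts(flow_text):
    """Return {internal_src: {rogue_dst: count}} for DNS flows to rogue netblocks."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of aborting the scan
        _, src, dst, proto, dport = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        # DNS runs over both UDP and TCP port 53; ignore everything else.
        if proto not in ("udp", "tcp") or dport != "53":
            continue
        if in_any(src_ip, INTERNAL_NETS) and in_any(dst_ip, ROGUE_DNS_NETBLOCKS):
            hits[src][dst] += 1
    return {s: dict(d) for s, d in hits.items()}

if __name__ == "__main__":
    for host, dsts in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, dsts)
```

Hosts it reports are candidates for malware cleanup; a host that uses the internal resolver, or reaches a flagged address on a non-DNS port, is not listed.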