Unallocated doesn't mean non-routed. All a spammer needs is a willing/non-filtering provider doing BGP with them, and they can announce any space they like, send out some spam, and then pull the announcement. Next morning, when you see the spam and try to figure out who to send complaints to, you're either going to complain to the wrong people or find that whois is of no help.

On Tue, 27 Oct 2009, Church, Charles wrote:

This is puzzling me.  If it's from non-announced space, at some point some 
router should report no route to it.  How is the TCP handshake performed to 
allow a sync to turn into spam?


Chuck Church
Network Planning Engineer, CCIE #8776
Harris Information Technology Services
DOD Programs
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
Sent using BlackBerry

----- Original Message -----
From: Jon Lewis <jle...@lewis.org>
To: Leslie <les...@craigslist.org>
Cc: NANOG <nanog@nanog.org>
Sent: Tue Oct 27 21:08:12 2009
Subject: Re: dealing with bogon spam ?

On Tue, 27 Oct 2009, Leslie wrote:

I failed to mention we're seeing this from an unallocated /20 whose parent /8
is allocated to ARIN (and is partially in use)

What /20 would that be?  If you're sure it's unallocated, and see nothing
but spam from it, block it at your border.

 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
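
The border-block criterion from the quoted message (the prefix is verified unallocated and nothing but spam is seen from it), sketched as an added example that is not part of the thread. The log format, the prefix list (RFC 5737 documentation ranges standing in for registry data) and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for prefixes the operator has verified as unallocated.
UNALLOCATED = [ipaddress.ip_network(p)
               for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed mail-log sample, one "<source IP> <verdict>" pair per line.
SAMPLE_LOG = """\
198.51.100.14 spam
198.51.100.77 spam
203.0.113.5 spam
203.0.113.9 ham
192.0.2.33 spam
not-an-ip spam
"""

def unallocated_parent(ip, prefixes=UNALLOCATED):
    """Return the verified-unallocated prefix containing ip, or None."""
    for net in prefixes:
        if ip in net:
            return net
    return None

def block_candidates(log_text, prefixes=UNALLOCATED):
    """Prefixes that are unallocated AND have produced only spam."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("spam", "ham"):
            continue  # skip malformed lines
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # skip unparsable source addresses
        net = unallocated_parent(ip, prefixes)
        if net is not None:
            counts[net][parts[1]] += 1
    # Any legitimate mail from a prefix disqualifies it: the list may be
    # stale and the space may have been allocated since it was built.
    return sorted(str(n) for n, c in counts.items()
                  if c["spam"] > 0 and c["ham"] == 0)

if __name__ == "__main__":
    for prefix in block_candidates(SAMPLE_LOG):
        print("border block candidate:", prefix)
```

Because the announcement may already be withdrawn by the time the log is read, the check relies on the observed source addresses and the allocation data rather than on the current routing table.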