williams spamhaus blacklist

2003-09-24 Thread Len Rose

gateway.wcg.com (65.77.117.10) is being blacklisted by the
spamhaus service.

Can someone at Williams Communications get this taken care of? 

Your mail server is being blocked by everyone who uses spamhaus
and it's delaying important mail from your company to one of our 
customers.




Re: williams spamhaus blacklist

2003-09-24 Thread alex

> gateway.wcg.com (65.77.117.10) is being blacklisted by the spamhaus
> service.
> 
> Can someone at Williams Communications get this taken care of?
> 
> Your mail server is being blocked by everyone who uses spamhaus and it's
> delaying important mail from your company to one of our customers.

Customers who use blacklists compiled by vengeance-oriented folk deserve 
what they get: No email.

Suggested solutions:
a) whitelist williams
b) stop using SBLs similar to spamhaus.

It is a question of trust: Do you trust spamhaus to block 'evil' spammers? 

Do you trust them after they blocked important mails to your clients that
could -not- -possibly- have been spam?

Make your own conclusions.

-alex
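
On the receiving side, option (a) above means consulting a local allow list before any DNSBL answer is acted on. The following is an added example, not part of the thread: it builds the DNSBL query name for the address from the first message and applies the allow list first. The resolver is injectable so the logic runs offline; the `127.0.0.2` answer returned by `fake_resolver` is constructed sample data.

```python
import ipaddress
import socket

# DNSBLs conventionally answer with an address in 127.0.0.0/8 for a listed IP.
# Any other answer (e.g. a hijacked or wildcarded zone) is not treated as a listing.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name to query: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """Real A-record lookup; returns None when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_sender(ip, zones, allow_nets=(), resolve=system_resolver):
    """Return (action, reason). The local allow list is checked before any DNSBL."""
    addr = ipaddress.ip_address(ip)
    for net in allow_nets:
        if addr in ipaddress.ip_network(net):
            return ("accept", "allow list " + net)
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue  # NXDOMAIN: this zone does not list the address
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            return ("reject", "listed in " + zone)
    return ("accept", "not listed")


def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs without network access."""
    return {"10.117.77.65.sbl.spamhaus.org": "127.0.0.2"}.get(name)


if __name__ == "__main__":
    zones = ["sbl.spamhaus.org"]
    print(check_sender("65.77.117.10", zones, resolve=fake_resolver))
    print(check_sender("65.77.117.10", zones,
                       allow_nets=["65.77.117.10/32"], resolve=fake_resolver))
```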



Re: williams spamhaus blacklist

2003-09-24 Thread Len Rose

Maybe I've missed something but since when did spamhaus become
vengeance oriented? All we try to do is eliminate as much spam
as we can using a wide variety of blacklists at the same time.

Thanks

[EMAIL PROTECTED] wrote:

> Customers who use blacklists compiled by vengeance-oriented folk deserve 
> what they get: No email.
> 
> Suggested solutions:
> a) whitelist williams
> b) stop using SBLs similar to spamhaus.
> 
> It is a question of trust: Do you trust spamhaus to block 'evil' spammers? 
> 
> Do you trust them after they blocked important mails to your clients that
> could -not- -possibly- have been spam?
> 
> Make your own conclusions.
> 
> -alex


Re: williams spamhaus blacklist

2003-09-24 Thread alex

> Maybe I've missed something but since when did spamhaus become vengeance
> oriented? All we try to do is eliminate as much spam as we can using a
> wide variety of blacklists at the same time.

The moment they started blacklisting IPs that never sent spam. (AKA 
williams corporate mail servers).

-alex



Re: williams spamhaus blacklist

2003-09-24 Thread Leo Bicknell
In a message written on Wed, Sep 24, 2003 at 05:14:04PM -0400, [EMAIL PROTECTED] wrote:
> The moment they started blacklisting IPs that never sent spam. (AKA 
> williams corporate mail servers).

For those who care:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL10731

I quote:

] WilTel Communications Group's Corporate Mail Relays
] Continued hosting of Eddy Marin spam gang and others have caused this
] listing. Previous warnings and spam reports had no effect.

So, they have decided since WilTel has one (alleged?) spammer
customer none of wiltel should be allowed to send or receive e-mail
anymore.

The complete list of Williams issues is at:

http://www.spamhaus.org/sbl/listings.lasso?isp=wcg

As per usual, no amount of collateral damage is deemed unacceptable.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




RE: williams spamhaus blacklist

2003-09-24 Thread McBurnett, Jim

this is not without precedent.. 
Anyone from Cable and Wireless listening?
If I remember correctly, Cable and Wireless was blocked last year
or earlier this year by a similar ploy.
And I also seem to remember them making major
complaints over on the SPAM-L list.. 

Later,
J


> -Original Message-
> From: Leo Bicknell [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 6:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: williams spamhaus blacklist
> 
> 
> In a message written on Wed, Sep 24, 2003 at 05:14:04PM 
> -0400, [EMAIL PROTECTED] wrote:
> > The moment they started blacklisting IPs that never sent spam. (AKA 
> > williams corporate mail servers).
> 
> For those who care:
> 
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL10731
> 
> I quote:
> 
> ] WilTel Communications Group's Corporate Mail Relays
> ] Continued hosting of Eddy Marin spam gang and others have caused this
> ] listing. Previous warnings and spam reports had no effect.
> 
> So, they have decided since WilTel has one (alleged?) spammer
> customer none of wiltel should be allowed to send or receive e-mail
> anymore.
> 
> The complete list of Williams issues is at:
> 
> http://www.spamhaus.org/sbl/listings.lasso?isp=wcg
> 
> As per usual, no amount of collateral damage is deemed unacceptable.
> 
> -- 
>Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
> Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
> 


Re: williams spamhaus blacklist

2003-09-24 Thread Gary E. Miller

Yo Leo!

On Wed, 24 Sep 2003, Leo Bicknell wrote:

> So, they have decided since WilTel has one (alleged?) spammer
> customer none of wiltel should be allowed to send or receive e-mail
> anymore.

Works for me.  Zero tolerance for those writing pink contracts with
known spam gangs.

Please send further complaints to WilTel not Nanog.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



Re: williams spamhaus blacklist

2003-09-24 Thread Scott Granados

Even though this is off topic, I'd have to say that this seems very odd from
SpamHaus.  They never seemed to isolate entire ranges but seemed more
specific.  I can also say they were very fast to remove issues once the
spammers were removed and were also quite helpful.

I wonder does this strategy demonstrate some sort of change or is it just a
one off?

- Original Message - 
From: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 24, 2003 2:14 PM
Subject: Re: williams spamhaus blacklist


>
> > Maybe I've missed something but since when did spamhaus become vengeance
> > oriented? All we try to do is eliminate as much spam as we can using a
> > wide variety of blacklists at the same time.
> The moment they started blacklisting IPs that never sent spam. (AKA
> williams corporate mail servers).
>
> -alex
>
>



Re: williams spamhaus blacklist

2003-09-24 Thread Leo Bicknell
In a message written on Wed, Sep 24, 2003 at 07:42:39PM -0400, Richard Welty wrote:
> there's nothing alleged about it. the Eddy Marin spam gang in Boca Raton is
> one of the nastiest bunches of vile spamming slime you will ever see. this
> is all extremely well documented. go see the spamhaus site for
> documentation, it's all there.

What you're missing in my argument is that it doesn't matter.  I
have no idea who Eddy Marin is, nor do I care.  Blocking wcg's
corporate mail servers is not the solution.  Sure, it may get
someone's attention at wcg, but it may also harm a lot of "innocent"
communications, sales talking to clients, other wiltel customers
requesting support, heck, the secretary ordering lunch to be
delivered.

There are laws against spam.  If you have evidence, sue in civil
court, or get a DA to go for it in criminal court.  Don't lob a
hand grenade in the general direction of the spammer and hope it
all comes out ok.

Osama and his followers told us for years they didn't like what we
were doing, and then escalated by flying a plane into a building
to "get our attention".  That must have been ok by the same logic.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




Re: williams spamhaus blacklist

2003-09-24 Thread Justin Shore

On Wed, 24 Sep 2003 [EMAIL PROTECTED] wrote:

> Customers who use blacklists compiled by vengeance-oriented folk deserve 
> what they get: No email.
> 
> Suggested solutions:
> a) whitelist williams
> b) stop using SBLs similar to spamhaus.
> 
> It is a question of trust: Do you trust spamhaus to block 'evil' spammers? 
> 
> Do you trust them after they blocked important mails to your clients that
> could -not- -possibly- have been spam?
> 
> Make your own conclusions.
> 
> -alex
> 

Providers that sleep the dogs deserve exactly what they get: No email.

Suggested solutions:
a) find an ethical provider that responds to abuse complaints
b) I can't think of anything better than a.

It is a question of trust: Do you trust Williams to be ethical to their 
Internet peers and respond to abuse issues?

Do you trust them after they -repeatedly- -ignore- abuse complaints
regarding your clients receiving spam from a spamhaus on their network?

Make your own conclusions.

-justin



Re: williams spamhaus blacklist

2003-09-24 Thread Andy Walden


On Wed, 24 Sep 2003, Leo Bicknell wrote:

> Osama and his followers told us for years they didn't like what we
> were doing, and then escalated by flying a plane into a building
> to "get our attention".  That must have been ok by the same logic.

Godwin's Law should probably be extended to September 11 references.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp


Re: williams spamhaus blacklist

2003-09-24 Thread Avleen Vig

On Wed, Sep 24, 2003 at 08:01:48PM -0400, Leo Bicknell wrote:
> What you're missing in my argument is that it doesn't matter.  I
> have no idea who Eddy Marin is, nor do I care.  Blocking wcg's
> corporate mail servers is not the solution.  Sure, it may get
> someone's attention at wcg, but it may also harm a lot of "innocent"
> communications, sales talking to clients, other wiltel customers
> requesting support, heck, the secretary ordering lunch to be
> delivered.

Your first statement isn't true. Of course you care. If you didn't care
who was spamming, you wouldn't be using a DNSBL to block them.
By using a BL to block spammers, you are saying you don't want to
receive spam. The terms of use are known and clearly listed on each BL's
site.
You should have known that SBL would do this in extreme cases, if you
chose to use them.


Re: williams spamhaus blacklist

2003-09-24 Thread Eliot Lear

Andy Walden wrote:
> Godwin's Law should probably be extended to September 11 references.

Walden's Corollary?

;-)

Eliot




Re: williams spamhaus blacklist

2003-09-24 Thread Dr. Jeffrey Race

On Wed, 24 Sep 2003 20:01:48 -0400, Leo Bicknell wrote:

>Blocking wcg's corporate mail servers is not the solution. 

It is the ONLY solution that works, as shown many times including
the case just posted to this list about Sprint.

>Sure, it may get
>someone's attention at wcg, but it may also harm a lot of "innocent"
>communications, sales talking to clients, other wiltel customers
>requesting support, heck, the secretary ordering lunch to be
>delivered.

These people are also victims of bad corporate management and
they should complain to their managers, not to their fellow victims.

>
>There are laws against spam.  If you have evidence, sue in civil
>court, or get a DA to go for it in criminal court.

There are no presently enforceable laws for this kind of corporate
abuse.  The only thing that works is hitting the malefactors directly.

Regarding BLs: no one forces anyone to use them.   They are used  
because recipients don't want to get trash.

Those with a quiet moment who want to see a novel, amusing and detailed
ventilation of this issue may take a look at

   (some details dated)
and
    (work in progress)

I'd welcome any comments.

Jeffrey Race



Re: williams spamhaus blacklist

2003-09-24 Thread Dan Hollis

On Wed, 24 Sep 2003, Andy Walden wrote:
> On Wed, 24 Sep 2003, Leo Bicknell wrote:
> > Osama and his followers told us for years they didn't like what we
> > were doing, and then escalated by flying a plane into a building
> > to "get our attention".  That must have been ok by the same logic.
> Godwin's Law should probably be extended to September 11 references.

I was thinking exactly the same thing. 9/11 has become the rallying cry of 
those on the losing side of a debate.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: williams spamhaus blacklist

2003-09-25 Thread Steve Linford
(Apologies to nanog, I make a point of not discussing spam issues 
here, but I feel an uncontrollable urge to respond to this one as it 
concerns Spamhaus directly)

At 20:01 -0400 (GMT) 24/9/03, Leo Bicknell wrote:
> In a message written on Wed, Sep 24, 2003 at 07:42:39PM -0400,
> Richard Welty wrote:
>> there's nothing alleged about it. the Eddy Marin spam gang in Boca Raton is
>> one of the nastiest bunches of vile spamming slime you will ever see. this
>> is all extremely well documented. go see the spamhaus site for
>> documentation, it's all there.
>
> What you're missing in my argument is that it doesn't matter.  I
> have no idea who Eddy Marin is, nor do I care.

Eddy Marin is The Spam King, not your average garden-variety spammer. 
You might not care who Marin is but we unfortunately have to.

> Blocking wcg's corporate mail servers is not the solution.

It's not a nice solution but it's sometimes the only solution 
available (to us). It's not an easy decision and it's a very rare one 
for us, but when a provider hosts a major spam gang long-term and 
looks set to continue indefinitely, escalating the issue by listing 
the corporate mail relays focuses the escalation only on the provider 
himself and not on his customers. We at that moment in time deem the 
provider to be 'knowingly supplying a spam support service'.

> but it may also harm a lot of "innocent"
> communications, sales talking to clients, other wiltel customers
> requesting support, heck, the secretary ordering lunch to be
> delivered.

The Internet is now brimming with people who are almost in tears each 
time they check their mail and sort through their spam to see if 
there's any mail in it. Well over 50% of all email on the Internet is 
now spam (most ISPs say 60%+ of their incoming mail). That a 
provider's CEO, sales staff, or the secretary ordering lunch are 
inconvenienced due to an escalation caused by them allowing known 
spammers to cause such problems for all the rest of the Internet, is 
not our prime concern. The arguments of whether it's right or wrong 
can go on indefinitely but until someone invents a better solution 
this is all we have.

> There are laws against spam.  If you have evidence, sue in civil
> court, or get a DA to go for it in criminal court.

That's a joke right?

> Osama and his followers [...]

I see, perhaps I shouldn't have responded to this post after all. But 
for the benefit of those providers on nanog who use our SBL system, 
rest assured we will be removing the escalation 'any minute now' as 
WCG are now in contact with us and I understand are pulling spammer 
plugs.

Regards,

--
  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org


Re: williams spamhaus blacklist

2003-09-25 Thread Dr. Jeffrey Race

On Thu, 25 Sep 2003 08:29:42 +0100, Steve Linford wrote:

>for the benefit of those providers on nanog who use our SBL system, 
>rest assured we will be removing the escalation 'any minute now' as 
>WCG are now in contact with us and I understand are pulling spammer 
>plugs.

Elegant understatement of basic principle that only hitting the
management scum over the head with a mallet will change their
behavior.   Leo, are you listening?

In my judgment rehashing this issue on NANOG is 1000% appropriate
because the people on this list are the ones who have to carry the
bad news to their masters.  

Jeffrey Race



Re: williams spamhaus blacklist

2003-09-25 Thread Susan Harris

Dr. Race - this is the second time I have contacted you concerning a NANOG
mailing list AUP violation.  Please refer to the AUP:

http://www.nanog.org/aup.html

If you again violate any terms of the AUP, we'll need to withdraw your
posting privileges from the list.

Susan Harris, Ph.D. 
Merit Network/Univ. of Mich.
 

On Thu, 25 Sep 2003, Dr. Jeffrey Race wrote:

> 
> On Thu, 25 Sep 2003 08:29:42 +0100, Steve Linford wrote:
> 
> >for the benefit of those providers on nanog who use our SBL system, 
> >rest assured we will be removing the escalation 'any minute now' as 
> >WCG are now in contact with us and I understand are pulling spammer 
> >plugs.
> 
> Elegant understatement of basic principle that only hitting the
> management scum over the head with a mallet will change their
> behavior.   Leo, are you listening?
> 
> In my judgment rehashing this issue on NANOG is 1000% appropriate
> because the people on this list are the ones who have to carry the
> bad news to their masters.  
> 
> Jeffrey Race
> 
> 



Re: williams spamhaus blacklist

2003-09-25 Thread jlewis

On Wed, 24 Sep 2003, Leo Bicknell wrote:

> What you're missing in my argument is that it doesn't matter.  I
> have no idea who Eddy Marin is, nor do I care.  Blocking wcg's
> corporate mail servers is not the solution.  Sure, it may get
> someone's attention at wcg, but it may also harm a lot of "innocent"
> communications, sales talking to clients, other wiltel customers
> requesting support, heck, the secretary ordering lunch to be
> delivered.

But it's ok when AboveNet does it?...or actually does much worse by
secretly and arbitrarily blackholing various networks at will, while
advertising connectivity to those networks to their BGP customers and
peers?

This means anyone connected to AboveNet will be unable to reach those
blackholed victims if the routes to those destinations propagated by
AboveNet appear to be their "best route" to the affected networks.  This
breaks connectivity even though we have multiple other transit providers.

This is much worse than a Spamhaus (or any other DNSBL) listing since
anyone using such services does so by choice and can decide for themself
what action to take, if any, for listed addresses.  With AboveNet
blackhole routing, our only option, once we're aware of the problem, is to
make changes to our routing policy and force traffic away from AboveNet
and onto one of our other transit providers.

We only find out about such AboveNet blackhole routes when we open a
ticket with AboveNet to ask why your network is broken when our customers
complain of networks they can't reach when using our service (i.e. banks
that can't reach their staff training web sites), but they can reach from
other service providers, so they inform us that our network is broken.  
Whose attention is AboveNet trying to get?

Anyone taking BGP routes from AboveNet, or worse yet, single homed to
AboveNet, ought to be aware of this policy.  At the very least, you should
make sure whoever does your BGP is aware of it and knows how to reroute
traffic when the "best route" doesn't actually work.  You also might bring
it up with your sales person when it's time to renew.

The central image on www.above.net boasts of "Unconstrained Information
Exchange".  I wish that were true.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_








RE: williams spamhaus blacklist

2003-09-25 Thread Deepak Jain

> But it's ok when AboveNet does it?...or actually does much worse by
> secretly and arbitrarily blackholing various networks at will, while
> advertising connectivity to those networks to their BGP customers and
> peers?
>

So why keep connectivity to them? A contract term? Now that you know of the
policy and aren't very happy about it, why not change providers -- you
already have a few. :)

I think anyone who blackholes sites within their own network should take the
specifics with a community that clueful customers can use to route-around
them, but obviously its their network, and whoever is setting up the
blackholes can decide that for themselves. Just a suggestion.

This way, blackholes designed to protect clue-light customers can be used
with little detriment to clueful customers (once the communities are used
and well-described/published).

Just my idea.

Deepak Jain
AiNET




Re: williams spamhaus blacklist

2003-09-25 Thread Kai Schlichting

[at the risk of getting whacked by Sue Harris, like: what does "operational"
mean anyway when the flood of criminal activity that's been the subject of
discussion here in recent days is frustrating massive amounts of ordinary
customers/Internet users, who will turn away from the Internet in frustration
altogether ; the impact on operators should be quite obvious]

On 9/25/2003 at 11:58 AM, "netadm" <[EMAIL PROTECTED]> wrote:

> This is exactly the problem with certain e-mail block lists (i.e.
> www.spamhaus.org). A few zealots who control this particular block list
> have made a decision based on inaccurate information.

> Mr. Linford has listed (in his block list) 48 /24s allocated to Infolink
> (yes we are a real ISP with real customers) for 2 customers we are
> working to terminate.

> In addition, as previously mentioned, Mr. Linford refuses to remove
> listings once we notify him of the termination.

And with good reason.

> Given the above, it is imprudent for any network operator (North
> American or Other) to use Mr. Linford's SBL to restrict the delivery of
> e-mail.

It is inadvisable for any network operator to even accept BGP
announcements like yours, inbound into their network:

Anyone who is bleeding 32 /24's in addition to an enclosing /19 supernet
(presumably out of incompetence, but maybe this is part of a strategy to
 circumvent less-skilled operators nullrouting the /19 at router level,
 and failing to notice that that doesn't work when there's longer
 prefixes)
is worthy of being dropped for stealing too much of our router CPU/RAM.

Anyone who (at least at one point in the past) replied to mail sent to
[EMAIL PROTECTED] with a note that the complaint will be ignored and the only
complaints that will be addressed (yeah right) are those sent in
PLAIN OLD PAPER HARDCOPY, deserves no access to other networks whatsoever.

Any ASN that announces the equivalent of only 51 /24's, yet manages to
generate 106 AUP violations (mailing spamtraps, dead users, failing to
yield to SMTP 550, etc., many of them continuous 'repeat action') in a
four month period to 2 rather small MXs, and continues such illegal
trespass after their 4 upstreams are informed (and have in turn informed
you) of this continuously, deserves to be dropped until the end of time.

Current AS 15083 upstreams:
2914 (Verio) 16631 (Cogentco) 19094 (Adelphia/telcove.com)

My guess is that abuse@ people at (at least) Verio and Adelphia are tipping
on their toes, waiting until the complaint count has reached the magic number
high enough to term you with their management's support, so you can go find
yourself some new upstreams - again. That won't change our stance of blocking
you by ASN, IP space and known domain names - indefinitely.

Given that there are 1000's of systems like ours, this makes the SBL listing
seem like an insignificant problem for your so-called "ethucal bizniz".

bye,Kai
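
The point above about longer prefixes is longest-prefix-match forwarding: a null route for an aggregate does not apply to traffic that matches a more-specific learned route. The following is an added example, not part of the message above; the prefixes (RFC 1918 space), the next-hop names and the rule that a static route beats a BGP route of equal length are constructed assumptions.

```python
import ipaddress

# Constructed sample table: one static null route for a /19, plus the same /19
# and three more-specific /24s learned over BGP.
SAMPLE_TABLE = [
    ("10.20.0.0/19", "Null0", "static"),
    ("10.20.0.0/19", "peer-A", "bgp"),
    ("10.20.1.0/24", "peer-A", "bgp"),
    ("10.20.2.0/24", "peer-A", "bgp"),
    ("10.20.30.0/24", "peer-A", "bgp"),
]


def forwarding_decision(dst, table):
    """Return (prefix, next_hop) chosen for dst, or None if nothing matches.

    Longest prefix wins; on equal length the static route is preferred
    (assumption standing in for administrative distance).
    """
    addr = ipaddress.ip_address(dst)
    best_key, best = None, None
    for prefix, next_hop, source in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, source == "static")
        if best_key is None or key > best_key:
            best_key, best = key, (str(net), next_hop)
    return best


def escaping_routes(table):
    """Learned prefixes that sit inside a null-routed aggregate but still forward."""
    nulls = {ipaddress.ip_network(p) for p, nh, _ in table if nh == "Null0"}
    escaped = []
    for prefix, next_hop, _ in table:
        net = ipaddress.ip_network(prefix)
        if next_hop == "Null0" or net in nulls:
            continue  # the route is itself a null route, or is overridden by one
        if any(net.version == agg.version and net.subnet_of(agg) for agg in nulls):
            escaped.append(str(net))
    return escaped


def harden(table):
    """Add a static null route for every more-specific that escapes the aggregate."""
    return table + [(p, "Null0", "static") for p in escaping_routes(table)]


if __name__ == "__main__":
    print(forwarding_decision("10.20.9.9", SAMPLE_TABLE))   # covered only by the /19
    print(forwarding_decision("10.20.1.5", SAMPLE_TABLE))   # matches a learned /24
    print(escaping_routes(SAMPLE_TABLE))
    print(forwarding_decision("10.20.1.5", harden(SAMPLE_TABLE)))
```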



Re: williams spamhaus blacklist

2003-09-25 Thread Kai Schlichting

On 9/25/2003 at 2:19 PM, "Deepak Jain" <[EMAIL PROTECTED]> wrote:


>> But it's ok when AboveNet does it?...or actually does much worse by
>> secretly and arbitrarily blackholing various networks at will, while
>> advertising connectivity to those networks to their BGP customers and
>> peers?
>>

> So why keep connectivity to them? A contract term? Now that you know of the
> policy and aren't very happy about it, why not change providers -- you
> already have a few. :)

> I think anyone who blackholes sites within their own network should take the
> specifics with a community that clueful customers can use to route-around
> them, but obviously it's their network, and whoever is setting up the
> blackholes can decide that for themselves. Just a suggestion.

Travis Haymore, Director of Security at AboveNet, has reportedly (see
Spam-L a couple weeks back) made telephoned threats to at least one system
owner (digistar.com), threatening (and then following up on that threat)
to null-route that particular system (/32) on all of AboveNet/MFNX's routers,
for no other reason than a user of that system making unfavorable public
statements about AboveNet in public forums - while not disputing the truth
of such statements made; he just wanted "that user gone, or else".

Unfortunately for Travis, that happened to be the backup outgoing MX
for a mailing list of quite some importance to a few ISPs and RIRs:
Hijacked-L.


As far as my own case is concerned, presumably the same individual null-routed
the machine this mail originates from (208.241.101.2), for reasons not
explained and not justified with internal documentation whatsoever (that
much I got from an AboveNet manager; causing removal of this IP from their
BL, for lack of documentation, and the unnamed individual responsible for
its entry (Travis was never mentioned by name to me by this AboveNet person,
but everyone else who has reported similar experiences with AboveNet seems
to be pointing back to him at this point) never contested it).

Indeed, quite a bit of mail to [EMAIL PROTECTED] has been sent from this IP
(we are talking of maybe a few hundred since Jan 2003, a fraction of the
number of actual incidents observed) - and that appeared to be the one and
only reason why this machine would appear on his/their radar at all.

Legitimate, persistent and continuing complaints about illegal trespassing
originating from AboveNet's (or their customer's) IP space into your servers
apparently can get you transit-blackholed at AboveNet, rather than getting
yourself blocked from accessing *AboveNet OWNED AND OPERATED* machines -
while AboveNet, knowingly and willingly, does nothing to stop the illegal
activity by itself.

If null0-routing the complainant shields that complainant from the illegal
activity (in order to make him shut up), I become quite suspicious that the
remaining illegal activity against the other 99.999% of the Internet
is not just being ignored, but endorsed and shielded from further discovery
by the complainant. That's called "collusion", in my I-am-not-a-lawyer-way
of expressing this.


Add the secrecy on AboveNet's side and the unusual paths it takes to even
partially uncover any of this, then tell me: would you rather be SBL-listed
for everyone to see, or secretly null0'd at a transit point, with no public
or privately accessible record, until you randomly find out about it, because
some customer-used services (websites, email, etc.) have been failing
randomly for a couple of weeks (blame the Internet!) ?

> This way, blackholes designed to protect clue-light customers can be used
> with little detriment to clueful customers (once the communities are used
> and well-described/published).

Funny as it is, none of the definitions found at http://www.above.net/antispam.html
(section (3) and (8)) ever seem to apply to the cases that we are hearing
and reading about here, making the interception and redirection of this
traffic NOT AIMED AT AboveNET quite unlawful under federal wiretapping
statutes - and all of this is happening with AboveNet managers being well-aware
- less the details on the legalities, I am sure.

And this one is for Deepak: how exactly would a single host (e.g.: any
prefix longer than a /24) evade the giant traffic vacuum cleaner (AboveNet,
busy cleansing the Internet of "unwanted by anyone" packets) when your route,
as seen from most of the Internet, is a /10, rather than a /22, /23 or /24?

And last but not least: Infrastructure failures as a result of operator
behavior are on-topic, the last time I checked.

bye,Kai



Re: williams spamhaus blacklist

2003-09-25 Thread Kai Schlichting

On 9/25/2003 at 3:04 PM, "Susan Harris" <[EMAIL PROTECTED]> wrote to me:

> This is the third time I've contacted you concerning violations of the
> NANOG list AUP.  Your message below focuses on spam/blacklists, issues
> that are not considered operational and are therefore off-topic for the
> list.  This is your last warning - if subsequent messages violate any
> terms of the NANOG list, we'll need to remove your posting privileges from
> the list.

> Please refer to the AUP:

> http://www.nanog.org/aup.html

> Susan Harris, Ph.D. 
> Merit Network/Univ. of Mich.

(above is a template, btw)
oops - too late - been busy writing the next post that is SUPPOSEDLY
off topic, and I hit 'send' before seeing this one.

Now tell me: why are you not posting this notice to the list to kill
the thread, if that is the desired effect?

bye,Kai



Re[2]: williams spamhaus blacklist

2003-09-24 Thread Richard Welty

On Wed, 24 Sep 2003 16:28:52 -0700 Scott Granados <[EMAIL PROTECTED]> wrote:
> Even though this is off topic, I'd have to say that this seems very odd
> from SpamHaus.  They never seemed to isolate entire ranges but seemed more
> specific.  I can also say they were very fast to remove issues once the
> spammers were removed and were also quite helpful.
>
> I wonder does this strategy demonstrate some sort of change or is it
> just a one off?

disclaimer: i do not speak for spamhaus. i have used the sbl for many
years, found it effective, and believe that steve linford and his crew are
honestly trying to do a good job with a difficult project.

now, to answer your question.

spamhaus normally is extremely focused. they keep detailed records that
explain why they have chosen to block specific ranges. they are oriented
towards spammers of fixed address, that is, they don't chase open relays,
they don't chase abused proxies, or anything of that sort. there are other
lists that perform those functions.

the blacklisting of ISP ranges is very rare, it only occurs perhaps once a
year, in extreme cases. several years ago, the sbl listed sprint's corporate
mail servers during a period when sprint was providing connectivity for
many spamhausen. sprint responded by appointing a new head of abuse, and
giving him the power to terminate spammers. sprint's corporate mail servers
were delisted, and their network is now fairly clean. we don't jokingly
call their service "sprintpink" any more.

it takes a lot to get your ISP's corporate mail servers listed on the sbl.
wcg's problems must be pretty severe.

in another message, Leo Bicknell referred to Eddy Marin & crew as (i think)
"alleged spammers".

there's nothing alleged about it. the Eddy Marin spam gang in Boca Raton is
one of the nastiest bunches of vile spamming slime you will ever see. this
is all extremely well documented. go see the spamhaus site for
documentation, it's all there.

cheers,
  richard
(the scary thing is that spamming may be the closest thing to a legitimate
 business that Eddy Marin has ever been involved in.)
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re[2]: williams spamhaus blacklist

2003-09-25 Thread Hank Nussbacher
At 07:42 PM 24-09-03 -0400, Richard Welty wrote:

> the blacklisting of ISP ranges is very rare, it only occurs perhaps once a
> year, in extreme cases. several years ago, the sbl listed sprint's corporate
> mail servers during a period when sprint was providing connectivity for
> many spamhausen. sprint responded by appointing a new head of abuse, and
> giving him the power to terminate spammers. sprint's corporate mail servers
> were delisted, and their network is now fairly clean. we don't jokingly
> call their service "sprintpink" any more.

AS3339 has a zero tolerance for spamming.  With just one spam complaint we 
block the IP in question.  We have a downstream customer that has many 
cybercafes in Africa that generate http and smtp spam and we block each 
complaint within 48 hours.

None the less, here is a recent email extract I received from someone:

"Hank, I am not a Spamhaus.org representative in any shape or form.
I do not claim to speak for Spamhaus.org in any capacity.  The
University of xx is, however, a customer (i.e. as of this
morning, we block e-mails from IP addresses listed on Spamhaus SBL).
I am just guessing what might happen if the problem is not sorted out.

I am sure you already know that the standard escalation procedure for
many blocklists is first to block the single offending IP address, then
the immediate smallest block that it is contained in according to WHOIS,
then the entire block of the ISP, and if that fails to stop the spam,
then the corporate MXes of the upstream ISP may be blocklisted."

Basically, we are being told if we don't drop the customer, our corporate 
MXes will be blocked.  I would not call this an "extreme case", but it 
would appear that overzealous anti-spammers are perhaps going a bit overboard.

Regards,
Hank



Re[3]: williams spamhaus blacklist

2003-09-25 Thread Richard Welty

On Thu, 25 Sep 2003 12:50:58 +0200 Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> AS3339 has a zero tolerance for spamming.
...
> None the less, here is a recent email extract I received from someone:
... 
> "Hank, I am not a Spamhaus.org representative in any shape or form.
> I do not claim to speak for Spamhaus.org in any capacity.  The
> University of xx is, however, a customer (i.e. as of this
> morning, we block e-mails from IP addresses listed on Spamhaus SBL).
...
> Basically, we are being told if we don't drop the customer, our corporate
> MXes will be blocked.  I would not call this an "extreme case", but it
> would appear that overzealous anti-spammers are perhaps going a bit
> overboard.

i'd say that's more than a little bit of a reach. they admit right up front
that they don't speak for spamhaus (steve linford can speak for spamhaus,
and he's apparently reading this thread on nanog.)

a spamhaus customer can hardly threaten a spamhaus listing, only spamhaus
investigators can do that. what you're describing doesn't sound like a
situation that would get you onto spamhaus. this spamhaus customer is
talking through their hat.

additionally, to the best of my knowledge, spamhaus listing and escalation
procedures differ from the ones you described.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security




Re[2]: williams spamhaus blacklist

2003-09-25 Thread Steve Linford
At 12:50 +0200 (GMT) 25/9/03, Hank Nussbacher wrote:
> AS3339 has a zero tolerance for spamming.  With just one spam
> complaint we block the IP in question.  We have a downstream
> customer that has many cybercafes in Africa that generate http and
> smtp spam and we block each complaint within 48 hours.
> None the less, here is a recent email extract I received from someone:
>
> "Hank, I am not a Spamhaus.org representative in any shape or form.
> I do not claim to speak for Spamhaus.org in any capacity.  The
> University of xx is, however, a customer (i.e. as of this
> morning, we block e-mails from IP addresses listed on Spamhaus SBL).
> I am just guessing what might happen if the problem is not sorted out.
>
> I am sure you already know that the standard escalation procedure for
> many blocklists is first to block the single offending IP address, then
> the immediate smallest block that it is contained in according to WHOIS,
> then the entire block of the ISP, and if that fails to stop the spam,
> then the corporate MXes of the upstream ISP may be blocklisted."

That describes the escalation procedure of SPEWS, but is not at all 
accurate for the SBL, we do not expand listings sideways into 
customer space or block whole ISPs [*].

> Basically, we are being told if we don't drop the customer, our
> corporate MXes will be blocked.  I would not call this an "extreme
> case", but it would appear that overzealous anti-spammers are
> perhaps going a bit overboard.

Luckily he claimed up-front to not be speaking for Spamhaus. I can 
sympathize with the level of frustration of someone being bombarded 
in spam, however we do not run escalations for single spammers 
(unless the problem is chronic, but even then we'd always contact the 
ISP and exhaust all other avenues).

[*] Although we do not list whole U.S. or European ISPs, that's not 
strictly true for other areas of the net the "offshore" spammers have 
gravitated to. We are currently leaning on China heavily and are at 
this moment blocking large parts of Chinanet Shanghai (online.sh.cn) 
ADSL netblocks, as it's the worst of the China spam problems with 120 
separate SBL listings all of US-based spammers (all the usual 
make-penis-fast crowd) hosted mainly on Shanghai ADSL lines.
Spammers like Alan Ralsky these days pump everything out via 
SoBig-opened proxies with everything hosted in China, all run from 
Detroit using VPN. The Chinese are now understanding this but it's 
taken some time. That escalation should resolve itself 'any moment 
now' too as they say they're starting the process of tracking down 
and kicking off the horde of pests they've acquired these last months.

--
  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org


RE: Re[2]: williams spamhaus blacklist

2003-09-25 Thread netadm

>> That describes the escalation procedure of SPEWS, but is not at all 
>> accurate for the SBL, we do not expand listings sideways into 
>> customer space or block whole ISPs [*].
>>

Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2
entities on our network we are working to terminate (it is a bit more
complicated than simply pulling the plug).

In addition, we have recently requested removal of listings once we have
terminated the customer in question, but received no response.

We can vouch for the fact that www.spamhaus.org blocks far more than
just sources of UCE. In our case, it is our entire network.



RE: Re[2]: williams spamhaus blacklist

2003-09-25 Thread Steve Linford
From netadm, received 25/9/03, 9:02 -0400 (GMT):
>> That describes the escalation procedure of SPEWS, but is not at all
>> accurate for the SBL, we do not expand listings sideways into
>> customer space or block whole ISPs [*].
>
> Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2
> entities on our network we are working to terminate (it is a bit more
> complicated than simply pulling the plug).
>
> In addition, we have recently requested removal of listings once we have
> terminated the customer in question, but received no response.
>
> We can vouch for the fact that www.spamhaus.org blocks far more than
> just sources of UCE. In our case, it is our entire network.

Ehm, that was because you, infolink.com WERE the spam outfit, of 
course we block your 'entire network', it was an entire network of 
spammers with no real customers. You can pretend Infolink is an 
'EyeEshPee' all you like Mr Leary but what we see is this, from your 
ROKSO record:

Prieur Leary's Infolink Communication Services, Inc.
(64.251.0.0/19) initially got bandwidth from Yipes.com circa
February 2002.  Infolink (and Yipes) ignored tremendous
numbers of spam reports for months on end.  When
E-xpedient.com bought that chunk of Yipes circa late June
2002, they continued spam hosting and were booted in a week or
so.

Next, Infolink headed for WCG.net, and commenced routing there
during early July.  It may have looked like a tasty morsel to
Williams, but they soon realized it had a bitter aftertaste.
It took until August 21 2002 before the mallet swung at WCG.
Then UU.net took a whack at it.  By August 21, Infolink was
already spamming via that route.  That lasted until about
August 28, and it was three strikes and they were in ROKSO.
But other networks are still willing to experience the thrill
of a flooded abuse queue, it seems, and these persistent
spammers are still on the air.  There was apparently a route
via cw.net during August 28 and 29, but as of August 29 they
seem to have transit via host.net, go-net.net, and
go-intl.net, downstream of Verio.net.

Among Infolink's notorious partners in spam, Infolink hosts
Eddy Marin (OneRoute.net), John Ritzer, and Daniel Amato.
http://www.spamhaus.org/rokso/search.lasso?evidencefile=1955

Spammers pretending to be ISPs don't qualify.

--
  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org


RE: Re[2]: williams spamhaus blacklist

2003-09-25 Thread netadm

>> Ehm, that was because you, infolink.com WERE the spam outfit, of 
>> course we block your 'entire network', it was an entire network of 
>> spammers with no real customers. You can pretend Infolink is an 
>> 'EyeEshPee' all you like Mr Leary but what we see is this, from your 
>> ROKSO record:
>>

This is exactly the problem with certain e-mail block lists (i.e.
www.spamhaus.org). A few zealots who control this particular block list
have made a decision based on inaccurate information.

Mr. Linford has listed (in his block list) 48 /24s allocated to Infolink
(yes we are a real ISP with real customers) for 2 customers we are
working to terminate.

In addition, as previously mentioned, Mr. Linford refuses to remove
listings once we notify him of the termination.

Given the above, it is imprudent for any network operator (North
American or Other) to use Mr. Linford's SBL to restrict the delivery of
e-mail.

Dynamic block lists such as Spamcop will be much more effective at
blocking spam, while allowing normal e-mail to flow as it should.

Jon Ham/Infolink Network Administration
Toll Free (USA) +1 877 293 2095 ext. 1422
Tel. +1 305 324 1616 ext. 1422
www.infolink.com