Re: I got a live one! - Spam source
Not to keep endlessly on this thread, but again with reference to good whois record keeping and bad..

64.21.87.136: mx2.yvzus.com
64.21.87.141: mx3.xmabs.com
64.21.87.168: mx5.zgows.com
64.21.87.170: mx5.zntas.com

GOOD. We know the activity is probably limited to:

Found a referral to whois.nac.net:43.
NAC-Rwhoisd32 Server Ready - [hydrogen/43] Rwhoisd32 - 1.0.76
Private (NET-40155780-26)
1000 Elliott Ave W
Seattle, WA 98119
US
OrgID : NAC-40612
Netname : NET-40155780-26
Netblock: 64.21.87.128/26
NetUse : additional loopback ips for 66.246.252.57
Coordinator: Whitaker, Claude washwhita...@aol.com
Phone: 206-407-3201

67.229.101.206: hikmvo.leadingsolutionlinks.com
67.229.101.207: noqo.leadingsolutionlinks.com
67.229.101.208: rqecf.leadingsolutionlinks.com

GOOD. We know that the activity is probably limited to:

VPLS Inc. d/b/a Krypt Technologies VPLSNET (NET-67-229-0-0-1) 67.229.0.0 - 67.229.255.255
Roy Diaz ROY (NET-67-229-96-0-1) 67.229.96.0 - 67.229.111.255

(Other than that, VPLS/Krypt seems to really like these types of customers)

70.97.119.58: mail1.ugallshwomange.com
70.97.119.59: mail1.ugouricarali.com
70.97.119.60: mail1.utanonesiana.com
70.97.119.61: mail1.vatetricarkose.com
70.97.119.62: mail1.venesiandsgu.com
70.97.119.63: mail1.viandslahass.com
70.97.119.64: mail1.vientianarica.com
70.97.119.65: mail1.vientuckyan.com

BAD.

Integra Telecom, Inc. ELI-NETWORK-ELIX (NET-70-96-0-0-1) 70.96.0.0 - 70.99.255.255
Syptec ITCM-70-97-118-0-23 (NET-70-97-118-0-1) 70.97.118.0 - 70.97.119.255

This is a /23 but with Syptec's record... They sure like opening ranges to email marketers first :) Unless Syptec is operating those machines themselves.. but in that class C all the IPs don't appear to start on a normal boundary, .35-.65, with all the rest of the IPs having no reverse DNS. Does this client of theirs have control over the whole /23 or just a part?

205.251.11.130: loneas41.instantcasheasynow.com
205.251.11.163: lon69.instantcasheasynow.com
205.251.11.70: lon83.instantcasheasynow.com
205.251.7.144: click37.fallcreditcash.com
205.251.7.204: track42.fallcreditcash.com
205.251.7.253: click14.fallcreditcash.com
205.251.7.99: track4.fallcreditcash.com

BAD.

InfoRelay Online Systems, Inc. INFORELAY-EST-02 (NET-205-251-0-0-1) 205.251.0.0 - 205.251.127.255
Reaction54 REACT54-03 (NET-205-251-8-0-1) 205.251.8.0 - 205.251.15.255

Is this two different clients on Reaction54, or is this Reaction54 themselves? I think you have to assume the latter based on this whois information.. Especially when you see that the whole class C has the same naming patterns.

216.52.246.253: host6.chemistryearth.com
216.52.246.254: host6.consecutiveworld.com

GOOD.

Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1) 216.52.0.0 - 216.52.255.255
Aurora Networking INAP-LAX-AURORA-34937 (NET-216-52-246-0-1) 216.52.246.0 - 216.52.246.255

More companies on Internap, but at least we know exactly what range is owned by this company.. We can just look at the one class 'C'. And of course we can see that this is quite typical right across the range..

218.213.228.76: ad-a11.pointdnshere.com
218.213.228.92: ns193.pointdnshere.com

BAD.

Ummm.. we can't say the same operator is using all of these, can we?

inetnum: 218.213.0.0 - 218.213.255.255
netname: HKNET-HK
descr: HKNet Company Limited
descr: 15/F, Tower 2, Ever Gain Plaza,
descr: 88 Container Port Road, Kwai Chung, N.T.
country: HK

And if we guessed, and said the same behavior was across the board, we would be hurting the poor guy on that class C at the top of the range.. (Oh, yeah.. I know.. I threw in that last example to show that this isn't just a North American problem)

On November 26, 2009, Rich Kulawiec wrote:

On Wed, Nov 25, 2009 at 09:25:27AM -0800, Michael Peddemors wrote:

I hear people saying that they don't publish whois information because they don't want the emails made public. Okay, at least the registered company name, or individual who presented the ID, should be there.

Without delving too far into this: there is no point whatsoever in attempting to conceal or obfuscate email addresses -- not any more. It is an obsolete, cargo cult practice that many are still engaged in without grasping that it was quite thoroughly defeated by spammers and their associates years ago.

That said, I concur in full with your opinions in re whois data and the need to assign it properly. I've long since stopped trying to deal with missing information and have adopted the rule that if the neighborhood looks sufficiently bad, I just block a /24 worth. That may sound arbitrary, but in practice it works extremely
Re: I got a live one! - Spam source
Could you elaborate on what constitutes correct swip information?

Sure, you just opened the door to my opinions on this :)

-- WRONG --
OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US
Found a referral to rwhois.fortressitx.com:4443.
Timeout.
--

The argument that whois information should not be made public is ridiculous. I hear people saying that they don't publish whois information because they don't want the emails made public. Okay, at least the registered company name, or individual who presented the ID, should be there.

-- WRONG --
OrgName: Peer 1 Dedicated Hosting
OrgID: P1DH-1
Address: 101 Marietta Street
Address: Suite 500
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19
--

Okay, you REALLY want people to get tired of playing whack-a-mole? This is why many list operators block large ranges.. according to this listing, one responsible party for the whole list.. (oh, and don't get me started on reporting.. the quote I heard here was.. 'Oh, we don't do anything about spammers unless it affects other customers')

So, how big a range should you block when you start seeing a pattern? Remember, organizations like UCE-PROTECT tend to base a reputation on /24. This is probably because in a lot of cases you cannot tell whether the person owns the whole range, or just the top /25.

-- RIGHT --
OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
network:Network-Name:NET-96.9.145.224/28
network:IP-Network:96.9.145.224/28
network:Organization;I:org--6898
network:Org-Name:ServerPlaceNet c/o Network Operations Center, Inc.
--

Simple: if the IPs reflect some behavior we don't like, we know exactly which ranges should be affected. Basically, if you absolve yourself of the responsibility for the conduct of part of your networks to a 3rd party.. you should SWIP it.

Some hosting companies are really good about this, even as far as SWIPing down to the /32. There is a chain of responsibility, and when a hosting company has a known offender using portion(s) of their space, it makes it much easier to decide how much of that space should be blocked. Should we block the whole /24 or only a portion? Say you see...

66.104.246.36: mail1.clubdelivery.net
66.104.246.37: mail1.deliverydirect.info
66.104.246.38: mail1.deliverymobile.net
66.104.246.39: mail1.deliveryonline.info
66.104.246.40: mail1.deliveryrama.net
66.104.246.41: mail1.deliveryusa.net
66.104.246.42: mail1.deliveryzilla.net
66.104.246.43: mail1.godelivery.info
66.104.246.44: mail1.instantdelivery.info
66.104.246.45: mail1.date-meet.net
66.104.246.46: mail1.uchatfree.net
66.104.246.47: mail1.secureeasypay.net
66.104.246.48: mail1.idevelopthings.com
66.104.246.49: mail1.whocanvote.com
66.104.246.50: mail1.freedvdz.net
66.104.246.51: mail1.freecybercam.com
66.104.246.53: mail2.clubdelivery.net
66.104.246.54: mail2.deliverydirect.info
66.104.246.55: mail2.deliverymobile.net
66.104.246.56: mail2.deliveryonline.info
66.104.246.57: mail2.deliveryrama.net
66.104.246.58: mail2.deliveryusa.net
66.104.246.59: mail2.deliveryzilla.net
66.104.246.60: mail2.godelivery.info
66.104.246.61: mail2.instantdelivery.info
66.104.246.62: mail2.date-meet.net

It's listed as..

network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22

Well, we don't have to affect the whole XO block.. but who is the operator responsible for the activities of these servers? The SWIP should reflect that. Also, it makes it easier to see relevant activities from other ranges that the customer might own.. Like older IP ranges...

--
Precision Technology INC mycouponsavingsmailcom MYCOUPONSAVINGSMAILCOM 24.155.144.16 - 24.155.144.31 # 24.155.144.16/28
--

Guess business was good.. but now of course, with proper SWIP, we know that those IPs are no longer controlled by the same party (we hope). Of course, it can still be abused.. if the hosting provider is in collusion.. changes the SWIP regularly to hide that it is the same operator.. but even then, we will see such patterns.. if a hosting company 'constantly' gets a new 'problem customer' (sic) then we can see that as well.

--
Catch the Magic of Linux...
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
A Wizard IT Company - For More Info http://www.wizard.ca
LinuxMagic is a Registered TradeMark of Wizard
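The "how much do we block" decision the two posts above argue for, as an added example (not code from this thread or from LinuxMagic): the whois table is constructed from the ranges quoted above plus one hypothetical IPv6 allocation, the /24 fallback is the UCE-PROTECT practice mentioned in the post, and the /64 fallback for IPv6 is an assumption taken from the IPv6 discussion later on this page.

```python
"""Pick the block scope from whois/SWIP data: the exact SWIP'd range when one
exists, otherwise the conventional neighbourhood block (/24, or /64 for v6)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class WhoisRecord(NamedTuple):
    org: str
    net: Net
    reassigned: bool  # True = SWIP'd/reassigned to a customer, False = provider's own allocation


def rec(org: str, cidr: str, reassigned: bool) -> WhoisRecord:
    return WhoisRecord(org, ipaddress.ip_network(cidr), reassigned)


# Constructed whois table. The IPv4 ranges are the ones quoted in the thread;
# the IPv6 entry is hypothetical and only there to show the v6 fallback.
RECORDS: List[WhoisRecord] = [
    rec("Private (NET-40155780-26)", "64.21.87.128/26", True),                           # GOOD: /26 SWIP
    rec("Peer 1 Dedicated Hosting", "216.150.0.0/19", False),                            # WRONG: whole /19, nothing SWIP'd
    rec("ServerPlaceNet c/o Network Operations Center, Inc.", "96.9.145.224/28", True),  # RIGHT: /28 SWIP
    rec("Precision Technology, Inc (286563-1)", "66.104.244.0/22", True),                # XO customer /22
    rec("Hypothetical-ISP (constructed)", "2001:db8::/32", False),                       # constructed v6 allocation
]

# Fallback when only a provider-wide allocation (or nothing at all) covers the IP:
# /24 as UCE-PROTECT does for IPv4, /64 as suggested for IPv6 reputation lists.
FALLBACK_PREFIX: Dict[int, int] = {4: 24, 6: 64}


def most_specific(ip: Addr, records: List[WhoisRecord]) -> Optional[WhoisRecord]:
    """Longest-prefix match: the most specific record that contains ip."""
    matches = [r for r in records if r.net.version == ip.version and ip in r.net]
    return max(matches, key=lambda r: r.net.prefixlen, default=None)


def block_scope(ip_str: str, records: List[WhoisRecord] = RECORDS) -> Net:
    """Return the network to block for one offending address."""
    ip = ipaddress.ip_address(ip_str)
    r = most_specific(ip, records)
    if r is not None and r.reassigned:
        # The SWIP names one responsible party for exactly this range: block it and nothing more.
        return r.net
    # Only the provider's allocation is visible, so the customer's boundary is
    # unknown; block the conventional neighbourhood around the offender instead.
    return ipaddress.ip_network(f"{ip}/{FALLBACK_PREFIX[ip.version]}", strict=False)


def plan_blocks(offenders: List[str], records: List[WhoisRecord] = RECORDS) -> Dict[str, Set[str]]:
    """Group offending IPs by the block each one justifies."""
    plan: Dict[str, Set[str]] = {}
    for o in offenders:
        plan.setdefault(str(block_scope(o, records)), set()).add(o)
    return plan


if __name__ == "__main__":
    # Constructed offender list: the 64.21.87.x and 66.104.246.x hosts are from the
    # thread, the rest are made-up addresses inside the ranges in RECORDS.
    sample = ["64.21.87.136", "64.21.87.141", "216.150.5.10", "66.104.246.36",
              "96.9.145.230", "2001:db8:1234:5678::25", "203.0.113.7"]
    for net, ips in plan_blocks(sample).items():
        r = most_specific(ipaddress.ip_address(next(iter(ips))), RECORDS)
        why = f"SWIP'd to {r.org}" if r and r.reassigned else "no SWIP below the allocation, neighbourhood fallback"
        print(f"{net:28} <- {sorted(ips)}  ({why})")
```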
Re: What DNS Is Not
On November 25, 2009, Jorge Amodio wrote:

What needs to be done to have ISPs and other service providers stop tampering with DNS?

Cheers
Jorge

And what is needed to have a consistent 'whois' reporting format :) Keep adding to the list?

--
Catch the Magic of Linux...
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
A Wizard IT Company - For More Info http://www.wizard.ca
LinuxMagic is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-589-0037 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: ATT SMTP Admin contact?
On November 24, 2009, Brad Laue wrote:

True, but wouldn't a blacklist of SPF records for known spam issuing domains be a more maintainable list than an IP block whitelist? (I'm no doubt missing something very obvious with this question)

Brad

Yes, I think you are :) First of all, domains are easier to throw away than IP addresses, IP lookups are more efficient than DNS SPF records, and SPF is not really meant to address spam problems, although it can address some forgeries. SPF works best to identify forgeries of large well known domains, but I think you do not really understand what SPF records do, or how they work. Don't worry, many email operators don't either, and simply put in an SPF record that says that every IP can send email for that domain ;) And think how large the theoretical database size would be for every domain, compared to the limited size of the IPv4 space.. But this is better taken off list if you want to discuss SPF's usage in combating spam.
Re: I got a live one! - Spam source
On November 24, 2009, Russell Myba wrote:

Spamhaus is the first one that comes to mind. From what I understand of your description, this doesn't sound all that different from typical spammer behavior. Multiple layers of indirection seems to be the latest thing for spammers.

Depends on the activity, but this re-iterates the importance of maintaining correct SWIP, so that only the offenders get listed, and not bordering customers. But if you give the info on the listed company and range, we might be able to give you a lot more information.. I was just reading the latest spam auditors report, and it is always amazing how the same guys keep finding new colos to work out of..
Re: Human Factors and Accident reduction/mitigation
On November 5, 2009, Robert Boyle wrote:

It's because someone circumvented the rules, processes, and cross checks put in place to prevent the problem in the first place. Nothing can be made idiot proof because idiots are so creative.

-Robert
SEL/MEL Private Instrument

No, no commercial pilot ever flew overweight, or in weather below minimums, or more than the max hours in a month.. never happens ;) And there was never a boss that 'pushed' them into it, for the sake of expediency or financial gain, and the phrase.. 'Big Sky, Little Plane' was never uttered.. logbooks never fudged and rules are always followed..

C(om)255379
Re: Peering in Latin America
Isn't skylink offering peering?

On October 31, 2009, Ken Gilmour wrote:

Hi There,

I am looking for carriers who offer peering in Latin America (specifically Costa Rica). So far the only carrier in Costa Rica who I have been able to find that does this is ADN (American Data Networks, www.data.cr). While they are already on my list for a quote, we need at least one other diverse connection, so I would appreciate it if anyone else would be able to help me find other carriers who operate here?

Here's who I've contacted so far:

RACSA - Can't get past 1st level support (they don't know what BGP is)
ICE - Tried contacting a person whose address I was previously given from NANOG, to no avail
Global Crossing - Said they contacted an engineer who would get back to me, mailed them 4 times since to no avail (no bounced emails either).
Level 3 - Apparently don't operate in Latin America
ATT - Want us to have a minimum of 3 locations in the US to peer with first

So far ADN are the only carrier who have actually been of any help. Quick Googling for BGP Peering Latin America and BGP Peering Costa Rica and several variations thereof is not yielding any fruitful results.

Thanks and regards,
Ken
Re: Tucows vs Postini
Depends on your operational needs and size. For some people, nowadays you can go to a hosted email solution for the price of filtering.. and besides, any form of 'filtering' appliance or service comes at a price compared to solutions built into your mail servers..

It would be helpful if you provided the following:

Type of Email Server/Service you want to protect
Number of Email Boxes.
Any other custom wants/needs.

I never want to slag on anyone's service, but even if I did, I am sure you will get votes both ways. Your decision might need to be based on other factors that you are not aware of at this time. Cost is an obvious concern, but if say you are an ISP, and end up with more support calls with one company or the other.. it might outweigh the monthly cost differences. You would get better results if people with the same size and environment commented.

-- Michael --

On October 29, 2009, Paul Stewart wrote:

Hi folks...

Anyone have much experience with outsourcing antispam/antivirus to Tucows? We use Postini today and are overall pleased. The Tucows pricing seems to be MUCH lower so curious on any feedback...

Thanks,
Paul

---
The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you.
Re: ISP port blocking practice
On October 23, 2009, Steve Bertrand wrote:

http://eagle.ca/update/mail/Outlook_Express/index.html

...yes, believe it or not, even with the pictures, they will sometimes still get it wrong ;)

Years in planning and implementation, but a good, large-scale learning exercise and the achievement of no port 25 that I'm very proud of.

Steve

Congratulations, it would be nice if everyone got there, and we push all our clients to adopt such a strategy, but it is always surprising how many still fear.. change.. and the phone calls they fear may come from it. We should all work to educate that in the end run, call volumes and other problems will be reduced.
Re: CRTC rules on Traffic Management Practices
Holy Hannah!

ISP actions affecting content

According to the Telecommunications Act, a telecommunications company must obtain the Commission’s prior approval to “control the content or influence the meaning or purpose of telecommunications” carried over its network. The Commission does not consider such disruptive actions to be proper Internet traffic management practices, and they will always require prior approval. An ISP would therefore need to seek the Commission’s approval before it implemented a practice that would:

block the delivery of content to an end-user, or
slow down time-sensitive traffic, such as videoconferencing or Internet telephone (Voice over Internet Protocol) services, to the extent that the content is degraded.

When faced with these requests, the Commission will only grant its approval in the most exceptional cases.

The email marketing lobby already got the legislation watered down on the spam front, but does this in essence say that ISPs are no longer allowed to block email content, viruses et al?

On October 21, 2009, Jeff Gallagher wrote:

For those following the regulatory / net neutrality debate, the Canadian Radio and Telecommunications Commission released this morning a decision requiring additional transparency with respect to the traffic management practices of Canadian service providers.

News Release: http://www.crtc.gc.ca/eng/NEWS/RELEASES/2009/r091021.htm
Policy Details: http://www.crtc.gc.ca/eng/archive/2009/2009-657.htm

Jeff Gallagher
Network Engineering
jeff.gallag...@bellaliant.ca
Re: IPv6 internet broken, cogent/telia/hurricane not peering
On October 12, 2009, Patrick W. Gilmore wrote:

In summary: HE has worked tirelessly and mostly thanklessly to promote v6. They have done more to bring v6 to the forefront than any other network. But at the end of the day, despite HE's valiant effort on v6, v6 has all the problems of v4 on the backbone, PLUS growing pains. Which means it is difficult to rely on it, as v4 has enough dangers on its own.

And don't forget.. Once IPv6 gets to the mainstream.. IP reputation lists are going to have a real fun time :) Spammers would love to see IPv6 in place I am sure. ;) Routing IPv6 is going to require one heck of a thinking re-adjustment. Would be nice to just leave IPv6 in the premises, and keep IPv4 for routing.
Re: IPv6 internet broken, cogent/telia/hurricane not peering
On October 12, 2009, Dan White wrote:

Reputation lists will just be on the /64, /56 and /48 boundaries, rather than IPv4 /32.

IF network operators started advertising and routing /64 addresses, and assuming there were email servers out there running MX records on IPv6, http://eng.genius.com/blog/2009/09/14/email-on-ipv6/ for the spammers to send to, they would quickly adopt the idea of large blocks of IPv6 addresses. If you had to apply reputation to them individually, it would make a much larger dataset to maintain. If you look at for instance the number of IPs on RATS-DYNA and RATS-NOPTR (examples of IPs typically representative of DULs), they have 65 million IPs in the database at /32 IPv4; just think what the numbers would be with IPv6. Spammers could in theory be using a much larger set of routable IPs to send from. Once NAT is out, it opens a huge can of worms to detect and maintain the size of databases that would be needed to reflect this new space. With 18,446,744,073,709,551,616 compared to 4,294,967,296, anyone who is trying to build an efficient way to gather and store reputation has their work cut out for them. Currently, maintaining the reputation of the IPv4 space is feasible; however, once we reach IPv6 numbers, it would almost require a model of registering IPs for certain uses. We have enough trouble getting current providers to even have whois delegation of who is using what part of their IPv4 spaces; I don't expect it to get any easier with IPv6. Imagine the size of ACL lists?
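What keying a reputation store on the /64 (or /56, /48) boundaries named above looks like next to a per-address store, as an added example (not code from this thread or from any of the lists mentioned): the sender addresses are constructed, one IPv4 host plus an IPv6 sender that changes its interface identifier inside a single /64, and the listing threshold of three hits is an arbitrary assumption.

```python
"""Reputation counters keyed on a prefix per address family instead of on
single addresses, so a sender hopping inside one /64 collapses to one entry."""
import ipaddress
from collections import Counter
from typing import Dict, List

# Aggregation boundary per address family: /32 for IPv4 (today's practice),
# /64 for IPv6 as suggested in the post; /56 or /48 would be used the same way.
DEFAULT_KEY_PREFIX: Dict[int, int] = {4: 32, 6: 64}


def rep_key(ip_str: str, key_prefix: Dict[int, int] = DEFAULT_KEY_PREFIX) -> str:
    """Network under which this sender's reputation is stored."""
    ip = ipaddress.ip_address(ip_str)
    return str(ipaddress.ip_network(f"{ip}/{key_prefix[ip.version]}", strict=False))


class PrefixReputation:
    """Count bad-sender observations per key; a key is listed once it passes the threshold."""

    def __init__(self, key_prefix: Dict[int, int] = DEFAULT_KEY_PREFIX, list_threshold: int = 3):
        self.key_prefix = dict(key_prefix)
        self.list_threshold = list_threshold
        self.hits: Counter = Counter()

    def record(self, ip_str: str) -> None:
        self.hits[rep_key(ip_str, self.key_prefix)] += 1

    def is_listed(self, ip_str: str) -> bool:
        # Counter returns 0 for unseen keys without inserting them.
        return self.hits[rep_key(ip_str, self.key_prefix)] >= self.list_threshold

    def entries(self) -> int:
        """Size of the dataset that has to be stored and served."""
        return len(self.hits)


# Constructed sample: three hits from one IPv4 host, and eight hits from an
# IPv6 sender rotating its interface identifier inside 2001:db8:aaaa:1::/64.
SAMPLE_HITS: List[str] = ["198.51.100.9"] * 3 + [f"2001:db8:aaaa:1::{i:x}" for i in range(1, 9)]


def compare(hits: List[str] = SAMPLE_HITS) -> Dict[str, object]:
    """Same observations stored per host (/32, /128) versus per prefix (/32, /64)."""
    per_host = PrefixReputation({4: 32, 6: 128})
    per_prefix = PrefixReputation({4: 32, 6: 64})
    for h in hits:
        per_host.record(h)
        per_prefix.record(h)
    probe = "2001:db8:aaaa:1::ffff"  # an address from the same /64 that was never seen before
    return {
        "entries_per_host": per_host.entries(),        # one row per hopping address
        "entries_per_prefix": per_prefix.entries(),    # one row for the whole /64
        "v4_listed_per_host": per_host.is_listed("198.51.100.9"),
        "probe_listed_per_host": per_host.is_listed(probe),      # fresh address, no history
        "probe_listed_per_prefix": per_prefix.is_listed(probe),  # inherits the /64's history
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:24} {v}")
```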