Re: I got a live one! - Spam source

2009-11-25 Thread Russell Myba
On Wed, Nov 25, 2009 at 2:17 AM, Paul Ferguson  wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, Nov 24, 2009 at 10:55 PM, Michael Peddemors
>  wrote:
>
>>
>> Depends on the activity, but this re-iterates the importance of
>> maintaining correct SWIP, so that only the offenders get listed, and not
>> bordering
>> customers.
>>
>
> Right. There are *so many* loopholes in this entire process, Bad Guys are
> waltzing through it.
>
> - - ferg
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFLDNofq1pz9mNUZTMRAgNrAKDz6JwFqBG3gvXEIKo1UVrJSTmxDQCfadqV
> Ph3qt/qPDze8Z5tsRP7LgSw=
> =gQrR
> -----END PGP SIGNATURE-----
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>

Could you elaborate on what constitutes correct SWIP information?



Re: I got a live one! - Spam source

2009-11-24 Thread Russell Myba
>
>
> I'm confused.  Who are you billing and for what services?
>
>
Let's say our direct customer is CustomerA.  They seem to buy rackspace from
BusinessB.  CustomerA seems to retain BusinessC for "IT Solutions", even
though all three entities purport to be IT solutions providers.
BusinessC came into the picture after the spamming started, saying a wholly
different /24 (different from the spam source) "doesn't work".  It routes
fine on our end.  I have a feeling they've been added to some RBLs, but I
haven't found them listed yet.

Just a simple ethernet handoff in a colo.  We delegated rDNS to the servers
of their choice and haven't heard a peep out of them until now.



> Spamhaus is the first one that comes to mind.  From what I understand of
> your description, this doesn't sound all that different from typical spammer
> behavior.  Multiple layers of indirection seems to be the latest thing for
> spammers.
>
> --
>  Jon Lewis   |  I route
>  Senior Network Engineer |  therefore you are
>  Atlantic Net|
> _________________________________________________
> http://www.lewis.org/~jlewis/pgp for PGP public key
>


I got a live one! - Spam source

2009-11-24 Thread Russell Myba
Looks like one of our customers has decided to turn their /24 into a nice little
spam-spewing machine.  Doesn't seem like just one compromised host.

Reverse DNS entries for most of the /24 are suspicious domains.  Each domain used in
the Message-ID forwards to a single .net which lists their mailing address
as a PO box and a single link to an unsubscribe field.

I've contacted at least three known contacts for the customer about the
abuse without a single response.

It would seem there are many layers to this entity:

The domains are registered to one business.
Our billing information for the customer has one name; they colo with
another person (whom the cross connect reaches).
Our customer has an IT solutions person working for them (strange, since our
customer and their colo provider are "IT solutions" people themselves).
Abuse handle phone numbers are supposedly incorrect (I called it).

Besides the obvious of me, at a minimum, filtering port tcp/25, is there an
organization that tracks businesses like these, who seem to be
building a web of insulation in which to move?

I think this case might interest them.
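The observation in the original post (most of a /24 carrying PTRs in a set of throwaway domains, with no single compromised host in sight) is something you can check mechanically before filtering or reporting the block. The script below is an added example, not code from the thread or from any poster: it walks every address in a /24, looks up the PTR, forward-confirms it (FCrDNS), and counts how many distinct registrable domains the block advertises. The resolver is injected so the run here uses constructed data in the 192.0.2.0/24 documentation range; the `live_ptr`/`live_a` hooks wrap the standard library's `socket` calls for a real run. The thresholds, the sample domain names and the "last two labels" domain reduction are assumptions made for the example.

```python
"""Reverse-DNS audit of a /24: PTR for every address, forward confirmation,
and a count of distinct registrable domains.  A block where most addresses
carry PTRs spread over dozens of throwaway domains, many of which do not
forward-confirm, looks like dedicated spam infrastructure rather than one
compromised host.  Added example, not code from the mailing-list thread."""
import ipaddress
import socket
from collections import Counter

# Heuristic thresholds; assumptions for this example, not figures from the thread.
MAX_DOMAINS_PER_24 = 10        # more distinct registrable domains than this is suspicious
MAX_FCRDNS_FAIL_RATIO = 0.25   # share of PTR'd addresses allowed to fail forward confirmation


def registrable_domain(hostname):
    """Crude 'last two labels' reduction.  A production tool would use the
    Public Suffix List so that names like foo.co.uk are handled correctly."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def audit_block(cidr, ptr_lookup, a_lookup):
    """Walk every host address in cidr.

    ptr_lookup(ip) -> hostname or None; a_lookup(hostname) -> list of IP strings.
    Both are injected so the audit runs against canned data offline or against
    live DNS (see live_ptr / live_a below)."""
    net = ipaddress.ip_network(cidr, strict=False)
    rows = []
    for ip in net.hosts():               # for a /24 this skips .0 and .255
        ip_s = str(ip)
        name = ptr_lookup(ip_s)
        if not name:
            rows.append((ip_s, None, "no-ptr"))
            continue
        status = "fcrdns-ok" if ip_s in a_lookup(name) else "fcrdns-fail"
        rows.append((ip_s, name, status))

    status = Counter(s for _, _, s in rows)
    domains = Counter(registrable_domain(n) for _, n, _ in rows if n)
    with_ptr = status["fcrdns-ok"] + status["fcrdns-fail"]
    fail_ratio = status["fcrdns-fail"] / with_ptr if with_ptr else 0.0
    suspicious = (len(domains) > MAX_DOMAINS_PER_24
                  or fail_ratio > MAX_FCRDNS_FAIL_RATIO)
    return {
        "hosts": len(rows),
        "status": dict(status),
        "distinct_domains": len(domains),
        "top_domains": domains.most_common(5),
        "fcrdns_fail_ratio": round(fail_ratio, 3),
        "suspicious": suspicious,
    }


# Live resolver hooks (standard library only); not used by the canned run below.
def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(hostname):
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except (socket.herror, socket.gaierror):
        return []


# Constructed sample data in the 192.0.2.0/24 documentation range:
# .1-.200 carry PTRs spread over 40 throwaway domains; two thirds of those
# forward-confirm and the rest resolve elsewhere; .201-.254 have no PTR.
PTR_TABLE = {}
A_TABLE = {}
for i in range(1, 201):
    ip = f"192.0.2.{i}"
    name = f"mx{i}.promo-deal-{i % 40:02d}.example"
    PTR_TABLE[ip] = name
    A_TABLE[name] = [ip] if i % 3 else ["203.0.113.5"]


def run_sample():
    """Audit the constructed block; swap in live_ptr / live_a for a real /24."""
    return audit_block("192.0.2.0/24", PTR_TABLE.get,
                       lambda n: A_TABLE.get(n, []))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed block this reports 254 hosts, 134 forward-confirmed, 66 failing forward confirmation, 54 with no PTR, 40 distinct domains and a verdict of suspicious. The injected-resolver design is deliberate: it lets you keep the canned run as a regression test for the heuristics while pointing the same code at live DNS for the /24 in question.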