On 25 Nov 2009, at 04:22, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in
the message-id
On Wed, Nov 25, 2009 at 09:25:27AM -0800, Michael Peddemors wrote:
I hear people saying that they don't publish whois information because they
don't want the emails made public. Okay, at least the registered company
name, or individual who presented the ID should be there.
Without
Not to keep endlessly on this thread, but again with reference to good whois
record keeping and bad..
64.21.87.136: mx2.yvzus.com
64.21.87.141: mx3.xmabs.com
64.21.87.168: mx5.zgows.com
64.21.87.170: mx5.zntas.com
GOOD We know the activity is probably limited to:
Found a referral to
Interesting scenario ... but would be far more interesting to us if you share
the /24?
Truman
On 25/11/2009, at 3:07 PM, Russell Myba wrote:
I'm confused. Who are you billing and for what services?
Let's say our direct customer is CustomerA. They seem to buy rackspace from
On Tue, Nov 24, 2009 at 10:22:36PM -0500, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
1. This is possibly/probably better on spam-l.
2. This is a very common operational
Russell,
My personal inclination would be to look for what legit entities are
provisioning them with critical resources and what margins they appear
to be paying.
For DNS resources, the domains, to identify registry preference,
probably a simple volume correlation, and the registrars, which
On Wed, 25 Nov 2009, Rich Kulawiec wrote:
On Tue, Nov 24, 2009 at 10:22:36PM -0500, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
1. This is possibly/probably better on
On Wed, Nov 25, 2009 at 2:17 AM, Paul Ferguson fergdawgs...@gmail.com wrote:
On Tue, Nov 24, 2009 at 10:55 PM, Michael Peddemors
mich...@linuxmagic.com wrote:
Depends on the activity, but this re-iterates the importance of
maintaining correct
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)
-- WRONG --
OrgName:FortressITX
OrgID: FORTR-5
Address:100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode:
On Wed, 25 Nov 2009 09:25:27 -0800
Michael Peddemors mich...@linuxmagic.com wrote:
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)
hmmm - odd that the 2 you chose to show as wrong, both feature highly
in my
On Wed, Nov 25, 2009 at 10:55 PM, Michael Peddemors
mich...@linuxmagic.com wrote:
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)
Dysfunctional rwhois servers sounds more like general brokenness than
malice. The
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in
the message-id forwards to a single .net which lists their mailing address
On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba rusm...@gmail.com wrote:
Looks like one of our customers has decided to turn their /24 into a nice
little space spewing machine. Doesn't seem like just one compromised
host.
Reverse DNS for most of the
On Tue, 24 Nov 2009, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in
the message-id forwards to a
Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in
the message-id forwards to a single .net which lists
I'm confused. Who are you billing and for what services?
Let's say our direct customer is CustomerA. They seem to buy rackspace from
BusinessB. CustomerA seem to retain BusinessC for IT Solutions even
though all three entities purport to be IT solutions providers.
BusinessC came into the
On Wed, Nov 25, 2009 at 8:52 AM, Russell Myba rusm...@gmail.com wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
space spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in
On November 24, 2009, Russell Myba wrote:
Spamhaus is the first one that comes to mind. From what I understand of
your description, this doesn't sound all that different from typical
spammer behavior. Multiple layers of indirection seem to be the latest
thing for spammers.
Depends on
On Tue, Nov 24, 2009 at 10:55 PM, Michael Peddemors
mich...@linuxmagic.com wrote:
Depends on the activity, but this re-iterates the importance of
maintaining correct SWIP, so that only the offenders get listed, and not
bordering customers.
Russell Myba wrote:
Let's say our direct customer is CustomerA. They seem to buy rackspace from
BusinessB. CustomerA seem to retain BusinessC for IT Solutions even
though all three entities purport to be IT solutions providers.
BusinessC came into the picture after the spamming started saying