Attn MCI/UUNet - Massive abuse from your network
Ben Browning
benb at theriver.com
Thu Jun 24 19:12:28 UTC 2004
Chris,
To start off, thank you for taking this issue seriously and investigating it.
At 08:05 PM 6/23/2004, Christopher L. Morrow wrote:
>The sbl lists quite a few /32 entries, while this is nice for blocking
>spam if you choose to use their RBL service I'm not sure it's a good
>measure of 'spamhaus size'. I'm not sure I know of a way to take this
>measurement, but given size and number of IPs that terminate inside AS701
>there certainly are scope issues.
Netmasks aside, a spammer is a spammer. One spammer sending 100,000 emails
from 4 machines is functionally equivalent to one sending 100,000 from 1
machine.
>All that said, I'm certainly not saying "spam is good", I also believe
>that over the last 4.5 years uunet's abuse group has done quite a few good
>things with respect to the main spammers.
That's possible, I suppose, but the view from outside sees only the bad (and
there's plenty).
> > As an example, I see a posting that says emailtools.com was alive on
> > 206.67.63.41 in 2000. They aren't there any more... But now:
> >
> > [me at host]$ telnet mail.emailtools.com 25
> > Trying 65.210.168.34...
> > Connected to mail.emailtools.com.
> > Escape character is '^]'.
>
>Sure, customer of a customer we got emailtools.com kicked from their
>original 'home' now they've moved off (probably several times since 2000)
>to another customer. This happens to every ISP, each time they appear we
>start the process to disconnect them. I'm checking on the current status
>of their current home to see why we have either: 1) not gotten complaints
>about them, 2) have not made progress kicking them again.
Excellent! I (and I am sure the rest of the antispam community) will be
looking forward to hearing how all this pans out, and I am very glad I
could bring some of this to your attention.
> > >On Mon, 21 Jun 2004, Ben Browning wrote:
> > Allow me to rephrase- I wanted it to be read and hoped someone would act on
> > complaints. I have no doubt MCI is serious about stopping DDOS and other
> > abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
> > though, abuse@ turns a blind eye. What other conclusion can I draw from the
>
>This is not true, the action might not happen in the time you'd like, but
>there are actions being taken. I'd be the first to admit that the
>timelines are lengthy :( but part of that is the large company process,
>getting all the proper people to realize that this abuse is bad and the
>offenders need to be dealt with.
A lengthy timeline for action to be taken, from the viewpoint of the
attacked, is indistinguishable from tacit approval of the attacks. I don't
imagine MCI has a lengthy timeline when replying to sales email or billing
issues.
> > 200ish SBL entries under MCI's name? Why else would emailtools.com (for
> > example) still be around despite their wholesale raping of misconfigured
> > proxies?
>
>emailtools will be around in one form or another, all the owner must do is
>purchase 9$ virtual-hosting from some other poor ISP out there who needs
>the money... they may not even know who emailtools is, if that ISP is a
>uunet/mci customer then we'll have to deal with them as well, just like
>their current home. You must realize you can't just snap your fingers and
>make these things go away.
Omaha Steaks has been there for 3+ weeks (since being added to the SBL).
Scott Richter has likewise been spamming from there for a month. Do you
need a permission slip to terminate him? Does it take a month to get one? I
can snap my fingers many times in a month!
According to ARIN records, both of these are swipped space only one step
below yours (i.e., not a customer-of-a-customer).
It's nice to say "Oh well they move around and we can't stop them", but the
point is that if they got terminated in a timely fashion (measured in hours
or days at the most, *not* weeks and months) they would not keep moving
around on your network; they would find another one to abuse instead. As it
stands, they get a month to spam, then they have to move- that's pink gold
in spammerland.
> > All I want is a couple of straight-up answers. Why do complaints to uunet
> > go unanswered and the abusers remain connected if, in fact, the complaints
>
>I believe you do get an answer, if not the auto-acks are off still from a
>previous mail flood ;(
An auto-ack is not an answer.
>Please let me know if you are NOT getting ticket
>numbers back. They might be connected still if there were:
>1) not enough info in the complaints to take action on them
I've never been asked to furnish more info.
>2) not enough complaints to terminate the account, but working with the
>downstream to get the problem resolved
I've never been looped into this process either. What is the window you
guys give your downstreams for ceasing such activities?
>3) action is awaiting proper approvals.
What's the timeframe on these approvals happening? Do you need such
approvals in the event of a DDOS or other abuse?
> > are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
>
>I think the answer is shifting winds in spammer homelands, I'll look
>through the list and see if we know about the problem children in the list
>and what we are doing about them.
Yes, they are drifting towards bulletproof hosting. MCI has a very wide
reputation as being spam-friendly.
> > If I am a kook and an idiot for wanting a cleaner internet, well then I
> > guess I am a kook and an idiot.
>
>not for that, just for taking this up in the wrong place... but people
>call me kooky too, so maybe I'm just skewed.
What exactly makes NANOG the wrong place for this, given that MCI is mute
in the more appropriate forum (news.admin.net-abuse.email)?
---
Ben Browning <benb at theriver.com>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER http://www.theriver.com