Attn MCI/UUNet - Massive abuse from your network

Ben Browning benb at theriver.com
Thu Jun 24 19:12:28 UTC 2004


Chris,

To start off, thank you for taking this issue seriously and investigating it.

At 08:05 PM 6/23/2004, Christopher L. Morrow wrote:
>The sbl lists quite a few /32 entries, while this is nice for blocking
>spam if you choose to use their RBL service I'm not sure it's a good
>measure of 'spamhaus size'. I'm not sure I know of a way to take this
>measurement, but given size and number of IPs that terminate inside AS701
>there certainly are scope issues.

Netmasks aside, a spammer is a spammer. One spammer sending 100,000 emails 
from 4 machines is functionally equivalent to one sending 100,000 from 1 
machine.

>All that said, I'm certainly not saying "spam is good", I also believe
>that over the last 4.5 years uunet's abuse group has done quite a few good
>things with respect to the main spammers.

That's possible, I suppose, but the view from outside sees only the bad (and 
there's plenty).

> > As an example, I see a posting that says emailtools.com was alive on
> > 206.67.63.41 in 2000. They aren't there any more... But now:
> >
> > [me at host]$ telnet mail.emailtools.com 25
> > Trying 65.210.168.34...
> > Connected to mail.emailtools.com.
> > Escape character is '^]'.
>
>Sure, customer of a customer we got emailtools.com kicked from their
>original 'home' now they've moved off (probably several times since 2000)
>to another customer. This happens to every ISP, each time they appear we
>start the process to disconnect them. I'm checking on the current status
>of their current home to see why we have either: 1) not gotten complaints
>about them, 2) have not made progress kicking them again.

Excellent! I (and I am sure the rest of the antispam community) will be 
looking forward to hearing how all this pans out, and I am very glad I 
could bring some of this to your attention.

> > >On Mon, 21 Jun 2004, Ben Browning wrote:
> > Allow me to rephrase- I wanted it to be read and hoped someone would act on
> > complaints. I have no doubt MCI is serious about stopping DDOS and other
> > abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
> > though, abuse@ turns a blind eye. What other conclusion can I draw from the
>
>This is not true, the action might not happen in the time you'd like, but
>there are actions being taken. I'd be the first to admit that the
>timelines are lengthy :( but part of that is the large company process,
>getting all the proper people to realize that this abuse is bad and the
>offenders need to be dealt with.

A lengthy timeline for action to be taken, from the viewpoint of the 
attacked, is indistinguishable from tacit approval of the attacks. I don't 
imagine MCI has a lengthy timeline when replying to sales email or billing 
issues.

> > 200ish SBL entries under MCI's name? Why else would emailtools.com (for
> > example) still be around despite their wholesale raping of misconfigured
> > proxies?
>
>emailtools will be around in one form or another, all the owner must do is
>purchase 9$ virtual-hosting from some other poor ISP out there who needs
>the money... they may not even know who emailtools is, if that ISP is a
>uunet/mci customer then we'll have to deal with them as well, just like
>their current home. you must realize you can't just snap your fingers and
>make these things go away.

Omaha Steaks has been there for 3+ weeks (since being added to the SBL).

Scott Richter has likewise been spamming from there for a month. Do you 
need a permission slip to terminate him? Does it take a month to get one? I 
can snap my fingers many times in a month!

According to ARIN records, both of these are SWIPped space only one step 
below yours (i.e. not a customer-of-a-customer).

It's nice to say "Oh well they move around and we can't stop them", but the 
point is that if they got terminated in a timely fashion (measured in hours 
or days at the most, *not* weeks and months) they would not keep moving 
around on your network; they would find another one to abuse instead. As it 
stands, they get a month to spam, then they have to move- that's pink gold 
in spammerland.

> > All I want is a couple of straight-up answers. Why do complaints to uunet
> > go unanswered and the abusers remain connected if, in fact, the complaints
>
>I believe you do get an answer, if not the auto-acks are off still from a
>previous mail flood ;(

An auto-ack is not an answer.

>Please let me know if you are NOT getting ticket
>numbers back. They might be connected still if there were:
>1) not enough info in the complaints to take action on them

I've never been asked to furnish more info.

>2) not enough complaints to terminate the account, but working with the
>downstream to get the problem resolved

I've never been looped into this process either. What is the window you 
guys give your downstreams for ceasing such activities?

>3) action is awaiting proper approvals.

What's the timeframe on these approvals happening? Do you need such 
approvals in the event of a DDOS or other abuse?

> > are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
>
>I think the answer is shifting winds in spammer homelands, I'll look
>through the list and see if we know about the problem children in the list
>and what we are doing about them.

Yes, they are drifting towards bulletproof hosting. MCI has a very wide 
reputation as being spam-friendly.

> > If I am a kook and an idiot for wanting a cleaner internet, well then I
> > guess I am a kook and an idiot.
>
>not for that, just for taking this up in the wrong place... but people
>call me kooky too, so maybe I'm just skewed.

What exactly makes NANOG the wrong place for this, given that MCI is mute 
in the more appropriate forum (news.admin.net-abuse.email)?
---
    Ben Browning <benb at theriver.com>
       The River Internet Access Co.
          WA Operations Manager
1-877-88-RIVER  http://www.theriver.com