I got a live one! - Spam source

Steve Linford linford at spamhaus.org
Thu Nov 26 03:53:42 CST 2009


On 25 Nov 2009, at 04:22, Russell Myba wrote:

> Looks like of our customers has decided to turn their /24 into a  
> nice little
> space spewing machine.  Doesn't seem like just one compromised host.
>
> Reverse DNS for most of the /24 are suspicious domains.  Each  
> domain used in
> the message-id forwards to a single .net which lists their mailing  
> address
> as a PO box an single link to an unsubscribe field.

Classic snowshoe spam setup, probably a professional snowshoe spam  
outfit known to Spamhaus as 'Tactara' and 'Webzero'.

Snowshoe spam operations operate by contacting ISP pretending to be  
'IP space brokers', they buy lots of IP space and have it all SWIPed  
in small chunks, mostly /24s, to an endless array of anonymous  
Wyoming and Delaware shell companies at UPS mailboxes. They then fill  
the /24s with freshly-registered 'nonsense' domains, tunnel into the  
server to hide their real location, and start the spamming. Usually  
almost every IP in the /24 has a spam cannon on it and a web page  
with just an 'unsubscribe' field.

They're the reason we created the CSS announced here:
http://www.spamhaus.org/news.lasso?article=646

(please don't follow up to this post here on NANOG, as NANOG is not  
an appropriate forum for spam discussions)

   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org









More information about the NANOG mailing list