I got a live one! - Spam source
Steve Linford
linford at spamhaus.org
Thu Nov 26 09:53:42 UTC 2009
On 25 Nov 2009, at 04:22, Russell Myba wrote:
> Looks like one of our customers has decided to turn their /24 into a
> nice little space spewing machine. Doesn't seem like just one
> compromised host.
>
> Reverse DNS for most of the /24 are suspicious domains. Each domain
> used in the message-id forwards to a single .net which lists their
> mailing address as a PO box and a single link to an unsubscribe field.

Classic snowshoe spam setup, probably a professional snowshoe spam
outfit known to Spamhaus as 'Tactara' and 'Webzero'.

Snowshoe spam operations operate by contacting ISPs, pretending to be
'IP space brokers'. They buy lots of IP space and have it all SWIPed
in small chunks, mostly /24s, to an endless array of anonymous
Wyoming and Delaware shell companies at UPS mailboxes. They then fill
the /24s with freshly-registered 'nonsense' domains, tunnel into the
server to hide their real location, and start the spamming. Usually
almost every IP in the /24 has a spam cannon on it and a web page
with just an 'unsubscribe' field.

They're the reason we created the CSS announced here:
http://www.spamhaus.org/news.lasso?article=646

(please don't follow up to this post here on NANOG, as NANOG is not
an appropriate forum for spam discussions)

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
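
An added illustration, not part of the original post and not Spamhaus's own tooling: a heuristic check for the pattern described in the thread, where most of a /24 is populated and its reverse DNS is spread across many unrelated domains. The PTR data is constructed, the function names and thresholds are assumptions, and the registrable-domain split is a naive last-two-labels rule.

```python
import ipaddress
from collections import Counter

def registrable(host):
    """Naive registrable domain: last two labels (assumption; use the PSL in practice)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def profile_slash24(ptr_map, network):
    """Summarise how PTR names inside `network` spread across registrable domains."""
    net = ipaddress.ip_network(network)
    domains = Counter(
        registrable(host)
        for ip, host in ptr_map.items()
        if host and ipaddress.ip_address(ip) in net
    )
    populated = sum(domains.values())
    return {
        "populated": populated,
        "distinct_domains": len(domains),
        "top_share": max(domains.values()) / populated if populated else 0.0,
    }

def looks_like_snowshoe(profile, min_populated=64, min_distinct=32, max_top_share=0.10):
    """Flag a block where many IPs each carry a different domain (thresholds are assumptions)."""
    return (
        profile["populated"] >= min_populated
        and profile["distinct_domains"] >= min_distinct
        and profile["top_share"] <= max_top_share
    )

# Constructed sample data on documentation ranges and the reserved .example TLD.
SNOWSHOE_LIKE = {f"192.0.2.{i}": f"mail.qzx{i}.example" for i in range(1, 201)}
ACCESS_ISP = {f"198.51.100.{i}": f"host-{i}.dsl.isp.example" for i in range(1, 201)}
# A hosting block: generic provider PTRs plus a handful of customer domains.
SHARED_HOSTING = {f"203.0.113.{i}": f"srv{i}.hoster.example" for i in range(1, 101)}
SHARED_HOSTING.update({f"203.0.113.{i}": f"www.cust{i}.example" for i in range(101, 111)})

if __name__ == "__main__":
    samples = [
        ("snowshoe-like", SNOWSHOE_LIKE, "192.0.2.0/24"),
        ("access ISP", ACCESS_ISP, "198.51.100.0/24"),
        ("shared hosting", SHARED_HOSTING, "203.0.113.0/24"),
    ]
    for name, ptrs, net in samples:
        prof = profile_slash24(ptrs, net)
        print(f"{name:15} {net:18} {prof} flagged={looks_like_snowshoe(prof)}")
```

A flag from this check is a reason to look at the SWIP record, domain registration dates and outbound mail volume for the block, not a verdict on its own.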