dealing with bogon spam ?

Leslie leslie at craigslist.org
Fri Oct 30 11:34:47 CDT 2009


Just in case anyone's curious - The prefix still hasn't been updated in 
ARIN and I am still seeing tons of spam (grrr spammers and grr transit 
providers who don't filter advertisements of smaller customers)

I made a script which looks at our log files for ips that are unknown, 
double checks them against live database, and then reports the number of 
hits to me - that way I can at least take manual action against 
offenders.  On the good side, the only offender I currently see is 
40430, but I am still trying to remain vigilent for future spammers

Leslie

Leslie wrote:
> Just FYI the colo4jax guys got back to me and it is a stale ARIN db 
> entry - I guess they don't update it as quickly as I thought.  So this 
> is now just a normal case of spam.
> 
> Leslie
> 
> Leslie wrote:
>> Yes, unallocated (at least according to ARIN's whois db) but not 
>> unannounced - obviously our network can get to the space or else I 
>> wouldn't be having a spam problem with them!   I'm actually seeing 
>> this  /20 as advertised through Savvis from AS40430
>>
>> It seems to me like the best solution might be a semi-hacky solution 
>> of asking arin (and other IRR's) if i can copy its DB and creating an 
>> internal peer which null routes unallocated blocks (updated nightly?)
>>
>> Has anyone seen an IRR's DB's not being updated for more than 30 days 
>> after allocations?  I always assumed that they are quickly updated.
>>
>> Thanks again,
>> Leslie
>>
>> Jon Lewis wrote:
>>> Unallocated doesn't mean non-routed.  All a spammer needs is a 
>>> willing/non-filtering provider doing BGP with them, and they can 
>>> announce any space they like, send out some spam, and then pull the 
>>> announcement. Next morning, when you see the spam and try to figure 
>>> out who to send complaints to, you're either going to complain to the 
>>> wrong people or find that whois is of no help.
>>>
>>> On Tue, 27 Oct 2009, Church, Charles wrote:
>>>
>>>> This is puzzling me.  If it's from non-announced space, at some 
>>>> point some router should report no route to it.  How is the TCP 
>>>> handshake performed to allow a sync to turn into spam?
>>>>
>>>> Chuck
>>>>
>>>> Chuck Church
>>>> Network Planning Engineer, CCIE #8776
>>>> Harris Information Technology Services
>>>> DOD Programs
>>>> 1210 N. Parker Rd. | Greenville, SC 29609
>>>> Office: 864-335-9473 | Cell: 864-266-3978
>>>> --------------------------
>>>> Sent using BlackBerry
>>>>
>>>>




More information about the NANOG mailing list