williams spamhaus blacklist

Kai Schlichting kai at pac-rim.net
Thu Sep 25 19:24:14 UTC 2003


On 9/25/2003 at 2:19 PM, "Deepak Jain" <deepak at ai.net> wrote:


>> But it's ok when AboveNet does it?...or actually does much worse by
>> secretly and arbitrarily blackholing various networks at will, while
>> advertising connectivity to those networks to their BGP customers and
>> peers?
>>

> So why keep connectivity to them? A contract term? Now that you know of the
> policy and aren't very happy about it, why not change providers -- you
> already have a few. :)

> I think anyone who blackholes sites within their own network should take the
> specifics with a community that clueful customers can use to route-around
> them, but obviously it's their network, and whoever is setting up the
> blackholes can decide that for themselves. Just a suggestion.

Travis Haymore, Director of Security at AboveNet, has reportedly (see
Spam-L a couple weeks back) made telephoned threats to at least one system
owner (digistar.com), threatening (and then following up on that threat)
to null-route that particular system (/32) on all of AboveNet/MFNX's routers,
for no other reason than a user of that system making unfavorable public
statements about AboveNet in public forums - while not disputing the truth
of such statements made; he just wanted "that user gone, or else".

Unfortunately for Travis, that happened to be the backup outgoing MX
for a mailing list of quite some importance to a few ISPs and RIRs:
Hijacked-L.


As far as my own case is concerned, presumably the same individual null-routed
the machine this mail originates from (208.241.101.2), for reasons not
explained and not justified with internal documentation whatsoever (that
much I got from an AboveNet manager; causing removal of this IP from their
BL, for lack of documentation, and the unnamed individual responsible for
its entry (Travis was never mentioned by name to me by this AboveNet person,
but everyone else who has reported similar experiences with AboveNet seems
to be pointing back to him at this point) never contested it).

Indeed, quite a bit of mail to abuse at above.net has been sent from this IP
(we are talking of maybe a few hundred since Jan 2003, a fraction of the
number of actual incidents observed) - and that appeared to be the one and
only reason why this machine would appear on his/their radar at all.

Legitimate, persistent and continuing complaints about illegal trespassing
originating from AboveNet's (or their customers') IP space into your servers
apparently can get you transit-blackholed at AboveNet, rather than getting
yourself blocked from accessing *AboveNet OWNED AND OPERATED* machines -
while AboveNet, knowingly and willingly, does nothing to stop the illegal
activity by itself.

If null0-routing the complainant shields that complainant from the illegal
activity (in order to make him shut up), I become quite suspicious that the
remaining illegal activity against the other 99.99999999999% of the Internet
is not just being ignored, but endorsed and shielded from further discovery
by the complainant. That's called "collusion", in my I-am-not-a-lawyer-way
of expressing this.


Add the secrecy on AboveNet's side and the unusual paths it takes to even
partially uncover any of this, then tell me: would you rather be SBL-listed
for everyone to see, or secretly null0'd at a transit point, with no public
or privately accessible record, until you randomly find out about it, because
some customer-used services (websites, email, etc.) have been failing
randomly for a couple of weeks (blame the Internet!) ?

> This way, blackholes designed to protect clue-light customers can be used
> with little detriment to clueful customers (once the communities are used
> and well-described/published).

Funny as it is, none of the definitions found at http://www.above.net/antispam.html
(section (3) and (8)) ever seem to apply to the cases that we are hearing
and reading about here, making the interception and redirection of this
traffic NOT AIMED AT AboveNET quite unlawful under federal wiretapping
statutes - and all of this is happening with AboveNet managers being well-aware
- less the details on the legalities, I am sure.

And this one is for Deepak: how exactly would a single host (e.g.: any
prefix longer than a /24) evade the giant traffic vacuum cleaner (AboveNet,
busy cleansing the Internet of "unwanted by anyone" packets) when your route,
as seen from most of the Internet, is a /10, rather than a /22, /23 or /24?

And last but not least: Infrastructure failures as a result of operator
behavior are on-topic, the last time I checked.

bye, Kai