where 419 scams come from (was: Re: New IANA IPv4 allocation to AfriNIC (41/8))

Steven Champeon schampeo at hesketh.com
Wed Apr 13 22:28:25 UTC 2005


on Wed, Apr 13, 2005 at 02:38:44PM -0600, Steve Meuse wrote:
> 
> On 4/13/05, John Palmer <nanog at adns.net> wrote:
> > 
> > Thank you for that information. I can leave 41/8 in my router bogon list
> > and hopefully eliminate the Nigerian 419 problem somewhat.
> 
> Personally, I believe we should give them the chance to fail before we
> cut them off from the rest of the world. I don't think the majority of
> 419 email comes from addresses actually sourced in Nigeria.

I can't speak to the whole world's perceptions, but for 419/aff mail
seen here, the vast majority comes from IPs assigned to the following
ISO country codes:

(africa|AR|BF|BG|BJ|BW|CI|DK|ES|GH|IL|KE|KR|LB|LV|ML|MR|NG|NL|RW|SN|TG|ZA|ZW)

Where 'africa' means "IP space delegated to africa-online.com"
(216.104.192/20).

Also see quite a bit from BR, the occasional one or two from space in
the US, satellite connections, and some from FR. I know this because I
use the Received: and various X-Originating-IP format headers (usually
originating via some compromised or unmonitored webmail software) to
extract the injection IP and reject messages if the source matches the
ISO codes above in a crossref of IP to ISO code or other keyword.

I used to see quite a bit from Australia, but bigpond seems to have
cleaned up its act significantly.

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
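
The header-based filtering described in the message above, sketched as an added example (not part of the original post and not the poster's actual filter). The function names, the sample message, and every row of the IP table except 216.104.192/20 are assumptions constructed for illustration; the documentation ranges carry made-up country assignments.

```python
import email
import ipaddress
import re

# ISO codes/keywords listed in the post; "africa" is its label for 216.104.192/20.
BLOCKED = set("africa AR BF BG BJ BW CI DK ES GH IL KE KR LB LV ML MR NG NL "
              "RW SN TG ZA ZW".split())
# Constructed lookup table: only the first row is from the post; the other two
# are documentation ranges with made-up country assignments.
IP_TABLE = [(ipaddress.ip_network(n), k) for n, k in (
    ("216.104.192.0/20", "africa"), ("198.51.100.0/24", "NG"),
    ("203.0.113.0/24", "US"))]
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def first_external(text):
    """Return the first syntactically valid, non-internal IPv4 address in text."""
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1
            continue
        if not any(ip in net for net in INTERNAL):
            return ip
    return None

def injection_ip(raw):
    """Prefer X-Originating-IP (set by webmail), else the earliest Received hop.
    Headers below your own MX are sender-controlled, so this is a heuristic."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("X-Originating-IP", [])
    headers += reversed(msg.get_all("Received", []))  # bottom header = first hop
    for value in headers:
        ip = first_external(str(value))
        if ip is not None:
            return ip
    return None

def verdict(raw):
    """Return (action, ip, keyword) for one raw RFC 822 message."""
    ip = injection_ip(raw)
    keyword = next((k for net, k in IP_TABLE if ip is not None and ip in net), None)
    return ("reject" if keyword in BLOCKED else "accept", ip, keyword)

# Constructed sample: webmail submission carrying X-Originating-IP.
SAMPLE = ("Received: from webmail.example.net (webmail.example.net [203.0.113.25])\n"
          "\tby mx.example.org with ESMTP; Wed, 13 Apr 2005 22:00:00 +0000\n"
          "X-Originating-IP: [216.104.200.17]\n"
          "Subject: URGENT BUSINESS PROPOSAL\n\nbody\n")
```

The sample is rejected on the webmail-reported address even though the relay that handed it over maps to an unlisted keyword, which is why the check keys on the injection point rather than the connecting peer.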


