rbnnetwork.org

Jeroen Massar jeroen at unfix.org
Tue Oct 31 15:13:57 UTC 2006


Alexander Harrowell wrote:
> 
> Is hosting a phishing site and bouncing abuse reports..

Not so strange, gmail addresses are being used a lot a for spam sources.
With the description you gave, I would also ignore it, it's a miracle
that the spamfilter didn't drop it dead on the floor in the first place,
especially as you are spamvertizing a certain website ;)

Lets see what you should do different the next time you try to report
something:

> ---------- Forwarded message ----------
> From: Alexander Harrowell <a.harrowell at gmail.com>

Don't use gmail, use a real address, not something which everybody can
create on the fly, at random and throw away again. That gives you some
credit that you are not trying to fake somebody else. Having your full
name instead of barbylover666 is a good part though, gmail isn't.

> Date: Oct 31, 2006 2:38 PM
> Subject: Phisher

Phisher? Is that it? Lets assume you have to handle [email protected] and you get
1000 mails a day from silly automated tools, seeing 'Phisher' as the
only thing in the subject from a person from gmail will simply trigger
only one action: [del].

In the 'description' below you write that they are doing comment spam.
Phising != comment spam. A better subject would have been:
 "Spamvertized website at <$ip> in your <$ispnet>, ASxxxx".

Having the ASN in there gives some credibility.

> To: abuse at rbnnetwork.org
> 
> 
> We're receiving large volumes of comments spam advertising a site
> hosted in your network. http://onlineinvestmentworld.com is located at
> 81.95.146.166, which is your netblock: inetnum:        81.95.144.0 -
> 81.95.147.255

Who is "We"? Gmail? When reporting something it is actually useful to
show proof somewhere, thus simply point to the websites in question. As
those websites are yours you most likely also have logs of those sites,
then you can also contact the ISP's who are actually spamming the comments.

<SNIP RIPE object>

They know who they are, so you don't have to repeat that.

As this message, according to you, bounced, you could also have tried
the admin and tech handles. Altough in this case that leads only to
support at rbnnetwork.com. Email wise you are thus out of luck, but those
handles do contain phone numbers, which you can use then to resolve this.

Another way, instead of calling (which might be horrible if you don't
speak russian ;) is too check their peers and transits:

http://www.robtex.com/as/as40989.html which tells you that it is a very
small company with only one /22, they are pretty new to the game and
some other things. As they are a small ISP, they clearly have a transit
and you can always contact them if they don't reply to your mails or
they simply drop them on the floor.

If you would have done a whois on rbnnetwork.com you would have found
another email address and strangely, a US address and phone number.
They are not so russian as they seem like after all ;)

<SNIP traceroute>

What does a traceroute do at all? It might be handy only in the case
where some IP hijack is in progress, but in that case you can always do
a BGPPlay using RIPE's RIS to figure out where it came from.

Last but not least: there are dedicated spam etc reporting sites.
Afaik Nanog is not that place. Unless your network went down because an
ISP was overloading you with traffic of course ;)

Greets,
 Jeroen


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20061031/c592e659/attachment.sig>


More information about the NANOG mailing list