Slightly OT: Looking for an old domain for spam collection

Douglas Otis dotis at mail-abuse.org
Wed Mar 28 18:24:18 UTC 2007



On Mar 28, 2007, at 11:08 AM, william(at)elan.net wrote:

>
> On Wed, 28 Mar 2007, Tony Finch wrote:
>
>> On Wed, 28 Mar 2007, Ken Simpson wrote:
>>>
>>> What is particularly missing IMHO is a spoofed-BGP-route blacklist.
>>> Anyone making any progress on that sort of thing?
>>
>> completewhois has lists in various forms of bogon and hijacked  
>> networks.
>>
>> http://completewhois.com/bogons/bogons_usage.htm

This list apparently does not track much of the active spoofed  
announcements.  This is understandable, as this tracking remains a  
difficult task.

> Only bogon list will catch some real-time hijacking and only when  
> they are doing at the unannounced space (which does happen - see  
> presentation a couple of NANOGs ago about spammers announcing full /8  
> and using unallocated portions; there were other cases too that did  
> not use as large of an announcement).
>
> The real-time hijacking (short-announcements that go away in about  
> an hour although some do stay longer) of someone else's space or  
> short-term announcements of unused legacy space can only be caught  
> when you know where correct announcements should come from and  
> until we have SIDR, there is no reliable way to do it. The way I'm  
> testing it is by comparing where routes for where announcements  
> come from before and setting certain time period before route is  
> considered "adequate" (this has obvious bad implications for those  
> changing from one ASN to another). If my project gets sufficiently  
> stable for public consumption trials I'll let you know more but  
> from what I wrote you should get an idea on how to set something like  
> it yourself (and I think this is something similar to what others  
> are doing too already, I'm unsure if they are making data public or  
> not).

Some of this information is incorporated within one of our temporary  
lists, but not exclusively.  The level of this activity is rather  
disconcerting.  Perhaps there should be a list dedicated for this  
purpose for use beyond email, which appears to be the purpose of most  
but not all such announcements.

-Doug
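
The origin-history check described in the quoted text above (compare where a prefix's announcements came from before, and require a hold period before a route counts as "adequate"), combined with a bogon lookup, as an added example that is not part of the original thread or any poster's code. The event format, hold period, verdict names, prefixes and ASNs are constructed assumptions.

```python
import ipaddress

HOLD = 24 * 3600  # assumed probation period in seconds; the thread names no value

# Constructed bogon list: a documentation range standing in for unallocated space.
BOGONS = [ipaddress.ip_network("198.51.100.0/24")]

def classify(events, hold=HOLD, bogons=BOGONS):
    """events: time-ordered (ts, kind, prefix, origin_asn); kind is 'A' for an
    observed announcement or 'W' for a withdrawal. Returns one verdict per 'A'."""
    first_seen = {}   # (prefix, origin) -> ts at which the current run began
    trusted = {}      # prefix -> origins that have survived the hold period
    out = []
    for ts, kind, prefix, origin in events:
        net = ipaddress.ip_network(prefix)
        key = (net, origin)
        if kind == "W":
            # A withdrawal ends the run, so a short-lived route never ages in.
            first_seen.pop(key, None)
            continue
        start = first_seen.setdefault(key, ts)
        if any(net.overlaps(b) for b in bogons):
            verdict = "bogon"            # inside, or covering, unallocated space
        elif origin in trusted.get(net, set()):
            verdict = "adequate"
        elif ts - start >= hold:
            trusted.setdefault(net, set()).add(origin)
            verdict = "adequate"
        elif trusted.get(net):
            verdict = "origin-change"    # known prefix, unfamiliar origin AS
        else:
            verdict = "probation"        # no history yet for this prefix
        out.append((ts, prefix, origin, verdict))
    return out

# Constructed sample feed (documentation prefixes and ASNs).
SAMPLE = [
    (0,      "A", "192.0.2.0/24",    64500),  # first sighting
    (90000,  "A", "192.0.2.0/24",    64500),  # still there after the hold period
    (100000, "A", "192.0.2.0/24",    64501),  # different origin appears
    (103600, "W", "192.0.2.0/24",    64501),  # gone an hour later
    (200000, "A", "192.0.2.0/24",    64501),  # returns; its clock restarted
    (200000, "A", "198.51.100.0/25", 64501),  # carved out of bogon space
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

A legitimate move from one ASN to another shows up as "origin-change" until the new origin has lasted the hold period, which is the side effect the quoted text mentions.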



