Slightly OT: Looking for an old domain for spam collection
Douglas Otis
dotis at mail-abuse.org
Wed Mar 28 18:24:18 UTC 2007
On Mar 28, 2007, at 11:08 AM, william(at)elan.net wrote:
>
> On Wed, 28 Mar 2007, Tony Finch wrote:
>
>> On Wed, 28 Mar 2007, Ken Simpson wrote:
>>>
>>> What is particularly missing IMHO is a spoofed-BGP-route blacklist.
>>> Anyone making any progress on that sort of thing?
>>
>> completewhois has lists in various forms of bogon and hijacked
>> networks.
>>
>> http://completewhois.com/bogons/bogons_usage.htm

This list apparently does not track much of the active spoofed
announcements. This is understandable, as this tracking remains a
difficult task.

> Only bogon list will catch some real-time hijacking and only when
> they are doing it at the unannounced space (which does happen - see
> presentation at a couple of NANOGs ago about spammers announcing full /8
> and using unallocated portions; there were other cases too that did
> not use as large of an announcement).
>
> The real-time hijacking (short-announcements that go away in about
> an hour although some do stay longer) of someone else's space or
> short-term announcements of unused legacy space can only be caught
> when you know where correct announcements should come from and
> until we have SIDR, there is no reliable way to do it. The way I'm
> testing it is by comparing where routes for where announcements
> come from before and setting certain time period before route is
> considered "adequate" (this has obvious bad implications for those
> changing from one ASN to another). If my project gets sufficiently
> stable for public consumption trials I'll let you know more but
> from what I wrote you should get an idea on how to set something like
> it yourself (and I think this is something similar to what others
> are doing too already, I'm unsure if they are making data public or
> not).

Some of this information is incorporated within one of our temporary
lists, but not exclusively. The level of this activity is rather
disconcerting. Perhaps there should be a list dedicated for this
purpose for use beyond email, which appears to be the purpose of most
but not all such announcements.

-Doug
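
The origin-history check with a waiting period that the quoted message describes, sketched as an added example (not code from this thread or from any project mentioned in it). The class and function names, the event tuple layout and the hold-down value are assumptions; the feed is constructed from documentation prefixes and AS numbers.

```python
import ipaddress

HOLD_DOWN = 7 * 24 * 3600  # assumed hold-down in seconds; the thread gives no value

class OriginHistory:
    """Tracks how long each (prefix, origin AS) pair has been announced."""

    def __init__(self, hold_down=HOLD_DOWN):
        self.hold_down = hold_down
        self.first_seen = {}  # (network, origin_asn) -> timestamp of first sighting

    def _established(self, key, now):
        return now - self.first_seen[key] >= self.hold_down

    def observe(self, now, prefix, origin_asn):
        """Record an announcement and return 'adequate', 'suspect' or 'unproven'."""
        net = ipaddress.ip_network(prefix)
        key = (net, origin_asn)
        self.first_seen.setdefault(key, now)
        if self._established(key, now):
            return "adequate"
        # A young origin is suspect when a different, established origin already
        # covers the same address space (same prefix or a less specific one).
        for other_net, other_asn in self.first_seen:
            if (other_asn != origin_asn and other_net.version == net.version
                    and net.subnet_of(other_net)
                    and self._established((other_net, other_asn), now)):
                return "suspect"
        return "unproven"  # no established history for this space at all

    def withdraw(self, prefix, origin_asn):
        """Forget the pair so a short-lived announcement never ages into trust."""
        self.first_seen.pop((ipaddress.ip_network(prefix), origin_asn), None)

def classify_feed(events, hold_down=HOLD_DOWN):
    """events: (timestamp, 'A' or 'W', prefix, origin_asn) tuples in time order."""
    history, verdicts = OriginHistory(hold_down), []
    for now, kind, prefix, asn in events:
        if kind == "W":
            history.withdraw(prefix, asn)
        else:
            verdicts.append((now, prefix, asn, history.observe(now, prefix, asn)))
    return verdicts

# Constructed sample feed: announce, re-announce, short-lived more-specific.
SAMPLE = [
    (0, "A", "198.51.100.0/24", 64496), (3600, "A", "198.51.100.0/24", 64496),
    (4000, "A", "198.51.100.0/25", 64511), (4500, "W", "198.51.100.0/25", 64511),
    (9000, "A", "198.51.100.0/25", 64511),
]
```

A legitimate move to a new origin AS is also reported as suspect until the hold-down has elapsed, which is the drawback the quoted message points out.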