massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3)

John van Oppen john at vanoppen.com
Fri May 8 19:08:30 CDT 2009


I agree, spamhaus has always been great.  

We were on a few feedback loops and senderbase.org did not show much for that subnet...   anyway solved now.    Got the ex-customer's other ISP to block the announcement since we killed it a while ago, also removed the SWIP.  ;)

John van Oppen
Spectrum Networks LLC
Direct: 206.973.8302
Main: 206.973.8300
Website: http://spectrumnetworks.us


-----Original Message-----
From: Suresh Ramasubramanian [mailto:ops.lists at gmail.com] 
Sent: Friday, May 08, 2009 4:35 PM
To: John van Oppen
Cc: Steven Champeon; Skywing; Raleigh Apple; nanog at nanog.org
Subject: Re: massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3)

You wont find me holding up uceprotect or apews as fine examples of
properly or even competently run lists, I'd point you to spamhaus for
that.

But, in this day and age, and with the volumes of spam around, I'd
counsel you NOT to wait for or expect manual complaints to your abuse
desk, almost nobody does that these days.

Feel free to signup for AOL etc feedback loops and you'd probably get
a much higher volume of complaints - enough that you'd have to
dedicate an email address to it, and use the scriptability of the ARF
format these feedback loops are sent in, so you can get / generate
stats.

Periodic rDNS scans of your network, and either making rDNS requests
manual, or at least running periodic rDNS scans of your network to
spot that kind of customer would make sense too.  You must admit that
the kind of rDNS Steve Champeon posted in in that very long list
upthread sticks out like a sore thumb.

--srs

On Sat, May 9, 2009 at 4:20 AM, John van Oppen <john at vanoppen.com> wrote:
> My favorite part of uceprotect was that there was basically no way to get them to send us actual reports or even IPs
> (without us paying for them). We canned this customer a month or two ago for abuse but gave them time to migrate
> out of our IP space (they were announcing it with their ASN to their other provider even after we cut transit) and
> swore up and down they were using it for virtual hosting (as did their ARIN justification forms). I just requested
> directly to their other provider that announcements be filtered and removed the SWIP. That /20 had only ever
> had about 15 reports for it to our abuse desk and we are actually responsive hence the kicking of the customer


More information about the NANOG mailing list