Paul Ferguson fergdawgster at gmail.com
Wed Nov 25 03:26:34 UTC 2009

On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <rusmyba at gmail.com> wrote:

> Looks like one of our customers has decided to turn their /24 into a nice
> little spam spewing machine.  Doesn't seem like just one compromised
> host.
> Reverse DNS for most of the /24 are suspicious domains.  Each domain used
> in the message-id forwards to a single .net which lists their mailing
> address as a PO box and a single link to an unsubscribe field.
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.
> It would seem there are many layers to this entity:
> The domains are registered to one business
> Our billing information for the customer has one name, they colo with
> another person (whom the cross connect reaches)
> Our customer has an IT solutions person working for them (strange, since
> our customer and their colo provider are "IT solutions" people
> themselves).
> Abuse handle phone #s are supposedly incorrect (I called it)
> Besides the obvious of me at the minimum filtering port tcp/25, is there
> an organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
> I think this case might interest them.

Can you name the /24?

I can't say that this sounds unfamiliar -- we are seeing an increase in
"facilitated" criminal activity across the board...