I got a live one! - Spam source

Paul Ferguson fergdawgster at gmail.com
Wed Nov 25 03:26:34 UTC 2009



On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <rusmyba at gmail.com> wrote:

> Looks like one of our customers has decided to turn their /24 into a nice
> little spam spewing machine.  Doesn't seem like just one compromised
> host.
>
> Reverse DNS for most of the /24 are suspicious domains.  Each domain used
> in the message-id forwards to a single .net which lists their mailing
> address as a PO box and a single link to an unsubscribe field.
>
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.
>
> It would seem there are many layers to this entity:
>
> The domains are registered to one business
> Our billing information for the customer has one name, they colo with
> another person (whom the cross connect reaches)
> Our customer has an IT solutions person working for them (Strange since
> our customer and their colo provider are "IT solutions" people
> themselves.)
> Abuse handle phone #s are supposedly incorrect (I called it)
>
> Besides the obvious of me at the minimum filtering port tcp/25, is there
> an organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
>
> I think this case might interest them.
>

Can you name the /24?

I can't say that this sounds unfamiliar -- we are seeing an increase in
"facilitated" criminal activity across the board...

- ferg




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
