I got a live one! - Spam source
fergdawgster at gmail.com
Wed Nov 25 03:26:34 UTC 2009
On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <rusmyba at gmail.com> wrote:
> Looks like one of our customers has decided to turn their /24 into a nice
> little space spewing machine. Doesn't seem like just one compromised
> Reverse DNS for most of the /24 are suspicious domains. Each domain used
> in the message-id forwards to a single .net which lists their mailing
> address as a PO box and a single link to an unsubscribe field.
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.
> It would seem there are many layers to this entity:
> The domains are registered to one business
> Our billing information for the customer has one name, they colo with
> another person (whom the cross connect reaches)
> Our customer has an IT solutions person working for them (Strange since
> our customer and their colo provider are "IT solutions" people)
> Abuse handle phone #s are supposedly incorrect (I called it)
> Besides the obvious of me at the minimum filtering port tcp/25 is there
> an organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
> I think this case might interest them.
Can you name the /24?
I can't say that this sounds unfamiliar -- we are seeing an increase in
"facilitated" criminal activity across the board...
- ferg
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
ferg's tech blog: http://fergdawg.blogspot.com/