I got a live one! - Spam source

Gadi Evron ge at linuxbox.org
Tue Nov 24 21:57:30 CST 2009


Russell Myba wrote:
> Looks like of our customers has decided to turn their /24 into a nice little
> space spewing machine.  Doesn't seem like just one compromised host.
> 
> Reverse DNS for most of the /24 are suspicious domains.  Each domain used in
> the message-id forwards to a single .net which lists their mailing address
> as a PO box an single link to an unsubscribe field.
> 
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.
> 
> It would seem there are many layers to this entity:
> 
> The domains are registered to one business
> Our billing information for the customer has one name, they colo with
> another person (whom the cross connect reaches)
> Our customer has an IT solutions person working for them (Strange since our
> customer and their colo provider are "IT solutions" people themselves.
> Abuse handle phone #s are supposedly incorrect (I called it)
> 
> Besides the obvious of me at the minimum filtering port tcp/25 is their an
> organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
> 
> I think this case might interest them.
> 

 From principle, I want to jump up and down and say "zap `em!". However, 
I also make several assumption which need to be clearned, pragmatically.

I assume you have authority over the decision of what to do with them, 
and I also assume that your contract with them does not bind you in some 
fashion, can get you in trouble with the business side of the business, 
or can introduce *liability* issues. And naturally, that if you are not 
the decision maker, that you are synched with whomever it is.

These assumptions aside, kicking them might not be the best solution. 
"Starving them" out by blocking port 25, as an example you gave, or 
following some of the other suggestions in this thread, may be workable.

Which brings me three very important questions:
1. How much intelligence can you collect if you let them stay?
2. Have you considered legal action against them?
3. Did you consult with legal about possible law enforcement involvement?

As to the intricate web of who they are and where their resources lie, 
these are usually cases where the more you dig, the more you find -- ad 
infinitum.

Me? I'd just kick them after verifying they are not victims themselves.

I hope this helps,

	Gadi.


-- 
Gadi Evron,
ge at linuxbox.org.

Blog: http://gevron.livejournal.com/




More information about the NANOG mailing list