I got a live one! - Spam source
Michael Peddemors
michael at linuxmagic.com
Wed Nov 25 17:25:27 UTC 2009
>
> Could you elaborate on what constitutes correct swip information?
>
Sure, you just opened the door to my opinions on this :)
-- WRONG --
OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US
Found a referral to rwhois.fortressitx.com:4443.
Timeout.
-- -----------------
The argument that whois information should not be made public is ridiculous.
I hear people saying that they don't publish whois information because they
don't want the emails made public. Okay, at least the registered company
name, or individual who presented the ID, should be there.
-- WRONG --
OrgName: Peer 1 Dedicated Hosting
OrgID: P1DH-1
Address: 101 Marietta Street
Address: Suite 500
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19
------------------------------
Okay, you REALLY want people to get tired of playing whack-a-mole? This is
why many list operators block large ranges.. according to this listing, one
responsible party for the whole list.. (oh, and don't get me started on
reporting.. the quote I heard here was .. 'Oh, we don't do anything about
spammers unless it affects other customers')
So, how big a range should you block when you start seeing a pattern?
Remember, organizations like UCE-PROTECT tend to base a reputation on /24. This
is probably because in a lot of cases, you cannot tell whether the person owns the
whole range, or just the top /25.
-- RIGHT --
OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
network:Network-Name:NET-96.9.145.224/28
network:IP-Network:96.9.145.224/28
network:Organization;I:org--6898
network:Org-Name:ServerPlaceNet c/o Network Operations Center, Inc.
--------------
Simple, if the IPs reflect some behavior we don't like, we know exactly which
ranges should be affected.
Basically, if you absolve yourself of the responsibility for the conduct of
part of your networks, to a 3rd party.. you should SWIP it. Some hosting
companies are really good about this, even as far as SWIP'ing down to the /32.
There is a chain of responsibility, and when a hosting company has a known
offender using portion(s) of their space, it makes it much easier to decide
how much of that space should be blocked. Should we block the whole /24 or
only a portion?
Say you see...
66.104.246.36: mail1.clubdelivery.net
66.104.246.37: mail1.deliverydirect.info
66.104.246.38: mail1.deliverymobile.net
66.104.246.39: mail1.deliveryonline.info
66.104.246.40: mail1.deliveryrama.net
66.104.246.41: mail1.deliveryusa.net
66.104.246.42: mail1.deliveryzilla.net
66.104.246.43: mail1.godelivery.info
66.104.246.44: mail1.instantdelivery.info
66.104.246.45: mail1.date-meet.net
66.104.246.46: mail1.uchatfree.net
66.104.246.47: mail1.secureeasypay.net
66.104.246.48: mail1.idevelopthings.com
66.104.246.49: mail1.whocanvote.com
66.104.246.50: mail1.freedvdz.net
66.104.246.51: mail1.freecybercam.com
66.104.246.53: mail2.clubdelivery.net
66.104.246.54: mail2.deliverydirect.info
66.104.246.55: mail2.deliverymobile.net
66.104.246.56: mail2.deliveryonline.info
66.104.246.57: mail2.deliveryrama.net
66.104.246.58: mail2.deliveryusa.net
66.104.246.59: mail2.deliveryzilla.net
66.104.246.60: mail2.godelivery.info
66.104.246.61: mail2.instantdelivery.info
66.104.246.62: mail2.date-meet.net
It's listed as..
network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22
Well, we don't have to affect the whole XO block.. but who is the operator
responsible for the activities of these servers?
The SWIP should reflect that. Also, it makes it easier to see relevant
activities from other ranges that the customer might own..
Like older IP Ranges...
-- Precision Technology INC mycouponsavingsmailcom MYCOUPONSAVINGSMAILCOM
24.155.144.16 - 24.155.144.31
# 24.155.144.16/28
Guess business was good.. but now of course, with proper SWIP, we know that
those IPs are no longer controlled by the same party (we hope).
Of course, it can still be abused.. if the hosting provider is in collusion..
changes the SWIP regularly to hide that it is the same operator.. but even
then, we will see such patterns.. if a hosting company 'constantly' gets a new
'problem customer' <sic> then we can see that as well.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
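Added example, not part of the original post: the blocking decision described above, worked in Python. It parses rwhois-style "network:" lines in the same format as the records quoted in the message, finds the smallest CIDR covering a set of observed offending addresses, and picks the most specific SWIP record that contains it. The 66.104.246.32/27 record, its organization name, and the three observed addresses are constructed for illustration.

```python
import ipaddress

# Constructed rwhois-style output in the page's line format. The /22 record
# mirrors the one quoted in the message; the /27 record and its org name are
# hypothetical, standing in for a proper SWIP of the customer's sub-allocation.
RWHOIS_OUTPUT = """\
network:IP-Network:66.104.244.0/22
network:Organization;I:Precision Technology, Inc (286563-1)

network:IP-Network:66.104.246.32/27
network:Organization;I:Example Mailer LLC (hypothetical)
"""

# Constructed sample of addresses seen sending the pattern.
OBSERVED = ["66.104.246.36", "66.104.246.44", "66.104.246.62"]


def parse_rwhois(text):
    """Return [(ip_network, org_name), ...] from blank-line separated records."""
    records, current = [], {}

    def flush():
        if "net" in current:
            records.append((ipaddress.ip_network(current["net"]), current.get("org", "?")))
        current.clear()

    for line in text.splitlines():
        line = line.strip()
        if not line:
            flush()
            continue
        if not line.startswith("network:"):
            continue
        _, key, value = line.split(":", 2)  # "network:<Key>:<value>"
        if key == "IP-Network":
            current["net"] = value
        elif key in ("Organization;I", "Org-Name"):
            current["org"] = value
    flush()
    return records


def covering_supernet(ips):
    """Smallest single CIDR block containing every observed address."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    span = nets[0]
    while not all(n.subnet_of(span) for n in nets):
        span = span.supernet()
    return span


def block_scope(ips, records):
    """Most specific SWIP record covering all observed IPs, or None if unknown."""
    span = covering_supernet(ips)
    hits = [(net, org) for net, org in records if span.subnet_of(net)]
    if not hits:
        return None
    net, org = max(hits, key=lambda r: r[0].prefixlen)
    return str(net), org
```

With only the parent /22 on record the narrowest responsible party is the whole XO customer block; once the customer's /27 is SWIPed, the scope collapses to that allocation.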