I got a live one! - Spam source

Michael Peddemors michael at linuxmagic.com
Wed Nov 25 17:25:27 UTC 2009


> 
> Could you elaborate on what constitutes correct swip information?
> 

Sure, you just opened the door to my opinions on this :)

 -- WRONG -- 

OrgName:    FortressITX 
OrgID:      FORTR-5     
Address:    100 Delawanna Ave
City:       Clifton          
StateProv:  NJ               
PostalCode: 07014            
Country:    US               

Found a referral to rwhois.fortressitx.com:4443.

Timeout.
-- -----------------
The argument that whois information should not be made public is ridiculous.  
I hear people saying that they don't publish whois information because they 
don't want the emails made public.  Okay, at least the registered company 
name, or individual who presented the ID, should be there.  

 -- WRONG --

OrgName:    Peer 1 Dedicated Hosting
OrgID:      P1DH-1
Address:    101 Marietta Street
Address:    Suite 500
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US

NetRange:   216.150.0.0 - 216.150.31.255
CIDR:       216.150.0.0/19
------------------------------
Okay, you REALLY want people to get tired of playing whack-a-mole?  This is 
why many list operators block large ranges.. according to this listing, one 
responsible party for the whole list.. (oh, and don't get me started on 
reporting.. the quote I heard here was .. 'Oh, we don't do anything about 
spammers unless it affects other customers')

So, how big a range should you block when you start seeing a pattern?

Remember, organizations like UCE-PROTECT tend to base a reputation on a /24.  This 
is probably because in a lot of cases, you cannot tell whether the person owns the 
whole range, or just the top /25.

 -- RIGHT -- 

OrgName:    Network Operations Center Inc. 
OrgID:      NOC                            
Address:    PO Box 591                     
City:       Scranton                       

network:Network-Name:NET-96.9.145.224/28
network:IP-Network:96.9.145.224/28
network:Organization;I:org--6898
network:Org-Name:ServerPlaceNet c/o Network Operations Center, Inc.
--------------

Simple, if the IPs reflect some behavior we don't like, we know exactly which 
ranges should be affected.

Basically, if you absolve yourself of the responsibility for the conduct of 
part of your networks, to a 3rd party.. you should SWIP it.  Some hosting 
companies are really good about this, even as far as SWIP'ing down to the /32.

There is a chain of responsibility, and when a hosting company has a known 
offender using portion(s) of their space, it makes it much easier to decide 
how much of that space should be blocked.  Should we block the whole /24 or 
only a portion? 

Say you see... 

66.104.246.36: mail1.clubdelivery.net
66.104.246.37: mail1.deliverydirect.info
66.104.246.38: mail1.deliverymobile.net
66.104.246.39: mail1.deliveryonline.info
66.104.246.40: mail1.deliveryrama.net
66.104.246.41: mail1.deliveryusa.net
66.104.246.42: mail1.deliveryzilla.net
66.104.246.43: mail1.godelivery.info
66.104.246.44: mail1.instantdelivery.info
66.104.246.45: mail1.date-meet.net
66.104.246.46: mail1.uchatfree.net
66.104.246.47: mail1.secureeasypay.net
66.104.246.48: mail1.idevelopthings.com
66.104.246.49: mail1.whocanvote.com
66.104.246.50: mail1.freedvdz.net
66.104.246.51: mail1.freecybercam.com
66.104.246.53: mail2.clubdelivery.net
66.104.246.54: mail2.deliverydirect.info
66.104.246.55: mail2.deliverymobile.net
66.104.246.56: mail2.deliveryonline.info
66.104.246.57: mail2.deliveryrama.net
66.104.246.58: mail2.deliveryusa.net
66.104.246.59: mail2.deliveryzilla.net
66.104.246.60: mail2.godelivery.info
66.104.246.61: mail2.instantdelivery.info
66.104.246.62: mail2.date-meet.net

It's listed as..

network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22

Well, we don't have to affect the whole XO block.. but who is the operator 
responsible for the activities of these servers?  

The SWIP should reflect that.  Also, it makes it easier to see relevant 
activities from other ranges that the customer might own..

Like older IP Ranges...

   -- Precision Technology INC mycouponsavingsmailcom MYCOUPONSAVINGSMAILCOM 
24.155.144.16 - 24.155.144.31
# 24.155.144.16/28

Guess business was good.. but now of course, with proper SWIP, we know that 
those IPs are no longer controlled by the same party (we hope).  

Of course, it can still be abused.. if the hosting provider is in collusion.. 
changes the SWIP regularly to hide that it is the same operator.. but even 
then, we will see such patterns.. if a hosting company 'constantly' gets a new 
'problem customer' <sic> then we can see that as well. 

-- 
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada
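The scoping decision the post describes, as an added example (not part of Michael's post): take the observed sending addresses, find the SWIP'd allocation that contains them, and block that allocation when it is at least as specific as the /24 that reputation lists fall back to, otherwise block only the /24s touched. The rwhois records are modelled on the "network:" lines quoted above; the 96.9.145.226/.230 addresses and the empty-record case are constructed.

```python
import ipaddress

REPUTATION_PREFIX = 24  # lists like UCE-PROTECT keep reputation per /24

# rwhois-style records, modelled on the "network:" lines quoted in the post
SWIP_PRECISION = """\
network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22
"""
SWIP_NOC = """\
network:IP-Network:96.9.145.224/28
"""
# first and last of the mail1/mail2 hosts listed in the post
SEEN_PRECISION = ["66.104.246.36", "66.104.246.62"]
SEEN_NOC = ["96.9.145.226", "96.9.145.230"]  # constructed sample addresses


def parse_rwhois_networks(record):
    """Extract the CIDR from each 'network:IP-Network:' line of an rwhois record."""
    nets = []
    for line in record.splitlines():
        if line.startswith("network:IP-Network:"):
            cidr = line.split(":", 2)[2].strip()
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def covering_prefix(ips):
    """Smallest single CIDR block containing every observed address."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    net = ipaddress.ip_network(str(addrs[0]))
    while addrs[-1] not in net:
        net = net.supernet()
    return net


def block_scope(ips, rwhois_record, rep_prefix=REPUTATION_PREFIX):
    """Return (blocks, responsible) for a spam pattern seen on `ips`.

    Inside a SWIP'd allocation at least as specific as the reputation prefix:
    block exactly that allocation (a /28, even a /32). Otherwise block only the
    /24s touched; `responsible` still names the covering SWIP (or None).
    """
    observed = covering_prefix(ips)
    responsible = next((n for n in parse_rwhois_networks(rwhois_record)
                        if observed.subnet_of(n)), None)
    if responsible is not None and responsible.prefixlen >= rep_prefix:
        return [responsible], responsible
    per_24 = (ipaddress.ip_network(f"{ip}/{rep_prefix}", strict=False) for ip in ips)
    return list(ipaddress.collapse_addresses(per_24)), responsible
```

`block_scope(SEEN_PRECISION, SWIP_PRECISION)` blocks only 66.104.246.0/24 while naming 66.104.244.0/22 as the responsible allocation; `block_scope(SEEN_NOC, SWIP_NOC)` blocks just the SWIP'd /28.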