IPv4 squatters on the move again?

Christopher Morrow morrowc.lists at gmail.com
Tue Sep 7 14:21:36 UTC 2010


On Tue, Sep 7, 2010 at 10:03 AM, Jon Lewis <jlewis at lewis.org> wrote:
> On Tue, 7 Sep 2010, Jeffrey Lyon wrote:
>
>> We see this all the time, usually it involves either a /20 or multiple-/xx
>> that change every month.
>
> If they want frequently changing IPs, it's almost certainly for spamming.
>
> I got the impression with these people they were just trying to get a bunch
> of SWIPs in order to go to ARIN and request as big a block of ipv4 as they
> could get with the intent to chop it up and resell it in pieces as soon as
> ARIN runs out of IPs to satisfy normal requests.

it used to be (~4-5 years ago) that the spammer code of 'voip service
provider' was really 'we intend on raping proxies all over the planet'
... when you call them out on the random port traffic out of their
pipe they point at their 'business' model that this is 'voip traffic,
you know that rtp uses random ports, right?'

I used to have some quick/dirty instructions for how to verify that
the traffic was in fact proxy traffic, something like:
1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
2) pick an external 'top talker'
3) route that /32 to a host you control
4) run NC on the port that /32 is being contacted on
5) rejoice (and shut now ex-customer interface) when you see:
   "CONNECT smtp.xxxxx:25"
   from the connection...

-Chris
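
The check outlined in the message above, as an added example that is not part of the original post: it picks the external top talker out of ACL logs (steps 1-2) and decides whether the first bytes captured by the listener (steps 4-5) are a proxy request aimed at a mail port. The Cisco-style log format, the documentation-range addresses, the mail port set and the function names are assumptions; it goes slightly beyond the post by also recognising a SOCKS4 CONNECT request.

```python
import ipaddress
import re
import struct
from collections import Counter

# Constructed sample ACL log lines (Cisco-style format assumed); documentation addresses.
ACL_LOG = """\
%SEC-6-IPACCESSLOGP: list 150 permitted tcp 192.0.2.10(41822) -> 198.51.100.7(8080), 14 packets
%SEC-6-IPACCESSLOGP: list 150 permitted tcp 192.0.2.11(50213) -> 198.51.100.7(8080), 9 packets
%SEC-6-IPACCESSLOGP: list 150 permitted tcp 192.0.2.10(41830) -> 203.0.113.5(1080), 3 packets
%SEC-6-IPACCESSLOGP: list 150 permitted udp 192.0.2.12(16384) -> 203.0.113.9(16390), 5 packets
""".splitlines()

LINE_RE = re.compile(r"permitted (tcp|udp) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\), (\d+) packet")
MAIL_PORTS = {25, 465, 587}  # assumed set of SMTP/submission ports

def top_talker(lines, customer_net):
    """Steps 1-2: external (ip, port) receiving the most TCP packets from the customer."""
    net = ipaddress.ip_network(customer_net)
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(1) == "tcp" and ipaddress.ip_address(m.group(2)) in net:
            counts[(m.group(4), int(m.group(5)))] += int(m.group(6))
    return counts.most_common(1)[0][0] if counts else None

def relay_target(first_bytes):
    """Step 5: return (host, port) if the captured bytes ask a proxy to reach a mail port."""
    m = re.match(rb"CONNECT\s+([^\s:]+):(\d+)", first_bytes)
    if m:  # HTTP CONNECT, the case named in the post
        host, port = m.group(1).decode("ascii", "replace"), int(m.group(2))
    elif len(first_bytes) >= 8 and first_bytes[:2] == b"\x04\x01":  # SOCKS4 CONNECT
        port, raw_ip = struct.unpack("!H4s", first_bytes[2:8])
        host = str(ipaddress.ip_address(raw_ip))
    else:
        return None  # RTP or anything else: this check gives no verdict
    return (host, port) if port in MAIL_PORTS else None

if __name__ == "__main__":
    print("listen on:", top_talker(ACL_LOG, "192.0.2.0/24"))
    print(relay_target(b"CONNECT smtp.example.net:25 HTTP/1.0\r\n\r\n"))
```

A `None` result only means the captured bytes did not match a proxy request for a mail port; it does not confirm the traffic is VoIP.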



