IPv4 squatters on the move again?

Jon Lewis jlewis at lewis.org
Tue Sep 7 14:35:33 UTC 2010

On Tue, 7 Sep 2010, Christopher Morrow wrote:

> it used to be (~4-5 years ago) that the spammer code of 'voip service
> provider' was really 'we intend on raping proxies all over the planet'
> ... when you call them out on the random port traffic out of their
> pipe they point at their 'business' model that this is 'voip traffic,
> you know that rtp uses random ports, right?'

I haven't seen that excuse/justification from customers.  What I did see 
recently that I have to admit was very slick was a customer who claimed 
they were going to be doing a bunch of remote "terminals" in stores VPN'd 
into their dedi servers and would be streaming video from the servers to 
the clients.  This was of course 99% BS.  There was VPN involved....they 
used the dedi servers as VPN endpoints for their spam servers that were 
hosted elsewhere.  When we shut them down, there was absolutely nothing 
incriminating of spam operations on their servers...and all they had to do 
was sign up for service at another hosting company, setup the VPN server, 
change the IPs their spam servers VPN to, and they're back in business.
When sales brought me their initial request, I really didn't believe it, 
but I didn't have good enough cause to reject it.

> I used to have some quick/dirty instructions for how to verify that
> the traffic was in fact proxy traffic, something like:
> 1) log traffic from the soon-to-be-ex-customer (acl logs are fine)
> 2) pick an external 'top talker'
> 3) route that /32 to a host you control
> 4) run NC on the port that /32 is being contacted on
> 5) rejoice (and shut now ex-customer interface) when you see: "CONNECT
> smtp.xxxxx:25"

Seems like a lot of work when you could just setup a monitor session on 
their port and capture a few minutes of actual spam traffic as evidence 
just before shutting their port.

  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

More information about the NANOG mailing list