Thanks & Let's Prevent this in the Future.

George Bonser gbonser at
Wed Feb 1 17:00:43 UTC 2012

> I'd like to get a conversation going and possibly some support of an
> initiative to spend that extra 30-seconds to verify ownership and
> authorization of network space to be advertised.  Additionally, if
> someone rings your NOC's line an industry-standard process of verifying
> "ownership"
> and immediately responding by filtering out announcements. There's no
> sense in allowing a service provider to be impaired because a spammer
> doesn't want to give up clean IP space.  Do you protect a bad customer
> or the Internet as a whole?  I pick the Internet as a whole.
> How can we prevent anyone else from ever enduring this again?  While we
> may never stop it from ever happening, spammers (that's what we got hit
> by
> today) are a dime a dozen and will do everything possible to hit an
> Inbox, so how can we establish a protocol to immediate mitigate the
> effects of an traffic-stopping advertisement?

One problem is the number of routing registries and the requirements differ for them.  The nefarious operator can enter routes in an IRR just as easily as a legitimate operator.  There was a time when some significant networks used the IRRs for their filtration policy.  I'm not sure how many still do.

But generally speaking, if someone calls me and I can verify that they really are a POC for the entity that is assigned an address allocation (generally some verification method beyond email if the subnet their MX record points to is part of the hijacking!) then I am going to do whatever I can to help them out provided what they are asking for is reasonable and within my capabilities.  It shouldn't be too hard to verify.  If someone claims to be with a commercial entity of Foo.COM then the entity is likely listed in the phone book and a phone call can take care of my personal verification requirement.  

Back in the days of Cyberpromo and Sanford Wallace, what I did was used TCP wrappers on my mail server so that when I received a connection from a Cyberpromo net block, I hairpinned the connection back to his MX server using netcat so when he connected to me, the HELO he received was from his own mail server, which gladly accepted mail from Cyberpromo.  He could pump mail to me all day long if he wanted to, but his mailq wasn't going to get any smaller.

The problem of email spam is an interesting one that has been battled for a very long time and is probably better discussed on a list dedicated to that topic.

More information about the NANOG mailing list