[118733] in North American Network Operators' Group


Re: dealing with bogon spam ?

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Wed Oct 28 03:27:23 2009

In-Reply-To: <4AE7E858.4020109@craigslist.org>
Date: Wed, 28 Oct 2009 12:56:41 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: Leslie <leslie@craigslist.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Ah, colo4jax I see. Jacksonville, Florida.

68.234.16.0/20 shows up as unallocated but as these guys own the
previous /20 it's probably a stale ARIN db and a brand new allocation

  Prefix               AS Path                        Aggregation Suggestion
  68.234.0.0/20        4777 2497 25973 40430
  68.234.16.0/20       4608 1221 4637 3561 40430
  69.174.96.0/21       4777 2497 25973 40430
  173.205.80.0/20      4777 2497 25973 40430
  204.237.184.0/21     4777 2497 25973 40430
  204.237.192.0/22     4777 2497 25973 40430
  208.153.96.0/22      4777 2497 25973 40430
  208.169.228.0/22     4777 2497 25973 40430


On Wed, Oct 28, 2009 at 12:14 PM, Leslie <leslie@craigslist.org> wrote:
> Yes, unallocated (at least according to ARIN's whois db) but not unannounced
> - obviously our network can get to the space or else I wouldn't be having a
> spam problem with them! I'm actually seeing this /20 as advertised
> through Savvis from AS40430
>
> It seems to me like the best solution might be a semi-hacky solution of
> asking ARIN (and other IRRs) if I can copy its DB and creating an internal
> peer which null routes unallocated blocks (updated nightly?)
>
> Has anyone seen an IRR's DB not being updated for more than 30 days after
> allocations? I always assumed that they are quickly updated.
>
> Thanks again,
> Leslie
>
> Jon Lewis wrote:
>>
>> Unallocated doesn't mean non-routed. All a spammer needs is a
>> willing/non-filtering provider doing BGP with them, and they can announce
>> any space they like, send out some spam, and then pull the announcement.
>> Next morning, when you see the spam and try to figure out who to send
>> complaints to, you're either going to complain to the wrong people or find
>> that whois is of no help.
>>
>> On Tue, 27 Oct 2009, Church, Charles wrote:
>>
>>> This is puzzling me. If it's from non-announced space, at some point
>>> some router should report no route to it. How is the TCP handshake
>>> performed to allow a sync to turn into spam?
>>>
>>> Chuck
>>>
>>> Chuck Church
>>> Network Planning Engineer, CCIE #8776
>>> Harris Information Technology Services
>>> DOD Programs
>>> 1210 N. Parker Rd. | Greenville, SC 29609
>>> Office: 864-335-9473 | Cell: 864-266-3978
>>> --------------------------
>>> Sent using BlackBerry
>>>
>>>
>
>



--
Suresh Ramasubramanian (ops.lists@gmail.com)
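
Added example, not part of the original thread: a sketch of the nightly check discussed above, which compares announced prefixes against a registry snapshot and holds back a block for review when the same origin AS already holds the adjacent allocated block (the stale-database case). The snapshot contents, the "review" status, and the 198.51.100.0/24 / AS64500 entry are constructed assumptions; the other prefixes and AS40430 come from the table in the message.

```python
import ipaddress

# Constructed stand-in for a nightly registry snapshot (assumption: the
# second /20 has not yet appeared in it, as the thread describes).
ALLOCATED = [ipaddress.ip_network(p) for p in ("68.234.0.0/20", "69.174.96.0/21")]

# (prefix, origin AS). First three are from the table in the message;
# the last is a constructed entry using documentation space and a private AS.
ANNOUNCED = [
    ("68.234.0.0/20", 40430),
    ("68.234.16.0/20", 40430),
    ("69.174.96.0/21", 40430),
    ("198.51.100.0/24", 64500),
]

def is_allocated(net, allocated):
    """True if net falls entirely inside some allocated block."""
    return any(net.subnet_of(a) for a in allocated)

def neighbours(net):
    """Same-size blocks immediately before and after net."""
    size, base = net.num_addresses, int(net.network_address)
    return [ipaddress.ip_network((b, net.prefixlen))
            for b in (base - size, base + size) if 0 <= b < 2**32]

def classify(announced, allocated):
    """Map each announced prefix to 'allocated', 'review' or 'null-route'."""
    origin = {ipaddress.ip_network(p): asn for p, asn in announced}
    result = {}
    for net, asn in origin.items():
        if is_allocated(net, allocated):
            result[str(net)] = "allocated"
        elif any(origin.get(n) == asn and is_allocated(n, allocated)
                 for n in neighbours(net)):
            # Same origin AS holds the adjacent allocated block: the snapshot
            # may simply be stale, so flag for a human instead of dropping.
            result[str(net)] = "review"
        else:
            result[str(net)] = "null-route"
    return result

if __name__ == "__main__":
    for prefix, status in classify(ANNOUNCED, ALLOCATED).items():
        print(f"{prefix:18} {status}")
```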

