[119608] in North American Network Operators' Group
Re: I got a live one! - Spam source
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Tue Nov 24 22:27:21 2009
In-Reply-To: <5e1ca1ac0911241922u25634547u7eeb7ec6e357b352@mail.gmail.com>
Date: Tue, 24 Nov 2009 19:26:34 -0800
From: Paul Ferguson <fergdawgster@gmail.com>
To: Russell Myba <rusmyba@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <rusmyba@gmail.com> wrote:
> Looks like one of our customers has decided to turn their /24 into a nice
> little spam-spewing machine.  Doesn't seem like just one compromised
> host.
>
> Reverse DNS for most of the /24 are suspicious domains.  Each domain used
> in the message-id forwards to a single .net which lists their mailing
> address as a PO box and a single link to an unsubscribe field.
>
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.
>
> It would seem there are many layers to this entity:
>
> The domains are registered to one business
> Our billing information for the customer has one name, they colo with
> another person (whom the cross connect reaches)
> Our customer has an IT solutions person working for them (strange, since
> our customer and their colo provider are "IT solutions" people
> themselves).
> Abuse handle phone #s are supposedly incorrect (I called it)
>
> Besides the obvious of me at the minimum filtering port tcp/25, is there
> an organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
>
> I think this case might interest them.
>
Can you name the /24?
I can't say that this sounds unfamiliar -- we are seeing an increase in
"facilitated" criminal activity across the board...
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)
wj8DBQFLDKPkq1pz9mNUZTMRAg4pAKCZK6srbs1H2zp2FwKvB+T1xe3eKQCfSNFC
Gv0xuZ7Lc0q94Yet+xUD3GY=
=3sfS
-----END PGP SIGNATURE-----
-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
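The reverse-DNS observation in the quoted report (most PTRs in the /24 pointing at a pile of unrelated domains) is the kind of thing an abuse desk wants as a repeatable check rather than an eyeball pass. The script below is an added example written for this page, not code from either poster or from NANOG. It assumes the PTR records have already been gathered out of band and are fed in as a dict; the two datasets here are constructed samples in the RFC 5737 documentation range, and `registrable_domain` is a naive last-two-labels approximation that stands in for a public-suffix lookup.

```python
import ipaddress
from collections import Counter

# Constructed sample data, not real hosts. A /24 in the RFC 5737
# documentation range with two different PTR populations:
#   SUSPECT_PTRS: every address carries its own throwaway domain.
#   NORMAL_PTRS:  every address sits under the one customer domain.
NET = "198.51.100.0/24"
SUSPECT_PTRS = {f"198.51.100.{i}": f"mx.offer-{i:03d}.example" for i in range(1, 201)}
NORMAL_PTRS = {f"198.51.100.{i}": f"host-{i}.colo-customer.example" for i in range(1, 201)}


def registrable_domain(hostname):
    """Naive registrable-domain guess: the last two labels of the name.

    Assumption for this example; a real tool would consult the public
    suffix list so that names under e.g. co.uk are grouped correctly.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def summarize_ptrs(network, ptrs):
    """Walk the prefix and count how the resolved PTRs spread over domains."""
    net = ipaddress.ip_network(network)
    resolved = {str(ip): ptrs[str(ip)] for ip in net if str(ip) in ptrs}
    domains = Counter(registrable_domain(name) for name in resolved.values())
    return {
        "network": str(net),
        "addresses": net.num_addresses,
        "resolved": len(resolved),
        "distinct_domains": len(domains),
        "top_domains": domains.most_common(3),
    }


def flag_block(summary, min_resolved=32, min_domain_ratio=0.8):
    """True when the block looks like the pattern in the report.

    Thresholds are assumptions chosen for this example: enough PTRs to be
    meaningful, and nearly every one of them in a different registrable
    domain. A hosting customer with one real domain scores far below this.
    """
    if summary["resolved"] < min_resolved:
        return False
    ratio = summary["distinct_domains"] / summary["resolved"]
    return ratio >= min_domain_ratio


if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT_PTRS), ("normal", NORMAL_PTRS)):
        s = summarize_ptrs(NET, data)
        print(f"{label}: {s['resolved']}/{s['addresses']} resolved, "
              f"{s['distinct_domains']} distinct domains, "
              f"flag={flag_block(s)}, top={s['top_domains']}")
```

The ratio of distinct registrable domains to resolved addresses is the discriminator: a legitimate colo customer resolves a whole block under one or a handful of domains, whereas the block described above resolves to as many domains as it has hosts. Feeding the same summary the message-id domains from the abuse reports would let you confirm the second half of the report, that the mail headers and the PTRs name the same set of domains.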