[135152] in North American Network Operators' Group


RE: Re: Request Spamhaus contact

daemon@ATHENA.MIT.EDU (Mark Scholten)
Mon Jan 17 21:02:03 2011

From: "Mark Scholten" <mark@streamservice.nl>
To: "'Jeffrey Lyon'" <jeffrey.lyon@blacklotus.net>,
	"'Raymond Dijkxhoorn'" <raymond@prolocation.net>
In-Reply-To: <AANLkTinhN9e7OqJ1i0LwsaeqQDJoLOf3PTHtDMb5=fMJ@mail.gmail.com>
Date: Tue, 18 Jan 2011 02:23:14 +0100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> From: Jeffrey Lyon [mailto:jeffrey.lyon@blacklotus.net]
> Sent: Tuesday, January 18, 2011 1:42 AM
>
> I fat fingered the netmask, try now.
> 
> Thanks, Jeff

I don't think it is yet solved. The listed time is CET (GMT+1).

tmp@support:~$ wget -S www.vertrouwdeapotheek.nl
--2011-01-18 02:18:15--  http://www.vertrouwdeapotheek.nl/
Resolving www.vertrouwdeapotheek.nl... 208.64.120.197
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Cache-Control: private
  Content-Length: 0
  Location: http://www.vertrouwdeapotheek.nl/Home.aspx
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:17:50 GMT
  Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--2011-01-18 02:18:15--  http://www.vertrouwdeapotheek.nl/Home.aspx
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Length: 126007
  Content-Type: text/html; charset=utf-8
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  WL-Version: 2475.0
  Set-Cookie: ASP.NET_SessionId=olbzhbkanrerwwzqeoho22ws; path=/; HttpOnly
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:17:51 GMT
  Connection: close
Length: 126007 (123K) [text/html]
Saving to: `index.html'

100%[===================================================================================>] 126,007      154K/s   in 0.8s

2011-01-18 02:18:17 (154 KB/s) - `index.html' saved [126007/126007]

I did check the content of index.html and it shows a page I expect at that
domain. Giving a suspend page is also acceptable for me (or a page with a
message that the site was removed).

How difficult is it for you to nullroute it? For me (and probably for
others) it is also acceptable if you put a firewall between them and the
internet with the rule to DROP everything for that IP. I'm even prepared to
give an example config (based on Debian 5) to drop the traffic for all IPs
mentioned on this list and on SBL.

How you do it isn't important for me, but please clean your network as
far as possible with the given information (and looking through your
clients).

Regards, Mark
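
The nullroute-or-firewall-DROP choice raised in the message above, as an added example that is not part of the original post and not its author's config: it validates a blocklist and prints either iptables FORWARD-chain DROP rules or `ip route add blackhole` commands for review. The function names and the sample list (documentation addresses) are constructed, and a Linux router with iptables and iproute2 is an assumption.

```shell
#!/bin/sh
# Added example: blocklist -> DROP rules or null routes. Commands are printed, not executed.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    v_addr=${1%/*}
    case $1 in */*) v_len=${1#*/} ;; *) v_len=32 ;; esac
    case $v_len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$v_len" -le 32 ] || return 1
    case $v_addr in *[!0-9.]*) return 1 ;; esac   # digits and dots only
    v_ifs=$IFS; IFS=.
    set -- $v_addr                                # split into octets
    IFS=$v_ifs
    [ $# -eq 4 ] || return 1
    for v_o in "$@"; do
        case $v_o in ''|????*) return 1 ;; esac
        [ "$v_o" -le 255 ] || return 1
    done
}

# Read one address per line on stdin; $1 selects "firewall" or "route" output.
# Invalid entries are reported on stderr and never reach the generated commands.
gen_block_rules() {
    case $1 in firewall|route) g_mode=$1 ;; *) return 2 ;; esac
    while IFS= read -r g_entry || [ -n "$g_entry" ]; do
        g_entry=${g_entry%%#*}                                 # strip comments
        g_entry=$(printf '%s' "$g_entry" | tr -d ' \t\r')      # strip whitespace
        [ -n "$g_entry" ] || continue
        if ! valid_ipv4_cidr "$g_entry"; then
            printf 'skipped invalid entry: %s\n' "$g_entry" >&2
            continue
        fi
        case $g_entry in */*) ;; *) g_entry=$g_entry/32 ;; esac
        if [ "$g_mode" = firewall ]; then
            # Drop forwarded traffic both from and to the listed address.
            printf 'iptables -A FORWARD -s %s -j DROP\n' "$g_entry"
            printf 'iptables -A FORWARD -d %s -j DROP\n' "$g_entry"
        else
            printf 'ip route add blackhole %s\n' "$g_entry"
        fi
    done
}

# Constructed sample list (RFC 5737 documentation ranges plus one bad entry).
sample_list() {
    printf '%s\n' '192.0.2.10' '198.51.100.0/24  # customer block' '' '300.1.1.1'
}

sample_list | gen_block_rules firewall
```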


