dealing with bogon spam ?
Just in case anyone's curious - The prefix still hasn't been updated in
ARIN and I am still seeing tons of spam (grrr spammers and grr transit
providers who don't filter advertisements of smaller customers)
I made a script which looks at our log files for IPs that are unknown,
double checks them against the live database, and then reports the number of
hits to me - that way I can at least take manual action against
offenders. On the good side, the only offender I currently see is
40430, but I am still trying to remain vigilant for future spammers.
Leslie
Leslie wrote:
> Just FYI the colo4jax guys got back to me and it is a stale ARIN db
> entry - I guess they don't update it as quickly as I thought. So this
> is now just a normal case of spam.
>
> Leslie
>
> Leslie wrote:
>> Yes, unallocated (at least according to ARIN's whois db) but not
>> unannounced - obviously our network can get to the space or else I
>> wouldn't be having a spam problem with them! I'm actually seeing
>> this /20 as advertised through Savvis from AS40430
>>
>> It seems to me like the best solution might be a semi-hacky solution
>> of asking ARIN (and other IRRs) if I can copy its DB and creating an
>> internal peer which null routes unallocated blocks (updated nightly?)
>>
>> Has anyone seen an IRR's DB not being updated for more than 30 days
>> after allocations? I always assumed that they are quickly updated.
>>
>> Thanks again,
>> Leslie
>>
>> Jon Lewis wrote:
>>> Unallocated doesn't mean non-routed. All a spammer needs is a
>>> willing/non-filtering provider doing BGP with them, and they can
>>> announce any space they like, send out some spam, and then pull the
>>> announcement. Next morning, when you see the spam and try to figure
>>> out who to send complaints to, you're either going to complain to the
>>> wrong people or find that whois is of no help.
>>>
>>> On Tue, 27 Oct 2009, Church, Charles wrote:
>>>
>>>> This is puzzling me. If it's from non-announced space, at some
>>>> point some router should report no route to it. How is the TCP
>>>> handshake performed to allow a sync to turn into spam?
>>>>
>>>> Chuck
>>>>
>>>> Chuck Church
>>>> Network Planning Engineer, CCIE #8776
>>>> Harris Information Technology Services
>>>> DOD Programs
>>>> 1210 N. Parker Rd. | Greenville, SC 29609
>>>> Office: 864-335-9473 | Cell: 864-266-3978
>>>> --------------------------
>>>> Sent using BlackBerry
>>>>
>>>>
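
Added example (not Leslie's script and not part of the original thread): a sketch of the log check described in the message above, counting mail connections from addresses that no known allocation covers and re-checking each against a second, fresher source before reporting. The Postfix-style log format, the documentation prefixes, and the names SNAPSHOT, LIVE, live_check and report_unallocated are assumptions; live_check uses a local table where a real script would query the registry.

```python
import ipaddress
import re
from collections import Counter

# Constructed data: documentation prefixes stand in for a registry snapshot and
# for the live registry; none of these values come from the thread.
SNAPSHOT = [ipaddress.ip_network("192.0.2.0/24")]
LIVE = SNAPSHOT + [ipaddress.ip_network("198.51.100.0/24")]  # newer allocation

# Constructed Postfix-style log lines.
SAMPLE_LOG = """\
Oct 27 03:12:01 mx1 postfix/smtpd[411]: connect from unknown[203.0.113.7]
Oct 27 03:12:02 mx1 postfix/smtpd[412]: connect from mail.example.net[192.0.2.25]
Oct 27 03:12:05 mx1 postfix/smtpd[413]: connect from unknown[203.0.113.7]
Oct 27 03:13:40 mx1 postfix/smtpd[414]: connect from unknown[198.51.100.3]
Oct 27 03:14:09 mx1 postfix/smtpd[415]: connect from unknown[203.0.113.9]
Oct 27 03:15:11 mx1 postfix/smtpd[416]: connect from unknown[203.0.113.7]
Oct 27 03:15:12 mx1 postfix/smtpd[417]: connect from unknown[999.1.1.1]
"""

CONNECT_RE = re.compile(r"connect from \S*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_allocated(ip, table):
    """True if ip falls inside any prefix in table."""
    return any(ip in net for net in table)

def live_check(ip):
    """Hypothetical stand-in for a live whois/RDAP query; here a local table."""
    return is_allocated(ip, LIVE)

def report_unallocated(log_text, snapshot, recheck=None):
    """Count connections per source IP that no known allocation covers."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed address in the log, e.g. 999.1.1.1
            continue
        if is_allocated(ip, snapshot) or (recheck and recheck(ip)):
            continue  # allocated, or the snapshot is stale and the live source knows it
        hits[str(ip)] += 1
    return hits

if __name__ == "__main__":
    for ip, n in report_unallocated(SAMPLE_LOG, SNAPSHOT, live_check).most_common():
        print(f"{n:5d}  {ip}")
```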