North American Network Operators Group


Re: Attn MCI/UUNet - Massive abuse from your network

  • From: Ben Browning
  • Date: Thu Jun 24 15:24:59 2004

Chris,

To start off, thank you for taking this issue seriously and investigating it.

At 08:05 PM 6/23/2004, Christopher L. Morrow wrote:
The sbl lists quite a few /32 entries, while this is nice for blocking
spam if you choose to use their RBL service I'm not sure it's a good
measure of 'spamhaus size'. I'm not sure I know of a way to take this
measurement, but given size and number of IPs that terminate inside AS701
there certainly are scope issues.

Netmasks aside, a spammer is a spammer. One spammer sending 100,000 emails from 4 machines is functionally equivalent to one sending 100,000 from 1 machine.

All that said, I'm certainly not saying "spam is good", I also believe
that over the last 4.5 years uunet's abuse group has done quite a few good
things with respect to the main spammers.

That's possible, I suppose, but the view from outside sees only the bad (and there's plenty).

> As an example, I see a posting that says emailtools.com was alive on
> 206.67.63.41 in 2000. They aren't there any more... But now:
>
> [[email protected]]$ telnet mail.emailtools.com 25
> Trying 65.210.168.34...
> Connected to mail.emailtools.com.
> Escape character is '^]'.

Sure, customer of a customer we got emailtools.com kicked from their
original 'home' now they've moved off (probably several times since 2000)
to another customer. This happens to every ISP, each time they appear we
start the process to disconnect them. I'm checking on the current status
of their current home to see why we have either: 1) not gotten complaints
about them, 2) have not made progress kicking them again.

Excellent! I (and I am sure the rest of the antispam community) will be looking forward to hearing how all this pans out, and I am very glad I could bring some of this to your attention.

> >On Mon, 21 Jun 2004, Ben Browning wrote:
> Allow me to rephrase- I wanted it to be read and hoped someone would act on
> complaints. I have no doubt MCI is serious about stopping DDOS and other
> abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
> though, [email protected] turns a blind eye. What other conclusion can I draw from the

This is not true, the action might not happen in the time you'd like, but
there are actions being taken. I'd be the first to admit that the
timelines are lengthy :( but part of that is the large company process,
getting all the proper people to realize that this abuse is bad and the
offenders need to be dealt with.

A lengthy timeline for action to be taken, from the viewpoint of the attacked, is indistinguishable from tacit approval of the attacks. I don't imagine MCI has a lengthy timeline when replying to sales email or billing issues.

> 200ish SBL entries under MCI's name? Why else would emailtools.com (for
> example) still be around despite their wholesale raping of misconfigured
> proxies?

emailtools will be around in one form or another, all the owner must do is
purchase 9$ virtual-hosting from some other poor ISP out there who needs
the money... they may not even know who emailtools is, if that ISP is a
uunet/mci customer then we'll have to deal with them as well, just like
their current home. you must realize you can't just snap your fingers and
make these things go away.

Omaha Steaks has been there for 3+ weeks (since being added to the SBL).

Scott Richter has likewise been spamming from there for a month. Do you need a permission slip to terminate him? Does it take a month to get one? I can snap my fingers many times in a month!

According to ARIN records, both of these are swipped space only one step below yours (i.e., not a customer-of-a-customer).

It's nice to say "Oh well they move around and we can't stop them", but the point is that if they got terminated in a timely fashion (measured in hours or days at the most, *not* weeks and months) they would not keep moving around on your network; they would find another one to abuse instead. As it stands, they get a month to spam, then they have to move- that's pink gold in spammerland.

> All I want is a couple of straight-up answers. Why do complaints to uunet
> go unanswered and the abusers remain connected if, in fact, the complaints

I believe you do get an answer, if not the auto-acks are off still from a
previous mail flood ;(

An auto-ack is not an answer.

Please let me know if you are NOT getting ticket
numbers back. They might be connected still if there were:
1) not enough info in the complaints to take action on them

I've never been asked to furnish more info.

2) not enough complaints to terminate the account, but working with the
downstream to get the problem resolved

I've never been looped into this process either. What is the window you guys give your downstreams for ceasing such activities?

3) action is awaiting proper approvals.

What's the timeframe on these approvals happening? Do you need such approvals in the event of a DDOS or other abuse?

> are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as

I think the answer is shifting winds in spammer homelands, I'll look
through the list and see if we know about the problem children in the list
and what we are doing about them.

Yes, they are drifting towards bulletproof hosting. MCI has a very wide reputation as being spam-friendly.

> If I am a kook and an idiot for wanting a cleaner internet, well then I
> guess I am a kook and an idiot.

not for that, just for taking this up in the wrong place... but people
call me kooky too, so maybe I'm just skewed.

What exactly makes NANOG the wrong place for this, given that MCI is mute in the more appropriate forum (news.admin.net-abuse.email)?
---
Ben Browning <[email protected]>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER http://www.theriver.com