On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <rusmyba@gmail.com> wrote:

> Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.
>
> Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address as a PO box and a single link to an unsubscribe field.
>
> I've contacted at least three known contacts for the customer about the abuse without a single response.
>
> It would seem there are many layers to this entity:
>
> - The domains are registered to one business.
> - Our billing information for the customer has one name; they colo with another person (whom the cross connect reaches).
> - Our customer has an IT solutions person working for them (strange, since our customer and their colo provider are "IT solutions" people themselves).
> - Abuse handle phone #s are supposedly incorrect (I called it).
>
> Besides the obvious of me at the minimum filtering port tcp/25, is there an organization that tracks businesses like these who seem like they are building a web of insulation in which to move?
>
> I think this case might interest them.
Can you name the /24? I can't say that this sounds unfamiliar -- we are seeing an increase in "facilitated" criminal activity across the board...

- ferg

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/