On Thu, Mar 9, 2023 at 4:05 PM Grant Taylor via NANOG <nanog@nanog.org> wrote:
> On 3/9/23 2:19 PM, Christopher Munz-Michielin wrote:
>> Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks.
>
> I'd be curious what VPN providers they are using so that I could start blocking them. That seems like another player in the criminal support ecosystem.
If I had to put money on it, it's not VPN providers but other VPS providers. VPN providers don't have enough business that anyone cares about to avoid getting killed over BCP38 non-compliance.

It's trivial to turn a $5 VPS into a disposable VPN head-end that can spray TCP SYN packets at a modest rate, and once the packet is on the backbone somewhere in the world, not only can't you do anything about it, it's just on the near side of impossible to figure out where it originally entered. Unless you want to start handing out BGP AS death penalties to entire "tier 1's" who don't instrument their reciprocal peering connections well enough for third parties to trace the source of spoofed packets. Which is 100% of everyone right now. That sort of instrumentation would be darn expensive.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/
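The tunnel bypass Christopher describes and the BCP38 point Bill makes can be modelled end to end: the VPS keeps its legitimately assigned source address, so the hosting provider's own ingress filter and port 25 block see nothing wrong with the tunnel envelope; the head-end re-emits the inner packet with that same source, and only the head-end's upstream is in a position to drop it as spoofed. The following is an added, self-contained illustration written for this page; it is not code from the thread or from any provider. All addresses, prefixes, the tunnel port and the per-provider policies are constructed (RFC 5737 documentation ranges) and hypothetical.

```python
"""Simulated BCP38 ingress filtering at two providers plus a tunnel head-end.

Added example for this thread, not the list members' code. Prefixes,
addresses, ports and policies below are constructed and hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    inner: Optional["Packet"] = None  # set when this packet is a tunnel envelope


# Hypothetical allocations (RFC 5737 documentation space).
PROVIDER_A = [ip_network("203.0.113.0/24")]   # the VPS company's customer space
PROVIDER_B = [ip_network("198.51.100.0/24")]  # the VPN head-end's provider
VICTIM_MX = "192.0.2.25"                      # a mail server somewhere else
TUNNEL_PORT = 1194                            # hypothetical tunnel port


def bcp38_permits(pkt: Packet, customer_prefixes) -> bool:
    """BCP38 ingress check on a customer-facing port: the (outer) source
    address must fall inside what that customer was assigned."""
    src = ip_address(pkt.src)
    return any(src in net for net in customer_prefixes)


def provider_edge(pkt: Packet, prefixes, enforce_bcp38: bool, block_25: bool) -> str:
    """Verdict for one packet at a provider's customer edge."""
    if enforce_bcp38 and not bcp38_permits(pkt, prefixes):
        return "drop: source not in customer allocation (BCP38)"
    if block_25 and pkt.dport == 25:
        return "drop: outbound port 25 blocked"
    return "forward"


def head_end_decapsulate(envelope: Packet) -> Packet:
    """A plain tunnel head-end re-emits the inner packet as-is. It does NOT
    rewrite the source, so the VPS address leaves provider B's network intact."""
    if envelope.dport != TUNNEL_PORT or envelope.inner is None:
        raise ValueError("not a tunnel envelope")
    return envelope.inner


def run_path(pkt: Packet, b_enforces_bcp38: bool) -> List[Tuple[str, str]]:
    """Follow a packet from the VPS through A's edge, the head-end and B's edge.
    Returns (hop, verdict) pairs and stops at the first drop."""
    hops = []
    # Provider A (the VPS company) filters spoofing and blocks outbound 25.
    verdict = provider_edge(pkt, PROVIDER_A, enforce_bcp38=True, block_25=True)
    hops.append(("provider A edge", verdict))
    if verdict != "forward" or pkt.inner is None:
        return hops
    inner = head_end_decapsulate(pkt)
    hops.append(("VPN head-end", f"re-emits src={inner.src} dst={inner.dst}:{inner.dport}"))
    # Provider B has no port 25 block; whether it applies BCP38 is the variable.
    verdict = provider_edge(inner, PROVIDER_B, enforce_bcp38=b_enforces_bcp38, block_25=False)
    hops.append(("provider B edge", verdict))
    return hops


def final_verdict(pkt: Packet, b_enforces_bcp38: bool) -> str:
    return run_path(pkt, b_enforces_bcp38)[-1][1]


# Constructed traffic from one VPS customer.
VPS_ADDR = "203.0.113.10"
direct_spam = Packet(VPS_ADDR, VICTIM_MX, 25)
tunnelled_spam = Packet(VPS_ADDR, "198.51.100.5", TUNNEL_PORT,
                        inner=Packet(VPS_ADDR, VICTIM_MX, 25))

if __name__ == "__main__":
    for name, pkt in (("direct", direct_spam), ("tunnelled", tunnelled_spam)):
        for b in (False, True):
            print(f"{name:9s} B enforces BCP38={b!s:5s} ->", run_path(pkt, b))
```

The direct SMTP attempt dies at provider A's port 25 block. The tunnelled copy passes A's edge because its outer source address is genuinely A's customer space; after decapsulation the inner packet carries that same address out of B's network, where only a BCP38 filter on the head-end's customer port stops it. If B does not filter, the spam reaches the MX with A's address on it, which is the situation the thread complains about.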