This is puzzling me. If it's from non-announced space, at some point some router should report no route to it. How is the TCP handshake performed to allow a sync to turn into spam? Chuck Chuck Church Network Planning Engineer, CCIE #8776 Harris Information Technology Services DOD Programs 1210 N. Parker Rd. | Greenville, SC 29609 Office: 864-335-9473 | Cell: 864-266-3978 -------------------------- Sent using BlackBerry ----- Original Message ----- From: Jon Lewis <jlewis@lewis.org> To: Leslie <leslie@craigslist.org> Cc: NANOG <nanog@nanog.org> Sent: Tue Oct 27 21:08:12 2009 Subject: Re: dealing with bogon spam ? On Tue, 27 Oct 2009, Leslie wrote:
I failed to mention we're seeing this from an unallocated /20 whose parent /8 is allocated to ARIN (and is partially in use)
What /20 would that be? If you're sure it's unallocated, and see nothing but spam from it, block it at your border. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________