On Fri, Nov 10, 2006 at 07:20:10AM +0200, Hank Nussbacher wrote:
AS29449 is not the problem. It is the upstreams of AS5602 (KPNQwest Italia) and AS286 (KPN) that let this crap leak.
In fact, it may not even be the immediate upstreams. In our paper, we describe specific examples where it's very hard to track exactly who's at fault, because so much of the AS path appears to be forged. See finding #5 in the excerpt below. I include the most germane excerpt from the paper below, for people's convenience. btw, Randy Bush helped us understand this technique a bit better and coined the phrase spectrum agility.

"... We have called this technique 'spectrum agility' because it allows a spammer the flexibility to use a wide variety of IP addresses within a very large block from which to send spam. The large IP address block allows the mail relays to 'hop' between a large number of IP addresses, thereby evading IP-based filtering techniques like DNSBLs. Judging from Figure \ref{fig:dnsbls} and our analysis in Section \ref{sec:dnsbls}, the technique seems to be rather effective. As an added benefit, route announcements for shorter IP prefixes (i.e., larger blocks of IP addresses) are less likely to be blocked by ISPs' route filters than route announcements or hijacks for longer prefixes. Upon further inspection, we also discovered the following interesting features:

(1) the IP addresses of the mail relays sending this spam are widely distributed across the IP address space;
(2) the IP addresses from which we see spam in this address space typically appear only once;
(3) on February 6, 2006, attempts to contact the mail relays that we observed using this technique revealed that roughly 60-80% of these hosts were not reachable by traceroute;
(4) many of the IP addresses of these mail relays were located in allocated, albeit unannounced and unused IP address space; and
(5) many of the AS paths for these announcements contained reserved (i.e., to-date unallocated) AS numbers, suggesting a possible attempt to further hamper traceability by forging elements of the AS path. ..."

-Nick
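A defender-side illustration of the indicators in that excerpt, as an added example that is not from the paper or from this thread: it matches spam-sender sightings against BGP announcement records and flags large-block, short-lived announcements, reserved ASNs in the AS path, and senders in unannounced space. All prefixes, ASNs, timestamps and thresholds below are constructed sample values, not data from the paper.

```python
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Announcement = namedtuple("Announcement", "prefix path start end")

def make_announcement(prefix, path, start, end):
    return Announcement(ipaddress.ip_network(prefix), path,
                        datetime.fromisoformat(start), datetime.fromisoformat(end))

# Constructed sample data (not from the paper): announcement lifetimes and spam sightings.
ANNOUNCEMENTS = [
    # A /8 (large block) announced for only a few hours, with a private ASN in the path.
    make_announcement("240.0.0.0/8", [64496, 65000, 64498], "2006-02-06T08:00", "2006-02-06T11:00"),
    # A normal, long-lived /24 with an unremarkable path.
    make_announcement("203.0.113.0/24", [64496, 64497], "2006-01-01T00:00", "2006-12-31T00:00"),
]
SIGHTINGS = [  # (sender IP, time the spam was received)
    ("240.17.200.5", "2006-02-06T09:15"), ("240.93.4.77", "2006-02-06T10:40"),
    ("203.0.113.10", "2006-02-06T09:30"), ("203.0.113.10", "2006-02-07T09:30"),
    ("198.51.100.9", "2006-02-06T09:45"),
]

def is_reserved_asn(asn):
    """ASNs that should not appear in a genuine AS path: 0, AS_TRANS (23456),
    private/reserved 16-bit ASNs (64512-65535) and private/reserved 32-bit ASNs."""
    return asn == 0 or asn == 23456 or 64512 <= asn <= 65535 or asn >= 4200000000

def classify(ip, seen_at, announcements=ANNOUNCEMENTS,
             max_prefixlen=8, max_lifetime=timedelta(hours=24)):
    """Return the spectrum-agility indicators that apply to one spam sighting."""
    addr, t = ipaddress.ip_address(ip), datetime.fromisoformat(seen_at)
    covering = [a for a in announcements if addr in a.prefix and a.start <= t <= a.end]
    if not covering:
        return ["unannounced-space"]            # feature (4): allocated but unannounced
    best = max(covering, key=lambda a: a.prefix.prefixlen)   # longest-prefix match
    flags = []
    if best.prefix.prefixlen <= max_prefixlen:
        flags.append("large-block")             # short prefix slips past route filters
    if best.end - best.start <= max_lifetime:
        flags.append("short-lived")             # announced only while spam is sent
    if any(is_reserved_asn(asn) for asn in best.path):
        flags.append("reserved-asn-in-path")    # feature (5): forged AS path elements
    return flags

def single_use_fraction(sightings=SIGHTINGS):
    """Feature (2): fraction of sender IPs that appear exactly once."""
    counts = Counter(ip for ip, _ in sightings)
    return sum(1 for c in counts.values() if c == 1) / len(counts)
```

In practice the announcement records would come from a route collector feed and the sightings from mail-server logs; the thresholds are tuning knobs, not values from the paper.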