Coming back from my vacation, I had to discover that some losers (who, no doubt, had something to lose as far as their hijacked IP space is concerned) have attempted to DoS the MX for pac-rim.net/spamshield.org by sending a few 100,000 spams with randomized @pac-rim.net return addresses around June 25/26th, and us seeing 10,000's of bounces generated by misbehaving mail hosts that bounce to MAIL FROM: addresses sometime after their mail back-end decides that the recipients don't exist (nice AOL-style abuse amplifier, just un-AOL-like unthrottled).

At the same time, MFN/Above.net seems to have null0'd 208.241.101.2 (in response to that? we have yet to see a SINGLE complaint/forwarded copy), thus denying transit of all their non-multihomed downstreams (or those that transit through them to the UUnet /10 aggregate this IP lives in) to our MXs, as well as the SpamShield.org website and the private SpamShield DNSBL zone origin host.

While we have to suffer constantly under attempts of unlawful trespass originating from MFN/Above.net's customers, with never a peep of a follow-up after the auto-reply coming back from abuse@above.net (and in quite a few cases with such trespass continuing unabated) we've never bothered to null0 more than a surrounding /22 around for such abuse for more than a brief amount of time (1-3 days max).

Whoever is wielding 'enable' power at MFN/AboveNet may want to re-think what abuse actually is - and may want to consult with his boss at this time whether it was appropriate to block a DoS victim's MX without contacting same beforehand.

Meanwhile it seems that it took Above.net a LOT longer to null0 hijacked IP space (like: a couple weeks) announced from customer AS 26891 than it took them to null0 a /32 they seemed to perceive as a threat that isn't paying them:

# routes (20030515):
# 199.120.163.0/24 from AS: 26891 (upstreams: 6461),
# 199.120.164.0/24 from AS: 26891 (upstreams: 6461),
# 199.166.200.0/22 from AS: 26891 (upstreams: 6461),
# 199.201.151.0/24 from AS: 26891 (upstreams: 6461),
# 199.201.152.0/24 from AS: 26891 (upstreams: 6461),
# 204.19.162.0/24 from AS: 26891 (upstreams: 6461 23352),

(all gone now)

Waiting for AboveNet/MFN's mail on this - and no, renumbering the host to another IP number would be too annoying.

bye,
Kai

--------

sonet:~# tcptraceroute -s 208.241.101.2 whois.gandi.net
Selected device exp0, address 208.241.101.2, port 58193 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  10.150 ms  8.815 ms  10.136 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  13.199 ms  11.889 ms  12.103 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  16.530 ms  13.251 ms  11.268 ms
 7  182.ATM6-0.BR1.NYC8.ALTER.NET (152.63.23.173)  8.762 ms  7.053 ms  10.339 ms
 8  * * *
 9  * * *
^C

sonet:~# tcptraceroute -s another.address.on.the.same.box whois.gandi.net
Selected device exp0, address x.x.x.x, port 58185 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  9.631 ms  8.728 ms  10.066 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  9.621 ms  8.731 ms  10.017 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  9.663 ms  8.736 ms  10.131 ms
 7  182.ATM5-0.BR1.NYC8.ALTER.NET (152.63.23.77)  19.588 ms  9.054 ms  10.067 ms
 8  200.atm6-0.pr1.lga2.us.mfnx.net (208.184.231.245)  29.625 ms  36.590 ms  29.811 ms
 9  so-2-2-0.cr2.lga2.us.mfnx.net (216.200.127.169)  49.795 ms  35.010 ms  29.780 ms
10  so-0-0-0.cr2.lga1.us.mfnx.net (208.184.232.197)  49.766 ms  28.664 ms  39.752 ms
11  so-6-0-0.cr2.lhr3.uk.above.net (64.125.31.181)  99.797 ms  103.668 ms  99.700 ms
12  so-0-0-0.cr1.lhr3.uk.above.net (208.184.231.145)  109.793 ms  108.402 ms  99.705 ms
13  pos12-0.cr1.cdg2.fr.above.net (64.125.31.130)  109.857 ms  107.870 ms  109.774 ms
14  pos0-2.er1a.cdg2.fr.above.net (208.184.231.205)  109.799 ms  108.622 ms  109.779 ms
15  gitoyen-voltaire-gw.gitoyen.net (62.4.73.30)  119.632 ms  111.625 ms  109.781 ms
16  80.67.168.6 (80.67.168.6)  129.879 ms  119.700 ms  109.803 ms
17  jd.gandi.net (80.67.173.20) [open]  109.893 ms  1.390 ms  119.798 ms