Re: massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3)
You wont find me holding up uceprotect or apews as fine examples of properly or even competently run lists, I'd point you to spamhaus for that. But, in this day and age, and with the volumes of spam around, I'd counsel you NOT to wait for or expect manual complaints to your abuse desk, almost nobody does that these days. Feel free to signup for AOL etc feedback loops and you'd probably get a much higher volume of complaints - enough that you'd have to dedicate an email address to it, and use the scriptability of the ARF format these feedback loops are sent in, so you can get / generate stats. Periodic rDNS scans of your network, and either making rDNS requests manual, or at least running periodic rDNS scans of your network to spot that kind of customer would make sense too. You must admit that the kind of rDNS Steve Champeon posted in in that very long list upthread sticks out like a sore thumb. --srs On Sat, May 9, 2009 at 4:20 AM, John van Oppen <john@vanoppen.com> wrote:
My favorite part of uceprotect was that there was basically no way to get them to send us actual reports or even IPs (without us paying for them). We canned this customer a month or two ago for abuse but gave them time to migrate out of our IP space (they were announcing it with their ASN to their other provider even after we cut transit) and swore up and down they were using it for virtual hosting (as did their ARIN justification forms). I just requested directly to their other provider that announcements be filtered and removed the SWIP. That /20 had only ever had about 15 reports for it to our abuse desk and we are actually responsive hence the kicking of the customer
I agree, spamhaus has always been great. We were on a few feedback loops and senderbase.org did not show much for that subnet... anyway solved now. Got the ex-customer's other ISP to block the announcement since we killed it a while ago, also removed the SWIP. ;) John van Oppen Spectrum Networks LLC Direct: 206.973.8302 Main: 206.973.8300 Website: http://spectrumnetworks.us -----Original Message----- From: Suresh Ramasubramanian [mailto:ops.lists@gmail.com] Sent: Friday, May 08, 2009 4:35 PM To: John van Oppen Cc: Steven Champeon; Skywing; Raleigh Apple; nanog@nanog.org Subject: Re: massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3) You wont find me holding up uceprotect or apews as fine examples of properly or even competently run lists, I'd point you to spamhaus for that. But, in this day and age, and with the volumes of spam around, I'd counsel you NOT to wait for or expect manual complaints to your abuse desk, almost nobody does that these days. Feel free to signup for AOL etc feedback loops and you'd probably get a much higher volume of complaints - enough that you'd have to dedicate an email address to it, and use the scriptability of the ARF format these feedback loops are sent in, so you can get / generate stats. Periodic rDNS scans of your network, and either making rDNS requests manual, or at least running periodic rDNS scans of your network to spot that kind of customer would make sense too. You must admit that the kind of rDNS Steve Champeon posted in in that very long list upthread sticks out like a sore thumb. --srs On Sat, May 9, 2009 at 4:20 AM, John van Oppen <john@vanoppen.com> wrote:
My favorite part of uceprotect was that there was basically no way to get them to send us actual reports or even IPs (without us paying for them). We canned this customer a month or two ago for abuse but gave them time to migrate out of our IP space (they were announcing it with their ASN to their other provider even after we cut transit) and swore up and down they were using it for virtual hosting (as did their ARIN justification forms). I just requested directly to their other provider that announcements be filtered and removed the SWIP. That /20 had only ever had about 15 reports for it to our abuse desk and we are actually responsive hence the kicking of the customer
participants (2)
-
John van Oppen -
Suresh Ramasubramanian