Re: Re[2]: The in-your-face hijacking example, was: Re: Who is announcing bogons?
On Wed, 30 Apr 2003 emil@atrivo.com wrote:
> Might I mention that Spews, SpamHaus or anyone that has made these claims has not even attempted to give me a call.

Maybe because they expect your email to actually work, and don't care to spend money calling you long distance?

http://groups.google.com/groups?selm=jql2avgk84hporq5cj8vdkcvsghj8ae9so%404ax.com&oe=UTF-8&output=gplain

Your role address bounces (yes, I did verify emil@atrivo.com bounces), and apparently you have a portscanner on 170.208.15.82.

Looking through my logs for April I have received spams from 170.208.17.65, 170.208.17.67, 170.208.17.70, 170.208.17.92, 170.208.17.112, 170.208.17.113, 170.208.17.114, 170.208.17.115

You have got porno spammers in these netblocks scanning for open relays and relay raping innocent third parties.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, 30 Apr 2003, Dan Hollis wrote:
> Looking through my logs for April I have received spams from 170.208.17.65, 170.208.17.67, 170.208.17.70, 170.208.17.92, 170.208.17.112, 170.208.17.113, 170.208.17.114, 170.208.17.115
>
> You have got porno spammers in these netblocks scanning for open relays and relay raping innocent third parties.
>
> -Dan

+---------------------+----------------+--------+----------------+
| date                | msgid          | reason | relayi         |
+---------------------+----------------+--------+----------------+
| 2003-02-10 17:31:46 | h1B1Vavr008635 | honey  | 170.208.0.138  |
| 2003-02-12 16:55:56 | h1D0tpvr025598 | honey  | 170.208.0.139  |
| 2003-02-12 20:01:26 | h1D41Qvr004895 | honey  | 170.208.0.136  |
| 2003-02-14 07:04:56 | h1EF4pvr007227 | honey  | 170.208.0.137  |
| 2003-04-18 21:28:56 | h3J4S0Bk022427 | honey  | 170.208.17.68  |
| 2003-04-19 05:18:37 | h3JCHfBk013611 | honey  | 170.208.17.70  |
| 2003-04-24 21:50:03 | h3P4o2vf013525 | honey  | 170.208.17.67  |
| 2003-04-29 15:11:46 | h3TMBbfc005975 | honey  | 170.208.17.113 |
+---------------------+----------------+--------+----------------+

Every one of them sent to address never used by humans, but somehow well known by professional spammers..

But I'm sure Emil's an innocent victim here, somehow.

Matt Ghali

--mghali@snark.net------------------------------------------<darwin><
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in.
#include <disclaim.h>
Can't have one on 170.208.15.82; I null routed it some time ago as it was a compromised machine.

On Wed, 30 Apr 2003, Dan Hollis wrote:
> On Wed, 30 Apr 2003 emil@atrivo.com wrote:
>> Might I mention that Spews, SpamHaus or anyone that has made these claims has not even attempted to give me a call.
>
> Maybe because they expect your email to actually work, and don't care to spend money calling you long distance?
>
> http://groups.google.com/groups?selm=jql2avgk84hporq5cj8vdkcvsghj8ae9so%404ax.com&oe=UTF-8&output=gplain
>
> Your role address bounces (yes, I did verify emil@atrivo.com bounces), and apparently you have a portscanner on 170.208.15.82.
>
> Looking through my logs for April I have received spams from 170.208.17.65, 170.208.17.67, 170.208.17.70, 170.208.17.92, 170.208.17.112, 170.208.17.113, 170.208.17.114, 170.208.17.115
>
> You have got porno spammers in these netblocks scanning for open relays and relay raping innocent third parties.
>
> -Dan
> --
> [-] Omae no subete no kichi wa ore no mono da. [-]
On Thu 1 May 2003 06:28:16 (UTC), Dan Hollis <goemon@anime.net> wrote:

| ... apparently you have a portscanner on 170.208.15.82.

Which is a salient reminder that while spam may be the most visible indication of compromised machines, bogus routing etc) it is likely to be by far the least of the evils that will originate from such a source. Spot the spam, catch the REAL problem ... prevent more serious issues.

On Wed, 30 Apr 2003 22:36:57 (UTC), william@elan.net wrote:

| I would not be so sure that LANET-1 ASN has anything to do with
| LANET-1 Network or with LANET organization id.

To be frank, I wasn't as sure as I wanted to be; that's why I simply pointed to the repeated use of the LANET-1 label, so that others could make their own judgements.

Further research confirms William is right about it being a California LANET: compare the listing for 170.208.0.0 in:
http://euclid.math.brandeis.edu/turtschi/whois/netb22.html
with the listing for (the block currently in use by LA County) 159.83.0.0 in:
http://euclid.math.brandeis.edu/turtschi/whois/netb16.html

I have today spoken to the appropriate people who have confirmed their ongoing ownership of the block and are now taking appropriate action. We have also identified how the deception was carried out in this case.
For the record, the current routing analysis is as follows:

Netblock          BGP route           Announced by
170.208.0.0/24    174 16631           Cogent
170.208.1.0/24    6939 26346 27595    Atrivo
170.208.2.0/24    6939 26346 27595    Atrivo
170.208.3.0/24    6939 26346 27595    Atrivo
170.208.4.0/24    6939 26346 27595    Atrivo
170.208.5.0/24    6939 26346 27595    Atrivo
170.208.6.0/24    6939 26346 27595    Atrivo
170.208.7.0/24    6939 26346 27595    Atrivo
170.208.8.0/24    174 16631           Cogent
170.208.9.0/24    6939 26346 27595    Atrivo
170.208.10.0/24   6939 26346 27595    Atrivo
170.208.11.0/24   6939 26346 27595    Atrivo
170.208.12.0/24   6939 26346 27595    Atrivo
170.208.13.0/24   6939 26346 27595    Atrivo
170.208.14.0/24   6939 26346          Digital Wireworks
170.208.15.0/24   6939 26346 27595    Atrivo
170.208.17.0/24   6939 26346          Digital Wireworks
170.208.18.0/24   6939 26346 27595    Atrivo

--
Richard Cox
On Thu, 1 May 2003, Richard Cox wrote:
> For the record, the current routing analysis is as follows:
>
> Netblock          BGP route           Announced by
> 170.208.1.0/24    6939 26346 27595    Atrivo
> etc...

FYI, AS 6939 (Hurricane) is no longer transiting prefixes in the 170.208.0.0/16 range.

Mike.

+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber           Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric     Web Hosting  Colocation       Fax 510 580 4151 |
| mleber@he.net                                       http://www.he.net |
+-----------------------------------------------------------------------+
On Thu, 1 May 2003 19:51:50 -0700 (PDT), Mike Leber <mleber@he.net> wrote:

| FYI, AS 6939 (Hurricane) is no longer transiting prefixes in the
| 170.208.0.0/16 range.

Excellent news, Mike; the current routing now appears to be:

Netblock          BGP route           Announced by
170.208.0.0/24    174 16631           Cogent
170.208.0.0/19    174 16631 27595     Atrivo
170.208.6.0/24    174 16631           Cogent
170.208.7.0/24    174 16631           Cogent
170.208.8.0/24    174 16631           Cogent
170.208.14.0/24   7911 6517 26346     Digital Wireworks via YIPES

Richard Cox
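
Added example, not part of any poster's message: the second routing snapshot above mixes a covering /19 with more-specific /24s, so this sketch applies longest-prefix match to show which announcement would carry traffic for addresses named in the thread, and checks whether a given AS still appears in any path. The function names and the last two sample addresses are constructed for illustration; the rightmost AS in each path is treated as the origin.

```python
import ipaddress

# Second routing snapshot from the thread: prefix, AS path, "Announced by" label.
SNAPSHOT = """\
170.208.0.0/24   174 16631          Cogent
170.208.0.0/19   174 16631 27595    Atrivo
170.208.6.0/24   174 16631          Cogent
170.208.7.0/24   174 16631          Cogent
170.208.8.0/24   174 16631          Cogent
170.208.14.0/24  7911 6517 26346    Digital Wireworks via YIPES
"""

def parse_routes(text):
    """Parse 'prefix  AS AS ...  label' rows; the last AS in the path is the origin."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        n = 1
        while n < len(fields) and fields[n].isdigit():
            n += 1
        path = [int(a) for a in fields[1:n]]
        routes.append({"prefix": ipaddress.ip_network(fields[0]), "path": path,
                       "origin": path[-1], "label": " ".join(fields[n:])})
    return routes

def best_route(routes, address):
    """Longest-prefix match: the most specific covering announcement wins."""
    addr = ipaddress.ip_address(address)
    covering = [r for r in routes if addr in r["prefix"]]
    return max(covering, key=lambda r: r["prefix"].prefixlen, default=None)

def transited_by(routes, asn):
    """Prefixes whose AS path contains asn anywhere (as origin or transit)."""
    return [str(r["prefix"]) for r in routes if asn in r["path"]]

def report(routes, addresses):
    """Map each address to (winning prefix, origin AS, label), or None if unrouted."""
    out = {}
    for a in addresses:
        r = best_route(routes, a)
        out[a] = (str(r["prefix"]), r["origin"], r["label"]) if r else None
    return out

ROUTES = parse_routes(SNAPSHOT)
# The first three addresses are quoted in the thread; the last two are constructed.
ADDRESSES = ["170.208.17.113", "170.208.15.82", "170.208.0.138",
             "170.208.14.1", "170.208.40.1"]

if __name__ == "__main__":
    for addr, hit in report(ROUTES, ADDRESSES).items():
        print(addr, "->", hit)
    print("paths containing AS6939:", transited_by(ROUTES, 6939))
```
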
Just to further add, Wireworks is no longer transiting blocks in the 170.208.0.0/16 block. The block appears to still be announced but not via 26346.

----- Original Message -----
From: "Mike Leber" <mleber@he.net>
To: "Richard Cox" <Richard@mandarin.com>
Cc: <nanog@merit.edu>
Sent: Thursday, May 01, 2003 7:51 PM
Subject: Re: Re[4]: The in-your-face hijacking example, was: Re: Who is announcing bogons?

On Thu, 1 May 2003, Richard Cox wrote:
> For the record, the current routing analysis is as follows:
>
> Netblock          BGP route           Announced by
> 170.208.1.0/24    6939 26346 27595    Atrivo
> etc...

FYI, AS 6939 (Hurricane) is no longer transiting prefixes in the 170.208.0.0/16 range.

Mike.

+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber           Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric     Web Hosting  Colocation       Fax 510 580 4151 |
| mleber@he.net                                       http://www.he.net |
+-----------------------------------------------------------------------+
participants (5)
- Dan Hollis
- just me
- Mike Leber
- Richard Cox
- Scott Granados