Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.

Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address as a PO box and a single link to an unsubscribe field.

I've contacted at least three known contacts for the customer about the abuse without a single response.

It would seem there are many layers to this entity:

- The domains are registered to one business
- Our billing information for the customer has one name; they colo with another person (whom the cross connect reaches)
- Our customer has an IT solutions person working for them (strange, since our customer and their colo provider are "IT solutions" people themselves)
- Abuse handle phone #s are supposedly incorrect (I called it)

Besides the obvious of me at the minimum filtering port tcp/25, is there an organization that tracks businesses like these who seem like they are building a web of insulation in which to move?

I think this case might interest them.
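What the post describes can be measured rather than eyeballed. The script below is an added example and not part of the thread: it scores a block's PTR records (here a constructed sample for 192.0.2.0/24 standing in for real `dig -x` output, with a constructed forward-lookup table) by how many distinct domains appear per host, how many are random-looking names, and how many fail forward-confirmed rDNS. The domain names, the thresholds and the consonant-run heuristic are all assumptions of the example.

```python
"""Score a /24's reverse DNS for the pattern the post describes: one throwaway,
nonsense domain per host, many distinct domains, few with a matching forward
record. Added example with constructed data; thresholds are arbitrary."""
import ipaddress
import re
import socket
from collections import Counter
from typing import Dict, Mapping

# Constructed PTR results standing in for a walk of 192.0.2.0/24 (a documentation
# range). A real walk would use walk_ptrs() below or `dig -x` per address.
SNOWSHOE_PTRS: Dict[str, str] = {
    "192.0.2.10": "mail.nfwqzk-offers.com",
    "192.0.2.11": "mx1.bqplxw-deals.com",
    "192.0.2.12": "smtp.kxtrvp-savings.net",
    "192.0.2.13": "mail.zqwdlm-promo.com",
    "192.0.2.14": "out.hjgvcx-club.net",
    "192.0.2.15": "mail.pwrtnk-rewards.com",
}
# Constructed A-record results for those names; only two point back at the
# address that claims them (forward-confirmed rDNS).
SNOWSHOE_FORWARD: Dict[str, str] = {
    "mail.nfwqzk-offers.com": "192.0.2.10",
    "mx1.bqplxw-deals.com": "192.0.2.11",
}

# Four or more consonants in a row: rare in real words, the norm in random names.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def registrable_domain(name: str) -> str:
    """Crude registrable domain: the last two labels. Good enough for .com/.net;
    a real tool would consult the public suffix list for co.uk and friends."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_like_nonsense(domain: str) -> bool:
    """Flag a second-level label whose hyphen-separated parts contain a long
    consonant run (heuristic, not a classifier)."""
    second_level = domain.split(".")[0]
    return any(CONSONANT_RUN.search(part) for part in second_level.split("-"))


def fcrdns_ok(ip: str, ptr: str, forward: Mapping[str, str]) -> bool:
    """Forward-confirmed rDNS: the PTR name's A record must point back at ip."""
    return forward.get(ptr.rstrip(".").lower()) == ip


def score_block(ptrs: Mapping[str, str], forward: Mapping[str, str],
                block_size: int = 256) -> Dict[str, object]:
    """Summarise a block's rDNS and decide whether it looks snowshoe-like."""
    hosts = len(ptrs)
    domains = Counter(registrable_domain(p) for p in ptrs.values())
    distinct = len(domains)
    nonsense = sum(looks_like_nonsense(d) for d in domains)
    fcrdns_fail = sum(not fcrdns_ok(ip, p, forward) for ip, p in ptrs.items())
    summary: Dict[str, object] = {
        "hosts_with_ptr": hosts,
        "ptr_coverage": hosts / block_size,
        "distinct_domains": distinct,
        "domains_per_host": distinct / hosts if hosts else 0.0,
        "nonsense_fraction": nonsense / distinct if distinct else 0.0,
        "fcrdns_fail_fraction": fcrdns_fail / hosts if hosts else 0.0,
    }
    # Legitimate blocks reuse one or two real domains across many hosts; snowshoe
    # blocks burn a fresh nonsense domain per host. Thresholds are arbitrary.
    summary["snowshoe_like"] = bool(
        hosts >= 4
        and summary["domains_per_host"] >= 0.8
        and summary["nonsense_fraction"] >= 0.5
    )
    return summary


def walk_ptrs(cidr: str) -> Dict[str, str]:
    """Live PTR walk of a block (network access required; not used by the sample)."""
    found: Dict[str, str] = {}
    for addr in ipaddress.ip_network(cidr):
        try:
            found[str(addr)] = socket.gethostbyaddr(str(addr))[0]
        except (socket.herror, socket.gaierror):
            continue
    return found


if __name__ == "__main__":
    for key, value in score_block(SNOWSHOE_PTRS, SNOWSHOE_FORWARD).items():
        print(f"{key:>22}: {value}")
```

A legitimate hosting block tends to repeat one or two real domains across many hosts and passes FCrDNS; a snowshoe block burns one fresh domain per address, so `domains_per_host` near 1.0 together with a high nonsense fraction is the signal. `walk_ptrs()` does the live walk if you want to run it against a customer's space.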
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <rusmyba@gmail.com> wrote:
Can you name the /24? I can't say that this sounds unfamiliar -- we are seeing an increase in "facilitated" criminal activity across the board...

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLDKPkq1pz9mNUZTMRAg4pAKCZK6srbs1H2zp2FwKvB+T1xe3eKQCfSNFC
Gv0xuZ7Lc0q94Yet+xUD3GY=
=3sfS
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
On Tue, 24 Nov 2009, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address as a PO box and a single link to an unsubscribe field.
I've contacted at least three known contacts for the customer about the abuse without a single response.
I've found that in cases like this, the best way to get in contact with the customer is to interrupt their service. Suddenly, they'll go from being too busy to take/return your call to calling you.
It would seem there are many layers to this entity:
- The domains are registered to one business
- Our billing information for the customer has one name; they colo with another person (whom the cross connect reaches)
- Our customer has an IT solutions person working for them (strange, since our customer and their colo provider are "IT solutions" people themselves)
- Abuse handle phone #s are supposedly incorrect (I called it)
I'm confused. Who are you billing and for what services?
Besides the obvious of me at the minimum filtering port tcp/25, is there an organization that tracks businesses like these who seem like they are building a web of insulation in which to move?
I think this case might interest them.
Spamhaus is the first one that comes to mind. From what I understand of your description, this doesn't sound all that different from typical spammer behavior. Multiple layers of indirection seems to be the latest thing for spammers.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
I'm confused. Who are you billing and for what services?
Let's say our direct customer is CustomerA. They seem to buy rackspace from BusinessB. CustomerA seems to retain BusinessC for "IT Solutions" even though all three entities purport to be IT solutions providers. BusinessC came into the picture after the spamming started, saying a wholly different /24 (different from the spam source) "doesn't work". It routes fine on our end. I have a feeling they've been added to some RBLs but I haven't found them listed yet.

Just a simple ethernet handoff in a colo. We delegated rDNS to the servers of their choice and haven't heard a peep out of them until now.
On November 24, 2009, Russell Myba wrote:
Spamhaus is the first one that comes to mind. From what I understand of your description, this doesn't sound all that different from typical spammer behavior. Multiple layers of indirection seems to be the latest thing for spammers.
Depends on the activity, but this re-iterates the importance of maintaining correct SWIP, so that only the offenders get listed, and not bordering customers.

But if you give the info on the listed company and range, we might be able to give you a lot more information.. I was just reading the latest spam auditors report, and it is always amazing how the same guys keep finding new colos to work out of ..

--
-- "Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037
Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Nov 24, 2009 at 10:55 PM, Michael Peddemors <michael@linuxmagic.com> wrote:
Depends on the activity, but this re-iterates the importance of maintaining correct SWIP, so that only the offenders get listed, and not bordering customers.
Right. There are *so many* loopholes in this entire process, Bad Guys are waltzing through it.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLDNofq1pz9mNUZTMRAgNrAKDz6JwFqBG3gvXEIKo1UVrJSTmxDQCfadqV
Ph3qt/qPDze8Z5tsRP7LgSw=
=gQrR
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
On Wed, Nov 25, 2009 at 2:17 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
On Tue, Nov 24, 2009 at 10:55 PM, Michael Peddemors <michael@linuxmagic.com> wrote:
Depends on the activity, but this re-iterates the importance of maintaining correct SWIP, so that only the offenders get listed, and not bordering customers.
Right. There are *so many* loopholes in this entire process, Bad Guys are waltzing through it.
Could you elaborate on what constitutes correct SWIP information?
Russell Myba wrote:
I think it's an absolute crying shame that a freak bolt of lightning somehow fried their rackspace in the colo and didn't affect any of the surrounding neighbors. I hate it when that happens. It's karma I think...

Justin
Interesting scenario ... but would be far more interesting to us if you share the /24?

Truman
Russell Myba wrote:
From principle, I want to jump up and down and say "zap `em!". However, I also make several assumptions which need to be cleared, pragmatically.

I assume you have authority over the decision of what to do with them, and I also assume that your contract with them does not bind you in some fashion, can get you in trouble with the business side of the business, or can introduce *liability* issues. And naturally, that if you are not the decision maker, that you are synched with whomever it is.

These assumptions aside, kicking them might not be the best solution. "Starving them" out by blocking port 25, as an example you gave, or following some of the other suggestions in this thread, may be workable.

Which brings me three very important questions:

1. How much intelligence can you collect if you let them stay?
2. Have you considered legal action against them?
3. Did you consult with legal about possible law enforcement involvement?

As to the intricate web of who they are and where their resources lie, these are usually cases where the more you dig, the more you find -- ad infinitum.

Me? I'd just kick them after verifying they are not victims themselves.

I hope this helps,

Gadi.

--
Gadi Evron, ge@linuxbox.org.

Blog: http://gevron.livejournal.com/
Russell,

My personal inclination would be to look for what legit entities are provisioning them with critical resources and what margins they appear to be paying.

For DNS resources, the domains, to identify registry preference, probably a simple volume correlation, and the registrars, which may correlate better to other primary characteristics than simple volume, to RRset data, which may have interesting correlates to other, provisioned, critical resources.

I'm not the "registrar police", I'm simply interested in ICANN having a policy towards registrars that looks beyond failure to respond to email, failure to pay $0.25/domain/year, and failure to escrow registrant data, which seem to be the only basis for breach of contract proceedings against, or non-renewals of, its registrars.

Whack-a-mole has been discussed lots of times, and as Gadi confirms at the end of his note, he's still mostly in the Whack-a-camp, though he does mention gathering information.

When they stop providing you (and "you" could include parties who are paying you to look over your shoulder at this petri dish and its cultured agar) with data of value, then their existence is of no value.

Eric
On Wed, Nov 25, 2009 at 8:52 AM, Russell Myba <rusmyba@gmail.com> wrote:
Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address as a PO box and a single link to an unsubscribe field.
Sounds like what spamhaus.org calls snowshoe. What /24 would this be?
On Tue, Nov 24, 2009 at 10:22:36PM -0500, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.
1. This is possibly/probably better on spam-l.

2. This is a very common operational model. Any number of spamgangs have been busy doing this with multiple /24's scattered over numerous providers in order to distribute the workload and minimize the impact of any takedown.

3. There is no point in reporting this to any law enforcement agency anywhere in the world *unless* child pornography is involved. Any action they take will be slow, inept, and ineffective.

The best that you can probably do is (a) shut them down instantly and permanently and (b) publish all relevant details -- name names -- on spam-l so that workers and researchers can use the information.

---Rsk
On Wed, 25 Nov 2009, Rich Kulawiec wrote:
On Tue, Nov 24, 2009 at 10:22:36PM -0500, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.
1. This is possibly/probably better on spam-l.

2. This is a very common operational model. Any number of spamgangs have been busy doing this with multiple /24's scattered over numerous providers in order to distribute the workload and minimize the impact of any takedown.
One of them actually patented it. Further proof that you can patent just about anything in the US.

http://www.faqs.org/patents/app/20090271475

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 25 Nov 2009, at 04:22, Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little spam spewing machine. Doesn't seem like just one compromised host.
Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address as a PO box and a single link to an unsubscribe field.
Classic snowshoe spam setup, probably a professional snowshoe spam outfit known to Spamhaus as 'Tactara' and 'Webzero'.

Snowshoe spam operations operate by contacting ISPs pretending to be 'IP space brokers'; they buy lots of IP space and have it all SWIPed in small chunks, mostly /24s, to an endless array of anonymous Wyoming and Delaware shell companies at UPS mailboxes. They then fill the /24s with freshly-registered 'nonsense' domains, tunnel into the server to hide their real location, and start the spamming. Usually almost every IP in the /24 has a spam cannon on it and a web page with just an 'unsubscribe' field.

They're the reason we created the CSS announced here: http://www.spamhaus.org/news.lasso?article=646

(please don't follow up to this post here on NANOG, as NANOG is not an appropriate forum for spam discussions)

Steve Linford
The Spamhaus Project
http://www.spamhaus.org
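The CSS Steve mentions is published as part of the Spamhaus ZEN zone, so any MTA or script that already does a DNSBL lookup picks it up by return code. The client below is an added example, not Spamhaus code and not from the thread: it builds the reversed-octet query name, decodes ZEN's documented 127.0.0.x answers (127.0.0.3 is the CSS), treats 127.255.255.x as a query error rather than a listing, refuses to query RFC 1918 and loopback space, and can sweep a whole block such as a customer's /24. The resolver is injected so the sample runs offline against a constructed answer table for 192.0.2.0/24; every listing in that table is made up.

```python
"""DNSBL client for the Spamhaus ZEN zone, which carries the CSS listings
mentioned above. Added example, not Spamhaus code; the resolver is injected
so it runs offline against a constructed answer table."""
import ipaddress
from collections import Counter
from typing import Callable, Dict, List

ZEN_ZONE = "zen.spamhaus.org"

# Documented ZEN return codes: a listed address answers with an A record in
# 127.0.0.0/8 whose last octet identifies the sub-list. 127.0.0.3 is the CSS.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS (snowshoe)",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# 127.255.255.x answers mean the query itself was refused (open resolver,
# query volume, malformed name) and must never be read as a listing.
ERROR_PREFIX = "127.255.255."

# Space that cannot legitimately be listed; querying it is a classic misconfiguration.
NEVER_QUERY = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], List[str]]  # name -> A records, [] when not found


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen..."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example queries ZEN by IPv4 address only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str, resolve: Resolver, zone: str = ZEN_ZONE) -> List[str]:
    """Return the sub-lists an address is on (empty list = not listed).
    Raises on a 127.255.255.x answer so a broken resolver setup is noticed
    instead of silently failing open."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in NEVER_QUERY):
        return []
    hits: List[str] = []
    for answer in resolve(dnsbl_name(ip, zone)):
        if answer.startswith(ERROR_PREFIX):
            raise RuntimeError(f"DNSBL query error {answer} for {ip}; fix the resolver, do not block")
        if answer.startswith("127.0.0."):
            hits.append(ZEN_CODES.get(answer, f"unknown ZEN code {answer}"))
    return hits


def sweep(cidr: str, resolve: Resolver) -> Dict[str, int]:
    """Count listings per sub-list across a block, e.g. a customer's /24."""
    tally: Counter = Counter()
    for addr in ipaddress.ip_network(cidr):
        for hit in lookup(str(addr), resolve):
            tally[hit] += 1
    return dict(tally)


# Constructed answer table standing in for the real zone. 192.0.2.0/24 is a
# documentation range; none of these listings are real.
FAKE_ZONE: Dict[str, List[str]] = {
    dnsbl_name("192.0.2.10"): ["127.0.0.3"],
    dnsbl_name("192.0.2.11"): ["127.0.0.3", "127.0.0.11"],
    dnsbl_name("192.0.2.77"): ["127.0.0.4"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


def live_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver (network access required)."""
    import socket
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "10.1.2.3"):
        print(ip, lookup(ip, fake_resolver) or "not listed")
    print(sweep("192.0.2.8/30", fake_resolver))
```

Swap `fake_resolver` for `live_resolver` to query the real zone. Spamhaus restricts free use of the public mirrors to low-volume queries through your own resolver, so a 127.255.255.x answer in practice usually means the lookups are going through a shared or open resolver and need a data-feed arrangement instead; the `RuntimeError` is there so that condition is not mistaken for "clean".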
participants (11)

- Eric Brunner-Williams
- Gadi Evron
- Jon Lewis
- Justin Shore
- Michael Peddemors
- Paul Ferguson
- Rich Kulawiec
- Russell Myba
- Steve Linford
- Suresh Ramasubramanian
- Truman Boyes