Attn MCI/UUNet - Massive abuse from your network
(apologies to NANOG for only quasi-operational content of this message - I only post this here due to the fact that I am sure it is a problem on many of your networks)

Attention UUNet,

Regarding your continued unabated spam support, when do you plan to address the *189* issues outlined in the Spamhaus SBL (http://www.spamhaus.org/sbl/listings.lasso -> ISPs in the United States -> MCI.com )?

Here's part of your AUP:

Email: Sending unsolicited mail messages, including, without limitation, commercial advertising and informational announcements, is explicitly prohibited. A user shall not use another site's mail server to relay mail without the express permission of the site.

What does your ethics department say about your blatant disregard for the internet in general and your complete and willful ignorance of your stated policies and procedures? Does UUNet *ever* plan on enforcing this AUP?

I can't help but notice that several of these spammers are career hard-line operations- including Eddy Marin, G-Force Marketing, and Atriks to name a few. Are these customers operating under some form of undisclosed "Special Customer Agreement" ( http://global.mci.com/publications/service_guide/s_c_a/)? If so, how much do they pay for their pink contract?

At this point I am just curious what the answers to these questions are. I have not (yet) widely blocklisted uunet, but if things don't change I fear such a measure may be the only way to stop the abuse spewing from your networks. Seeing such a large (and once-respected) network go as completely black-hat rogue as UUNet has is a sad thing.

Any reply at all would be most welcome.

~Ben
---
Ben Browning <benb@theriver.com>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER
http://www.theriver.com
On Mon, 21 Jun 2004, Ben Browning wrote:
(apologies to NANOG for only quasi-operational content of this message - I only post this here due to the fact that I am sure it is a problem on many of your networks)
curious, why did you not send this to the abuse@ alias? Did you include any logs or other relevant data about the problems you are reporting?
Attention UUNet,
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
curious, why did you not send this to the abuse@ alias?
I wanted it to get read.
Did you include any logs or other relevant data about the problems you are reporting?
These problems are systemic and internet-wide. I can likely drudge up a great many examples if someone from UUNet can assure me they will be read and acted on.

~Ben
---
Ben Browning <benb@theriver.com>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER
http://www.theriver.com
the ethics office doesn't need to see your complaints, they don't really deal with these anyway. On Mon, 21 Jun 2004, Ben Browning wrote:
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
curious, why did you not send this to the abuse@ alias?
I wanted it to get read.
messages to abuse@ do in fact get read...
Did you include any logs or other relevant data about the problems you are reporting?
These problems are systemic and internet-wide. I can likely drudge up a great many examples if someone from UUNet can assure me they will be read and acted on.
the best way to get abuse complaints handled is to in fact send them to the abuse@ alias (or wherever arin/ripe/apnic records point if that is somewhere other than abuse@) complaints in public forums generally just make you look kooky. please back to network operations discussions, thanks.
I am beginning to think there need to be two types of abuse reports.

One from individuals to their providers -- of the ilk: "This guy is spamming me!!". You have to accept these from your customers because they could be about you or someone else that you have the responsibility of forwarding on.

This is the controversial part of the proposal: You do not need to accept these from non-customers.

This is the improvement part: Another of the ilk from abuse desks (and certain individuals who have high enough clue factor) that is in an automatically parseable format. Maybe like a radb type format. It would be fairly trivial to handle the parsing. In the event of an attack [on your abuse desk], you can say no more than 1000 per day/hr from the same source --- this keeps your abuse desk from getting flooded. Known talkers can be exempted from rate limits. You have to accept a properly formatted one of these from everyone unless they are flooding you.

Obvious here is that if someone isn't going to respond to an abuse item, it doesn't matter what form you send it -- If you are Spamhaus or some other organization and you are going to blackhole them in their lack of response, you of course can still do this.

The idea here is that guys who are responsive don't need to read 800 complaints about the same matter that they are already handling and responsible complainers

The idea is that this type of approach, if adopted, will stream line abuse desks and allow them to have predictable manpower hours needed to resolve x number of complaints because you will not have to deal with one abuse item more than the once or twice needed. You will also not need personnel to categorize incoming messages as [spam to your abuse desk, spam complaints to your abuse desk that are valid, spam complaints to your abuse desk about someone else].

Flames in private mail please. What am I missing on this busy Monday afternoon?

Thanks,
DJ
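[Added example, not part of the original thread or of any poster's message: a sketch of the intake side of the parseable-report idea in the message above, with an "attribute: value" format loosely modelled on RADB objects, a per-reporter rate limit with an exemption list for known talkers, and merging of repeat complaints about the same matter. The attribute names, the AbuseIntake class and the sample report are assumptions made for illustration.]

```python
import ipaddress
from collections import defaultdict, deque

# Attribute names are assumptions for this sketch; the thread names no schema.
REQUIRED = ("reporter", "source-ip", "category", "observed")

# Constructed sample report (documentation address space, example domains).
SAMPLE = """\
reporter:   abuse@isp-a.example
source-ip:  192.0.2.10
category:   spam
observed:   2004-06-21T18:55:20-04:00
evidence:   Received: from unknown (192.0.2.10)
            by mx.isp-a.example
"""


def parse_report(text):
    """Parse one 'attribute: value' object; raise ValueError if malformed."""
    fields, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":  # continuation of the previous attribute
            if last is None:
                raise ValueError("continuation line before any attribute")
            fields[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep or not key.strip():
            raise ValueError("not an attribute line: %r" % raw)
        last = key.strip().lower()
        if last in fields:
            raise ValueError("duplicate attribute: " + last)
        fields[last] = value.strip()
    missing = [name for name in REQUIRED if not fields.get(name)]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    # Normalise the address so one host always maps to the same ticket.
    fields["source-ip"] = str(ipaddress.ip_address(fields["source-ip"]))
    return fields


class AbuseIntake:
    """Accept well-formed reports, cap each reporter, merge duplicates."""

    def __init__(self, limit=1000, window=86400, exempt=()):
        self.limit = limit            # accepted reports per window
        self.window = window          # window length in seconds
        self.exempt = set(exempt)     # "known talkers" skip the limit
        self.accepted = defaultdict(deque)  # reporter -> accept timestamps
        self.tickets = {}             # (source-ip, category) -> ticket

    def submit(self, text, now):
        try:
            report = parse_report(text)
        except ValueError as exc:
            return ("rejected", str(exc))
        # The reporter field is self-asserted here; a real desk would key
        # the limit on an authenticated sender instead.
        reporter = report["reporter"]
        if reporter not in self.exempt:
            stamps = self.accepted[reporter]
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()      # drop entries older than the window
            if len(stamps) >= self.limit:
                return ("rate-limited", reporter)
            stamps.append(now)
        key = (report["source-ip"], report["category"])
        ticket = self.tickets.get(key)
        if ticket is None:
            self.tickets[key] = {"count": 1, "reporters": {reporter}}
            return ("new-ticket", key)
        # Same matter already open: count it, do not queue it for a human.
        ticket["count"] += 1
        ticket["reporters"].add(reporter)
        return ("merged", key)
```

[Free-text complaints fail parse_report and come back as "rejected", which is where the customer-only free-text path described in the message would take over.]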
On Mon, Jun 21, 2004 at 05:21:15PM -0400, Deepak Jain wrote:
I am beginning to think there need to be two types of abuse reports.
I think you're speaking of INCH.

http://www.ietf.org/html.charters/inch-charter.html

the ability to hand reports back and forth btw providers like this is something that could be really cool..

- Jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
At 12:28 PM 6/21/2004, Christopher L. Morrow wrote:
the ethics office doesn't need to see your complaints, they don't really deal with these anyway.
I am quite sure that the ethics department does not deal with spam complaints. My complaint is that your stated policy is clearly not being followed. MCI is currently the Number 1 spam source on many lists- certainly, your overall size skews that figure somewhat, but the listings I see (on the SBL anyway, I do not have the many hours needed to read all the documentation SPEWS has to offer) have reports that are at least 6 months old and are still alive...

As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:

[me@host]$ telnet mail.emailtools.com 25
Trying 65.210.168.34...
Connected to mail.emailtools.com.
Escape character is '^]'.
220 mail.emailtools.com ESMTP Merak 5.1.5; Mon, 21 Jun 2004 18:55:20 -0400
quit
221 2.0.0 mail.emailtools.com closing connection
Connection closed by foreign host.
[me@host]$ whois `dnsip mail.emailtools.com`
UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1) 65.192.0.0 - 65.223.255.255
MTI SOFTWARE UU-65-210-168-32-D9 (NET-65-210-168-32-1) 65.210.168.32 - 65.210.168.39

I can furnish as many examples as needed of cases where UUNet has demonstrably ignored complaints. Alternately, you could go ask any major anti-spam community (NANAE for example) or entity (SpamCop, etc) how they feel your abuse@ response has been. If this sounds like a pain, I will gladly collect such stories and send them to whoever there can effect changes in these policies.
On Mon, 21 Jun 2004, Ben Browning wrote:
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
curious, why did you not send this to the abuse@ alias?
I wanted it to get read.
messages to abuse@ do in fact get read...
Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints. I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the 200ish SBL entries under MCI's name? Why else would emailtools.com (for example) still be around despite their wholesale raping of misconfigured proxies?

All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as of today? To whom does the anti-spam community turn when it becomes obvious a tier-1 provider is ignoring complaints?

If I am a kook and an idiot for wanting a cleaner internet, well then I guess I am a kook and an idiot.

~Ben
---
Ben Browning <benb@theriver.com>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER
http://www.theriver.com
On Mon, 21 Jun 2004, Ben Browning wrote:
At 12:28 PM 6/21/2004, Christopher L. Morrow wrote:
the ethics office doesn't need to see your complaints, they don't really deal with these anyway.
I am quite sure that the ethics department does not deal with spam complaints. My complaint is that your stated policy is clearly not being followed. MCI is currently the Number 1 spam source on many lists- certainly, your overall size skews that figure somewhat, but the listings I see (on the SBL anyway, I do not have the many hours needed to read all the documentation SPEWS has to offer) have reports that are at least 6 months old and are still alive...
The sbl lists quite a few /32 entries, while this is nice for blocking spam if you choose to use their RBL service I'm not sure it's a good measure of 'spamhaus size'. I'm not sure I know of a way to take this measurement, but given size and number of IPs that terminate inside AS701 there certainly are scope issues. All that said, I'm certainly not saying "spam is good", I also believe that over the last 4.5 years uunet's abuse group has done quite a few good things with respect to the main spammers.
As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:
[me@host]$ telnet mail.emailtools.com 25 Trying 65.210.168.34... Connected to mail.emailtools.com. Escape character is '^]'.
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them. I'm checking on the current status of their current home to see why we have either: 1) not gotten complaints about them, 2) have not made progress kicking them again.
On Mon, 21 Jun 2004, Ben Browning wrote:
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
curious, why did you not send this to the abuse@ alias?
I wanted it to get read.
messages to abuse@ do in fact get read...
Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints. I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the
This is not true, the action might not happen in the time you'd like, but there are actions being taken. I'd be the first to admit that the timelines are lengthy :( but part of that is the large company process, getting all the proper people to realize that this abuse is bad and the offenders need to be dealt with.
200ish SBL entries under MCI's name? Why else would emailtools.com(for example) still be around despite their wholesale raping of misconfigured proxies?
emailtools will be around in one form or another, all the owner must do is purchase 9$ virtual-hosting from some other poor ISP out there who needs the money... they may not even know who emailtools is, if that ISP is a uunet/mci customer then we'll have to deal with them as well, just like their current home. you must realize you can't just snap your fingers and make these things go away.
All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints
I believe you do get an answer, if not the auto-acks are off still from a previous mail flood ;( Please let me know if you are NOT getting ticket numbers back. They might be connected still if there were:
1) not enough info in the complaints to take action on them
2) not enough complaints to terminate the account, but working with the downstream to get the problem resolved
3) action is awaiting proper approvals.
There might be a few more steps things could be in, but in general all complaints that have proper/actionable info are dealt with.
are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
I think the answer is shifting winds in spammer homelands, I'll look through the list and see if we know about the problem children in the list and what we are doing about them.
If I am a kook and an idiot for wanting a cleaner internet, well then I guess I am a kook and an idiot.
not for that, just for taking this up in the wrong place... but people call me kooky too, so maybe I'm just skewed.
On Thu, 24 Jun 2004 03:05:41 +0000 (GMT), Christopher L. Morrow wrote:
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them.
This is too flagrant to let pass without comment.

This "endless loop" situation does NOT happen to every ISP, only to those who have not emplaced procedures to prevent serial signups of serial abusers. This is trivially easy to do and your firm's failure to do so and to enforce this rule on your contracting parties definitively proves your management's decision to profit from spam rather than to stop spam.

Jeffrey Race
----- Original Message ----- From: "Dr. Jeffrey Race" <jrace@attglobal.net> To: "Jeffrey Race" <jrace@attglobal.net> Cc: <nanog@merit.edu> Sent: Wednesday, June 23, 2004 11:20 PM Subject: Re: Attn MCI/UUNet - Massive abuse from your network
On Thu, 24 Jun 2004 03:05:41 +0000 (GMT), Christopher L. Morrow wrote:
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them.
This is too flagrant to let pass without comment.
not specifically in response to jeffrey, but may i suggest we &> /dev/{nanae,null} ? paul
Dr. Jeffrey Race wrote:
This "endless loop" situation does NOT happen to every ISP, only to those who have not emplaced procedures to prevent serial signups of serial abusers. This is trivially easy to do and your firm's failure to do so and to enforce this rule on your contracting parties definitively proves your management's decision to profit from spam rather than to stop spam.
I don't think "trivially easy" is the right word in this case. If this were someone doing hit and run dialup directly on UUnet I might agree. But here he's talking about a customer of a customer. How do you retroactively modify your contract to tell all your existing clients "don't do business with company X" or we'll terminate you (actually, such a contract term would probably run afoul of antitrust regs esp. for an entity as large as AS701). In general, policing the customer of a customer is not an easy thing. We were once sued by the French organization for the preservation of the name "Champagne". One of our clients was apparently hosting a domain for one of their clients named "champ-pagne.com" which was selling bottled water for dogs(!). But by the time we were served with the papers, the DNS had been moved away from our client. We had to go to court just to find out just why they were suing us to begin with since the paperwork didn't explicitly mention our client by name or IP.
On Wed, 23 Jun 2004 21:34:39 -0600, Mike Lewinski wrote:
How do you retroactively modify your contract to tell all your existing clients "don't do business with company X" or we'll terminate you
It is ALREADY in the contracts and TOS. Just has to be enforced.
(actually, such a contract term would probably run afoul of antitrust regs esp. for an entity as large as AS701).
Not at all. You can terminate for actions prejudicial to the safety and security of the system. Has nothing to do with anti-trust.
In general, policing the customer of a customer is not an easy thing.
Well it is an OBLIGATION so easy or hard (and lots of things in life are hard) it has to be done.
On Thu, 24 Jun 2004 15:22:02 +0700, "Dr. Jeffrey Race" <jrace@attglobal.net> said:
Not at all. You can terminate for actions prejudicial to the safety and security of the system. Has nothing to do with anti-trust.
I suspect that the spammer can find a lawyer who is willing to argue the idea that the "safety and security" of the AS701 backbone was not prejudiced by the spammer's actions, unless AS701 is able to show mtrg graphs and the like showing that the spammer was actually sending enough of a volume to swamp their core routers.... And of course, none of the Tier-1's wants to argue in court that one spammer is able to present enough of a load to jeopardize their network stability, when even large DDoS attacks usually aren't much of a blip except near the victim node...
At 11:16 AM 6/24/2004, Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jun 2004 15:22:02 +0700, "Dr. Jeffrey Race" <jrace@attglobal.net> said:
Not at all. You can terminate for actions prejudicial to the safety and security of the system. Has nothing to do with anti-trust.
I suspect that the spammer can find a lawyer who is willing to argue the idea that the "safety and security" of the AS701 backbone was not prejudiced by the spammer's actions, unless AS701 is able to show mtrg graphs and the like showing that the spammer was actually sending enough of a volume to swamp their core routers....
Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.

~Ben
---
Ben Browning <benb@theriver.com>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER
http://www.theriver.com
On Thu, 24 Jun 2004, Ben Browning wrote:
like showing that the spammer was actually sending enough of a volume to swamp their core routers....
Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.
you mean the phone companies we do business with?
At 02:36 PM 6/24/2004, Christopher L. Morrow wrote:
On Thu, 24 Jun 2004, Ben Browning wrote:
like showing that the spammer was actually sending enough of a volume to swamp their core routers....
Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.
you mean the phone companies we do business with?
No, I mean the internet. (Hence, ISPs). Your product, in the context of this discussion anyways, is access to the internet. When the actions of a downstream damage that product (IE more and more networks nullroute UUNet traffic), I would assume that you have appropriate privilege to toss them overboard in the contracts. IANAL, though.

~Ben
---
Ben Browning <benb@theriver.com>
The River Internet Access Co.
WA Operations Manager
1-877-88-RIVER
http://www.theriver.com
On Thu, 24 Jun 2004, Ben Browning wrote:
At 02:36 PM 6/24/2004, Christopher L. Morrow wrote:
On Thu, 24 Jun 2004, Ben Browning wrote:
like showing that the spammer was actually sending enough of a volume to swamp their core routers....
Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.
you mean the phone companies we do business with?
whoops, forgot my smilies :(
No, I mean the internet. (Hence, ISPs). Your product, in the context of this discussion anyways, is access to the internet. When the actions of a
I'm not sure that there are many who are wholesale null routing uunet ip space, if they do they might be causing their customers unnecessary outages.
downstream damage that product(IE more and more networks nullroute UUNet traffic), I would assume that you have appropriate privilege to toss them overboard in the contracts.
On Thu, 24 Jun 2004, Ben Browning wrote:
you mean the phone companies we do business with?
No, I mean the internet. (Hence, ISPs). Your product, in the context of this discussion anyways, is access to the internet. When the actions of a downstream damage that product(IE more and more networks nullroute UUNet traffic), I would assume that you have appropriate privilege to toss them overboard in the contracts.
I think you'll be hard pressed to find anyone running a real ISP who will null route any/all of UUNet. UUNet is a large organization, network wise, and people wise. The fact that they don't have people dedicated to jumping on customers who you consider to be spamming, should not be surprising nor expected.
On Thu, 24 Jun 2004 11:50:44 -0700, Ben Browning wrote:
Likewise, I imagine MCI could argue that the damage is to their core product; namely, the trust of other ISPs and their willingness to exchange traffic with MCI.
This was Earthlink's argument in the case I cited in <http://www.camblab.com/nugget/spam_03.pdf>: their connectivity was jeopardized by the spammer's activity. As far as I know they prevailed.

The point is, we have not seen MCI go down valiantly on the field of battle against the spammers in court or anywhere else. I proposed a complete open-and-shut legal case to MCI, with the perp's legal service address, and Neil Patel refused to take any action. The management's intention was clear: continue to profit rather than take the perps to court. All this talk about how difficult it would be blah blah blah is just a smokescreen for inaction

Jeffrey Race
First, I'd like to see this thread end, not due to the beatings, but due to the severity of the offtopic-ness of it :) BUT... see below.

On Thu, 24 Jun 2004 Valdis.Kletnieks@vt.edu wrote:
On Thu, 24 Jun 2004 15:22:02 +0700, "Dr. Jeffrey Race" <jrace@attglobal.net> said:
Not at all. You can terminate for actions prejudicial to the safety and security of the system. Has nothing to do with anti-trust.
I suspect that the spammer can find a lawyer who is willing to argue the idea that the "safety and security" of the AS701 backbone was not prejudiced by the spammer's actions, unless AS701 is able to show mtrg graphs and the like showing that the spammer was actually sending enough of a volume to swamp their core routers....
This is true. The 'security' or 'safety' of the backbone is not affected by:
1) portscanning by morons for openshares
2) spam mail sending
3) spam mail receiving
(at least not to my view, though I'm no lawyer, just a chemical engineer)

So, the issue of termination for this reason isn't really valid. Hence the off-topic-ness of this thread.

-Chris
On Thu, 24 Jun 2004 21:33:35 +0000 (GMT), Christopher L. Morrow wrote:
This is true. The 'security' or 'safety' of the backbone is not affected by:
1) portscanning by morons for openshares
2) spam mail sending
3) spam mail receiving
(at least not to my view, though I'm no lawyer, just a chemical engineer)
So, the issue of termination for this reason isn't really valid. Hence the off-topic-ness of this thread.
Compromise to connectivity due to harboring spammers is a security and safety issue by any reasonable definition. Being a vector for trojan horse mechanisms is a security issue.
On Thu, 24 Jun 2004 14:16:49 -0400, Valdis.Kletnieks@vt.edu wrote:
I suspect that the spammer can find a lawyer who is willing to argue the idea that the "safety and security" of the AS701 backbone was not prejudiced by the spammer's actions,
OK, let them sue. If you are against spam, you have to stand up in court and say so. Anyway all the spamming is now in violation of contracts. These people would come to court with 'dirty hands' in the term of art, and the court would not look favorably on any case they might try to make

Jeffrey Race
On Thu, 24 Jun 2004, Dr. Jeffrey Race wrote:
On Thu, 24 Jun 2004 03:05:41 +0000 (GMT), Christopher L. Morrow wrote:
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them.
This is too flagrant to let pass without comment.
This "endless loop" situation does NOT happen to every ISP, only to those who have not emplaced procedures to prevent serial signups of serial abusers. This is
Sorry, you mistook my statement, or I mis-spoke it such that you would misunderstand it :( So, the point I was trying to make I'll try again with an example: (situation not made up, parties made up)

1) spammer#12 signs up as a webhosting customer of Exodus who is a customer of As701
2) 701 gets complaints, notifies good customer Exodus who terms the spammer's website/box/blah
3) spammer#12 signs up with next 50$/month hosting site Abovenet off 1239
4) 1239 gets complaints notifies the good customer abovenet who terms the customer.
. . .
12) spammer#12 signs up with webhosting group rackspace who is a 701 customer
13) return to step 2

This process happens repeatedly, spammers know they can get about a month of time (or more, depending on upstreams and hosting providers in question) of life, either way it's just 50 bucks.... At all times, they are not customers of 1239, 701, whomever... they are a customer of a customer. So, 701 or 1239 never know who the downstream is, in the particular case of emailtools.com this is the case... Or, that's what seems to have happened since they were a customer of some NYC based customer 4 years ago, and are now a customer of some TPA based customer now.
trivially easy to do and your firm's failure to do so and to enforce this rule on your contracting parties definitively proves your management's decision to profit from spam rather than to stop spam.
I'd also point out something that any provider will tell you: "Spammers never pay their bills." This is, in fact (for you nanae watchers), the reason that most of them get canceled by us FASTER... Sadly, non-payment is often a quicker and easier method to term a customer than 'abuse', less checks since there is no 'perceived revenue' :(

-Chris
Chris why do you give me such easy ones? :)

This situation has been known for years and it is I repeat trivially easy to solve.

1-There are relatively small numbers of serious spammers and of ISPs.

2-In your contract you require all your customers to know the true identities of their customers (if juridical entities, their officers and directors) and to impose this requirement on every subcontract. ISP violators will be terminated immediately.

3-The end-user contract must state that spamming is forbidden; there are penalties for infraction, notionally $500 for the first offense, $5,000 for the next, $50,000 for the third, AT WHATEVER CARRIER IN THE SYSTEMWIDE DATABASE. The end-user must provide a validated credit card. Customer agrees that violation will result in immediate termination with prejudice which will be logged in a system-wide shared database.

4-No applicant can be accepted without first checking this database and ROKSO.

Violation of such a contract is not just a civil matter resulting in penalties (charged against the credit card which affects the applicant's credit history). It is also the criminal offense of "fraud in the inducement" because the perp signed the agreement with the prior intention to violate it.

Therefore when your downstream terminates a perp, they enter him (by real name) in the system-wide database, collect the penalty, and file a police report and have him criminally prosecuted. If they refuse, you terminate the downstream.

Poof! MCI spam problem goes away in 30 days.

I went through all this with your counsel Neil Patel. Your company refused to do anything, because it wanted to continue to profit from spam. The adventure continues.

Chris--nothing personal. It's just business. These are the facts. Lots of companies have procedures like this in place which is why they don't have spam problems.

Jeffrey Race

On Thu, 24 Jun 2004 06:34:25 +0000 (GMT), Christopher L. Morrow wrote:
On Thu, 24 Jun 2004, Dr. Jeffrey Race wrote:
On Thu, 24 Jun 2004 03:05:41 +0000 (GMT), Christopher L. Morrow wrote:
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them.
This is too flagrant to let pass without comment.
This "endless loop" situation does NOT happen to every ISP, only to those who have not emplaced procedures to prevent serial signups of serial abusers. This is
Sorry, you mistook my statement, or I mis-spoke it such that you would misunderstand it :( So, the point I was trying to make I'll try again with an example: (situation not made up, parties made up)
1) spammer#12 signs up as a webhosting customer of Exodus who is a customer of As701
2) 701 gets complaints, notifies good customer Exodus who terms the spammer's website/box/blah
3) spammer#12 signs up with next 50$/month hosting site Abovenet off 1239
4) 1239 gets complaints notifies the good customer abovenet who terms the customer.
. . .
12) spammer#12 signs up with webhosting group rackspace who is a 701 customer
13) return to step 2
This process happens repeatedly, spammers know they can get about a month of time (or more, depending on upstreams and hosting providers in question) of life, either way it's just 50 bucks.... At all times, they are not customers of 1239, 701, whomever... they are a customer of a customer. So, 701 or 1239 never know who the downstream is, in the particular case of emailtools.com this is the case... Or, that's what seems to have happened since they were a customer of some NYC based customer 4 years ago, and are now a customer of some TPA based customer now.
trivially easy to do and your firm's failure to do so and to enforce this rule on your contracting parties definitively proves your management's decision to profit from spam rather than to stop spam.
I'd also point out something that any provider will tell you: "Spammers never pay their bills." This is, in fact (for you nanae watchers), the reason that most of them get canceled by us FASTER... Sadly, non-payment is often a quicker and easier method to term a customer than 'abuse', less checks since there is no 'perceived revenue' :(
I must have missed the signpost reading NANAE at the last curve, but while we're off topic... Previously, Christopher L. Morrow (christopher.morrow@mci.com) wrote:
I'd also point out something that any provider will tell you: "Spammers never pay their bills." This is, in fact (for you nanae watchers), the reason that most of them get canceled by us FASTER... Sadly, non-payment is often a quicker and easier method to term a customer than 'abuse', less checks since there is no 'perceived revenue' :(
I've got to agree with Chris here... Spammers never pay their bills. I've heard for years about how NSPs were getting rich off of spam, but I've never seen one do it... What I have seen is spammers sign outrageous contracts for large volumes of bandwidth creating this fictional revenue stream that Chris refers to which makes it so difficult to term them.

"Oh come on, they're paying $20k / mo., we can't just shut them off because of x complaints." (x = 3, 6, 20, 2000 ... depends on who you're talking to.) "Besides, they told me it's not really spam, it's all opt-in and the folks are just confused that they opted in at one point. They said they'll provide records..." yada yada.

Of course, after being 30 days out on their bill, it was a heck of a lot easier to wave the abuse flag. Of course, most of us already know rule #1... spammers lie. Getting a commission based sales organization to understand that is another story.

(I might add as a personal aside, managing the abuse team is the most unglamorous, dirty, annoying position anyone can have. Dealing with scumbag customers on one hand, fighting with executive on the other. Worst year of my life.)

Previously, Dr. Jeffrey Race (jrace@attglobal.net) wrote:
This situation has been known for years and it is I repeat trivially easy to solve.
[Long process involving sharing customer information between potential competitors/downstream customers and their upstream providers, a database network to maintain, and a service agreement that provides for penalties that are unenforceable and highly unlikely to survive arbitration or a judicial hearing....]
Violation of such a contract is not just a civil matter resulting in penalties (charged against the credit card which affects the applicant's credit history). It is also the criminal offense of "fraud in the inducement" because the perp signed the agreement with the prior intention to violate it.
Therefore when your downstream terminates a perp, they enter him (by real name) in the system-wide database, collect the penalty, and file a police report and have him criminally prosecuted. If they refuse, you terminate the downstream.
*snicker* Is this the point where the pigs fly out of my fundament, or does that come later? Exactly who is going to carry out this prosecution... looks to me more like a dispute over a civil contract. Perhaps you can fund that legal action with the penalty you're going to collect.... oh wait, that credit card charge was contested. Hmmm, let's just be glad they went away.
Poof! MCI spam problem goes away in 30 days.
Except, said spammers re-incorporate in Florida under yet another name with some new cronies listed as officers and sign up for service from other unsuspecting customers downstream of AS701. Rinse. Repeat.
Chris--nothing personal. It's just business. These are the facts. Lots of companies have procedures like this in place which is why they don't have spam problems.
*laugh* Who, Jeffrey? I'll be interested to see how many large scale national and international NSPs have the procedures you describe in place... I mean, I'm sure the folks at Uncle Bob's Inturnet in Grove City, PA have time to research all 3 of their T1 customers. Most people on this list deal with a slightly larger scale of customer base... -doug
"Dr. Jeffrey Race" <jrace@attglobal.net> writes:
Poof! MCI spam problem goes away in 30 days.
http://www.rhyolite.com/anti-spam/you-might-be.html I think the discussion is over. ---Rob
Is it possible for some people to chime in on backbone scaling issues that have a linksys cable modem "router" to test on? On Thu, 24 Jun 2004, Robert E. Seastrom wrote:
"Dr. Jeffrey Race" <jrace@attglobal.net> writes:
Poof! MCI spam problem goes away in 30 days.
http://www.rhyolite.com/anti-spam/you-might-be.html
I think the discussion is over.
---Rob
On 24 Jun 2004 09:26:15 -0400, Robert E. Seastrom wrote:
"Dr. Jeffrey Race" <jrace@attglobal.net> writes:
Poof! MCI spam problem goes away in 30 days.
http://www.rhyolite.com/anti-spam/you-might-be.html
I think the discussion is over.
Ha ha ha! Well the FACT is that lots of firms have cleaned up their networks after management or policy changes. We see this all the time on Spam-L. It shows up quickly in the numbers when there is a management decision. Jeffrey Race
----- Original Message ----- From: "Dr. Jeffrey Race" <jrace@attglobal.net> To: "Robert E. Seastrom" <rs@seastrom.com> Cc: "Christopher L. Morrow" <christopher.morrow@mci.com>; <nanog@merit.edu> Sent: Thursday, June 24, 2004 9:59 AM Subject: Re: Attn MCI/UUNet - Massive abuse from your network
On 24 Jun 2004 09:26:15 -0400, Robert E. Seastrom wrote:
"Dr. Jeffrey Race" <jrace@attglobal.net> writes:
-- snip --
We see this all the time on Spam-L. It shows up quickly in the numbers when there is a management decision.
perhaps we can move this discussion there, then? paul
This process happens repeatedly, spammers know they can get about a month of time (or more, depending on upstreams and hosting providers in question) of life, either way it's just 50 bucks....
forgive my question, but why does it take a month? If you had a bad route causing an outage for the spammer, would it take a month for the involved ISPs to fix that? Geo.
On Thu, 24 Jun 2004, George Roettger wrote:
This process happens repeatedly, spammers know they can get about a month of time (or more, depending on upstreams and hosting providers in question) of life, either way it's just 50 bucks....
forgive my question, but why does it take a month? If you had a bad route causing an outage for the spammer, would it take a month for the involved ISPs to fix that?
spammer comes, starts work, spams, complaints arrive, downstream customer is notified of 'problem', they get their 3 strikes to deal with said problem, then the ip is null routed. Sometimes it's a month, sometimes less. It's situationally dependent :( I picked a round number because saying: "Spammers get 9.759 days on average per webhosting adventure" is cumbersome.
At 11:34 PM 6/23/2004, Christopher L. Morrow wrote:
I'd also point out something that any provider will tell you: "Spammers never pay their bills."
Yes, but this is not a problem for a large carrier, as the people that receive it sure do. In other words, the money you lose on the spammer is subsidized by all the people that pay you to receive it.
This is, in fact (for you nanae watchers), the reason that most of them get canceled by us FASTER... Sadly, non-payment is often a quicker and easier method to term a customer than 'abuse', less checks since there is no 'perceived revenue' :(
A revenue check has no place in abuse terminations. --- Ben Browning <benb@theriver.com> The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
On Thu, 24 Jun 2004, Ben Browning wrote:
At 11:34 PM 6/23/2004, Christopher L. Morrow wrote:
I'd also point out something that any provider will tell you: "Spammers never pay their bills."
Yes, but this is not a problem for a large carrier, as the people that receive it sure do. In other words, the money you lose on the spammer is subsidized by all the people that pay you to receive it.
this is not entirely true, a majority of these far-end customers are paying the same price regardless of utilization. Even the utilization charged customers are not having their 95th Percentile changed because of spam, or that'd be my guess. In the end there is no money for mci from spammers. -chris
----- Original Message ----- From: "Christopher L. Morrow" <christopher.morrow@mci.com> To: "Ben Browning" <benb@theriver.com> Cc: "Dr. Jeffrey Race" <jrace@attglobal.net>; <nanog@merit.edu> Sent: Thursday, June 24, 2004 5:55 PM Subject: Re: Attn MCI/UUNet - Massive abuse from your network --- snipped ---
this is not entirely true, a majority of these far-end customers are paying the same price regardless of utilization. Even the utilization charged customers are not having their 95th Percentile changed because of spam, or that'd be my guess. In the end there is no money for mci from spammers.
agreed, in the majority of the cases. on the other hand, implementing the FUSSP jrace proposed would cost mci (or any other carrier) revenue as they would be seen as frothing-at-the-mouth fanatics that present a business risk when used for upstream transit even for folks that run clean networks and deal with abuse complaints properly. and yes, it's time for this thread to die. paul
On Thu, 24 Jun 2004, Ben Browning wrote:
This is, in fact (for you nanae watchers), the reason that most of them get canceled by us FASTER... Sadly, non-payment is often a quicker and easier method to term a customer than 'abuse', less checks since there is no 'perceived revenue' :(
A revenue check has no place in abuse terminations.
That would be nice, but this is the real world. We (presumably technical people) don't get to make all of the choices in life. If we did, things might be a lot better, but then again maybe only 10-15% of us would still be employed :)
chris has been answering a lot of complaintage here today. here's my omnibus:
... 2) 701 gets complaints, notifies good customer Exodus who terms the ... 13) return to step 2
This process happens repeatedly, spammers know they can get about a month of time (or more, depending on upstreams and hosting providers in question) ...
so, normal business case or risk analysis would seem to have led uunet to put procedures in place that would try to break this loop. for example, if a complaint indicated that a known spammer was back downstream of as701 but through a different customer of yours, you'd null-route their cidr block BEFORE "notifying good customer who terminates". all you have to do to break this kind of loop is make it less profitable, or more expensive, for the person who is presently benefitting from your lack of procedures. you don't have to stop the spam, merely reverse the shifting of costs. but that presumes it's costing you more than you're making from it, which is probably a very difficult business case to make to upper management. by the lack of ordinary cost control and risk analysis, your management team shows their true colours.
The 'security' or 'safety' of the backbone is not affected by:
1) portscanning by morons for openshares 2) spam mail sending 3) spam mail receiving ... So, the issue of termination for this reason isn't really valid. Hence the off-topic-ness of this thread.
what about 4) using receiver-side blackholes to make up for lack of sender-side policy you can terminate the thread, but the fact that you and sean aren't willing to disco spewing endsystems is leading to intentional internet instability, and that means sooner or later, this thread will be back, just like always. -- Paul Vixie
[Thu, Jun 24, 2004 at 10:20:33AM +0700] Dr. Jeffrey Race Inscribed these words...
On Thu, 24 Jun 2004 03:05:41 +0000 (GMT), Christopher L. Morrow wrote:
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them.
This is too flagrant to let pass without comment.
This "endless loop" situation does NOT happen to every ISP, only to those who have not emplaced procedures to prevent serial signups of serial abusers. This is trivially easy to do and your firm's failure to do so and to enforce this rule on your contracting parties definitively proves your management's decision to profit from spam rather than to stop spam.
I think you may be missing a major point. UUNET/MCI provides dedicated internet services to so many downstreams that it is impossible to stop spammers from signing up to those downstreams. Preventing spammers from signing up for UUNET/MCI services is, yes, trivial. Preventing spammers from signing up on a downstream of a downstream of a downstream etc is impossible.
Jeffrey Race
-- Stephen (routerg) irc.dks.ca
On Thu, 24 Jun 2004 09:20:30 -0400, Stephen Perciballi wrote:
I think you may be missing a major point. UUNET/MCI provides dedicated internet services to so many downstreams that it is impossible to stop spammers from signing up to those downstreams. Preventing spammers from signing up for UUNET/MCI services is, yes, trivial. Preventing spammers from signing up on a downstream of a downstream of a downstream etc is impossible.
With this procedure (please re-read it carefully, everyone in the entire contractual chain is bound) they can sign up ONCE. After that they go in the common database. It is the same way credit reporting works: you mess up, you get no credit. Come on guys, you are all smart engineers. This is not rocket science.
Jeffrey Race
It is the same way credit reporting works: you mess up, you get no credit.
Come on guys, you are all smart engineers. This is not rocket science.
If anyone really cared about SPAM, then the credit reporting companies would already be collecting information about SPAMmers and network operators would pay them for that info when they sign up new customers. But most people are happy with things the way they are. They love SPAM because it gives them something to complain about and get emotional about. Personally, I find SPAM to be a minor annoyance. I just delete the dozen or so messages a day that make their way through the SPAM filter. But what concerns me far more than SPAM is the fundamental insecurity of the email system which makes it impossible to trust the source of any email message unless you have some prior knowledge of the sender. Back in the old days, at least we had alternatives like Compuserve and MCI-Mail. Now there is only one email system and it is rotten at the core. If we would fix that then most of the time, SPAM would be a minor annoyance like graffiti or vandalism is in the real world. As it currently stands, SPAM is like terrorism circa 1999, i.e. it's escalating and you ain't seen nuthin' yet...
--Michael Dillon
--On Thursday, June 24, 2004 3:25 PM +0100 Michael.Dillon@radianz.com wrote:
If anyone really cared about SPAM, then the credit reporting companies would already be collecting information about SPAMmers
Why would the credit reporting companies care about my choice of tasty luncheon meat? ITYM spam, and spam-l is still two folders ---> thatta way
On Thu, 24 Jun 2004 Michael.Dillon@radianz.com wrote:
But most people are happy with things the way they are. They love SPAM because it gives them something to complain about and get emotional about.
I unfortunately have to agree there. There's a large portion of the internet who has nothing better to do than sit around and do essentially nothing. Be it IRC, read email, spam, complain about spam, complain about hijacked netblocks, complain about how slow their dialup is, complain about how slow their cablemodem is, complain about how slow their computer is, etc... Spammers and Spamcomplainers belong to each other, eventually they'll get their own private intarweb, and they can torment each other directly :)
spamhaus has gotten too aggressive. It's now preventing too much legitimate email.
Curtis -- Curtis Maurand mailto:curtis@maurand.com http://www.maurand.com
On Thu, 24 Jun 2004, Christopher L. Morrow wrote:
On Mon, 21 Jun 2004, Ben Browning wrote:
At 12:28 PM 6/21/2004, Christopher L. Morrow wrote:
the ethics office doesn't need to see your complaints, they don't really deal with these anyway.
I am quite sure that the ethics department does not deal with spam complaints. My complaint is that your stated policy is clearly not being followed. MCI is currently the Number 1 spam source on many lists- certainly, your overall size skews that figure somewhat, but the listings I see (on the SBL anyway, I do not have the many hours needed to read all the documentation SPEWS has to offer) have reports that are at least 6 months old and are still alive...
The sbl lists quite a few /32 entries, while this is nice for blocking spam if you choose to use their RBL service I'm not sure it's a good measure of 'spamhaus size'. I'm not sure I know of a way to take this measurement, but given size and number of IPs that terminate inside AS701 there certainly are scope issues.
All that said, I'm certainly not saying "spam is good", I also believe that over the last 4.5 years uunet's abuse group has done quite a few good things with respect to the main spammers.
As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:
[me@host]$ telnet mail.emailtools.com 25 Trying 65.210.168.34... Connected to mail.emailtools.com. Escape character is '^]'.
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them. I'm checking on the current status of their current home to see why we have either: 1) not gotten complaints about them, 2) have not made progress kicking them again.
On Mon, 21 Jun 2004, Ben Browning wrote:
At 11:42 AM 6/21/2004, Christopher L. Morrow wrote:
curious, why did you not send this to the abuse@ alias?
I wanted it to get read.
messages to abuse@ do in fact get read...
Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints. I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the
This is not true, the action might not happen in the time you'd like, but there are actions being taken. I'd be the first to admit that the timelines are lengthy :( but part of that is the large company process, getting all the proper people to realize that this abuse is bad and the offenders need to be dealt with.
200ish SBL entries under MCI's name? Why else would emailtools.com(for example) still be around despite their wholesale raping of misconfigured proxies?
emailtools will be around in one form or another, all the owner must do is purchase 9$ virtual-hosting from some other poor ISP out there who needs the money... they may not even know who emailtools is, if that ISP is a uunet/mci customer then we'll have to deal with them as well, just like their current home. you must realize you can't just snap your fingers and make these things go away.
All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints
I believe you do get an answer, if not the auto-acks are off still from a previous mail flood ;( Please let me know if you are NOT getting ticket numbers back. They might be connected still if there were: 1) not enough info in the complaints to take action on them 2) not enough complaints to terminate the account, but working with the downstream to get the problem resolved 3) action is awaiting proper approvals.
There might be a few more steps things could be in, but in general all complaints that have proper/actionable info are dealt with.
are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
I think the answer is shifting winds in spammer homelands, I'll look through the list and see if we know about the problem children in the list and what we are doing about them.
If I am a kook and an idiot for wanting a cleaner internet, well then I guess I am a kook and an idiot.
not for that, just for taking this up in the wrong place... but people call me kooky too, so maybe I'm just skewed.
spamhaus has gotten too aggressive. It's now preventing too much legitimate email.
Spammers have gotten too aggressive. If you don't filter you would not see any legitimate email.
a couple of days before my primary email server crashed, so i configured a backup machine. the backup machine does not have spam filtering database at first. i managed to install bogofilter, but anyways, it became apparent that i get 50+ Mbytes of spams per day. what a waste of electrons! we need to conserve electrons!! itojun
spamhaus has gotten too aggressive. It's now preventing too much legitimate email.
that's funny, really funny. s/spamhaus/maps/ or s/spamhaus/sorbs/ or indeed look at any receiver-side filtering mechanism that gets a little traction, and sooner or later folks will say it's too aggressive and prevents too much legitimate e-mail. "the internet" as a disintermediator is going to cause more things like maps and spamhaus and sorbs to be created and to become successful/effective over time. the only way to remain a successful sender of e-mail is to find a way to thread all of those needles at once, plus new ones that come along later. same thing for anti-spam features of common MTA's. once in a while someone can't get e-mail to me because they don't have a DNS-PTR or DNS-MX, or because their SMTP-HELO doesn't match their DNS-PTR, and they complain, quite rightly, that RFC821 doesn't require them to do it and that i'm in violation of the protocol by rejecting their e-mail. i usually respond by telling them my fax number. they usually respond by changing their DNS or SMTP configuration to conform to my violations of the protocol. lather, rinse, repeat. somebody told me the other day that we couldn't implement graylisting here because a lot of mail relays wouldn't retry for way too long, or would retry too quickly, or would retry from a different ip address each time, or etc. i said "our fax number is on the web page, so senders will have recourse." spam is fundamentally an exercise in unilateral cost shifting, by advertisers toward eyeballs, with all kinds of middlemen. to cope with this, these costs are going to have to be shifted elsewhere. it would be loverly to shift them back toward advertisers, with fines and lawsuits and lost connectivity and increased transit disconnection/reconnection fees, but that's not working. (compare the u.s. federal anti-spam law with california's to see what i mean.) so, the costs are being shifted toward legitimate e-mail senders. oh well. 
if somebody can't reach you because they don't know how to thread the needle, then send them your fax number or postal address. getting legitimate e-mail has to become the sender's problem, because receiver costs are too high now. i'm not preaching that this should be so; i'm explaining that it's become so. it's like with chris and sean not being able to disco their spewing endsystems: just because the source-provider or transit-provider doesn't make connectivity less available to these spewers, doesn't mean it won't become less available. all it does is change who does it, and it usually ends up getting done by folks whose tools aren't as sharp as the (source|transit)-provider's. it's a very twisted variation on "you broke it, you bought it."
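The receiver-side checks the message above mentions (a missing DNS-PTR, an SMTP-HELO that does not match the PTR, and greylisting with the retry behaviours said to defeat it), as an added example that is not part of the original thread. The thresholds, addresses and host names are constructed assumptions, and reverse-DNS results are passed in as data so the code runs offline.

```python
"""Receiver-side SMTP policy sketch: PTR/HELO checks, then greylisting.
Every threshold, address and host name below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

MIN_RETRY_DELAY = 300         # assumed: a retry within 5 minutes stays deferred
MAX_RETRY_WINDOW = 4 * 3600   # assumed: a first-seen record expires after 4 hours


@dataclass
class Connection:
    client_ip: str
    helo: str
    ptr: Optional[str]        # reverse-DNS name for client_ip, None if absent
    mail_from: str
    rcpt_to: str
    timestamp: int            # seconds on an arbitrary clock


def dns_policy(conn):
    """Reject when the client has no PTR or its HELO name differs from it."""
    if conn.ptr is None:
        return "550 no DNS-PTR for client address"
    if conn.helo.rstrip(".").lower() != conn.ptr.rstrip(".").lower():
        return "550 SMTP-HELO does not match DNS-PTR"
    return None


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def check(self, conn):
        # Greylisting keys on the (client IP, sender, recipient) triplet.
        key = (conn.client_ip, conn.mail_from.lower(), conn.rcpt_to.lower())
        if key in self.passed:
            return "250 ok (known triplet)"
        seen = self.first_seen.get(key)
        if seen is None or conn.timestamp - seen > MAX_RETRY_WINDOW:
            # New triplet, or the earlier attempt is too old to count.
            self.first_seen[key] = conn.timestamp
            return "451 greylisted, try again later"
        if conn.timestamp - seen < MIN_RETRY_DELAY:
            return "451 greylisted, retried too soon"
        self.passed.add(key)
        return "250 ok (retry accepted)"


def decide(conn, greylist):
    """Hard DNS rejections first; otherwise the greylist verdict."""
    return dns_policy(conn) or greylist.check(conn)


def run_scenarios():
    """Replay constructed senders, one per failure mode named in the message."""
    gl = Greylist()

    def attempt(ip, host, t, ptr="same"):
        ptr = host if ptr == "same" else ptr
        conn = Connection(ip, host, ptr, "a@sender.example", "b@rcpt.example", t)
        return decide(conn, gl)

    return {
        # Retries from the same address after 15 minutes: accepted.
        "well_behaved": [attempt("192.0.2.10", "mx.good.example", t)
                         for t in (0, 900, 1000)],
        # Retries after 60 seconds: still deferred.
        "too_quick": [attempt("192.0.2.20", "mx.fast.example", t)
                      for t in (0, 60)],
        # Retries after 5 hours: the record expired, so it starts over.
        "too_slow": [attempt("192.0.2.30", "mx.slow.example", t)
                     for t in (0, 5 * 3600)],
        # Each retry leaves from a different pool address: always a new triplet.
        "rotating_ip": [attempt(f"198.51.100.{n}", f"out{n}.pool.example", n * 900)
                        for n in (1, 2, 3)],
        "no_ptr": [attempt("203.0.113.5", "mail.noptr.example", 0, ptr=None)],
        "helo_mismatch": [attempt("203.0.113.6", "localhost", 0,
                                  ptr="dsl-6.isp.example")],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:14s} {verdicts}")
```
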
Chris, To start off, thank you for taking this issue seriously and investigating it. At 08:05 PM 6/23/2004, Christopher L. Morrow wrote:
The sbl lists quite a few /32 entries, while this is nice for blocking spam if you choose to use their RBL service I'm not sure it's a good measure of 'spamhaus size'. I'm not sure I know of a way to take this measurement, but given size and number of IPs that terminate inside AS701 there certainly are scope issues.
Netmasks aside, a spammer is a spammer. One spammer sending 100,000 emails from 4 machines is functionally equivalent to one sending 100,000 from 1 machine.
All that said, I'm certainly not saying "spam is good", I also believe that over the last 4.5 years uunet's abuse group has done quite a few good things with respect to the main spammers.
That's possible, I suppose, but the view from outside sees only the bad(and there's plenty).
As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:
[me@host]$ telnet mail.emailtools.com 25 Trying 65.210.168.34... Connected to mail.emailtools.com. Escape character is '^]'.
Sure, customer of a customer we got emailtools.com kicked from their original 'home' now they've moved off (probably several times since 2000) to another customer. This happens to every ISP, each time they appear we start the process to disconnect them. I'm checking on the current status of their current home to see why we have either: 1) not gotten complaints about them, 2) have not made progress kicking them again.
Excellent! I (and I am sure the rest of the antispam community) will be looking forward to hearing how all this pans out, and I am very glad I could bring some of this to your attention.
On Mon, 21 Jun 2004, Ben Browning wrote: Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints. I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the
This is not true, the action might not happen in the time you'd like, but there are actions being taken. I'd be the first to admit that the timelines are lengthy :( but part of that is the large company process, getting all the proper people to realize that this abuse is bad and the offenders need to be dealt with.
A lengthy timeline for action to be taken, from the viewpoint of the attacked, is indistinguishable from tacit approval of the attacks. I don't imagine MCI has a lengthy timeline when replying to sales email or billing issues.
200ish SBL entries under MCI's name? Why else would emailtools.com(for example) still be around despite their wholesale raping of misconfigured proxies?
emailtools will be around in one form or another, all the owner must do is purchase 9$ virtual-hosting from some other poor ISP out there who needs the money... they may not even know who emailtools is, if that ISP is a uunet/mci customer then we'll have to deal with them as well, just like their current home. you must realize you can't just snap your fingers and make these things go away.
Omaha Steaks has been there for 3+ weeks (since being added to the SBL). Scott Richter has likewise been spamming from there for a month. Do you need a permission slip to terminate him? Does it take a month to get one? I can snap my fingers many times in a month! According to ARIN records, both of these are swipped space only one step below yours(IE not a customer-of-a-customer). It's nice to say "Oh well they move around and we can't stop them", but the point is that if they got terminated in a timely fashion (measured in hours or days at the most, *not* weeks and months) they would not keep moving around on your network; they would find another one to abuse instead. As it stands, they get a month to spam, then they have to move- that's pink gold in spammerland.
All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints
I believe you do get an answer, if not the auto-acks are off still from a previous mail flood ;(
An auto-ack is not an answer.
Please let me know if you are NOT getting ticket numbers back. They might be connected still if there were: 1) not enough info in the complaints to take action on them
I've never been asked to furnish more info.
2) not enough complaints to terminate the account, but working with the downstream to get the problem resolved
I've never been looped into this process either. What is the window you guys give your downstreams for ceasing such activities?
3) action is awaiting proper approvals.
What's the timeframe on these approvals happening? Do you need such approvals in the event of a DDOS or other abuse?
are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as
I think the answer is shifting winds in spammer homelands, I'll look through the list and see if we know about the problem children in the list and what we are doing about them.
Yes, they are drifting towards bulletproof hosting. MCI has a very wide reputation as being spam-friendly.
If I am a kook and an idiot for wanting a cleaner internet, well then I guess I am a kook and an idiot.
not for that, just for taking this up in the wrong place... but people call me kooky too, so maybe I'm just skewed.
What exactly makes NANOG the wrong place for this, given that MCI is mute in the more appropriate forum(news.admin.net-abuse.email)? --- Ben Browning <benb@theriver.com> The River Internet Access Co. WA Operations Manager 1-877-88-RIVER http://www.theriver.com
Ben Browning said:
<snip>
A lengthy timeline for action to be taken, from the viewpoint of the attacked, is indistinguishable from tacit approval of the attacks. I don't imagine MCI has a lengthy timeline when replying to sales email or billing issues.
You ARE kidding, right? -- Grant A. Kirkwood - grant(at)tnarg.org Fingerprint = D337 48C4 4D00 232D 3444 1D5D 27F6 055A BF0C 4AED
On Thu, 24 Jun 2004, Grant A. Kirkwood wrote:
Ben Browning said:
<snip>
A lengthy timeline for action to be taken, from the viewpoint of the attacked, is indistinguishable from tacit approval of the attacks. I don't imagine MCI has a lengthy timeline when replying to sales email or billing issues.
You ARE kidding, right?
Sorry, I'll reply to ben's message part here: "Actually getting sales involved is a timely process from my perspective :( I used to know a sales person I could count on, he got RIF'd so now finding someone to help a customer that needs an upgrade is a very difficult task." Keep in mind, this is a very large corporation, Abuse/Security is in an entirely different arm of the beast than the Sales/marketing folks :( Affecting change from either direction is often times 'challenging'. -Chris
On Mon, 21 Jun 2004 19:28:07 +0000 (GMT), Christopher L. Morrow wrote:
Did you include any logs or other relevant data about the problems you are reporting? These problems are systemic and internet-wide. I can likely drudge up a great many examples if someone from UUNet can assure me they will be read and acted on. the best way to get abuse complaints handled is to in fact send them to the abuse@
Messages are read and ignored. I went through the complete process all the way up to the staff attorney in charge of this matter. The firm ran then (see article cited in previous post) on the Environmental Polluter business model (externalize the costs, internalize the revenue) and clearly still does. It is a policy decision of senior management. This is why they are always high up in the list of internet scum enablers. Ben, that is your answer. Wish I had better news for you. It will go on this way until the management persons responsible for this continuing fraud upon us are led away in handcuffs just as were those members of this firm who were responsible for the (similar) financial frauds. Chris, if a massively insecure network by management choice is not an operational issue for the victims, what is? Jeffrey Race
On Mon, 21 Jun 2004 11:09:05 -0700, Ben Browning wrote:
At this point I am just curious what the answers to these questions are. I have not (yet) widely blocklisted uunet, but if things don't change I fear such a measure may be the only way to stop the abuse spewing from your networks. Seeing such a large (and once-respected) network go as completely black-hat rogue as UUNet has is a sad thing.
Any reply at all would be most welcome.
For my own amusing experience with this spam enabler, see <http://www.camblab.com/nugget/spam_03.pdf> You will find the answer to your questions Jeffrey Race
participants (23)
- Ben Browning
- Brian W. Gemberling
- Christopher L. Morrow
- Curtis Maurand
- Deepak Jain
- Doug Dever
- Dr. Jeffrey Race
- George Roettger
- Grant A. Kirkwood
- itojun@itojun.org
- Jared Mauch
- John Payne
- Michael.Dillon@radianz.com
- Mike Lewinski
- Paul G
- Paul Vixie
- Petri Helenius
- Randy Bush
- Robert E. Seastrom
- Stephen Perciballi
- Tom (UnitedLayer)
- Valdis.Kletnieks@vt.edu
- william(at)elan.net