Re: Announcing a reserved ASN?
On 2/3/13 9:04 AM, "Rich Kulawiec" <rsk@gsp.org> wrote:
On Sun, Feb 03, 2013 at 06:12:32PM +0530, Suresh Ramasubramanian wrote:
AS23456 is currently announcing a good few netblocks (which don't have a very good smtp reputation, by the way).
To say the least. A quick rDNS scan reveals that those netblocks include:
8448 addresses
6932 return nxdomain
512 return servfail
1004 with rDNS entries
Those 1004 hosts with rDNS account for 36 domains:
<snip long list of spammy domains>

Just as another data point, the domain names you listed hit on enough URL blacklists that Spamassassin quarantined the message for me (and would have rejected it during the SMTP transaction had the NANOG server not been listed on DNSWL-High).

Spam hosts plus fake ASN = paging the Spamhaus DROP maintainers to the white courtesy phone....

--
Dave Pooser
Manager of Information Services
Alford Media
http://www.alfordmedia.com

I do believe, as has been pointed out to me elsewhere that this is what shows up when there's a 64 bit ASN and router software that doesn't grok 64 bit ASNs

So, completely by chance that one such as belongs to what looks like a bulk mailer

--srs (htc one x)

I strongly recommend that you read about and fully understand how 4-byte ASNs work, and their use of AS23456 before you continue this thread.

--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross

Some links:
http://www.nanog.org/meetings/nanog45/presentations/Tuesday/Hankins_4byteASN...
https://tools.ietf.org/html/rfc6793

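Added example, not part of the thread: a Python sketch of how a route originated by a 4-byte ASN shows up with AS23456 (AS_TRANS) in AS_PATH, and how the real origin is recovered from AS4_PATH following RFC 6793 section 4.2.3, so that reputation data is attributed to the actual origin AS. The function names and sample ASNs are constructed for illustration, and only AS_SEQUENCE segments are handled.

```python
import struct

AS_TRANS = 23456            # reserved 2-byte placeholder defined by RFC 6793
AS_SEQUENCE = 2             # path segment type; AS_SET (1) is not handled here

def parse_path(data: bytes, asn_size: int) -> list:
    """Decode an AS_PATH (asn_size=2) or AS4_PATH (asn_size=4) attribute value."""
    fmt = {2: "H", 4: "I"}[asn_size]
    path, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        if seg_type != AS_SEQUENCE:
            raise ValueError(f"unsupported segment type {seg_type}")
        end = pos + count * asn_size
        if end > len(data):
            raise ValueError("truncated segment body")
        path.extend(struct.unpack(f"!{count}{fmt}", data[pos:end]))
        pos = end
    return path

def reconstruct(as_path: list, as4_path: list) -> list:
    """Merge the two attributes the way RFC 6793 section 4.2.3 describes."""
    if not as4_path or len(as_path) < len(as4_path):
        return list(as_path)    # AS4_PATH absent or inconsistent: ignore it
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path)

def origin(as_path: list, as4_path: list) -> tuple:
    """Return (origin ASN, resolved); resolved is False if only AS_TRANS is known."""
    path = reconstruct(as_path, as4_path)
    if not path:
        raise ValueError("empty AS path")
    return path[-1], path[-1] != AS_TRANS

# Constructed sample: the route as received after a 2-byte-only router (64500)
# forwarded it. 64500/64501 are documentation ASNs, 4200000001 is private use.
SAMPLE_AS_PATH = struct.pack("!BB3H", AS_SEQUENCE, 3, 64500, 64501, AS_TRANS)
SAMPLE_AS4_PATH = struct.pack("!BB2I", AS_SEQUENCE, 2, 64501, 4200000001)

if __name__ == "__main__":
    two = parse_path(SAMPLE_AS_PATH, 2)
    four = parse_path(SAMPLE_AS4_PATH, 4)
    print("AS_PATH as seen:", two)
    print("reconstructed  :", reconstruct(two, four))
    print("origin         :", origin(two, four))
```

A tool that reads only AS_PATH reports the origin as AS23456 for every such route, which is why unrelated networks appear to share one origin AS.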
participants (4): Brandon Ross, Dave Pooser, Richard Barnes, Suresh Ramasubramanian