RE: Re[2]: williams spamhaus blacklist
> That describes the escalation procedure of SPEWS, but is not at all accurate for the SBL, we do not expand listings sideways into customer space or block whole ISPs [*].
Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2 entities on our network we are working to terminate (it is a bit more complicated than simply pulling the plug).
In addition, we have recently requested removal of listings once we have terminated the customer in question, but received no response.
We can vouch for the fact that www.spamhaus.org blocks far more than just sources of UCE. In our case, it is our entire network.
-----Original Message-----
From: Steve Linford [mailto:linford@spamhaus.org]
Sent: Thursday, September 25, 2003 8:22 AM
To: Hank Nussbacher; nanog@merit.edu
Subject: Re[2]: williams spamhaus blacklist
At 12:50 +0200 (GMT) 25/9/03, Hank Nussbacher wrote:
> AS3339 has a zero tolerance for spamming. With just one spam complaint we block the IP in question. We have a downstream customer that has many cybercafes in Africa that generate http and smtp spam and we block each complaint within 48 hours.
> None the less, here is a recent email extract I received from someone:
> "Hank, I am not a Spamhaus.org representative in any shape or form. I do not claim to speak for Spamhaus.org in any capacity. The University of xxxxxx is, however, a customer (i.e. as of this morning, we block e-mails from IP addresses listed on Spamhaus SBL).
> I am just guessing what might happen if the problem is not sorted out. I am sure you already know that the standard escalation procedure for many blocklists is first to block the single offending IP address, then the immediate smallest block that it is contained in according to WHOIS, then the entire block of the ISP, and if that fails to stop the spam, then the corporate MXes of the upstream ISP may be blocklisted."
That describes the escalation procedure of SPEWS, but is not at all accurate for the SBL, we do not expand listings sideways into customer space or block whole ISPs [*].
> Basically, we are being told if we don't drop the customer, our corporate MXes will be blocked. I would not call this an "extreme case", but it would appear that overzealous anti-spammers are perhaps going a bit overboard.
Luckily he claimed up-front to not be speaking for Spamhaus. I can sympathize with the level of frustration of someone being bombarded in spam, however we do not run escalations for single spammers (unless the problem is chronic, but even then we'd always contact the ISP and exhaust all other avenues).
[*] Although we do not list whole U.S. or European ISPs, that's not strictly true for other areas of the net the "offshore" spammers have gravitated to. We are currently leaning on China heavily and are at this moment blocking large parts of Chinanet Shanghai (online.sh.cn) ADSL netblocks, as it's the worst of the China spam problems with 120 separate SBL listings all of US-based spammers (all the usual make-penis-fast crowd) hosted mainly on Shanghai ADSL lines. Spammers like Alan Ralsky these days pump everything out via SoBig-opened proxies with everything hosted in China, all run from Detroit using VPN. The Chinese are now understanding this but it's taken some time. That escalation should resolve itself 'any moment now' too as they say they're starting the process of tracking down and kicking off the horde of pests they've acquired these last months.
-- 
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
From netadm, received 25/9/03, 9:02 -0400 (GMT):
>> That describes the escalation procedure of SPEWS, but is not at all accurate for the SBL, we do not expand listings sideways into customer space or block whole ISPs [*].
> Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2 entities on our network we are working to terminate (it is a bit more complicated than simply pulling the plug).
> In addition, we have recently requested removal of listings once we have terminated the customer in question, but received no response.
> We can vouch for the fact that www.spamhaus.org blocks far more than just sources of UCE. In our case, it is our entire network.
Ehm, that was because you, infolink.com WERE the spam outfit, of course we block your 'entire network', it was an entire network of spammers with no real customers. You can pretend Infolink is an 'EyeEshPee' all you like Mr Leary but what we see is this, from your ROKSO record:
Prieur Leary's Infolink Communication Services, Inc. (64.251.0.0/19) initially got bandwidth from Yipes.com circa February 2002. Infolink (and Yipes) ignored tremendous numbers of spam reports for months on end. When E-xpedient.com bought that chunk of Yipes circa late June 2002, they continued spam hosting and were booted in a week or so. Next, Infolink headed for WCG.net, and commenced routing there during early July. It may have looked like a tasty morsel to Williams, but they soon realized it had a bitter aftertaste. It took until August 21 2002 before the mallet swung at WCG. Then UU.net took a whack at it. By August 21, Infolink was already spamming via that route. That lasted until about August 28, and it was three strikes and they were in ROKSO. But other networks are still willing to experience the thrill of a flooded abuse queue, it seems, and these persistent spammers are still on the air. There was apparently a route via cw.net during August 28 and 29, but as of August 29 they seem to have transit via host.net, go-net.net, and go-intl.net, downstream of Verio.net. Among Infolink's notorious partners in spam, Infolink hosts Eddy Marin (OneRoute.net), John Ritzer, and Daniel Amato.
http://www.spamhaus.org/rokso/search.lasso?evidencefile=1955
Spammers pretending to be ISPs don't qualify.
-- 
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
participants (2): netadm, Steve Linford