As people are complaining all around about ISPs, here is my small question. Who has a _working_ contact at "CalPOP" (216.240.128.0/19 and others)? It is not in puck :(

If anybody has a working one please mail it to me offlist so that the following long version of the problem can be solved.

Is there anything alive at CalPOP that doesn't try to abuse open proxies for massively spamming hotmail?

These are the hits from Sep 3rd:

216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:20 +0200] "CONNECT 65.54.167.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:22 +0200] "CONNECT 65.54.254.151:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:24 +0200] "CONNECT 65.54.252.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:25 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:28 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:29 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:30 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"

Since 29 Sep they did that 13007 times to the same box. Quite persistent apparently, as previously at 10-15 August they used 216.240.129.201 + .205 to hit that box for another 17502 times, and that one stopped mysteriously after mailing abuse@calpop.com & noc@calpop.com & sam@calpop.com (as shown in whois). Unfortunately without any reply whatsoever, and apparently they are continuing to scan for open HTTP CONNECT proxies.

I know the 200 response should indicate a CONNECT success. But unfortunately if one loads up an apache2 with PHP, suddenly it starts passing _all_ methods to PHP, which nicely responds with a 200. But it is perfect for logging some nice data from the wanna-be spammer. <Limit CONNECT>Deny from all</Limit> solves that of course, but that spammer needs to go, and the contacts don't work. This acts as a perfect spamtrap honeypot btw, especially as they keep trying.

Before anyone asks, the IP being hit is on a DSL line, so they are quite probably scanning all the DSL networks for open proxies.

Greets,
 Jeroen
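The detection side of the spamtrap honeypot described above, as an added example that is not Jeroen's code: a Python summary over Apache access-log lines in the format quoted in the post, reporting per source IP how many CONNECT requests were aimed at port 25 and how many of those were answered 200, the reply a proxy scanner treats as "open proxy found". The sample log lines are constructed in the post's format.

```python
import re

# Apache access-log line as quoted in the post: client, timestamp,
# request line, status and byte count (referer/agent are ignored).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample in the post's format: three relay attempts (one already
# denied with 403), an ordinary GET and a CONNECT to a non-SMTP port.
SAMPLE_LOG = """\
216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 403 199 "-" "-"
10.0.0.7 - - [03/Sep/2003:06:30:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Sep/2003:06:31:00 +0200] "CONNECT example.net:443 HTTP/1.1" 403 199 "-" "-"
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_smtp_connects(log_text):
    """Per source IP: CONNECT requests aimed at port 25, how many got a 200
    (what a proxy scanner reads as 'open relay found'), and the distinct
    SMTP hosts it tried to reach through this server."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["target"].rpartition(":")
        if port != "25":
            continue
        entry = summary.setdefault(
            rec["src"], {"attempts": 0, "answered_200": 0, "hosts": set()})
        entry["attempts"] += 1
        if rec["status"] == "200":
            entry["answered_200"] += 1
        entry["hosts"].add(host)
    return summary


if __name__ == "__main__":
    for src, entry in summarize_smtp_connects(SAMPLE_LOG).items():
        print(f"{src}: {entry['attempts']} CONNECT->:25, "
              f"{entry['answered_200']} answered 200, hosts={sorted(entry['hosts'])}")
```

Once <Limit CONNECT>Deny from all</Limit> is in place the same requests log as 403, so they keep counting as attempts but drop out of answered_200.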
On 9/3/2003 at 8:17 PM, "Jeroen Massar" <jeroen@unfix.org> wrote:
As people are complaining all around about ISPs, here is my small question. Who has a _working_ contact at "CalPOP" (216.240.128.0/19 and others)? It is not in puck :(
If anybody has a working one please mail it to me offlist so that the following long version of the problem can be solved.
Is there anything alive at CalPOP that doesn't try to abuse open proxies for massively spamming hotmail?
These are the hits from Sep 3rd:
[Spam-L] BLOCK,MISC: WHO'S SPAMMING YOU? (2003-08-27) Top 40 Proxy-Hijacker-Friendly Nets
http://www.monkeys.com/phl/top-20030827.post
10. 216.240.140(4) level3.net - calpop.com (Los Angeles, CA) days.cblock=2
29. 216.240.149(3) level3.net - calpop.com (Los Angeles, CA) days.cblock=5

We consider them a 'possibly rogue operator' at this point. We have numerous logged instances of unlawful trespass from their IP space - mail or attempted mail to spamtraps - and real ugliness like 66.250.115.0/24 (no longer announced by them) housing the proxy-scanning criminals at nextdatacorp.com / newengineroom.com. Never a darn word from them, except auto-replies. Their appearance in RFG's "top-40" list is definitely paving the way for death-by-ASN-filter (joining 90+ others).

ARIN has marked the contact info for AS 7796 as invalid - BACK IN MAY(!) - and "Network Operations Account" <nocc-at-webvision.com> has confirmed to us that they (AS 13374) are not the registrant of that ASN, but CalPOP is. CalPOP has certainly had every opportunity to correct the false record(s) in question with ARIN by now. Unless ARIN steps into this discussion and gives us a good reason why they haven't updated anything (e.g.: no or false documentation provided by CalPOP), I'll assume that this lack of even remotely accurate records for the ASN is deliberate, rather than mere negligence, and evokes strong suspicions of this ASN being hijacked, bar evidence to the contrary.

The fact that their upstreams are or have been:
- Level3 (known spammer-tolerant, complaint-ignorant, deliberately hiding customers in their IP space without SWIP/rwhois)
- rogue operator AS 22298 (ewan1.com) (RIS says they are gone since 2003-08-25)
- Cogent (known spammer-tolerant, complaint-ignorant) (RIS says they are gone since 2003-08-06)
lets you expect nothing good coming from calpop.com.

AS 7796 announcing 216.240.128.0/19 as 32 /24's should make some people here wonder: who the hell am I wasting my router's RAM for, and why am I still accepting /24's from space other than the traditional swamp?

bye, Kai

ps: RFG's monkeys.com is undergoing a joe-job right now - with the suspects most certainly present within (or acting on behalf and in concert with) the group of hard-core computer criminals listed in his "Top 40" list. Which criminals does your employer support?
On Thu, Sep 04, 2003 at 05:29:17PM -0400, Kai Schlichting wrote:
On 9/3/2003 at 8:17 PM, "Jeroen Massar" <jeroen@unfix.org> wrote:
As people are complaining all around about ISPs, here is my small question. Who has a _working_ contact at "CalPOP" (216.240.128.0/19 and others)? It is not in puck :(
If anybody has a working one please mail it to me offlist so that the following long version of the problem can be solved.
Is there anything alive at CalPOP that doesn't try to abuse open proxies for massively spamming hotmail?
[Spam-L] BLOCK,MISC: WHO'S SPAMMING YOU? (2003-08-27) Top 40 Proxy-Hijacker-Friendly Nets
http://www.monkeys.com/phl/top-20030827.post
10. 216.240.140(4) level3.net - calpop.com (Los Angeles, CA) days.cblock=2
29. 216.240.149(3) level3.net - calpop.com (Los Angeles, CA) days.cblock=5
We consider them a 'possibly rogue operator' at this point. We have numerous logged instances of unlawful trespass from their IP space - mail or attempted mail to spamtraps - and real ugliness like 66.250.115.0/24 (no longer announced by them) housing the proxy-scanning criminals at nextdatacorp.com / newengineroom.com. Never a darn word from them, except auto-replies. Their appearance in RFG's "top-40" list is definitely paving the way for death-by-ASN-filter (joining 90+ others).
I've received responses from Calpop in recent memory. They do seem to be taking a turn for the worse, however. Whether this is due to malice, lack of clue, or some combination remains to be seen. (We had some of those blocks swipped to us from WAY back and it took forever to get them removed). Last I checked, the phone number listed (+1-213-351-1355) worked. A call over there might be helpful. If anyone from Level3 is around, now would be a good time to smack some clue into them.
ARIN has marked the contact info for AS 7796 as invalid - BACK IN MAY(!) - and "Network Operations Account" <nocc-at-webvision.com> has confirmed to us that they (AS 13374) are not the registrant of that ASN, but CalPOP is. CalPOP has certainly had every opportunity to correct the false record(s) in question with ARIN by now.
7796 *was* webvision at one point, although they're no longer using this ASN.[1] Calpop obtained some of Webvision's assets after Webvision closed their facility in Torrance. I can only assume that ARIN did require them to re-justify the usage before allowing them to transfer the allocation, but it's still a little sketchy, as Webvision is still in business. I'm pretty sure that Kamron Hejazi hasn't worked there in ages, and hejazik@webvision.com hasn't been a valid address for quite some time. I did get a response from ken-at-calpop.com about this issue, although he didn't quite seem to understand why it mattered that the ASN had an invalid contact. To be fair, Webvision COULD fix this problem if they wanted to, since they could easily reactivate the address and change the POC for 7796.
The fact that their upstreams are or have been:
- Level3 (known spammer-tolerant, complaint-ignorant, deliberately hiding customers in their IP space without SWIP/rwhois)
- rogue operator AS 22298 (ewan1.com) (RIS says they are gone since 2003-08-25)
- Cogent (known spammer-tolerant, complaint-ignorant) (RIS says they are gone since 2003-08-06)
I did see some slight signs of life there at one point. However, it does seem that they're either totally rogue, totally clueless, or some combination of the two at this point.

[1] Incidentally, Webvision dropped pretty far into the spam sewer by the end; their whole /19 was listed in SPEWS, which sucked for us, since we had about 6-8 /24's out of that.

--
"Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
CalPoP's owners/management are knowingly facilitating this behaviour. I know, since I (thankfully very briefly) was retained as their CTO and explicitly raised the spam issue as soon as I became aware of it. I personally saw machines which appeared to be running software designed to attempt to proxy relay against Hotmail. The response I received was that "if they did not generate complaints it was not an issue." For all the good it will do you, you can reach two of the owners, Richard Hoover aka Lynn at lynn@calpop.com or Ross Thayer at ross@calpop.com.

On Thu, 4 Sep 2003, Jeroen Massar wrote:
As people are complaining all around about ISPs, here is my small question. Who has a _working_ contact at "CalPOP" (216.240.128.0/19 and others)? It is not in puck :(
If anybody has a working one please mail it to me offlist so that the following long version of the problem can be solved.
Is there anything alive at CalPOP that doesn't try to abuse open proxies for massively spamming hotmail?
These are the hits from Sep 3rd:
216.240.140.204 - - [03/Sep/2003:06:27:15 +0200] "CONNECT 65.54.253.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:17 +0200] "CONNECT 65.54.167.5:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:19 +0200] "CONNECT 65.54.253.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:20 +0200] "CONNECT 65.54.167.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:22 +0200] "CONNECT 65.54.254.151:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:24 +0200] "CONNECT 65.54.252.99:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:25 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:26 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:28 +0200] "CONNECT 65.54.254.145:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:29 +0200] "CONNECT 65.54.252.230:25 HTTP/1.0" 200 2366 "-" "-"
216.240.140.204 - - [03/Sep/2003:06:27:30 +0200] "CONNECT 65.54.254.140:25 HTTP/1.0" 200 2366 "-" "-"
Since 29 Sep they did that 13007 times to the same box. Quite persistent apparently, as previously at 10-15 August they used 216.240.129.201 + .205 to hit that box for another 17502 times, and that one stopped mysteriously after mailing abuse@calpop.com & noc@calpop.com & sam@calpop.com (as shown in whois). Unfortunately without any reply whatsoever, and apparently they are continuing to scan for open HTTP CONNECT proxies.
I know the 200 response should indicate a CONNECT success. But unfortunately if one loads up an apache2 with PHP, suddenly it starts passing _all_ methods to PHP, which nicely responds with a 200. But it is perfect for logging some nice data from the wanna-be spammer. <Limit CONNECT>Deny from all</Limit> solves that of course, but that spammer needs to go, and the contacts don't work. This acts as a perfect spamtrap honeypot btw, especially as they keep trying.
Before anyone asks the IP being hit is on a DSL line so they are quite probably scanning all the DSL networks for open proxies.
Greets, Jeroen
--
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers