Someone at Spamhaus please contact me concerning your second consecutive preemptive strike against our IP space.
Fun Fact: No one at Spamhaus has ever successfully sent us an abuse complaint. Also, some rocket scientist decided that their sbl-removals@ box should also filter e-mail so blocked parties can't even get in touch. As such, it will be necessary to reply to jeffrey.lyon@gmail.com vs. @blacklotus.net .
You claim to monitor sbl-removals@ but it seems I've been ignored for several hours.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
I'm not Spamhaus. I don't necessarily agree with their listing policies, but reading your SBL record, http://www.spamhaus.org/sbl/sbl.lasso?query=SBL100691, it appears that someone from your ISP has been in contact with Spamhaus, and were less than thorough in removing the spam gang you guys signed on (PTR records?), or were less than honest about removing them in the first place. For the rest of my life I will mentally equate "DDoS protection solutions" with "foonet". It hasn't failed me since 2001, and doesn't seem to fail me today.
Andrew
Our listing is misleading. They show me specifically what needs to be done and why and we will act on it. The problem is that they expect me to dig through our customer database and correlate various customers to ROKSO listings. I don't have the resources for this. If they show me where the problem exists I will fix it but so far they do nothing but preemptively block our entire /21 in an attempt to scare us into mass removal of customers.
Someone there needs to reply to my questions so I can act on their request. Also, they need to get in touch with ME DIRECTLY before they ban an entire ISP on multiple occasions. I liken their strategy to setting ants on fire and watching them scurry. I've shown a willingness to work with them and correct problems but they think their only option is to list the entire company each time they need something done.
Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, 2011-01-17 at 17:12 -0500, Jeffrey Lyon wrote:
Our listing is misleading. They show me specifically what needs to be done and why and we will act on it. The problem is that they expect me to dig through our customer database and correlate various customers to ROKSO listings. I don't have the resources for this.
Is it really? They list the domains in question and the IPs they resolve to.
You should not need such resources, if you have a system that ties the accountability of your users to either a domain name OR an IP address.
(Or at the very least, narrows it down to the point where you have little to no guesswork remaining.)
I agree that this can be highly frustrating, but it sounds more like a hosting company unprepared for the inevitable 'oh god the sales guys have sold servers to a ROKSO spammer!'.
Good luck. :)
Tom
Tom,
They list domains. For one, these listings are recent and I had no idea they existed until now. One of them was actually received by our abuse@ (the first one ever!) on the 14th and the complaint was already sent to the customer for action. Meanwhile back at Camp Spamhaus, they can't wait three days for us to sort this out despite the sites having been online for months.
Second, I still have no idea why they're being listed. I don't see any spam records and I guarantee you that none of the spam came from our network. Oh wait, that's right, Spamhaus' policy is to punish us and thousands of customers for hosting people who are somehow projected to spam at some future point in time based on a top secret formula for which only the holiest of spam crusaders are allowed to bear witness. No actual abuse is required, just the projected possibility of abuse.
Highly frustrating is one way of putting it. I prefer the terms "tortuous" and "libelous" to go alongside "asinine" and "ridiculous."
I reached out to them about 5 hours ago, still no response but certainly tens of thousands of mailings rejected. I can only imagine that this would entail a substantial amount of business our non-possible-spammers are losing at the moment.
Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Spamhaus,
I just blocked a bunch of customer space without any form of due process or evidence from you:
208.64.123.176/30
208.64.127.64/27
This should resolve SBL101835, SBL101662, and SBL100691. Let me know if any of our customers have any outstanding parking tickets, because I would like to null route them as well.
If at any point you would like to actually explain why we were compelled to do this please feel free to contact us at any time that is most convenient to you. Don't worry about our customers, they'll be OK. They understand that you need to arbitrarily block their e-mail for the common good.
Thanks, Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Jan 17, 2011 at 5:12 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Our listing is misleading. They show me specifically what needs to be done and why and we will act on it. The problem is that they expect me to dig through our customer database and correlate various customers to ROKSO listings. I don't have the resources for this. If they show me where the problem exists I will fix it but so far they do nothing but preemptively block our entire /21 in an attempt to scare us into mass removal of customers.
Jeff,
I pulled up http://www.spamhaus.org/sbl/sbl.lasso?query=SBL100691 . There is a rather long list at that page of offending IP addresses and names. Just for grins, I picked one at random:
208.64.120.186 canadian-rx-store.org
I connected to 208.64.120.186 on TCP port 80 and finger-boned an HTTP request for http://canadian-rx-store.org/ and the server responded as I would expect a server configured with that name to respond.
canadian-rx-store.org? Really?
Before you cast too many stones, I think you have some work to do.
Regards, Bill Herrin
P.S. Once this is all done and over with, may I respectfully suggest you carefully review your customer acquisition process? The object lessons are likely to get more expensive. Principals of a Virginia company are not well shielded against liability for facilitating unlawful prescription drug scams. Civil or criminal.
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Bill,
That is not in our IP space. These are the only SBL's we have outstanding:
SBL101835 208.64.127.64/27 blacklotus.net 17-Jan-2011 14:44 GMT Drug spam domain hosting
SBL101662 208.64.123.176/28 blacklotus.net 14-Jan-2011 10:31 GMT Drug spam domain hosting
Those assignments have been null routed (/30 instead of /28 on the latter, since the remaining space is not assigned).
Thanks, Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Jan 17, 2011 at 7:01 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
On Mon, Jan 17, 2011 at 6:58 PM, William Herrin <bill@herrin.us> wrote:
I pulled up http://www.spamhaus.org/sbl/sbl.lasso?query=SBL100691 . There is a rather long list at that page of offending IP addresses and names. Just for grins, I picked one at random:
208.64.120.186 canadian-rx-store.org
That is not in our IP space.
http://whois.arin.net/rest/nets;q=208.64.120.186?showDetails=true&showARIN=false
Respectfully yours, Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Bill,
I'm getting 72.215.225.9 for that host.
Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi, On Mon, 17 Jan 2011 19:13:16 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Bill,
I'm getting 72.215.225.9 for that host.
The nameservers just changed to ns2/ns4.codiz.net.
ns2 is a bogon, the real deal is ns4 hosted at corbina.ru, which has an abuse@ that goes to /dev/null so whatever.
Man. Hosting Yandex. Really? How did you manage to not catch that?
William
William,
I had no idea what "Yandex" was until Spamhaus brought it to my attention. I still don't really know, taking them at their word at this point.
Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, 17 Jan 2011 19:13:16 -0500, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I'm getting 72.215.225.9 for that host.
[root:pts/0{4}]debian1:~/[09:53 PM]:whois canadian-rx-store.org | grep ^Name
Name Server:NS2.CODIZ.NET
Name Server:NS4.CODIZ.NET
...
[root:pts/0{4}]debian1:~/[09:53 PM]:host canadian-rx-store.org. NS2.CODIZ.NET
Using domain server:
Name: NS2.CODIZ.NET
Address: 76.76.96.42#53
Aliases:
Host canadian-rx-store.org not found: 5(REFUSED)
[root:pts/0{4}]debian1:~/[09:53 PM]:host canadian-rx-store.org. NS4.CODIZ.NET
Using domain server:
Name: NS4.CODIZ.NET
Address: 95.31.133.201#53
Aliases:
Host canadian-rx-store.org not found: 5(REFUSED)
The reason a /21 is listed is because you have trash all over the space. *I* do the same thing all the time. I'm not playing whack-a-mole with spammers. (Granted, that only affects my own networks.)
--Ricky
Hi!
208.64.120.186 canadian-rx-store.org
That is not in our IP space.
http://whois.arin.net/rest/nets;q=208.64.120.186?showDetails=true&showARIN=false
If they claim it's not theirs, let's ask ARIN to revoke the space.
Bye, Raymond.
Hi!
That is not in our IP space. These are the only SBL's we have outstanding:
SBL101835 208.64.127.64/27 blacklotus.net 17-Jan-2011 14:44 GMT Drug spam domain hosting
SBL101662 208.64.123.176/28 blacklotus.net 14-Jan-2011 10:31 GMT Drug spam domain hosting
208.64.120.186 canadian-rx-store.org
I connected to 208.64.120.186 on TCP port 80 and finger-boned an HTTP request for http://canadian-rx-store.org/ and the server responded as I would expect a server configured with that name to respond.
canadian-rx-store .org? Really?
So they need, and will add more.
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OriginAS: AS32421
NetName: NET-208-64-120-0-1
NetHandle: NET-208-64-120-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate: 2005-12-22
Updated: 2009-11-11
Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1
OrgName: Black Lotus Communications
OrgId: BLC-92
Address: 3419 Virginia Beach Blvd. #D5
That's not your IP space? Really? How come.
apothekeosterreich .at -> 208.64.120.197
vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78
medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78
www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
Instead of typing here, I would be rather nervous and placing null routes wherever I could.
Bye, Raymond.
Raymond,
Spam does not make me nervous, it's a practical matter that we will address in due course. The null routes we have set are pretty recent so you may have received some spam prior to that time but I absolutely guarantee you that it did not come from our network, otherwise we would have detected it and stopped it on the spot.
Thanks, Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi!
Spam does not make me nervous, it's a practical matter that we will address in due course. The null routes we have set are pretty recent so you may have received some spam prior to that time but I absolutely guarantee you that it did not come from our network, otherwise we would have detected it and stopped it on the spot.
That's not your IP space? Really? How come.
apothekeosterreich .at -> 208.64.120.197
vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78
medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78
www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
www.apothekeosterreich .at is still up at the mentioned ip. Instead of telling you are soooo good on terminating stuff. Can you walk over the list and act?
I have sent in many requests for termination. You or your network don't respond to this at all.
It's a waste of time even telling it seems.
I will stop posting here, spam-l is a much better place for this. But please don't act like you don't know anything what's going on. You have been warned. You have gotten many many reports. But we don't see stuff changing.
Good luck with your listing at SpamHaus.
Bye, Raymond.
Raymond,
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Just to calm your nerves we'll also null route that space (208.64.120.176/28)
Thanks, Jeff
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
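The containment check behind this exchange, as an added example that is not part of any message in the thread: it takes the /21 allocation, the two SBL listings and the three prefixes announced as null routed so far, all as quoted in the thread, and tests the reported addresses against them. The function names are illustrative and nothing here queries a router or a blocklist.

```python
"""Added example: check reported hosts against an allocation and its null routes."""
import ipaddress

# Values quoted in the thread (ARIN record, SBL listings, announced null routes).
ALLOCATION = ipaddress.ip_network("208.64.120.0/21")
NULL_ROUTED = [ipaddress.ip_network(p) for p in (
    "208.64.123.176/30",
    "208.64.127.64/27",
    "208.64.120.176/28",
)]
SBL_LISTINGS = {
    "SBL101835": ipaddress.ip_network("208.64.127.64/27"),
    "SBL101662": ipaddress.ip_network("208.64.123.176/28"),
}
# Addresses that list members posted as resolving for the reported sites.
REPORTED = ["208.64.120.186", "208.64.120.197", "208.64.127.78",
            "208.64.127.66", "72.215.225.9"]


def classify(addr, allocation=ALLOCATION, null_routed=NULL_ROUTED):
    """Place one address relative to the allocation and the null routes."""
    ip = ipaddress.ip_address(addr)
    if ip not in allocation:
        return "outside-allocation"
    if any(ip in net for net in null_routed):
        return "null-routed"
    return "in-allocation-not-covered"


def enclosing_block(addr, prefixlen):
    """Return the aligned prefix of the given length that contains addr."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def uncovered(listing, null_routed=NULL_ROUTED):
    """Return the parts of a listed prefix that no null route covers."""
    pieces = [listing]
    for route in null_routed:
        remaining = []
        for piece in pieces:
            if route.supernet_of(piece):        # piece fully covered
                continue
            if piece.supernet_of(route):        # route carves a hole in piece
                remaining.extend(piece.address_exclude(route))
            else:                               # disjoint prefixes
                remaining.append(piece)
        pieces = remaining
    return sorted(pieces)


def report():
    """Build a plain-text summary for every reported address and listing."""
    lines = []
    for addr in REPORTED:
        status = classify(addr)
        line = f"{addr:<16} {status}"
        if status == "in-allocation-not-covered":
            line += f" (aligned /28: {enclosing_block(addr, 28)})"
        lines.append(line)
    for sbl, net in SBL_LISTINGS.items():
        gaps = ", ".join(str(n) for n in uncovered(net)) or "none"
        lines.append(f"{sbl} {net} not null routed: {gaps}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```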
Hi!
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Either you place strange nullroutes or you did not at all.
[root@mi10 tmp]# wget -S www.vertrouwdeapotheek.nl
--01:37:29-- http://www.vertrouwdeapotheek.nl/
=> `index.html'
Resolving www.vertrouwdeapotheek.nl... done.
Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 301 Moved Permanently
2 Cache-Control: private
3 Content-Length: 0
4 Location: http://www.vertrouwdeapotheek.nl/Home.aspx
5 Server: Microsoft-IIS/7.0
6 X-AspNet-Version: 4.0.30319
7 X-Powered-By: ASP.NET
8 Date: Tue, 18 Jan 2011 00:37:04 GMT
9 Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--01:37:29-- http://www.vertrouwdeapotheek.nl/Home.aspx
=> `Home.aspx'
Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected.
HTTP request sent, awaiting response...
Does this look as it's nullrouted?
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
I highly doubt. There is much more to clean on your network before I hope they would even reconsider.
Bye, Raymond.
I fat fingered the netmask, try now.
Thanks, Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi!
I fat fingered the netmask, try now.
Resolving www.vertrouwdeapotheek.nl... done.
Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 301 Moved Permanently
2 Cache-Control: private
3 Content-Length: 0
4 Location: http://www.vertrouwdeapotheek.nl/Home.aspx
5 Server: Microsoft-IIS/7.0
6 X-AspNet-Version: 4.0.30319
7 X-Powered-By: ASP.NET
8 Date: Tue, 18 Jan 2011 00:43:18 GMT
9 Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--01:43:43-- http://www.vertrouwdeapotheek.nl/Home.aspx
=> `Home.aspx.1'
Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Cache-Control: private
3 Content-Length: 126007
4 Content-Type: text/html; charset=utf-8
5 Server: Microsoft-IIS/7.0
6 X-AspNet-Version: 4.0.30319
7 WL-Version: 2475.0
8 Set-Cookie: ASP.NET_SessionId=4o3uhvfkqw3uanvriystoe2d; path=/; HttpOnly
9 X-Powered-By: ASP.NET
10 Date: Tue, 18 Jan 2011 00:43:19 GMT
11 Connection: close
Still there.
All the best Jeffrey ... you are playing games with the wrong people.
Bye, Raymond.
Raymond,
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi, On Mon, 17 Jan 2011 19:46:55 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Raymond,
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
I call bollocks. It's alive and kicking via BGP here.
edge1.lax01# show ip bgp 208.64.120.197/32
BGP routing table entry for 208.64.120.0/24, version 2014041464
Paths: (6 available, best #3, table default)
[...]
And I can reach it from my house.
William
On Mon, Jan 17, 2011 at 8:21 PM, William Pitcock <nenolod@systeminplace.net> wrote:
Hi,
On Mon, 17 Jan 2011 19:46:55 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Raymond,
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
I call bollocks. It's alive and kicking via BGP here.
edge1.lax01# show ip bgp 208.64.120.197/32 BGP routing table entry for 208.64.120.0/24, version 2014041464 Paths: (6 available, best #3, table default) [...]
And I can reach it from my house.
William
So it's dead on Cox Cable and the L3 Looking Glass but not at your house? How is that possible? -- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi!
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
I call bollocks. It's alive and kicking via BGP here.
edge1.lax01# show ip bgp 208.64.120.197/32 BGP routing table entry for 208.64.120.0/24, version 2014041464 Paths: (6 available, best #3, table default) [...]
And I can reach it from my house.
William
So it's dead on Cox Cable and the L3 Looking Glass but not at your house? How is that possible?
It's your network, isn't it. If you don't know what's happening. ... Mail me your router logins and I'll make sure it's properly null routed. And some more. Bye, Raymond.
Rhetorical question. Probably PCCW isn't accepting the null routes. Why not blacklist them for having messed up communities? Jeff On Mon, Jan 17, 2011 at 8:26 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
I call bollocks. It's alive and kicking via BGP here.
edge1.lax01# show ip bgp 208.64.120.197/32 BGP routing table entry for 208.64.120.0/24, version 2014041464 Paths: (6 available, best #3, table default) [...]
And I can reach it from my house.
William
So it's dead on Cox Cable and the L3 Looking Glass but not at your house? How is that possible?
It's your network, isn't it. If you don't know what's happening. ...
Mail me your router logins and I'll make sure it's properly null routed. And some more.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, 17 Jan 2011 20:28:55 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Rhetorical question. Probably PCCW isn't accepting the null routes. Why not blacklist them for having messed up communities?
Why not actually nullroute the IPs instead of depending on BGP tagging? Again: "ip route 208.64.120.197 255.255.255.255 Null0" William
It's a problem with PCCW not accepting the tags, we've had this issue with them occasionally and will need to address it with them directly. The machine itself has also been shut down so there should not be any further heartache. Jeff On Mon, Jan 17, 2011 at 8:36 PM, William Pitcock <nenolod@systeminplace.net> wrote:
On Mon, 17 Jan 2011 20:28:55 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Rhetorical question. Probably PCCW isn't accepting the null routes. Why not blacklist them for having messed up communities?
Why not actually nullroute the IPs instead of depending on BGP tagging? Again: "ip route 208.64.120.197 255.255.255.255 Null0"
William
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, 17 Jan 2011 20:38:54 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
It's a problem with PCCW not accepting the tags, we've had this issue with them occasionally and will need to address it with them directly. The machine itself has also been shut down so there should not be any further heartache.
$ wget -S yourdrugsdiscount.com
--2011-01-17 19:46:57-- http://yourdrugsdiscount.com/
Resolving yourdrugsdiscount.com... 208.64.122.10
Connecting to yourdrugsdiscount.com|208.64.122.10|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 18 Jan 2011 01:47:10 GMT
  Server: Apache/2.2.17 (CentOS)
  X-Powered-By: PHP/5.2.17
  P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
  ETag: PUB1295315230
  Last-Modified: Wed, 03 Nov 2010 13:01:01 GMT
  Expires: Tue, 18 Jan 2011 04:47:10 GMT
  Pragma: no-cache
  Cache-Control: public, max-age=10800
  Set-Cookie: __store_sid=66ofgeqrfa51nt20nc63j9o003; path=/
  Set-Cookie: token=7d010443693eec253a121e2aa2ba177c; expires=Wed, 19-Jan-2011 01:47:11 GMT; path=/
  Connection: close
  Content-Type: text/html; charset=utf-8
Length: unspecified [text/html]
Saving to: `index.html'
[ <=> ] 57,377 225K/s in 0.2s
2011-01-17 19:46:59 (225 KB/s) - `index.html' saved [57377]
Wow you managed to sure clean up your spam problem. One box down, hundreds to go?
William
On Mon, Jan 17, 2011 at 8:36 PM, William Pitcock <nenolod@systeminplace.net> wrote:
On Mon, 17 Jan 2011 20:28:55 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Rhetorical question. Probably PCCW isn't accepting the null routes. Why not blacklist them for having messed up communities?
Why not actually nullroute the IPs instead of depending on BGP tagging? Again: "ip route 208.64.120.197 255.255.255.255 Null0"
William
I prefer
ip route 208.64.120.197 255.255.255.255 Null0 tag <nullroute community>
Serves both purposes well
On Mon, 17 Jan 2011 20:23:17 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
On Mon, Jan 17, 2011 at 8:21 PM, William Pitcock <nenolod@systeminplace.net> wrote:
Hi,
On Mon, 17 Jan 2011 19:46:55 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Raymond,
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
I call bollocks. It's alive and kicking via BGP here.
edge1.lax01# show ip bgp 208.64.120.197/32 BGP routing table entry for 208.64.120.0/24, version 2014041464 Paths: (6 available, best #3, table default) [...]
And I can reach it from my house.
William
So it's dead on Cox Cable and the L3 Looking Glass but not at your house? How is that possible?
Because you haven't nullrouted shit. You're just tagging the IP with a specific BGP community and not all networks will respect your tagging. The ones that don't allow the traffic to pass right on through to your network, and due to BGP convergence that there will always be a working route this way. Again, I ask: how hard is it to type "ip route 208.64.120.197 255.255.255.255 Null0"? For someone who is "first and leading in DDoS Protection Solutions" you sure seem to not be able to effectively nullroute, no offense. William
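The disagreement above comes down to checking a null route from a single vantage point. As an added example (not code from any poster in this thread), this Python sketch parses `wget -S` transcripts in both styles seen in the thread and reports from which vantage points an address still answers; the vantage names, the host `shop.example`, the address 192.0.2.10 and the transcripts are all constructed.

```python
import re

# Matches both wget styles seen in the thread:
#   Connecting to host[192.0.2.10]:80... connected.
#   Connecting to host|192.0.2.10|:80... failed: Connection timed out.
CONNECT_RE = re.compile(
    r"Connecting to (?P<host>[^\s\[|]+)(?: \([^)]*\))?"
    r"[\[|](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\]|]:(?P<port>\d+)\.\.\. "
    r"(?P<outcome>connected\.|failed: [^.\n]+\.)"
)
STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})\b")


def connection_attempts(transcript):
    """Return [(ip, port, connected, http_status_or_None), ...] in order.

    Works on multi-line output and on output flattened onto one line.
    """
    matches = list(CONNECT_RE.finditer(transcript))
    attempts = []
    for i, m in enumerate(matches):
        # The HTTP status for this attempt, if any, appears before the next attempt.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(transcript)
        connected = m.group("outcome") == "connected."
        status = None
        if connected:
            s = STATUS_RE.search(transcript, m.end(), end)
            status = int(s.group(1)) if s else None
        attempts.append((m.group("ip"), int(m.group("port")), connected, status))
    return attempts


def audit_null_route(target_ip, transcripts):
    """Summarise, per vantage point, whether target_ip still accepts connections."""
    reachable, blocked, untested = [], [], []
    for vantage, text in sorted(transcripts.items()):
        results = [a for a in connection_attempts(text) if a[0] == target_ip]
        if not results:
            untested.append(vantage)      # transcript never tried this address
        elif any(connected for _, _, connected, _ in results):
            reachable.append(vantage)     # traffic still arrives via this path
        else:
            blocked.append(vantage)
    if reachable and blocked:
        verdict = "partial"    # some paths drop, others deliver: not null routed
    elif reachable:
        verdict = "reachable"
    elif blocked:
        verdict = "dropped"
    else:
        verdict = "untested"
    return {"verdict": verdict, "reachable_from": reachable,
            "blocked_from": blocked, "untested": untested}


# Constructed transcripts (documentation address and reserved .example name).
SAMPLE_TRANSCRIPTS = {
    "vantage-a": (
        "--01:37:29-- http://shop.example/\n"
        "Connecting to shop.example[192.0.2.10]:80... connected.\n"
        "HTTP request sent, awaiting response...\n"
        " 1 HTTP/1.1 301 Moved Permanently\n"
        " 2 Location: http://shop.example/Home.aspx\n"
        "Connecting to shop.example[192.0.2.10]:80... connected.\n"
        "HTTP request sent, awaiting response...\n"
        " 1 HTTP/1.1 200 OK\n"
    ),
    "vantage-b": (
        "Connecting to shop.example (shop.example)|192.0.2.10|:80... "
        "failed: Connection timed out.\nRetrying.\n"
    ),
    # Flattened onto one line, as archived mail often is.
    "vantage-c": (
        "Resolving shop.example... 192.0.2.10 Connecting to "
        "shop.example|192.0.2.10|:80... connected. HTTP request sent, "
        "awaiting response... HTTP/1.1 200 OK Content-Length: 126007"
    ),
    "vantage-d": "Connecting to other.example|198.51.100.7|:80... connected.\n",
}

if __name__ == "__main__":
    print(audit_null_route("192.0.2.10", SAMPLE_TRANSCRIPTS))
```

A "partial" verdict is the situation described in the thread: some paths drop the traffic while others still deliver it.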
Raymond,
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
Jeff
Come on Jeff, I googled the listed address for blacklotus.net, and look what comes up: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=3419+Virginia+Beach+Blvd.+%23D5 Scams, spam, garbage, etc. Guys, it looks like we are dealing with the spammer/scammer himself. The quicker his peering turfs him, the better. Incidentally, this /21 is being announced using MZIMA's AS number... (providing our much needed EFNet Connection) This is very interesting. Couldn't you afford your own?
Andrew
We were offering a privacy protected domain registration service at one point which we have since discontinued for obvious reasons. Jeff On Mon, Jan 17, 2011 at 8:29 PM, Andrew Kirch <trelane@trelane.net> wrote:
Raymond,
I do not take you for a fool, the assignment is legitimately null routed. My traceroutes are dropping at my home ISP.
Jeff
Come on Jeff, I googled the listed address for blacklotus.net, and look what comes up: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=3419+Virginia+Beach+Blvd.+%23D5 Scams, spam, garbage, etc. Guys, it looks like we are dealing with the spammer/scammer himself. The quicker his peering turfs him, the better. Incidentally, this /21 is being announced using MZIMA's AS number... (providing our much needed EFNet Connection) This is very interesting. Couldn't you afford your own?
Andrew
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
All, I would like to extend a special thanks to one of the Spamhaus team members for reaching out to me and offering dialogue on this matter. He was quite polite and understanding of the situation and we came to terms on what needed to occur on both sides. I didn't catch his name as the connection was bad but I would like to say "Thank You" and express my gratitude that we can potentially resolve future issues on more familiar terms. Thanks, -- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi, On Mon, 17 Jan 2011 21:45:40 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
All,
I would like to extend a special thanks to one of the Spamhaus team members for reaching out to me and offering dialogue on this matter. He was quite polite and understanding of the situation and we came to terms on what needed to occur on both sides. I didn't catch his name as the connection was bad but I would like to say "Thank You" and express my gratitude that we can potentially resolve future issues on more familiar terms.
Thanks,
Still waiting on clarification on your abuse policy. Is a spamhaus SBL listing mandatory for you to shut down cyber-criminals or have you learned *anything* at all from this? We don't *care* if you got this issue with Spamhaus resolved. You turned it into a much *larger* problem than that.
William
We don't *care* if you got this issue with Spamhaus resolved. You turned it into a much *larger* problem than that.
Really? Problem solved:
% cat - >> sendmail-access
From:jeffrey.lyon@gmail.com 550 Mail refused
From:jeffrey.lyon@blacklotus.net 550 Mail refused
Connect:199.59.160 550 Mail refused
Connect:199.59.161 550 Mail refused
Connect:199.59.162 550 Mail refused
Connect:199.59.163 550 Mail refused
Connect:199.59.164 550 Mail refused
Connect:199.59.165 550 Mail refused
Connect:199.59.166 550 Mail refused
Connect:199.59.167 550 Mail refused
Connect:208.64.120 550 Mail refused
Connect:208.64.121 550 Mail refused
Connect:208.64.122 550 Mail refused
Connect:208.64.123 550 Mail refused
Connect:208.64.124 550 Mail refused
Connect:208.64.125 550 Mail refused
Connect:208.64.126 550 Mail refused
Connect:208.64.127 550 Mail refused
^D
% sh update-mxers
%
Life simplification through automation / shell scripting.
(Which reminds me, I really need a tool to add an ASN to the Sendmail access file automatically.)
... Oh, wait, you meant a problem for *Jeffrey.* Yes, that could be.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
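The access-file entries in the message above are octet-boundary keys written out by hand. As an added example (not Joe Greco's tool), this Python sketch expands CIDR prefixes into `Connect:` keys of that form; it assumes the prefixes for an ASN have already been looked up elsewhere, and the function names are hypothetical.

```python
import ipaddress

DEFAULT_ACTION = "550 Mail refused"   # same action text as in the message above


def access_keys(cidr):
    """Expand one IPv4 CIDR prefix into octet-boundary access-map keys.

    The keys in the message above name whole octets ("208.64.120"), so a
    prefix that is not on an octet boundary is split into the smallest set
    of octet-aligned pieces: a /21 becomes eight three-octet keys, a /25
    becomes 128 host keys.
    """
    # strict=True rejects host bits set in the prefix, which catches a
    # mistyped address or netmask before it reaches the access file.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled in this sketch")
    if net.prefixlen == 0:
        raise ValueError("refusing to expand 0.0.0.0/0")
    boundary = -(-net.prefixlen // 8) * 8      # round up to 8, 16, 24 or 32
    octets = boundary // 8
    return [
        ".".join(str(sub.network_address).split(".")[:octets])
        for sub in net.subnets(new_prefix=boundary)
    ]


def build_access(prefixes, action=DEFAULT_ACTION):
    """Return access-file lines for a list of prefixes.

    Overlapping and adjacent prefixes are collapsed first so the output has
    no duplicate keys.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if any(n.version != 4 for n in nets):
        raise ValueError("only IPv4 prefixes are handled in this sketch")
    lines = []
    for net in ipaddress.collapse_addresses(nets):
        for key in access_keys(str(net)):
            lines.append(f"Connect:{key}\t{action}")
    return lines


if __name__ == "__main__":
    # The two /21s that the Connect: lines in the message above cover.
    for line in build_access(["199.59.160.0/21", "208.64.120.0/21"]):
        print(line)
```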
On Mon, 17 Jan 2011 21:34:49 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
We were offering a privacy protected domain registration service at one point which we have since discontinued for obvious reasons.
Ah yes! That *was* you guys. Did you know that you're still being recommended on 4chan /b/ for no-questions-asked fully-anonymous bullet-proof hosting? Is there a reason why /b/ seems to be recommending you still? I would figure they wouldn't be recommending something you're no longer doing. William
On Jan 17, 2011, at 6:42 PM, Jeffrey Lyon wrote:
I fat fingered the netmask, try now.
I've asked privately but would it really be too much to take this off NANOG? Spammer complaining he is on a RBL is hardly relevant. Chris -- ------------------------------------------------------------------------- Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 - A stupidity tax Hubris Communications Inc www.hubris.net -------------------------------------------------------------------------
I'm not a spammer. I'm an ISP asking to be removed from Spamhaus for having fixed the SBL listings set in the last < 72 hours. I'm not exactly ROKSO material. Jeff On Mon, Jan 17, 2011 at 8:07 PM, Chris Owen <owenc@hubris.net> wrote:
On Jan 17, 2011, at 6:42 PM, Jeffrey Lyon wrote:
I fat fingered the netmask, try now.
I've asked privately but would it really be too much to take this off NANOG?
Spammer complaining he is on a RBL is hardly relevant.
Chris
-- ------------------------------------------------------------------------- Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 - A stupidity tax Hubris Communications Inc www.hubris.net -------------------------------------------------------------------------
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On 17/01/11 5:40 PM, Jeffrey Lyon wrote:
I'm not a spammer. I'm an ISP asking to be removed from Spamhaus for having fixed the SBL listings set in the last < 72 hours. I'm not exactly ROKSO material.
Jeff
On Mon, Jan 17, 2011 at 8:07 PM, Chris Owen <owenc@hubris.net> wrote:
On Jan 17, 2011, at 6:42 PM, Jeffrey Lyon wrote:
I fat fingered the netmask, try now. I've asked privately but would it really be too much to take this off NANOG?
Spammer complaining he is on a RBL is hardly relevant.
Chris
Sigh. First, please quit with the top posting Jeff. (I refer you to the NANOG FAQ for elaboration on why this is not an acceptable format for posting to this list.) Second, this entire thread IS OFF TOPIC for NANOG. Which you would know if you had bothered to read the FAQ before posting. There are many discussion forums for talking about spam and RBLs, and NANOG is not one of them. http://www.nanog.org/mailinglist/listfaqs/otherlists.php Third, you are not doing your reputation any good with this thread. Your entire tone is one of "I'm so important that the rules don't apply to me. They need to stop blocking me right now. Even when I'm wrong (when spammer's sites are still active because I don't know how to properly null-route their IPs, or shut down their server, or I fat fingered the "fix" and didn't bother to double check that it's really blocked now. They still need to stop blocking me Right Now." You may not be aware that this list is publicly archived on the web in several different locations. Anyone who bothers to google your name (e.g. a future employer) is likely to discover this thread and be less than impressed. Any future posts are only going to add to the problem, not help fix it. jc
On Mon, Jan 17, 2011 at 11:59 PM, JC Dill <jcdill.lists@gmail.com> wrote:
On 17/01/11 5:40 PM, Jeffrey Lyon wrote:
I'm not a spammer. I'm an ISP asking to be removed from Spamhaus for having fixed the SBL listings set in the last < 72 hours. I'm not exactly ROKSO material.
Jeff
On Mon, Jan 17, 2011 at 8:07 PM, Chris Owen <owenc@hubris.net> wrote:
On Jan 17, 2011, at 6:42 PM, Jeffrey Lyon wrote:
I fat fingered the netmask, try now.
I've asked privately but would it really be too much to take this off NANOG?
Spammer complaining he is on a RBL is hardly relevant.
Chris
Sigh.
First, please quit with the top posting Jeff. (I refer you to the NANOG FAQ for elaboration on why this is not an acceptable format for posting to this list.)
Second, this entire thread IS OFF TOPIC for NANOG. Which you would know if you had bothered to read the FAQ before posting. There are many discussion forums for talking about spam and RBLs, and NANOG is not one of them.
http://www.nanog.org/mailinglist/listfaqs/otherlists.php
Third, you are not doing your reputation any good with this thread. Your entire tone is one of "I'm so important that the rules don't apply to me. They need to stop blocking me right now. Even when I'm wrong (when spammer's sites are still active because I don't know how to properly null-route their IPs, or shut down their server, or I fat fingered the "fix" and didn't bother to double check that it's really blocked now. They still need to stop blocking me Right Now." You may not be aware that this list is publicly archived on the web in several different locations. Anyone who bothers to google your name (e.g. a future employer) is likely to discover this thread and be less than impressed. Any future posts are only going to add to the problem, not help fix it.
jc
JC, It was blocked and I did verify it. A very small amount of our traffic comes in on PCCW and *they* were not honoring a tag that they've contractually agreed to honor. I can understand why it may be fun to make this look like a product of my own incompetence, and perhaps it is something I would have noticed if I wasn't busy responding to flames. -- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On 17/01/11 5:40 PM, Jeffrey Lyon wrote:
I'm not a spammer. I'm an ISP asking to be removed from Spamhaus for having fixed the SBL listings set in the last < 72 hours. I'm not exactly ROKSO material.
Jeff
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:32421 Safe Browsing Diagnostic page for AS32421 (BLCC) What happened when Google visited sites hosted on this network? Of the 837 site(s) we tested on this network over the past 90 days, 13 site(s), including, for example, temagay.com/, inndir.com/, ivbux.com/, served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2011-01-17, and the last time suspicious content was found was on 2011-01-17. Has this network hosted sites acting as intermediaries for further malware distribution? Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites. Has this network hosted sites that have distributed malware? Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, aresdownload.net/, xvid.com/, that infected 74 other site(s), including, for example, just4cruisers.com/, filmindirsene.tk/, skootterini.com/.
On 18 January 2011 10:00, Michael Painter <tvhawaii@shaka.com> wrote:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:32421
I'm completely neutral in all of this but to be fair to BL - Here's the well respected Level3's results: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:3356 (who also actually provide bandwidth for google) 231 malicious sites, 14 infection intermediaries and has hosted 29 sites that have infected 111 other sites. Then we have Global Crossing http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:3549.

Should we all stop using these ISPs because they have hosted some bad guys? Obviously they know about them because google has the information. Does this mean they don't have proper monitoring or control of their network? (FTR those are rhetorical questions)

I used to work for a company that had some mailing lists that users explicitly and knowingly signed up for, and lazy people used to click the "Spam" button on AOL and other providers - either because it was right beside "delete" or because they were too lazy to click the unsubscribe link. As a result, Level 3 used to forward on the automated spam complaints to our abuse department and we would usually act on them by unsubscribing the person ourselves (although they usually tried to munge most of the complainants' identifiable credentials from the forwarded emails). They were very responsive and demanded "respect" (in the sense that they don't like spammers), yet they are hosting hundreds of malicious sites. Had they shut us down due to a few spam complaints (which were never actually unsolicited) I have no doubt they would be immediately encountering severe legal action.

Black Lotus are pretty much in the same boat but are in a bit of a worse situation since people rely on them for "protection" so they are more exposed to the transparency limelight. They provide clean pipe bandwidth for some sites but might not always know what is on those sites.

Regards, Ken
On 18 January 2011 13:10, Simon Waters <simonw@zynet.net> wrote:
Obviously they know about them because google has the information.
I'm not sure this is a reasonable deduction.
Correct - It is completely unreasonable. I was using it as an example in reference to a larger, well known provider since earlier someone had mentioned that obviously since google had this information that BL's monitoring was inadequate as they didn't know about it themselves. Google knows about lots of things that people in general probably don't know about themselves. FTR - I have no doubt that Level 3 have amazing monitoring and infrastructure, and think I understand why it might be hard to find 231 bad apples in a basket of over 292492.
On 01/18/2011 06:21 AM, Ken Gilmour wrote:
On 18 January 2011 13:10, Simon Waters <simonw@zynet.net> wrote:
Obviously they know about them because google has the information.
I'm not sure this is a reasonable deduction.
Correct - It is completely unreasonable. I was using it as an example in reference to a larger, well known provider since earlier someone had mentioned that obviously since google had this information that BL's monitoring was inadequate as they didn't know about it themselves.
Google knows about lots of things that people in general probably don't know about themselves.
FTR - I have no doubt that Level 3 have amazing monitoring and infrastructure, and think I understand why it might be hard to find 231 bad apples in a basket of over 292492.
I think it's important to point out that this statistic is "over the past 90 days" as well. It doesn't identify enough sites to make it possible to verify whether it's representative of current problems. The 231 sites may have been cleaned relatively quickly and still count in the statistic if Google ever found them to be doing something malicious. I do not think this report is a useful one unless the number is constantly growing and is a large percentage of sites Google has spidered on the network. -- Kevin Stange Chief Technology Officer Steadfast Networks http://steadfast.net Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
It was blocked and I did verify it. A very small amount of our traffic comes in on PCCW and *they* were not honoring a tag that they've contractually agreed to honor. I can understand why it may be fun to make this look like a product of my own incompetence, and perhaps it is something I would have noticed if I wasn't busy responding to flames.
It may be a good policy going forward to do your own null-routes. I realize that for a DDOS protection company, the ability to tag nullroutes upstream is handy, but you also need to nullroute the traffic on your own gear, or shut down the switch port. Something that is completely independent of another organization, regardless of their contractual obligations to you. If you were my employee, I would find the fact that you fat-fingered a nullroute to be highly concerning. I would recommend that in addition to changing the way you do nullroutes, you also implement a change control policy which screens commands for approval before making configuration changes upon which your public declarations, and your reputation as a decent operator, rely. Nathan Eisenberg
Yo Jeffrey! On Mon, 17 Jan 2011, Jeffrey Lyon wrote:
I fat fingered the netmask, try now.
Still up:
# nmap -sS 208.64.120.197
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-17 17:07 PST
Nmap scan report for 208.64.120.197
Host is up (0.033s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
443/tcp open https
1723/tcp open pptp
1801/tcp open unknown
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open unknown
49154/tcp open unknown
49157/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds
RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588
Thanks, Jeff
On Mon, Jan 17, 2011 at 7:39 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Either you place strange nullroutes or you did not at all.
[root@mi10 tmp]# wget -S www.vertrouwdeapotheek.nl --01:37:29-- http://www.vertrouwdeapotheek.nl/ => `index.html' Resolving www.vertrouwdeapotheek.nl... done. Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected. HTTP request sent, awaiting response... 1 HTTP/1.1 301 Moved Permanently 2 Cache-Control: private 3 Content-Length: 0 4 Location: http://www.vertrouwdeapotheek.nl/Home.aspx 5 Server: Microsoft-IIS/7.0 6 X-AspNet-Version: 4.0.30319 7 X-Powered-By: ASP.NET 8 Date: Tue, 18 Jan 2011 00:37:04 GMT 9 Connection: close Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following] --01:37:29-- http://www.vertrouwdeapotheek.nl/Home.aspx => `Home.aspx' Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected. HTTP request sent, awaiting response...
Does this look as if it's nullrouted?
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
I highly doubt. There is much more to clean on your network before I hope they would even reconsider.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, 17 Jan 2011 19:42:22 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I fat fingered the netmask, try now.
$ wget -S www.vertrouwdeapotheek.nl
--2011-01-17 19:07:59-- http://www.vertrouwdeapotheek.nl/
Resolving www.vertrouwdeapotheek.nl... 208.64.120.197
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Cache-Control: private
  Content-Length: 0
  Location: http://www.vertrouwdeapotheek.nl/Home.aspx
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:07:46 GMT
  Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--2011-01-17 19:08:00-- http://www.vertrouwdeapotheek.nl/Home.aspx
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Length: 126007
  Content-Type: text/html; charset=utf-8
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  WL-Version: 2475.0
  Set-Cookie: ASP.NET_SessionId=bcs4bluvt3dqdfqd1udupey3; path=/; HttpOnly
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:07:47 GMT
  Connection: close
Length: 126007 (123K) [text/html]
Saving to: `Home.aspx'
100%[======================================================================================================================================================================>] 126,007 364K/s in 0.3s
2011-01-17 19:08:01 (364 KB/s) - `Home.aspx' saved [126007/126007]
How hard is it really to type in "ip route 208.64.120.197 255.255.255.255 Null0" on your busted up 6509? Don't forget to "conf t"!
William
Thanks, Jeff
On Mon, Jan 17, 2011 at 7:39 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Either you place strange nullroutes or you did not at all.
[root@mi10 tmp]# wget -S www.vertrouwdeapotheek.nl --01:37:29-- http://www.vertrouwdeapotheek.nl/ => `index.html' Resolving www.vertrouwdeapotheek.nl... done. Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected. HTTP request sent, awaiting response... 1 HTTP/1.1 301 Moved Permanently 2 Cache-Control: private 3 Content-Length: 0 4 Location: http://www.vertrouwdeapotheek.nl/Home.aspx 5 Server: Microsoft-IIS/7.0 6 X-AspNet-Version: 4.0.30319 7 X-Powered-By: ASP.NET 8 Date: Tue, 18 Jan 2011 00:37:04 GMT 9 Connection: close Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following] --01:37:29-- http://www.vertrouwdeapotheek.nl/Home.aspx => `Home.aspx' Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected. HTTP request sent, awaiting response...
Does this look as if it's nullrouted?
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
I highly doubt. There is much more to clean on your network before I hope they would even reconsider.
Bye, Raymond.
On Jan 17, 2011, at 4:42 PM, Jeffrey Lyon wrote:
I fat fingered the netmask, try now.
Mmm hmm.
platter steve$ telnet 208.64.127.78 80
Trying 208.64.127.78...
Connected to 208.64.127.78.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: viagra-shopping.com

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 0
Location: http://www.viagra-shopping.com/Home.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 00:57:55 GMT
Connection: close

If you've given spamhaus the same sort of response you're showing here I'm not surprised they're not prioritizing dealing with you.
Cheers, Steve
Thanks, Jeff
On Mon, Jan 17, 2011 at 7:39 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Either you place strange nullroutes or you did not at all.
[root@mi10 tmp]# wget -S www.vertrouwdeapotheek.nl --01:37:29-- http://www.vertrouwdeapotheek.nl/ => `index.html' Resolving www.vertrouwdeapotheek.nl... done. Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected. HTTP request sent, awaiting response... 1 HTTP/1.1 301 Moved Permanently 2 Cache-Control: private 3 Content-Length: 0 4 Location: http://www.vertrouwdeapotheek.nl/Home.aspx 5 Server: Microsoft-IIS/7.0 6 X-AspNet-Version: 4.0.30319 7 X-Powered-By: ASP.NET 8 Date: Tue, 18 Jan 2011 00:37:04 GMT 9 Connection: close Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following] --01:37:29-- http://www.vertrouwdeapotheek.nl/Home.aspx => `Home.aspx' Connecting to www.vertrouwdeapotheek.nl[208.64.120.197]:80... connected. HTTP request sent, awaiting response...
Does this look as if it's nullrouted?
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
I highly doubt. There is much more to clean on your network before I hope they would even reconsider.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Jan 17, 2011 at 7:42 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I fat fingered the netmask, try now.
Jeff,
You have some work left to do. Much of it is exhibited in the Spamhaus listing.
wget -nd http://eros-pharmacy.com/
--2011-01-17 19:54:44-- http://eros-pharmacy.com/
Resolving eros-pharmacy.com... 208.64.120.206
Connecting to eros-pharmacy.com|208.64.120.206|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.eros-pharmacy.com/Home.aspx [following]
--2011-01-17 19:54:45-- http://www.eros-pharmacy.com/Home.aspx
Resolving www.eros-pharmacy.com... 208.64.120.206
Connecting to www.eros-pharmacy.com|208.64.120.206|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 128759 (126K) [text/html]
Saving to: `index.html'
100%[======================================>] 128,759 328K/s in 0.4s
2011-01-17 19:54:46 (328 KB/s) - `index.html' saved [128759/128759]
lynx --dump index.html
[...]
Join eros-pharmacy.com's top affiliate program. We offer our affiliates more than ever, 3rd tier payouts, high comissions and much more. Want to join us and start earning top $$$ ? Contact us today. More Info
[...]
http://whois.arin.net/rest/nets;q=208.64.120.206?showDetails=true&showARIN=false
CIDR 208.64.120.0/21
Organization Black Lotus Communications (BLC-92)
On Mon, Jan 17, 2011 at 7:33 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt.
In the situation in which you find yourself, passive reaction to precise reports is not good enough. You've been careless and you're paying the price. If getting on top of the situation means you have to play pharmacy domain scavenger hunt then that's what you need to spend the next 24 hours doing. Not criticizing Spamhaus or debating on NANOG.
Respectfully, Bill Herrin
P.S. I don't mean to add to your woes, but top-posting on a mailing list is generally considered faux pas. It makes it difficult to follow a conversation. Notice how the rest of us place our replies directly below the text we're replying to?
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Mon, Jan 17, 2011 at 8:18 PM, William Herrin <bill@herrin.us> wrote:
On Mon, Jan 17, 2011 at 7:42 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I fat fingered the netmask, try now.
Jeff,
You have some work left to do. Much of it is exhibited in the Spamhaus listing.
wget -nd http://eros-pharmacy.com/ --2011-01-17 19:54:44-- http://eros-pharmacy.com/ Resolving eros-pharmacy.com... 208.64.120.206 Connecting to eros-pharmacy.com|208.64.120.206|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http://www.eros-pharmacy.com/Home.aspx [following] --2011-01-17 19:54:45-- http://www.eros-pharmacy.com/Home.aspx Resolving www.eros-pharmacy.com... 208.64.120.206 Connecting to www.eros-pharmacy.com|208.64.120.206|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 128759 (126K) [text/html] Saving to: `index.html'
100%[======================================>] 128,759 328K/s in 0.4s
2011-01-17 19:54:46 (328 KB/s) - `index.html' saved [128759/128759]
lynx --dump index.html [...] Join eros-pharmacy.com's top affiliate program. We offer our affiliates more than ever, 3rd tier payouts, high comissions and much more. Want to join us and start earning top $$$ ? Contact us today. More Info [...]
http://whois.arin.net/rest/nets;q=208.64.120.206?showDetails=true&showARIN=false
CIDR 208.64.120.0/21 Organization Black Lotus Communications (BLC-92)
On Mon, Jan 17, 2011 at 7:33 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt.
In the situation in which you find yourself, passive reaction to precise reports is not good enough. You've been careless and you're paying the price. If getting on top of the situation means you have to play pharmacy domain scavenger hunt then that's what you need to spend the next 24 hours doing. Not criticizing Spamhaus or debating on NANOG.
Respectfully, Bill Herrin
P.S. I don't mean to add to your woes, but top-posting on a mailing list is generally considered faux pas. It makes it difficult to follow a conversation. Notice how the rest of us place our replies directly below the text we're replying to?
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Bill,
Is it NANOG/Spamhaus' job to punish us or perhaps it's better to simply be satisfied that we're listening to what is being said?
Andrew,
If they're not going to delist us we will lose all of our legitimate customers, at which point the only ones we would have left are the ones you expect me to remove. How does that make any sense?
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Jan 17, 2011 at 8:22 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Is it NANOG/Spamhaus' job to punish us or perhaps it's better to simply be satisfied that we're listening to what is being said?
Jeff,
Neither is correct. It's Spamhaus' job to flag the folks who haven't done a rudimentary job of keeping criminals off their network so that the rest of us can more easily keep them out of ours. It's NANOG's job to help us all communicate so that those who have a desire to fix operational problems can find and understand the key knowledge we need to do so.
Spamhaus has provided you with the keys to the knowledge you need to fix the criminal intrusion into your network and these past few messages on NANOG have hopefully helped you understand that knowledge. If you have a desire to fix the operational problem, the rest is really up to you.
Regards, Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Mon, Jan 17, 2011 at 8:43 PM, William Herrin <bill@herrin.us> wrote:
On Mon, Jan 17, 2011 at 8:22 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
Is it NANOG/Spamhaus' job to punish us or perhaps it's better to simply be satisfied that we're listening to what is being said?
Jeff,
Neither is correct. It's Spamhaus' job to flag the folks who haven't done a rudimentary job of keeping criminals off their network so that the rest of us can more easily keep them out of ours. It's NANOG's job to help us all communicate so that those who have a desire to fix operational problems can find and understand the key knowledge we need to do so.
Spamhaus has provided you with the keys to the knowledge you need to fix the criminal intrusion into your network and these past few messages on NANOG have hopefully helped you understand that knowledge. If you have a desire to fix the operational problem, the rest is really up to you.
Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Bill, Each issue has been addressed. We're just waiting for Spamhaus' "around the clock" delisting service to pull through. Jeff -- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
From: Jeffrey Lyon [mailto:jeffrey.lyon@blacklotus.net] Sent: Tuesday, January 18, 2011 1:42 AM
I fat fingered the netmask, try now.
Thanks, Jeff
I don't think it is yet solved. The listed time is CET (GMT+1).
tmp@support:~$ wget -S www.vertrouwdeapotheek.nl
--2011-01-18 02:18:15-- http://www.vertrouwdeapotheek.nl/
Resolving www.vertrouwdeapotheek.nl... 208.64.120.197
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 0
Location: http://www.vertrouwdeapotheek.nl/Home.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 01:17:50 GMT
Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--2011-01-18 02:18:15-- http://www.vertrouwdeapotheek.nl/Home.aspx
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 126007
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
WL-Version: 2475.0
Set-Cookie: ASP.NET_SessionId=olbzhbkanrerwwzqeoho22ws; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 01:17:51 GMT
Connection: close
Length: 126007 (123K) [text/html]
Saving to: `index.html'
100%[======================================================================= ============>] 126,007 154K/s in 0.8s
2011-01-18 02:18:17 (154 KB/s) - `index.html' saved [126007/126007]
I did check the content of index.html and it shows a page I expect at that domain. Giving a suspend page is also acceptable for me (or a page with a message that the site was removed).
How difficult is it for you to nullroute it? For me (and probably for others) it is also acceptable if you put a firewall between them and the internet with the rule to DROP everything for that IP. I'm even prepared to give an example config (based on Debian 5) to drop the traffic for all IPs mentioned on this list and on SBL.
How you do it isn't important for me, but please clean your network for as far as possible with the given information (and looking through your clients). Regards, Mark
Actually, it does not:
$ host apothekeosterreich.at
apothekeosterreich.at has address 208.64.120.197
apothekeosterreich.at mail is handled by 10 mail.apothekeosterreich.at.
$ curl -I -L apothekeosterreich.at
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 0
Location: http://www.apothekeosterreich.at/Home.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 00:54:59 GMT
Connection: close

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 126574
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
WL-Version: 2475.0
Set-Cookie: ASP.NET_SessionId=a3brplvgwfsdk3pd1g1zgdtj; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 00:55:00 GMT
Connection: close
On Jan 17, 2011, at 7:33 PM, Jeffrey Lyon wrote:
Raymond,
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Just to calm your nerves we'll also null route that space (208.64.120.176/28)
Thanks, Jeff
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
On Mon, Jan 17, 2011 at 7:25 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
Spam does not make me nervous, it's a practical matter that we will address in due course. The null routes we have set are pretty recent so you may have received some spam prior to that time but I absolutely guarantee you that it did not come from our network, otherwise we would have detected it and stopped it on the spot.
That's not your IP space? Really? How come.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
www.apothekeosterreich .at is still up at the mentioned IP. Instead of telling you are soooo good on terminating stuff. Can you walk over the list and act?
I have sent in many requests for termination. You or your network don't respond to this at all.
It's a waste of time even telling it seems.
I will stop posting here, spam-l is a much better place for this. But please don't act like you don't know anything what's going on. You have been warned. You have gotten many many reports. But we don't see stuff changing.
Good luck with your listing at SpamHaus.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
TR, Again, it's been null routed. Customer has been served with notice. Unless you guys can help find some more related IP space I think the issue has been solved. Thanks, Jeff On Mon, Jan 17, 2011 at 7:57 PM, TR Shaw <tshaw@oitc.com> wrote:
Actually, it does not:
$ host apothekeosterreich.at apothekeosterreich.at has address 208.64.120.197 apothekeosterreich.at mail is handled by 10 mail.apothekeosterreich.at. $ curl -I -L apothekeosterreich.at HTTP/1.1 301 Moved Permanently Cache-Control: private Content-Length: 0 Location: http://www.apothekeosterreich.at/Home.aspx Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Tue, 18 Jan 2011 00:54:59 GMT Connection: close
HTTP/1.1 200 OK Cache-Control: private Content-Length: 126574 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 WL-Version: 2475.0 Set-Cookie: ASP.NET_SessionId=a3brplvgwfsdk3pd1g1zgdtj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Tue, 18 Jan 2011 00:55:00 GMT Connection: close
On Jan 17, 2011, at 7:33 PM, Jeffrey Lyon wrote:
Raymond,
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Just to calm your nerves we'll also null route that space (208.64.120.176/28)
Thanks, Jeff
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
On Mon, Jan 17, 2011 at 7:25 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
Spam does not make me nervous, it's a practical matter that we will address in due course. The null routes we have set are pretty recent so you may have received some spam prior to that time but I absolutely guarantee you that it did not come from our network, otherwise we would have detected it and stopped it on the spot.
That's not your IP space? Really? How come.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
www.apothekeosterreich .at is still up at the mentioned IP. Instead of telling you are soooo good on terminating stuff. Can you walk over the list and act?
I have sent in many requests for termination. You or your network don't respond to this at all.
It's a waste of time even telling it seems.
I will stop posting here, spam-l is a much better place for this. But please don't act like you don't know anything what's going on. You have been warned. You have gotten many many reports. But we don't see stuff changing.
Good luck with your listing at SpamHaus.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi!
Unless you guys can help find some more related IP space I think the issue has been solved.
You are not able to even shutdown one that's mentioned. You keep telling us it's down and null routed. It's simply not. It's alive and kicking. Bullet proof hosting rocks, doesn't it?
This is now:
[root@fallback ~]# wget -S www.vertrouwdeapotheek.nl
--2011-01-18 02:02:20-- http://www.vertrouwdeapotheek.nl/
Resolving www.vertrouwdeapotheek.nl... 208.64.120.197
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 0
Location: http://www.vertrouwdeapotheek.nl/Home.aspx
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 01:02:02 GMT
Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--2011-01-18 02:02:21-- http://www.vertrouwdeapotheek.nl/Home.aspx
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 126007
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
WL-Version: 2475.0
Set-Cookie: ASP.NET_SessionId=eknnhn43j4kcqxzqwk24ewjs; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Tue, 18 Jan 2011 01:02:03 GMT
Connection: close
Length: 126007 (123K) [text/html]
Saving to: "Home.aspx.2"
100%[===========================================================================================================================================================>] 126,007 162K/s in 0.8s
2011-01-18 02:02:22 (162 KB/s) - "Home.aspx.2" saved [126007/126007]
[root@fallback ~]# more Home.aspx.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Vertrouwde Apotheek - Viagra ...
You either have a funny way of nullrouting stuff. OR someone just stole your netspace and put the same content online ;)
Bye, Raymond.
Raymond,
Negative, it is null routed:
http://lg.level3.net
Show Level 3 (San Diego, CA) Traceroute to 208.64.120.197
1 ae-5-5.ebr1.LosAngeles1.Level3.net (4.69.133.206) 4 msec 4 msec 12 msec
2 ae-4-90.edge1.LosAngeles9.Level3.net (4.69.144.202) 4 msec 4 msec
ae-3-80.edge1.LosAngeles9.Level3.net (4.69.144.138) 4 msec
3 * * *
4 * * *
Jeff
On Mon, Jan 17, 2011 at 8:05 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
Unless you guys can help find some more related IP space I think the issue has been solved.
You are not able to even shutdown one that's mentioned. You keep telling us it's down and null routed. It's simply not. It's alive and kicking. Bullet proof hosting rocks, doesn't it?
This is now:
[root@fallback ~]# wget -S www.vertrouwdeapotheek.nl --2011-01-18 02:02:20-- http://www.vertrouwdeapotheek.nl/ Resolving www.vertrouwdeapotheek.nl... 208.64.120.197 Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 301 Moved Permanently Cache-Control: private Content-Length: 0 Location: http://www.vertrouwdeapotheek.nl/Home.aspx Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Tue, 18 Jan 2011 01:02:02 GMT Connection: close Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following] --2011-01-18 02:02:21-- http://www.vertrouwdeapotheek.nl/Home.aspx Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Cache-Control: private Content-Length: 126007 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 WL-Version: 2475.0 Set-Cookie: ASP.NET_SessionId=eknnhn43j4kcqxzqwk24ewjs; path=/; HttpOnly X-Powered-By: ASP.NET Date: Tue, 18 Jan 2011 01:02:03 GMT Connection: close Length: 126007 (123K) [text/html] Saving to: "Home.aspx.2"
100%[===========================================================================================================================================================>] 126,007 162K/s in 0.8s
2011-01-18 02:02:22 (162 KB/s) - "Home.aspx.2" saved [126007/126007]
[root@fallback ~]# more Home.aspx.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Vertrouwde Apotheek - Viagra ...
You either have a funny way of nullrouting stuff. OR someone just stole your netspace and put the same content online ;)
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
-----Original Message----- From: Jeffrey Lyon [mailto:jeffrey.lyon@blacklotus.net] Sent: Tuesday, January 18, 2011 1:58 AM To: TR Shaw Cc: nanog@nanog.org Subject: Re: Request Spamhaus contact
TR,
Again, it's been null routed. Customer has been served with notice. Unless you guys can help find some more related IP space I think the issue has been solved.
Thanks, Jeff
Hello Jeffrey, At least a few moments back (after receiving the message above) it was possible to get the page at www . vertrouwdeapotheek . nl at IP 208.64.120.197. Do you really know if it has been solved? Regards, Mark
I've already stated that I'm having the server powered down. What else do you people want? Why not focus your energy on the providers who are NOT responding to complaints?
Jeff
On Mon, Jan 17, 2011 at 8:30 PM, Mark Scholten <mark@streamservice.nl> wrote:
-----Original Message----- From: Jeffrey Lyon [mailto:jeffrey.lyon@blacklotus.net] Sent: Tuesday, January 18, 2011 1:58 AM To: TR Shaw Cc: nanog@nanog.org Subject: Re: Request Spamhaus contact
TR,
Again, it's been null routed. Customer has been served with notice. Unless you guys can help find some more related IP space I think the issue has been solved.
Thanks, Jeff
Hello Jeffrey,
At least a few moments back (after receiving the message above) it was possible to get the page at www . vertrouwdeapotheek . nl at IP 208.64.120.197.
Do you really know if it has been solved?
Regards, Mark
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
From: jeffrey.lyon@gmail.com [mailto:jeffrey.lyon@gmail.com] On Behalf Of Jeffrey Lyon Sent: Tuesday, January 18, 2011 2:32 AM
I've already stated that I'm having the server powered down. What else do you people want? Why not focus your energy on the providers who are NOT responding to complaints?
Jeff
Actual action taken would be nice idea. After the server is powered down feel free to inform us about that fact. Don't say that you did nullroute something that we can see that that is a lie. If you need to wait for someone else mention that it will be solved within XX hours and inform everyone when it is done.
I (and probably others) would like to know when the nullroute will be in place or the server is taken down.
Sometimes I also need some time to process something, in such cases I mention that it could take X hour or reply after it has been fixed.
Regards, Mark
PS.: If providers don't reply at all we have our own (internal) blacklist. If they reply and say that they'll fix it within a day we normally don't put them on the internal blacklist.
On Mon, Jan 17, 2011 at 8:44 PM, Mark Scholten <mark@streamservice.nl> wrote:
From: jeffrey.lyon@gmail.com [mailto:jeffrey.lyon@gmail.com] On Behalf Of Jeffrey Lyon Sent: Tuesday, January 18, 2011 2:32 AM
I've already stated that I'm having the server powered down. What else do you people want? Why not focus your energy on the providers who are NOT responding to complaints?
Jeff
Actual action taken would be nice idea. After the server is powered down feel free to inform us about that fact. Don't say that you did nullroute something that we can see that that is a lie. If you need to wait for someone else mention that it will be solved within XX hours and inform everyone when it is done.
I (and probably others) would like to know when the nullroute will be in place or the server is taken down.
Sometimes I also need some time to process something, in such cases I mention that it could take X hour or reply after it has been fixed.
Regards, Mark
PS.: If providers don't reply at all we have our own (internal) blacklist. If they reply and say that they'll fix it within a day we normally don't put them on the internal blacklist.
Mark,
All of my sources were routing through Telia, I had no idea that PCCW was not accepting the tags. The null routes were set immediately once this issue came to my attention and the server was powered down immediately once I determined that PCCW was not accepting the discard tags.
I've listened to and acted on every single Spamhaus listing since the founding of this company and all of a sudden in late 2010 a couple of pharmacy spammers pick up a dedicated server, thus warranting full blown witch trials on our company. I was very polite with Spamhaus at first but so far I've been treated like garbage. You would be angry as well.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
They /are/ focusing on a provider that doesn't respond to complaints.
On Jan 17, 2011 9:20 PM, "Jeffrey Lyon" <jeffrey.lyon@blacklotus.net> wrote:
I've already stated that I'm having the server powered down. What else do you people want? Why not focus your energy on the providers who are NOT responding to complaints?
Jeff
On Mon, Jan 17, 2011 at 8:30 PM, Mark Scholten <mark@streamservice.nl> wrote:
-----Original ...
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Co...
We don't want things like http://bit.ly/gGlKbF c On 1/17/2011 19:31, Jeffrey Lyon wrote:
I've already stated that I'm having the server powered down. What else do you people want? Why not focus your energy on the providers who are NOT responding to complaints?
Jeff
On Mon, Jan 17, 2011 at 8:30 PM, Mark Scholten <mark@streamservice.nl> wrote:
-----Original Message----- From: Jeffrey Lyon [mailto:jeffrey.lyon@blacklotus.net] Sent: Tuesday, January 18, 2011 1:58 AM To: TR Shaw Cc: nanog@nanog.org Subject: Re: Request Spamhaus contact
TR,
Again, it's been null routed. Customer has been served with notice. Unless you guys can help find some more related IP space I think the issue has been solved.
Thanks, Jeff
Hello Jeffrey,
At least a few moments back (after receiving the message above) it was possible to get the page at www . vertrouwdeapotheek . nl at IP 208.64.120.197.
Do you really know if it has been solved?
Regards, Mark
On Mon, 17 Jan 2011 20:31:58 -0500, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I've already stated that I'm having the server powered down. What else do you people want?
That's a fine first step, but then tomorrow when everyone has forgotten about all this, that server gets turned back on and the trash continues... On Mon, 17 Jan 2011 20:48:28 -0500, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I've listened to and acted on every single Spamhaus listing since the founding of this company and all of a sudden in late 2010 a couple of pharmacy spammers pick up a dedicated server, thus warranting full blown witch trials on our company.
If that were true, then we clearly would not have had this mess on NANOG. SBL lists are easy to find. And just as easy to understand. And yet we have an entire day of this BS because you wouldn't pull the plug on a customer. (as I read the thread, it's because you couldn't be bothered to track down what customer(s) were at the root of it???)
I'd call it a comedy of errors, but nothing about it is funny.
--Ricky
PS: For the record, the only people I've ever seen publicly complain about an SBL listing *ARE SPAMMERS*. You've done nothing today that changes that perception.
Raymond,
We've acted on every report that we're aware of and instead you want to play pharmacy domain scavenger hunt. This domain at 208.64.120.197 redirects to IP space we already null routed. It's the same customer.
Just to calm your nerves we'll also null route that space (208.64.120.176/28)
Thanks, Jeff
P.S. Someone at Spamhaus PLEASE remove the /21 listing?
I agree with Jeff here, the listing should be removed. Would the admins @ PCCW and TeliaSonera please be so kind as to delist this person... via BGP? Short of me making another reference to firearms on this list and getting banned, I have no other way to prove that blacklotus.net is essentially bulletproof hosting. Andrew
So the fact that you host the spamvertized pill and other spam sites makes it OK because the spamming email came from residential machines that were coopted? That's weird logic but maybe that's why your abuse never responded to us nor shuts them down. Tom On Jan 17, 2011, at 7:14 PM, Jeffrey Lyon wrote:
Raymond,
Spam does not make me nervous, it's a practical matter that we will address in due course. The null routes we have set are pretty recent so you may have received some spam prior to that time but I absolutely guarantee you that it did not come from our network, otherwise we would have detected it and stopped it on the spot.
Thanks, Jeff
On Mon, Jan 17, 2011 at 7:12 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
That is not in our IP space. These are the only SBL's we have outstanding:
SBL101835 208.64.127.64/27 blacklotus.net 17-Jan-2011 14:44 GMT Drug spam domain hosting
SBL101662 208.64.123.176/28 blacklotus.net 14-Jan-2011 10:31 GMT Drug spam domain hosting
208.64.120.186 canadian-rx-store.org
I connected to 208.64.120.186 on TCP port 80 and finger-boned an HTTP request for http://canadian-rx-store.org/ and the server responded as I would expect a server configured with that name to respond.
canadian-rx-store .org? Really?
So they need, and will add more.
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OriginAS: AS32421
NetName: NET-208-64-120-0-1
NetHandle: NET-208-64-120-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate: 2005-12-22
Updated: 2009-11-11
Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1
OrgName: Black Lotus Communications
OrgId: BLC-92
Address: 3419 Virginia Beach Blvd. #D5
That's not your IP space? Really? How come.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
Instead of typing here, I would be rather nervous and placing null routes wherever I could.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
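An added example, not part of any message in the thread: the hostname-to-address report posted above, parsed and checked against the prefixes quoted on this page (the /21 allocation, the two SBL sub-listings, and the 208.64.120.176/28 null route). The function names and the /28 size used for `containing_block` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Report lines exactly as posted in the thread (defanged "name .tld -> IP").
REPORT = """\
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
"""

ALLOCATION = ipaddress.ip_network("208.64.120.0/21")       # ARIN record quoted in the thread
NULL_ROUTED = [ipaddress.ip_network("208.64.120.176/28")]  # prefix named in the thread
SBL_LISTED = [ipaddress.ip_network("208.64.127.64/27"),    # SBL101835
              ipaddress.ip_network("208.64.123.176/28")]   # SBL101662

# One "name .tld -> a.b.c.d" pair; several pairs may share a line.
PAIR = re.compile(r"(\S+) (\.[a-z]+) -> (\d{1,3}(?:\.\d{1,3}){3})")


def parse_report(text):
    """Return {IPv4Address: sorted list of hostnames} from a defanged report."""
    hosts = defaultdict(set)
    for name, tld, ip in PAIR.findall(text):
        hosts[ipaddress.ip_address(ip)].add(name + tld)
    return {ip: sorted(names) for ip, names in hosts.items()}


def covering(ip, prefixes):
    """Return the first prefix that contains ip, or None if none does."""
    return next((p for p in prefixes if ip in p), None)


def triage(text, allocation, null_routed, listed, block_len=28):
    """One row per reported address: whose space it is and what already covers it."""
    rows = []
    for ip, names in sorted(parse_report(text).items()):
        route = covering(ip, null_routed)
        sbl = covering(ip, listed)
        rows.append({
            "ip": str(ip),
            "hosts": names,
            "in_allocation": ip in allocation,
            "null_route": str(route) if route else None,
            "sbl": str(sbl) if sbl else None,
            # Aligned block that actually contains the address. The /28 size is
            # an assumption; it mirrors the prefix length used in the thread.
            "containing_block": str(
                ipaddress.ip_network(f"{ip}/{block_len}", strict=False)),
        })
    return rows


if __name__ == "__main__":
    for row in triage(REPORT, ALLOCATION, NULL_ROUTED, SBL_LISTED):
        print(row["ip"], "alloc" if row["in_allocation"] else "foreign",
              "null-route:", row["null_route"], "sbl:", row["sbl"],
              "block:", row["containing_block"], ",".join(row["hosts"]))
```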
Actually, that was just a brain lapse. The domain didn't resolve at all (misspelled?) and it returned the Cox default resolution. Jeff On Mon, Jan 17, 2011 at 7:30 PM, TR Shaw <tshaw@oitc.com> wrote:
So the fact that you host the spamvertized pill and other spam sites makes it OK because the spamming email came from residential machines that were coopted?
That's weird logic but maybe that's why your abuse never responded to us nor shuts them down.
Tom
On Jan 17, 2011, at 7:14 PM, Jeffrey Lyon wrote:
Raymond,
Spam does not make me nervous, it's a practical matter that we will address in due course. The null routes we have set are pretty recent so you may have received some spam prior to that time but I absolutely guarantee you that it did not come from our network, otherwise we would have detected it and stopped it on the spot.
Thanks, Jeff
On Mon, Jan 17, 2011 at 7:12 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
That is not in our IP space. These are the only SBL's we have outstanding:
SBL101835 208.64.127.64/27 blacklotus.net 17-Jan-2011 14:44 GMT Drug spam domain hosting
SBL101662 208.64.123.176/28 blacklotus.net 14-Jan-2011 10:31 GMT Drug spam domain hosting
208.64.120.186 canadian-rx-store.org
I connected to 208.64.120.186 on TCP port 80 and finger-boned an HTTP request for http://canadian-rx-store.org/ and the server responded as I would expect a server configured with that name to respond.
canadian-rx-store .org? Really?
So they need, and will add more.
NetRange: 208.64.120.0 - 208.64.127.255
CIDR: 208.64.120.0/21
OriginAS: AS32421
NetName: NET-208-64-120-0-1
NetHandle: NET-208-64-120-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ENTERPRISE.BLACKLOTUS.NET
NameServer: NS2.ENTERPRISE.BLACKLOTUS.NET
RegDate: 2005-12-22
Updated: 2009-11-11
Ref: http://whois.arin.net/rest/net/NET-208-64-120-0-1
OrgName: Black Lotus Communications
OrgId: BLC-92
Address: 3419 Virginia Beach Blvd. #D5
That's not your IP space? Really? How come.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
Instead of typing here, I would be rather nervous and placing null routes wherever I could.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi!
Actually, that was just a brain lapse. The domain didn't resolve at all (misspelled?) and it returned the Cox default resolution.
Instead of looking at typos or misspelled stuff, can you null route the rest of the abuse reports that came in? Or should we get it added on the SBL listing since it seems that's the only way to get your attention.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
Instead of typing here, I would be rather nervous and placing null routes wherever I could.
Bye, Raymond.
Raymond,
All of this IP space is null routed. The customer has been served with notice to vacate. What more are you asking for?
Best regards, Jeff
On Mon, Jan 17, 2011 at 7:35 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
Actually, that was just a brain lapse. The domain didn't resolve at all (misspelled?) and it returned the Cox default resolution.
Instead of looking at typos or misspelled stuff, can you null route the rest of the abuse reports that came in? Or should we get it added on the SBL listing since it seems that's the only way to get your attention.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
Instead of typing here, I would be rather nervous and placing null routes wherever I could.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hmmm. Null routed? Let's see....
http://www.apothekeosterreich.at/Home.aspx
http://www.viagra-shopping.com/Home.aspx
Do I really need to show you more?
Tom
On Jan 17, 2011, at 7:38 PM, Jeffrey Lyon wrote:
Raymond,
All of this IP space is null routed. The customer has been served with notice to vacate. What more are you asking for?
Best regards, Jeff
On Mon, Jan 17, 2011 at 7:35 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
Actually, that was just a brain lapse. The domain didn't resolve at all (misspelled?) and it returned the Cox default resolution.
Instead of looking at typos or misspelled stuff, can you null route the rest of the abuse reports that came in? Or should we get it added on the SBL listing since it seems that's the only way to get your attention.
apothekeosterreich .at -> 208.64.120.197 vertrouwdeapotheek .nl -> 208.64.120.197
viagra-shopping .com -> 208.64.127.78 medicin-24 .com -> 208.64.127.78
apothekeohnerezept .at -> 208.64.127.66
www.medicin-24 .com -> 208.64.127.78 www.viagra-shopping .com -> 208.64.127.78
This is just like 3 minutes digging in today's spamfolders.
Instead of typing here, I would be rather nervous and placing null routes wherever I could.
Bye, Raymond.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On 18/01/2011 00:38, Jeffrey Lyon wrote:
All of this IP space is null routed. The customer has been served with notice to vacate. What more are you asking for?
Summarising other people's positions: a functional abuse desk, a less defensive attitude when people point out serious abuse going on in your network, and the slightest inclination to investigate really serious crap on your network when it's brought to your attention in the clearest terms possible.
E&OE
Nick -- p.s. less megaphone diplomacy would help, if you can clean enough egg off your face to manage this.
I've tried taking it to Spamhaus directly on a few occasions but we continue to get treated like crap. At least this way the public can see that we have in fact acted on the complaints.
Jeff
On Mon, Jan 17, 2011 at 8:04 PM, Nick Hilliard <nick@foobar.org> wrote:
On 18/01/2011 00:38, Jeffrey Lyon wrote:
All of this IP space is null routed. The customer has been served with notice to vacate. What more are you asking for?
Summarising other people's positions: a functional abuse desk, a less defensive attitude when people point out serious abuse going on in your network, and the slightest inclination to investigate really serious crap on your network when it's brought to your attention in the clearest terms possible.
E&OE
Nick -- p.s. less megaphone diplomacy would help, if you can clean enough egg off your face to manage this.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Jan 17, 2011 at 8:32 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I've tried taking it to Spamhaus directly on a few occasions but we continue to get treated like crap. At least this way the public can see that we have in fact acted on the complaints.
We have found Spamhaus to work well with us. In the bringing we had to prove responsibly but after that they are one of the easier to work with.
Jeff
On Mon, Jan 17, 2011 at 8:04 PM, Nick Hilliard <nick@foobar.org> wrote:
On 18/01/2011 00:38, Jeffrey Lyon wrote:
All of this IP space is null routed. The customer has been served with notice to vacate. What more are you asking for?
Summarising other people's positions: a functional abuse desk, a less defensive attitude when people point out serious abuse going on in your network, and the slightest inclination to investigate really serious crap on your network when it's brought to your attention in the clearest terms possible.
E&OE
Nick -- p.s. less megaphone diplomacy would help, if you can clean enough egg off your face to manage this.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Jan 17, 2011 at 9:28 PM, Mark Wall <ospfisisis@gmail.com> wrote:
On Mon, Jan 17, 2011 at 8:32 PM, Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
I've tried taking it to Spamhaus directly on a few occasions but we continue to get treated like crap. At least this way the public can see that we have in fact acted on the complaints.
We have found Spamhaus to work well with us. In the bringing we had to prove responsibly but after that they are one of the easier to work with.
Jeff
On Mon, Jan 17, 2011 at 8:04 PM, Nick Hilliard <nick@foobar.org> wrote:
On 18/01/2011 00:38, Jeffrey Lyon wrote:
All of this IP space is null routed. The customer has been served with notice to vacate. What more are you asking for?
Summarising other people's positions: a functional abuse desk, a less defensive attitude when people point out serious abuse going on in your network, and the slightest inclination to investigate really serious crap on your network when it's brought to your attention in the clearest terms possible.
E&OE
Nick -- p.s. less megaphone diplomacy would help, if you can clean enough egg off your face to manage this.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Mark,
Indeed, despite my angry ranting one of their staff was kind enough to reach out by telephone and I believe all outstanding concerns have been resolved.
Thanks, Jeff
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Nick Hilliard wrote:
Summarising other people's positions: a functional abuse desk, a less defensive attitude when people point out serious abuse going on in your network, and the slightest inclination to investigate really serious crap on your network when it's brought to your attention in the clearest terms possible.
p.s. less megaphone diplomacy would help, if you can clean enough egg off your face to manage this.
I appreciate the effort, but it's pretty much impossible to "convert" someone who is a spammer or who hosts spammers, or both, and make them behave in an appropriate manner. The best approach is to block and forget.
Regards, Jeroen
-- http://goldmark.org/jeff/stupid-disclaimers/ http://linuxmafia.com/~rick/faq/plural-of-virus.html
On 01/17/2011 02:15 PM, Jeffrey Lyon wrote:
Someone at Spamhaus please contact me concerning your second consecutive preemptive strike against our IP space.
Fun Fact: No one at Spamhaus has ever successfully sent us an abuse complaint. Also, some rocket scientist decided that their sbl-removals@ box should also filter e-mail so blocked parties can't even get in touch. As such, it will be necessary to reply to jeffrey.lyon@gmail.com vs. @blacklotus.net .
You claim to monitor sbl-removals@ but it seems I've been ignored for several hours.
Spamhaus does monitor sbl-removals@ but they like to do research before they just remove listings. You'll have less luck getting yourself off the listings if they feel you're just there to yell at them for being stupid and don't care enough to take their listing seriously. They were willing to send us automated notifications about new listings matching our IP space as they are added, and you can request this via the removal address when you get a response. They do not file abuse complaints.
If you care to explain why you think they made a mistake in a reasonable fashion, it's pretty likely you'll get removed and they'll probably be inclined to give you a bit of extra trust in the future.
We started out very defensive against Spamhaus early on, sending angry, demanding messages to sbl-removals@. We found things went much better when we started showing that we considered the information in the listing and explained what we did to investigate and/or why we felt the listing was not warranted (either because we cleaned up the issue or because we felt it was a mistake).
There are many RBLs which demand we wait weeks for the possibility of an unfriendly and unhelpful response. Spamhaus is by far the easiest to get along with and most responsive for our network.
-- Kevin Stange Chief Technology Officer Steadfast Networks http://steadfast.net Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
That's fine, but the listings don't even make sense. There is no evidence in the listing and I'm still trying to figure out a) why they think that these new listings have anything to do with the ones we already cleaned and b) which customers actually need to be removed and for specifically what reasons. Their entire mentality is "the site is pharmacy which means it's part of a criminal spammer gang," regardless of whether or not that is true.
My initial reply to sbl-removals@ was rather civil, my second reply not so much. At this point I just need them to check their e-mail and answer a few questions. I need intelligence to work with if they expect me to cooperate with them. I have no problem removing customers that need to be removed but I need to have all of the details to act on the request.
Thanks, Jeff
On Mon, Jan 17, 2011 at 4:37 PM, Kevin Stange <kevin@steadfast.net> wrote:
On 01/17/2011 02:15 PM, Jeffrey Lyon wrote:
Someone at Spamhaus please contact me concerning your second consecutive preemptive strike against our IP space.
Fun Fact: No one at Spamhaus has ever successfully sent us an abuse complaint. Also, some rocket scientist decided that their sbl-removals@ box should also filter e-mail so blocked parties can't even get in touch. As such, it will be necessary to reply to jeffrey.lyon@gmail.com vs. @blacklotus.net .
You claim to monitor sbl-removals@ but it seems I've been ignored for several hours.
Spamhaus does monitor sbl-removals@ but they like to do research before they just remove listings. You'll have less luck getting yourself off the listings if they feel you're just there to yell at them for being stupid and don't care enough to take their listing seriously. They were willing to send us automated notifications about new listings matching our IP space as they are added, and you can request this via the removal address when you get a response. They do not file abuse complaints.
If you care to explain why you think they made a mistake in a reasonable fashion, it's pretty likely you'll get removed and they'll probably be inclined to give you a bit of extra trust in the future.
We started out very defensive against Spamhaus early on, sending angry, demanding messages to sbl-removals@. We found things went much better when we started showing that we considered the information in the listing and explained what we did to investigate and/or why we felt the listing was not warranted (either because we cleaned up the issue or because we felt it was a mistake).
There are many RBLs which demand we wait weeks for the possibility of an unfriendly and unhelpful response. Spamhaus is by far the easiest to get along with and most responsive for our network.
-- Kevin Stange Chief Technology Officer Steadfast Networks http://steadfast.net Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi,
On Mon, 17 Jan 2011 17:09:07 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
That's fine, but the listings don't even make sense. There is no evidence in the listing and I'm still trying to figure out a) why they think that these new listings have anything to do with the ones we already cleaned and b) which customers actually need to be removed and for specifically what reasons. Their entire mentality is "the site is pharmacy which means it's part of a criminal spammer gang," regardless of whether or not that is true.
Please stop pretending that you're not hosting e-trash. 208.64.122.114 is still hosting an active SEO poisoning site (myspace-codes.com). I think, frankly, it would make your life a lot simpler if you just accepted the fact that BlackLotus sells to e-trash, just like the rest of the "ddos-protected hosting solutions" companies do.
My initial reply to sbl-removals@ was rather civil, my second reply not so much. At this point I just need them to check their e-mail and answer a few questions. I need intelligence to work with if they expect me to cooperate with them. I have no problem removing customers that need to be removed but I need to have all of the details to act on the request.
You have all the intelligence you need. You host e-trash script kiddies and SEO poisoners. Just go get some wirecutters and snip the wires coming out of that busted up 6509 you used to tout on WHT and the problem will be solved.
I have a slogan by the way, "Blacklotus AKA The IRC Company - making EFnet more trashy since FooNet got raided".
William
William,
I'm not certain that any Black Lotus IP's are even connected to EFnet.
Secondly, we're more than happy to act on any data presented to us if they actually care to present it to us before listing the entire ISP.
I'm not sure what non-spam related "e-trash" has to do with any of this.
Thanks, Jeff
On Mon, Jan 17, 2011 at 6:31 PM, William Pitcock <nenolod@systeminplace.net> wrote:
Hi,
On Mon, 17 Jan 2011 17:09:07 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
That's fine, but the listings don't even make sense. There is no evidence in the listing and I'm still trying to figure out a) why they think that these new listings have anything to do with the ones we already cleaned and b) which customers actually need to be removed and for specifically what reasons. Their entire mentality is "the site is pharmacy which means it's part of a criminal spammer gang," regardless of whether or not that is true.
Please stop pretending that you're not hosting e-trash. 208.64.122.114 is still hosting an active SEO poisoning site (myspace-codes.com). I think, frankly, it would make your life a lot simpler if you just accepted the fact that BlackLotus sells to e-trash, just like the rest of the "ddos-protected hosting solutions" companies do.
My initial reply to sbl-removals@ was rather civil, my second reply not so much. At this point I just need them to check their e-mail and answer a few questions. I need intelligence to work with if they expect me to cooperate with them. I have no problem removing customers that need to be removed but I need to have all of the details to act on the request.
You have all the intelligence you need. You host e-trash script kiddies and SEO poisoners. Just go get some wirecutters and snip the wires coming out of that busted up 6509 you used to tout on WHT and the problem will be solved.
I have a slogan by the way, "Blacklotus AKA The IRC Company - making EFnet more trashy since FooNet got raided".
William
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, 17 Jan 2011 18:35:22 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
I'm not certain that any Black Lotus IP's are even connected to EFnet.
Maybe not presently, but your company has a history in the IRC community. And it's not a history I would define as "good."
A history of selling "protection" which was in reality not a technical measure (in fact, we know this because back then your employees said outright that DDoS mitigation was being done after the point, so no fancy IntruGuard-like stuff going on there.) but instead an intimidation measure. As in, "DDoS wars", "mutually-assured DoS", so on. Kinda like FooNet/Atrivo/etc. Actually, *exactly* like FooNet/Atrivo/etc.
Secondly, we're more than happy to act on any data presented to us if they actually care to present it to us before listing the entire ISP.
When you keep in mind that many people involved in the anti-abuse community originate from the IRC community, then it should be no surprise that they would not wish to waste their time dealing with people who were part of the "protection racket" of olden days.
I'm not sure what non-spam related "e-trash" has to do with any of this.
The fact that you willingly pollute the internet as a whole with SEO "optimization" pages says a lot about your company. In my opinion SEO "optimization" pages like myspace-codes.com *are* spam. That is the same opinion held by many others.
Do not expect any pity from the rest of us who bust our proverbial asses to keep our netspace clean.
William
William,
Our company is primarily focused on the filtering of DDoS traffic. A significant amount of our IP space is routed elsewhere via proxy or GRE. If a customer pollutes, they pollute and that's their own business. If they abuse, we take action. If Spamhaus contacts us before ruining the business of others, we still take action (believe it or not).
We don't actively decide to host any of this content. It sprouts up and really is not a concern of ours until it becomes an actual problem. Comparing us to FOONET and especially Atrivo is ignorant and short sighted. Perhaps you would understand if you were targeted by attacks.
Jeff
On Mon, Jan 17, 2011 at 6:49 PM, William Pitcock <nenolod@systeminplace.net> wrote:
On Mon, 17 Jan 2011 18:35:22 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
I'm not certain that any Black Lotus IP's are even connected to EFnet.
Maybe not presently, but your company has a history in the IRC community. And it's not a history I would define as "good."
A history of selling "protection" which was in reality not a technical measure (in fact, we know this because back then your employees said outright that DDoS mitigation was being done after the point, so no fancy IntruGuard-like stuff going on there.) but instead an intimidation measure. As in, "DDoS wars", "mutually-assured DoS", so on. Kinda like FooNet/Atrivo/etc. Actually, *exactly* like FooNet/Atrivo/etc.
Secondly, we're more than happy to act on any data presented to us if they actually care to present it to us before listing the entire ISP.
When you keep in mind that many people involved in the anti-abuse community originate from the IRC community, then it should be no surprise that they would not wish to waste their time dealing with people who were part of the "protection racket" of olden days.
I'm not sure what non-spam related "e-trash" has to do with any of this.
The fact that you willingly pollute the internet as a whole with SEO "optimization" pages says a lot about your company. In my opinion SEO "optimization" pages like myspace-codes.com *are* spam. That is the same opinion held by many others.
Do not expect any pity from the rest of us who bust our proverbial asses to keep our netspace clean.
William
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi,
On Mon, 17 Jan 2011 18:54:37 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
Our company is primarily focused on the filtering of DDoS traffic. A significant amount of our IP space is routed elsewhere via proxy or GRE. If a customer pollutes, they pollute and that's their own business. If they abuse, we take action. If Spamhaus contacts us before ruining the business of others, we still take action (believe it or not).
Maybe that is the case now. It was not the case 8 years ago with IRCCo.
We don't actively decide to host any of this content. It sprouts up and really is not a concern of ours until it becomes an actual problem. Comparing us to FOONET and especially Atrivo is ignorant and short sighted. Perhaps you would understand if you were targeted by attacks.
I used to operate DroneBL. DroneBL's DNSBL servers are basically under permanent DDoS attack, which is why Cisco/IronPort and other providers have to sponsor them now.
While I understand the current aspect of your operation, you must understand that IRCCo did not make you many friends in the anti-abuse community. Sorry, that's just how it is. We look at BL/IRCCo and it does not make us feel warm and fuzzy.
Being proactive by say, checking out your customers before lighting them up would go a long way toward improving the fuzziness perception in the anti-abuse community. But you don't do that. It's clear you don't do that.
William
William,
You're quite right, we don't. We presume that our customers are honorable until proven otherwise. We're a legitimate U.S. based corporation and we make ourselves available to the pertinent RBL's and authorities as appropriate. We take action where action needs to be taken.
I take offense, however, to the assumption that our entire company is bad and that all of our customers should suffer because of the actions of a few. I've given Larry @ Spamhaus a direct link to myself and our VP of Ops. If he chooses to use it all of these problems can be nipped in the bud.
You're quite fortunate to be under the protection of a major corporation, most do not have that luxury.
Jeff
On Mon, Jan 17, 2011 at 7:07 PM, William Pitcock <nenolod@systeminplace.net> wrote:
Hi,
On Mon, 17 Jan 2011 18:54:37 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
Our company is primarily focused on the filtering of DDoS traffic. A significant amount of our IP space is routed elsewhere via proxy or GRE. If a customer pollutes, they pollute and that's their own business. If they abuse, we take action. If Spamhaus contacts us before ruining the business of others, we still take action (believe it or not).
Maybe that is the case now. It was not the case 8 years ago with IRCCo.
We don't actively decide to host any of this content. It sprouts up and really is not a concern of ours until it becomes an actual problem. Comparing us to FOONET and especially Atrivo is ignorant and short sighted. Perhaps you would understand if you were targeted by attacks.
I used to operate DroneBL. DroneBL's DNSBL servers are basically under permanent DDoS attack, which is why Cisco/IronPort and other providers have to sponsor them now.
While I understand the current aspect of your operation, you must understand that IRCCo did not make you many friends in the anti-abuse community. Sorry, that's just how it is. We look at BL/IRCCo and it does not make us feel warm and fuzzy.
Being proactive by say, checking out your customers before lighting them up would go a long way toward improving the fuzziness perception in the anti-abuse community. But you don't do that. It's clear you don't do that.
William
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi,
On Mon, 17 Jan 2011 19:11:37 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
You're quite right, we don't. We presume that our customers are honorable until proven otherwise. We're a legitimate U.S. based corporation and we make ourselves available to the pertinent RBL's and authorities as appropriate. We take action where action needs to be taken.
How does refusing service to known spammers/spam operations make you any less of a legitimate U.S. corporation? How come all of the resources mentioned in this thread are still online?
I take offense, however, to the assumption that our entire company is bad and that all of our customers should suffer because of the actions of a few. I've given Larry @ Spamhaus a direct link to myself and our VP of Ops. If he chooses to use it all of these problems can be nipped in the bud.
I do not assume your company is bad. I assume that trying to get anything shut down at BL is a waste of my time. A majority of the people posting on this thread seem to also attest to this point.
Just because you're proxying to other networks does not make you unresponsible for their activity.
You're quite fortunate to be under the protection of a major corporation, most do not have that luxury.
I am not under anyone's protection. DroneBL is, but I no longer operate it due to it being a timesink. Nor should my opinions reflect them in any way. I just wanted to make it clear that I am aware of what it is like to be under permanent DDoS attack.
William
William,
It depends, we have criteria. You can't just e-mail abuse@blacklotus.net and expect any given web site to be immediately shut down. There is due process and we need to make a decision on the matter and serve it to our customer. If a customer is listed at Spamhaus this is sufficient.
Being a legitimate corporation means that we're accountable for maintaining certain standards. Everyone assumes that because we mitigate DDoS that we're no better than some offshore spam haven.
Jeff
BTW: IP space is still null routed, still waiting on Spamhaus to stop nailing innocent customers.
On Mon, Jan 17, 2011 at 7:17 PM, William Pitcock <nenolod@systeminplace.net> wrote:
Hi,
On Mon, 17 Jan 2011 19:11:37 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
You're quite right, we don't. We presume that our customers are honorable until proven otherwise. We're a legitimate U.S. based corporation and we make ourselves available to the pertinent RBL's and authorities as appropriate. We take action where action needs to be taken.
How does refusing service to known spammers/spam operations make you any less of a legitimate U.S. corporation? How come all of the resources mentioned in this thread are still online?
I take offense, however, to the assumption that our entire company is bad and that all of our customers should suffer because of the actions of a few. I've given Larry @ Spamhaus a direct link to myself and our VP of Ops. If he chooses to use it all of these problems can be nipped in the bud.
I do not assume your company is bad. I assume that trying to get anything shut down at BL is a waste of my time. A majority of the people posting on this thread seem to also attest to this point.
Just because you're proxying to other networks does not make you unresponsible for their activity.
You're quite fortunate to be under the protection of a major corporation, most do not have that luxury.
I am not under anyone's protection. DroneBL is, but I no longer operate it due to it being a timesink. Nor should my opinions reflect them in any way. I just wanted to make it clear that I am aware of what it is like to be under permanent DDoS attack.
William
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Hi,
On Mon, 17 Jan 2011 19:21:19 -0500 Jeffrey Lyon <jeffrey.lyon@blacklotus.net> wrote:
William,
It depends, we have criteria. You can't just e-mail abuse@blacklotus.net and expect any given web site to be immediately shut down. There is due process and we need to make a decision on the matter and serve it to our customer. If a customer is listed at Spamhaus this is sufficient.
In other words, your abuse policy is strictly designed to avoid RBL listings and nothing else.
Being a legitimate corporation means that we're accountable for maintaining certain standards. Everyone assumes that because we mitigate DDoS that we're no better than some offshore spam haven.
No, we think that you're no better than some offshore spam haven because you're hosting spammers with an abuse policy strictly designed to avoid "getting listed in spamhaus" with nothing going above and beyond that.
Most abuse contacts I e-mail will shut down a customer after looking at Netflow data. But you're not doing that. So you get classified as such. It is really simple.
William
I've got no experience running a DNSBL, nor does William, but it seems to me that I'm not getting told the truth. Now, as I said, I don't always agree with Spamhaus' policies, but I'd bet a ham sandwich that you don't get delisted any time soon.
Andrew
William,
It depends, we have criteria. You can't just e-mail abuse@blacklotus.net and expect any given web site to be immediately shut down. There is due process and we need to make a decision on the matter and serve it to our customer. If a customer is listed at Spamhaus this is sufficient.
Being a legitimate corporation means that we're accountable for maintaining certain standards. Everyone assumes that because we mitigate DDoS that we're no better than some offshore spam haven.
Jeff
BTW: IP space is still null routed, still waiting on Spamhaus to stop nailing innocent customers.
On Mon, 17 Jan 2011, Jeffrey Lyon wrote:
Being a legitimate corporation means that we're accountable for maintaining certain standards. Everyone assumes that because we mitigate DDoS that we're no better than some offshore spam haven.
Will you please stop using "legitimate corporation" for what you guys are doing?
<> Nathan Stratton CTO, BlinkMind, Inc. nathan at robotics.net nathan at blinkmind.com http://www.robotics.net http://www.blinkmind.com
On 1/17/2011 7:11 PM, Jeffrey Lyon wrote:
William,
You're quite right, we don't. We presume that our customers are honorable until proven otherwise. We're a legitimate U.S.-based corporation and we make ourselves available to the pertinent RBLs and authorities as appropriate. We take action where action needs to be taken.
I don't have a "dog in this fight" but could I point out that somehow SpamHaus was able to determine more about what was going on in your network than you were? Perhaps that should indicate to you (at the least) that you need to invest a little more in your monitoring infrastructure.
Cordially
Patrick
Hi!
That's fine, but the listings don't even make sense. There is no evidence in the listing and I'm still trying to figure out a) why they think that these new listings have anything to do with the ones we already cleaned and b) which customers actually need to be removed and for specifically what reasons. Their entire mentality is "the site is pharmacy which means it's part of a criminal spammer gang," regardless of whether or not that is true.
Please stop pretending that you're not hosting e-trash. 208.64.122.114 is still hosting an active SEO poisoning site (myspace-codes.com). I think, frankly, it would make your life a lot simpler if you just accepted the fact that BlackLotus sells to e-trash, just like the rest of the "ddos-protected hosting solutions" companies do.
viagra-shopping .com potenzmittel-at .com medicin-24 .com apothekeohnerezept .at
[root@noc log]# whois 208.64.122.234
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.8.0)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-481.208.64.122.232/30
network:Network-Name:Nameserver IP Addresses
network:IP-Network:208.64.122.232/30
network:IP-Network-Block:208.64.122.232 - 208.64.122.235
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-481.208.64.122.232/30
network:Created:20101015124139000
network:Updated:20101015124139000
network:Updated-By:support@blacklotus.net
network:POC-Name:Network Operations Center
network:POC-Email:support@blacklotus.net
network:POC-Phone:(323) 657-5944
network:Tech-Name:Network Operations Center
network:Tech-Email:support@blacklotus.net
network:Tech-Phone:(323) 657-5944
This thread doesn't belong here. But hey, seems they are asking for it. Oh and yes all these botnet landing pages are still up...
If I look back at November 2010 archives there is a whole bunch and it's adding new domains daily.
brandviagra23 .com brandviagra27 .com brandcialis26 .com brandviagra25 .com ...
Neh, clean as it can be cough ...
Bye, Raymond.
1) The sites were already null routed. The problem is with Spamhaus' inability to contact me prior to impacting other legitimate customers.
2) The presumed cleanness of a customer really isn't any of mine or your business, as long as they're not spamming or engaged in any other type of abuse they're free to host web content like anyone else.
Jeff
On Mon, Jan 17, 2011 at 6:46 PM, Raymond Dijkxhoorn <raymond@prolocation.net> wrote:
Hi!
That's fine, but the listings don't even make sense. There is no evidence in the listing and I'm still trying to figure out a) why they think that these new listings have anything to do with the ones we already cleaned and b) which customers actually need to be removed and for specifically what reasons. Their entire mentality is "the site is pharmacy which means it's part of a criminal spammer gang," regardless of whether or not that is true.
Please stop pretending that you're not hosting e-trash. 208.64.122.114 is still hosting an active SEO poisoning site (myspace-codes.com). I think, frankly, it would make your life a lot simpler if you just accepted the fact that BlackLotus sells to e-trash, just like the rest of the "ddos-protected hosting solutions" companies do.
viagra-shopping .com potenzmittel-at .com medicin-24 .com apothekeohnerezept .at
[root@noc log]# whois 208.64.122.234
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.8.0)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
network:Class-Name:network
network:Auth-Area:208.64.120.0/21
network:ID:NET-481.208.64.122.232/30
network:Network-Name:Nameserver IP Addresses
network:IP-Network:208.64.122.232/30
network:IP-Network-Block:208.64.122.232 - 208.64.122.235
network:Org-Name:Aloli LTD
network:Street-Address:3321 Road Town, Drake Chambers
network:City:Tortola
network:State:-
network:Postal-Code:3321
network:Country-Code:
network:Tech-Contact:MAINT-481.208.64.122.232/30
network:Created:20101015124139000
network:Updated:20101015124139000
network:Updated-By:support@blacklotus.net
network:POC-Name:Network Operations Center
network:POC-Email:support@blacklotus.net
network:POC-Phone:(323) 657-5944
network:Tech-Name:Network Operations Center
network:Tech-Email:support@blacklotus.net
network:Tech-Phone:(323) 657-5944
This thread doesn't belong here. But hey, seems they are asking for it. Oh and yes all these botnet landing pages are still up...
If I look back at November 2010 archives there is a whole bunch and it's adding new domains daily.
brandviagra23 .com brandviagra27 .com brandcialis26 .com brandviagra25 .com ...
Neh, clean as it can be cough ...
Bye, Raymond.
Hi!
1) The sites were already null routed. The problem is with Spamhaus' inability to contact me prior to impacting other legitimate customers.
Null routed?????
It's up!
[root@master tmp]# host www.viagra-shopping.com
www.viagra-shopping.com has address 208.64.127.78
viagra-shopping .com potenzmittel-at .com medicin-24 .com apothekeohnerezept .at
Please take more than 2 seconds to reply and clean up your act first!
Jan 17 15:20:08 CET potenzmittel-at.com: [208.64.127.87]
You didn't shut down what I put in this mail. Please act now, clean it. Clean more, there are zillions....
You seriously need to check your network first before complaining.
Bye, Raymond.
I just have to chime in here: besides Raymond's and others' data, I can attest that the blacklotus abuse contact is worthless. I have tried to report abuse to blacklotus many times. My last attempt was back in September when I tried for a week to report Canadian Pharmacy pill spam on a blacklotus IP. No response from abuse (not really expected) but no takedown either after a week of reporting over and over again. We don't bother to report to you any more because your abuse email appears to us that it's /dev/null'ed
Tom
On Jan 17, 2011, at 6:55 PM, Raymond Dijkxhoorn wrote:
Hi!
1) The sites were already null routed. The problem is with Spamhaus' inability to contact me prior to impacting other legitimate customers.
Null routed?????
It's up!
[root@master tmp]# host www.viagra-shopping.com
www.viagra-shopping.com has address 208.64.127.78
viagra-shopping .com potenzmittel-at .com medicin-24 .com apothekeohnerezept .at
Please take more than 2 seconds to reply and clean up your act first!
Jan 17 15:20:08 CET potenzmittel-at.com: [208.64.127.87]
You didn't shut down what I put in this mail. Please act now, clean it. Clean more, there are zillions....
You seriously need to check your network first before complaining.
Bye, Raymond.
On 1/17/2011 6:55 PM, Raymond Dijkxhoorn wrote:
Hi!
1) The sites were already null routed. The problem is with Spamhaus' inability to contact me prior to impacting other legitimate customers.
Null routed?????
It's up!
[root@master tmp]# host www.viagra-shopping.com
www.viagra-shopping.com has address 208.64.127.78
potenzmittel-at .com medicin-24 .com apothekeohnerezept .at
Please take more than 2 seconds to reply and clean up your act first!
Jan 17 15:20:08 CET potenzmittel-at.com: [208.64.127.87]
You didn't shut down what I put in this mail. Please act now, clean it. Clean more, there are zillions....
You seriously need to check your network first before complaining.
Bye, Raymond.
To be fair. At the time of this email: You can forward resolve viagra-shopping.com but I can't seem to ping the host. Traceroute shows traffic to that IP dying at presumably the edge of Black Lotus network after a handoff from PCCW in LAX. Or did I miss something?
Raymond Dijkxhoorn wrote:
of the "ddos-protected hosting solutions" companies do.
viagra-shopping .com potenzmittel-at .com medicin-24 .com apothekeohnerezept .at
# whois 208.64.122.234
[Querying whois.arin.net]
[Redirected to rwhois.blacklotus.net:4321]
[Querying rwhois.blacklotus.net]
[rwhois.blacklotus.net]
%rwhois V-1.0,V-1.5:00090h:00 support.blacklotus.net (Ubersmith RWhois Server V-1.8.0)
autharea=208.64.120.0/21
xautharea=208.64.120.0/21
Thanks for the info, I will add 208.64.120.0/21 to my permanent blocklist (just in case spamhaus removes them at some point, or until it's re-assigned to a more well-behaving organisation) and will recommend others to do so too.
Regards, Jeroen
--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html
participants (27)
- Andrew Kirch
- Atticus
- Chris Fuenty
- Chris Owen
- Gary E. Miller
- JC Dill
- Jeffrey Lyon
- Jeroen van Aart
- Joe Greco
- Ken Gilmour
- Kevin Stange
- Mark Scholten
- Mark Wall
- Michael Painter
- ML
- Nathan Eisenberg
- Nathan Stratton
- Nick Hilliard
- Patrick Giagnocavo
- Raymond Dijkxhoorn
- Ricky Beam
- Simon Waters
- Steve Atkins
- Tom Hill
- TR Shaw
- William Herrin
- William Pitcock