Re: I got a live one! - Spam source
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)

-- WRONG --
OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US

Found a referral to rwhois.fortressitx.com:4443.
Timeout.
-----------------

The argument that whois information should not be made public is ridiculous. I hear people saying that they don't publish whois information because they don't want the emails made public. Okay, at least the registered company name, or the individual who presented the ID, should be there.

-- WRONG --
OrgName: Peer 1 Dedicated Hosting
OrgID: P1DH-1
Address: 101 Marietta Street
Address: Suite 500
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19
------------------------------

Okay, you REALLY want people to get tired of playing whack-a-mole? This is why many list operators block large ranges.. according to this listing, one responsible party for the whole list.. (oh, and don't get me started on reporting.. the quote I heard here was 'Oh, we don't do anything about spammers unless it affects other customers')

So, how big a range should you block when you start seeing a pattern? Remember, organizations like UCE-PROTECT tend to base a reputation on a /24. This is probably because in a lot of cases you cannot tell whether the person owns the whole range or just the top /25.

-- RIGHT --
OrgName: Network Operations Center Inc.
OrgID: NOC
Address: PO Box 591
City: Scranton
network:Network-Name:NET-96.9.145.224/28
network:IP-Network:96.9.145.224/28
network:Organization;I:org--6898
network:Org-Name:ServerPlaceNet c/o Network Operations Center, Inc.
--------------

Simple: if the IPs reflect some behavior we don't like, we know exactly which ranges should be affected. Basically, if you absolve yourself of the responsibility for the conduct of part of your networks to a 3rd party.. you should SWIP it.
Some hosting companies are really good about this, even as far as SWIP'ing down to the /32. There is a chain of responsibility, and when a hosting company has a known offender using portion(s) of their space, it makes it much easier to decide how much of that space should be blocked. Should we block the whole /24 or only a portion? Say you see...

66.104.246.36: mail1.clubdelivery.net
66.104.246.37: mail1.deliverydirect.info
66.104.246.38: mail1.deliverymobile.net
66.104.246.39: mail1.deliveryonline.info
66.104.246.40: mail1.deliveryrama.net
66.104.246.41: mail1.deliveryusa.net
66.104.246.42: mail1.deliveryzilla.net
66.104.246.43: mail1.godelivery.info
66.104.246.44: mail1.instantdelivery.info
66.104.246.45: mail1.date-meet.net
66.104.246.46: mail1.uchatfree.net
66.104.246.47: mail1.secureeasypay.net
66.104.246.48: mail1.idevelopthings.com
66.104.246.49: mail1.whocanvote.com
66.104.246.50: mail1.freedvdz.net
66.104.246.51: mail1.freecybercam.com
66.104.246.53: mail2.clubdelivery.net
66.104.246.54: mail2.deliverydirect.info
66.104.246.55: mail2.deliverymobile.net
66.104.246.56: mail2.deliveryonline.info
66.104.246.57: mail2.deliveryrama.net
66.104.246.58: mail2.deliveryusa.net
66.104.246.59: mail2.deliveryzilla.net
66.104.246.60: mail2.godelivery.info
66.104.246.61: mail2.instantdelivery.info
66.104.246.62: mail2.date-meet.net

It's listed as..

network:Organization;I:Precision Technology, Inc (286563-1)
network:IP-Network:66.104.244.0/22

Well, we don't have to affect the whole XO block.. but who is the operator responsible for the activities of these servers? The SWIP should reflect that. Also, it makes it easier to see relevant activities from other ranges that the customer might own.. like older IP ranges...

-- Precision Technology INC
mycouponsavingsmailcom MYCOUPONSAVINGSMAILCOM 24.155.144.16 - 24.155.144.31 # 24.155.144.16/28

Guess business was good.. but now of course, with proper SWIP, we know that those IPs are no longer controlled by the same party.
(we hope) Of course, it can still be abused.. if the hosting provider is in collusion.. changes the SWIP regularly to hide that it is the same operator.. but even then, we will see such patterns.. if a hosting company 'constantly' gets a new 'problem customer' <sic> then we can see that as well.

-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
On Wed, 25 Nov 2009 09:25:27 -0800 Michael Peddemors <michael@linuxmagic.com> wrote:
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)
hmmm - odd that the 2 you chose to show as wrong, both feature highly in my postfix reject_clients map..... -- John
On Wed, Nov 25, 2009 at 10:55 PM, Michael Peddemors <michael@linuxmagic.com> wrote:
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)
Dysfunctional rwhois servers sounds more like general brokenness than malice. The other interesting (!) characteristic of this sort of bulk mailer discussed in this thread is that the netblock is most likely swipped / rwhois'd to a brand new shell company LLC, headquartered in what looks like a UPS store maildrop.
On Thu, 26 Nov 2009 05:16:15 +0530 Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
On Wed, Nov 25, 2009 at 10:55 PM, Michael Peddemors <michael@linuxmagic.com> wrote:
Could you elaborate on what constitutes correct swip information?
Sure, you just opened the door to my opinions on this :)
Dysfunctional rwhois servers sounds more like general brokenness than malice. The other interesting (!) characteristic of this sort of bulk mailer discussed in this thread is that the netblock is most likely swipped / rwhois'd to a brand new shell company LLC, headquartered in what looks like a UPS store maildrop.
In the instances he quoted, I prefer, at best, a wish not to know about what is spewing from their address space. -- John
On Wed, Nov 25, 2009 at 09:25:27AM -0800, Michael Peddemors wrote:
I hear people saying that they don't publish whois information because they don't want the emails made public. Okay, at least the registered company name, or the individual who presented the ID, should be there.
Without delving too far into this: there is no point whatsoever in attempting to conceal or obfuscate email addresses --not any more. It is an obsolete, "cargo cult" practice that many are still engaged in without grasping that it was quite thoroughly defeated by spammers and their associates years ago. That said, I concur in full with your opinions in re whois data and the need to assign it properly. I've long since stopped trying to deal with missing information and have adopted the rule that if the neighborhood looks sufficiently bad, I just block a /24 worth. That may sound arbitrary, but in practice it works extremely well. ---Rsk
Not to keep endlessly on this thread, but again with reference to good whois record keeping and bad..

64.21.87.136: mx2.yvzus.com
64.21.87.141: mx3.xmabs.com
64.21.87.168: mx5.zgows.com
64.21.87.170: mx5.zntas.com

<GOOD> We know the activity is probably limited to:

Found a referral to whois.nac.net:43.
NAC-Rwhoisd32 Server Ready - [hydrogen/43] Rwhoisd32 - 1.0.76
Private (NET-40155780-26)
1000 Elliott Ave W
Seattle, WA 98119
US
OrgID : NAC-40612
Netname : NET-40155780-26
Netblock: 64.21.87.128/26
NetUse : additional loopback ips for 66.246.252.57
Coordinator: Whitaker, Claude washwhitaker@aol.com
Phone: 206-407-3201

67.229.101.206: hikmvo.leadingsolutionlinks.com
67.229.101.207: noqo.leadingsolutionlinks.com
67.229.101.208: rqecf.leadingsolutionlinks.com

<GOOD> We know that the activity is probably limited to:

VPLS Inc. d/b/a Krypt Technologies VPLSNET (NET-67-229-0-0-1) 67.229.0.0 - 67.229.255.255
Roy Diaz ROY (NET-67-229-96-0-1) 67.229.96.0 - 67.229.111.255

(Other than that VPLS/Krypt seems to really like these types of customers)

70.97.119.58: mail1.ugallshwomange.com
70.97.119.59: mail1.ugouricarali.com
70.97.119.60: mail1.utanonesiana.com
70.97.119.61: mail1.vatetricarkose.com
70.97.119.62: mail1.venesiandsgu.com
70.97.119.63: mail1.viandslahass.com
70.97.119.64: mail1.vientianarica.com
70.97.119.65: mail1.vientuckyan.com

<BAD>

Integra Telecom, Inc. ELI-NETWORK-ELIX (NET-70-96-0-0-1) 70.96.0.0 - 70.99.255.255
Syptec ITCM-70-97-118-0-23 (NET-70-97-118-0-1) 70.97.118.0 - 70.97.119.255

This is a /23 but with Syptec's record... They sure like opening ranges to email marketers first :) Unless Syptec is operating those machines themselves.. but in that class C all the IPs don't appear to start on a normal boundary, .35-.65, with all the rest of the IPs having no reverse DNS. Does this client of theirs have control over the whole /23 or just a part?
205.251.11.130: loneas41.instantcasheasynow.com
205.251.11.163: lon69.instantcasheasynow.com
205.251.11.70: lon83.instantcasheasynow.com
205.251.7.144: click37.fallcreditcash.com
205.251.7.204: track42.fallcreditcash.com
205.251.7.253: click14.fallcreditcash.com
205.251.7.99: track4.fallcreditcash.com

<BAD>

InfoRelay Online Systems, Inc. INFORELAY-EST-02 (NET-205-251-0-0-1) 205.251.0.0 - 205.251.127.255
Reaction54 REACT54-03 (NET-205-251-8-0-1) 205.251.8.0 - 205.251.15.255

Is this two different clients on Reaction54, or is this Reaction54 themselves? I think you have to assume the latter based on this whois information.. especially when you see that the whole class C has the same naming patterns.

216.52.246.253: host6.chemistryearth.com
216.52.246.254: host6.consecutiveworld.com

<GOOD>

Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1) 216.52.0.0 - 216.52.255.255
Aurora Networking INAP-LAX-AURORA-34937 (NET-216-52-246-0-1) 216.52.246.0 - 216.52.246.255

More companies on Internap, but at least we know exactly what range is owned by this company.. We can just look at the one class 'C'. And of course we can see that this is quite typical right across the range..

218.213.228.76: ad-a11.pointdnshere.com
218.213.228.92: ns193.pointdnshere.com

<BAD> Ummm.. we can't say the same operator is using all of these, can we?

inetnum: 218.213.0.0 - 218.213.255.255
netname: HKNET-HK
descr: HKNet Company Limited
descr: 15/F, Tower 2, Ever Gain Plaza,
descr: 88 Container Port Road, Kwai Chung, N.T.
country: HK

And if we guessed, and said the same behavior was across the board, we would be hurting the poor guy on that class C at the top of the range.. (Oh, yeah.. I know.. I threw that last example in to show that this isn't just a North American problem)

On November 26, 2009, Rich Kulawiec wrote:
On Wed, Nov 25, 2009 at 09:25:27AM -0800, Michael Peddemors wrote:
I hear people saying that they don't publish whois information because they don't want the emails made public. Okay, at least the registered company name, or the individual who presented the ID, should be there.
Without delving too far into this: there is no point whatsoever in attempting to conceal or obfuscate email addresses --not any more. It is an obsolete, "cargo cult" practice that many are still engaged in without grasping that it was quite thoroughly defeated by spammers and their associates years ago.
That said, I concur in full with your opinions in re whois data and the need to assign it properly. I've long since stopped trying to deal with missing information and have adopted the rule that if the neighborhood looks sufficiently bad, I just block a /24 worth. That may sound arbitrary, but in practice it works extremely well.
---Rsk
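The decision the thread keeps circling (block exactly the SWIP'd sub-allocation when one exists, otherwise fall back to a /24 as Rich describes) is mechanical enough to script. The following is an added example, not code posted by any participant: it parses constructed records modelled on the whois/rwhois excerpts quoted above, picks the most specific allocation containing each spam-source IP, and emits rows in Postfix's cidr: access-table format for use with check_client_access. The addresses 216.150.5.10 and 96.9.145.230 are made up to fall inside the quoted /19 and /28; the /24 fallback width is an assumption taken from the thread, not a standard.

```python
import ipaddress
import re

# Constructed records, copied from the shapes of the whois/rwhois answers quoted
# in this thread. They are sample input for the example, not live lookups.
SAMPLE_RECORDS = """
OrgName: Peer 1 Dedicated Hosting
NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19

network:Org-Name:ServerPlaceNet c/o Network Operations Center, Inc.
network:IP-Network:96.9.145.224/28

Netname : NET-40155780-26
Netblock: 64.21.87.128/26

Syptec ITCM-70-97-118-0-23 (NET-70-97-118-0-1) 70.97.118.0 - 70.97.119.255
"""

DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"({DOTTED_QUAD})\s*-\s*({DOTTED_QUAD})")
CIDR_RE = re.compile(rf"\b({DOTTED_QUAD}/\d{{1,2}})\b")


def parse_allocations(text):
    """Collect every netblock a record mentions, whether written as a
    'start - end' range or as CIDR. Duplicates (a range and its CIDR
    line describing the same block) collapse because a set is used."""
    nets = set()
    for m in RANGE_RE.finditer(text):
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
        nets.update(ipaddress.summarize_address_range(start, end))
    for m in CIDR_RE.finditer(text):
        nets.add(ipaddress.IPv4Network(m.group(1), strict=False))
    return sorted(nets, key=lambda n: (n.network_address, n.prefixlen))


def most_specific_allocation(ip, allocations):
    """Return the longest-prefix (most specific SWIP) block containing ip,
    or None when no record covers it at all."""
    addr = ipaddress.IPv4Address(ip)
    containing = [n for n in allocations if addr in n]
    return max(containing, key=lambda n: n.prefixlen) if containing else None


def block_for(ip, allocations, fallback_prefix=24):
    """Decide what to block for one offending IP.

    If the SWIP'd allocation is a /24 or narrower, the provider has told us
    exactly whose space it is, so block just that. If the only record is a
    larger aggregate (the 'WRONG' cases above), we cannot tell where the
    customer's space ends, so fall back to the /24 around the IP.
    Returns (network, reason) where reason is 'swip' or 'fallback'."""
    alloc = most_specific_allocation(ip, allocations)
    if alloc is not None and alloc.prefixlen >= fallback_prefix:
        return alloc, "swip"
    fallback = ipaddress.IPv4Network(f"{ip}/{fallback_prefix}", strict=False)
    return fallback, "fallback"


def postfix_cidr_table(ips, allocations):
    """Render the decisions as a Postfix cidr: table body, one row per
    distinct block, for 'check_client_access cidr:/etc/postfix/spam.cidr'."""
    rows = {}
    for ip in ips:
        net, reason = block_for(ip, allocations)
        rows[net] = reason
    return "\n".join(
        f"{net.with_prefixlen:<20} REJECT spam source ({rows[net]})"
        for net in sorted(rows, key=lambda n: (n.network_address, n.prefixlen))
    )


if __name__ == "__main__":
    allocs = parse_allocations(SAMPLE_RECORDS)
    seen = ["64.21.87.136", "64.21.87.141", "70.97.119.58", "216.150.5.10", "96.9.145.230"]
    print(postfix_cidr_table(seen, allocs))
```

Run stand-alone it prints one row per block: the two 64.21.87.x hosts collapse into the SWIP'd /26, the Syptec host becomes a /24 because its only record is a /23, and the Peer 1 host also becomes a /24 because the /19 says nothing about who holds which part. Feed the output to postmap with the cidr type (or reference it directly as cidr:) and reload Postfix.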
participants (4)
- John Peach
- Michael Peddemors
- Rich Kulawiec
- Suresh Ramasubramanian