Attn MCI/UUNet - Massive abuse from your network

(apologies to NANOG for only quasi-operational content of this message - I only post this here due to the fact that I am sure it is a problem on many of your networks)

Attention UUNet,

Regarding your continued unabated spam support, when do you plan to address the *189* issues outlined in the Spamhaus SBL (http://www.spamhaus.org/sbl/listings.lasso -> ISPs in the United States -> MCI.com )? Here's part of your AUP:

Email:
Sending unsolicited mail messages, including, without limitation, commercial advertising and informational announcements, is explicitly prohibited. A user shall not use another site's mail server to relay mail without the express permission of the site.

What does your ethics department say about your blatant disregard for the internet in general and your complete and willful ignorance of your stated policies and procedures? Does UUNet *ever* plan on enforcing this AUP?

I can't help but notice that several of these spammers are career hard-line operations- including Eddy Marin, G-Force Marketing, and Atriks to name a few. Are these customers operating under some form of undisclosed "Special Customer Agreement" ( http://global.mci.com/publications/service_guide/s_c_a/)? If so, how much do they pay for their pink contract?

At this point I am just curious what the answers to these questions are. I have not (yet) widely blocklisted uunet, but if things don't change I fear such a measure may be the only way to stop the abuse spewing from your networks. Seeing such a large (and once-respected) network go as completely black-hat rogue as UUNet has is a sad thing.

Any reply at all would be most welcome.

~Ben

(apologies to NANOG for only quasi-operational content of this message - I
only post this here due to the fact that I am sure it is a problem on many
of your networks)

curious, why did you not send this to the abuse@ alias? Did you include
any logs or other relevant data about the problems you are reporting?

curious, why did you not send this to the abuse@ alias?

I wanted it to get read.

Did you include
any logs or other relevant data about the problems you are reporting?

These problems are systemic and internet-wide. I can likely drudge up a great many examples if someone from UUNet can assure me they will be read and acted on.

~Ben

curious, why did you not send this to the abuse@ alias?

I wanted it to get read.

you have just certified yourself as an idiot

<plonk!>

the ethics office doesn't need to see your complaints, they don't really
deal with these anyway.

>curious, why did you not send this to the abuse@ alias?

I wanted it to get read.

messages to abuse@ do in fact get read...

> Did you include
>any logs or other relevant data about the problems you are reporting?

These problems are systemic and internet-wide. I can likely drudge up a
great many examples if someone from UUNet can assure me they will be read
and acted on.

the best way to get abuse complaints handled is to in fact send them to the
abuse@ alias (or wherever arin/ripe/apnic records point if that is
somewhere other than abuse@) complaints in public forums generally just
make you look kooky.

please back to network operations discussions, thanks.

Randy Bush wrote:

curious, why did you not send this to the abuse@ alias?

I wanted it to get read.
you have just certified yourself as an idiot

<plonk!>

One down, only ~6 billion to go. I sure hope we don't have to list them one by one.

Pete

I am beginning to think there need to be two types of abuse reports.

One from individuals to their providers -- of the ilk: "This guy is spamming me!!". You have to accept these from your customers because they could be about you or someone else that you have the responsibility of forwarding on. This is the controversial part of the proposal: You do not need to accept these from non-customers.

This is the improvement part:

Another of the ilk from abuse desks (and certain individuals who have high enough clue factor) that is in an automatically parseable format. Maybe like a radb type format. It would be fairly trivial to handle the parsing. In the event of an attack [on your abuse desk], you can say no more than 1000 per day/hr from the same source --- this keeps your abuse desk from getting flooded. Known talkers can be exempted from rate limits. You have to accept a properly formatted one of these from everyone unless they are flooding you.

Obvious here is that if someone isn't going to respond to an abuse item, it doesn't matter what form you send it -- If you are Spamhaus or some other organization and you are going to blackhole them in their lack of response, you of course can still do this. The idea here is that guys who are responsive don't need to read 800 complaints about the same matter that they are already handling and responsible complainers

The idea is that this type of approach, if adopted, will streamline abuse desks and allow them to have predictable manpower hours needed to resolve x number of complaints because you will not have to deal with one abuse item more than the once or twice needed. You will also not need personnel to categorize incoming messages as [spam to your abuse desk, spam complaints to your abuse desk that are valid, spam complaints to your abuse desk about someone else].

Flames in private mail please. What am I missing on this busy Monday afternoon?

Thanks,

DJ
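The intake DJ proposes above (a machine-parseable, RADB-style report format, a per-source rate limit with exemptions for known talkers, and not having to read 800 complaints about the same matter) sketched as a toy in Python. This is an added example, not anything from the thread or from any provider's abuse desk; the key names, the 1000/hour default, the example reporters and the 192.0.2.0/24 addresses are assumptions and constructed sample data.

```python
"""Toy intake for machine-parseable abuse reports (added example, constructed).
Keys follow an RPSL/RADB-style "key: value" layout; the key names and the
defaults are assumptions, not a published format."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

REQUIRED = ("reporter", "source-ip", "category", "first-seen", "evidence")


@dataclass
class Report:
    reporter: str
    source_ip: str
    category: str
    first_seen: datetime
    evidence: str


def parse_report(text: str) -> Report:
    """Parse one report; raise ValueError for anything the desk should not touch by hand."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Require a literal address: the desk should not have to resolve (and trust)
    # a hostname supplied by the complainant.
    ipaddress.ip_address(fields["source-ip"])
    first_seen = datetime.fromisoformat(fields["first-seen"])
    if first_seen.tzinfo is None:
        raise ValueError("first-seen must carry a UTC offset")
    return Report(fields["reporter"], fields["source-ip"], fields["category"],
                  first_seen, fields["evidence"])


class AbuseIntake:
    """Per-reporter sliding-window rate limit plus one ticket per (source, category)."""

    def __init__(self, limit_per_hour: int = 1000, exempt=()):
        self.limit = limit_per_hour
        self.exempt = set(exempt)           # the "known talkers" DJ would exempt
        self.arrivals = defaultdict(deque)  # reporter -> submission times in the last hour
        self.tickets = {}                   # (source_ip, category) -> ticket id
        self.duplicates = defaultdict(int)  # ticket id -> extra complaints folded into it
        self._next_ticket = 1

    def submit(self, text: str, now: datetime):
        """Return ("ticket", id), ("dup", id), ("rate-limited", None) or ("rejected", why)."""
        try:
            report = parse_report(text)
        except ValueError as err:
            return ("rejected", str(err))
        # A real desk would key the limit on a verified identity (signature,
        # connecting address), never on the self-asserted reporter field used here.
        if report.reporter not in self.exempt:
            window = self.arrivals[report.reporter]
            while window and now - window[0] >= timedelta(hours=1):
                window.popleft()
            if len(window) >= self.limit:
                return ("rate-limited", None)
            window.append(now)
        key = (report.source_ip, report.category)
        if key in self.tickets:
            ticket = self.tickets[key]
            self.duplicates[ticket] += 1    # same matter, already being handled
            return ("dup", ticket)
        ticket = self._next_ticket
        self._next_ticket += 1
        self.tickets[key] = ticket
        return ("ticket", ticket)


TEMPLATE = """\
# constructed sample report
reporter:   {reporter}
source-ip:  {ip}
category:   {category}
first-seen: 2004-06-21T18:55:20-04:00
evidence:   Received: from [{ip}] by mx.example.net; 21 Jun 2004 18:55:20 -0400 (constructed)
"""

NOW = datetime(2004, 6, 21, 23, 0, tzinfo=timezone.utc)  # constructed clock


def make_report(reporter: str, ip: str, category: str = "open-proxy-spam") -> str:
    return TEMPLATE.format(reporter=reporter, ip=ip, category=category)


def demo():
    """Walk the intake through the cases DJ describes; returns the outcome list."""
    desk = AbuseIntake(limit_per_hour=2, exempt={"liaison@example.org"})
    return [
        desk.submit(make_report("abuse@example.net", "192.0.2.45"), NOW),   # new ticket
        desk.submit(make_report("user@example.com", "192.0.2.45"), NOW),    # same matter -> dup
        desk.submit(make_report("abuse@example.net", "192.0.2.46"), NOW),   # second in window
        desk.submit(make_report("abuse@example.net", "192.0.2.47"), NOW),   # third -> limited
        desk.submit(make_report("abuse@example.net", "192.0.2.47"), NOW + timedelta(hours=1)),
        desk.submit(make_report("liaison@example.org", "192.0.2.48"), NOW), # exempt talker
        desk.submit(make_report("abuse@example.net", "mail.example.net"), NOW),  # hostname
    ]
```

Running `demo()` yields one ticket, one duplicate folded into it, a second ticket, a rate-limited submission, a fresh ticket an hour later once the window has slid, an unlimited ticket from the exempt reporter, and a rejection for the hostname report. The rejection path is the point of the strict parser: anything that fails validation never reaches a human, which is the manpower saving DJ is after.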

I think you're speaking of INCH.

http://www.ietf.org/html.charters/inch-charter.html

  the ability to hand reports back and forth btw providers
like this is something that could be really cool..

  - Jared

the ethics office doesn't need to see your complaints, they don't really
deal with these anyway.

I am quite sure that the ethics department does not deal with spam complaints. My complaint is that your stated policy is clearly not being followed. MCI is currently the Number 1 spam source on many lists- certainly, your overall size skews that figure somewhat, but the listings I see (on the SBL anyway, I do not have the many hours needed to read all the documentation SPEWS has to offer) have reports that are at least 6 months old and are still alive...

As an example, I see a posting that says emailtools.com was alive on 206.67.63.41 in 2000. They aren't there any more... But now:

[me@host]$ telnet mail.emailtools.com 25
Trying 65.210.168.34...
Connected to mail.emailtools.com.
Escape character is '^]'.
220 mail.emailtools.com ESMTP Merak 5.1.5; Mon, 21 Jun 2004 18:55:20 -0400
quit
221 2.0.0 mail.emailtools.com closing connection
Connection closed by foreign host.
[me@host]$ whois `dnsip mail.emailtools.com`
UUNET Technologies, Inc. UUNET65 (NET-65-192-0-0-1)
                                   65.192.0.0 - 65.223.255.255
MTI SOFTWARE UU-65-210-168-32-D9 (NET-65-210-168-32-1)
                                   65.210.168.32 - 65.210.168.39

I can furnish as many examples as needed of cases where UUNet has demonstrably ignored complaints. Alternately, you could go ask any major anti-spam community(NANAE for example) or entity (SpamCop, etc) how they feel your abuse@ response has been. If this sounds like a pain, I will gladly collect such stories and send them to whoever there can effect changes in these policies.

> >curious, why did you not send this to the abuse@ alias?
>
> I wanted it to get read.

messages to abuse@ do in fact get read...

Allow me to rephrase- I wanted it to be read and hoped someone would act on complaints. I have no doubt MCI is serious about stopping DDOS and other abusive traffic of that ilk- when it comes to proxy hijacking and spamming, though, abuse@ turns a blind eye. What other conclusion can I draw from the 200ish SBL entries under MCI's name? Why else would emailtools.com(for example) still be around despite their wholesale raping of misconfigured proxies?

All I want is a couple of straight-up answers. Why do complaints to uunet go unanswered and the abusers remain connected if, in fact, the complaints are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as of today? To whom does the anti-spam community turn when it becomes obvious a tier-1 provider is ignoring complaints?

If I am a kook and an idiot for wanting a cleaner internet, well then I guess I am a kook and an idiot.

~Ben

For my own amusing experience with this spam enabler, see

<http://www.camblab.com/nugget/spam_03.pdf>

You will find the answer to your questions

Jeffrey Race

Messages are read and ignored. I went through the complete process all the way up
to the staff attorney in charge of this matter. The firm ran then (see article cited in
previous post) on the Environmental Polluter business model (externalize the costs,
internalize the revenue) and clearly still does. It is a policy decision of senior management.
This is why they are always high up in the list of internet scum enablers.

Ben, that is your answer. Wish I had better news for you. It will go on this way until
the management persons responsible for this continuing fraud upon us are led away
in handcuffs just as were those members of this firm who were responsible for the
(similar) financial frauds.

Chris, if a massively insecure network by management choice is not an operational
issue for the victims, what is?

Jeffrey Race

Not so long ago I took a long look at the SBL for MCI and I came to
the conclusion that the data is mostly out of date and therefore
inaccurate. The folks at the SBL posting in NANAE said this may be the
case, but its up to the MCI folks to clean up the SBL database.

MCI does not want to "legitimize" blacklists by helping clean up their own records.

Any company or network that is afraid of accountability obviously must have its reasons. I am sure they have seen the many many times some provider has said "We removed Spammer A" and the antispam community has responded with "Great, how about spammers B through Z?". That's a question they don't and won't answer beyond the token "Email to abuse@ does get read". Maybe it does- I am not MCI, so I don't know. Regardless of whether the mail does get read, the spammers remain connected. Why? One can only come to the conclusion that it is either due to technical ineptitude or protection of their revenue stream. Likewise, they have no doubt noticed that providers that lie about canning spammers are quickly outed, and their blocklist listings (and no doubt private firewall rules, which are much harder to escape) tend to expand greatly. So, MCI has (correctly) identified that their options are A) clean up their network B) try to lie or C) do nothing. Given that A involves loss of revenue and a (short term) increase in labor and B will cause them even more problems, C is their obvious recourse.

>As an example, I see a posting that says emailtools.com was alive on
>206.67.63.41 in 2000. They aren't there any more... But now:

Emailtools.com aren't spammers, but they sell spamware. That subtle
difference is enough to keep them on the MCI network.

This may be true, but Atriks is still there, and they are one of the most technically malicious spammers in the game today. Spam support is spam support, whether you are hosting the website, DNS, proxy mining operation, or a drop-box. Any provider that is OK with hosting software that does this:

"Email Marketing 98 is our high-end email marketing tool. It is one of the best extractors on the market while remaining price competitive. At the push of a button, Email Marketing 98 will retrieve Email addresses of all the posters on an Internet news group or a series of groups. Then it will send your Email message to any or all of those addresses."

may as well be sending the spam themselves, IMO.

If you want rid
of sites like this that are based in Florida, then you best get
Florida to change their laws.

Wouldn't *that* be lovely.

>the ethics office doesn't need to see your complaints, they don't really
>deal with these anyway.

I am quite sure that the ethics department does not deal with spam
complaints. My complaint is that your stated policy is clearly not being
followed. MCI is currently the Number 1 spam source on many lists-
certainly, your overall size skews that figure somewhat, but the listings I
see (on the SBL anyway, I do not have the many hours needed to read all the
documentation SPEWS has to offer) have reports that are at least 6 months
old and are still alive...

The SBL lists quite a few /32 entries, while this is nice for blocking
spam if you choose to use their RBL service I'm not sure it's a good
measure of 'spamhaus size'. I'm not sure I know of a way to take this
measurement, but given size and number of IPs that terminate inside AS701
there certainly are scope issues.

All that said, I'm certainly not saying "spam is good", I also believe
that over the last 4.5 years uunet's abuse group has done quite a few good
things with respect to the main spammers.

As an example, I see a posting that says emailtools.com was alive on
206.67.63.41 in 2000. They aren't there any more... But now:

[me@host]$ telnet mail.emailtools.com 25
Trying 65.210.168.34...
Connected to mail.emailtools.com.
Escape character is '^]'.

Sure, customer of a customer we got emailtools.com kicked from their
original 'home' now they've moved off (probably several times since 2000)
to another customer. This happens to every ISP, each time they appear we
start the process to disconnect them. I'm checking on the current status
of their current home to see why we have either: 1) not gotten complaints
about them, 2) have not made progress kicking them again.

>
> > >curious, why did you not send this to the abuse@ alias?
> >
> > I wanted it to get read.
>
>messages to abuse@ do in fact get read...

Allow me to rephrase- I wanted it to be read and hoped someone would act on
complaints. I have no doubt MCI is serious about stopping DDOS and other
abusive traffic of that ilk- when it comes to proxy hijacking and spamming,
though, abuse@ turns a blind eye. What other conclusion can I draw from the

This is not true, the action might not happen in the time you'd like, but
there are actions being taken. I'd be the first to admit that the
timelines are lengthy :( but part of that is the large company process,
getting all the proper people to realize that this abuse is bad and the
offenders need to be dealt with.

200ish SBL entries under MCI's name? Why else would emailtools.com(for
example) still be around despite their wholesale raping of misconfigured
proxies?

emailtools will be around in one form or another, all the owner must do is
purchase 9$ virtual-hosting from some other poor ISP out there who needs
the money... they may not even know who emailtools is, if that ISP is a
uunet/mci customer then we'll have to deal with them as well, just like
their current home. you must realize you can't just snap your fingers and
make these things go away.

All I want is a couple of straight-up answers. Why do complaints to uunet
go unanswered and the abusers remain connected if, in fact, the complaints

I believe you do get an answer, if not the auto-acks are off still from a
previous mail flood ;( Please let me know if you are NOT getting ticket
numbers back. They might be connected still if there were:
1) not enough info in the complaints to take action on them
2) not enough complaints to terminate the account, but working with the
downstream to get the problem resolved
3) action is awaiting proper approvals.

There might be a few more steps things could be in, but in general all
complaints that have proper/actionable info are dealt with.

are read? Why has MCI gone from 111 SBL listings as of January 1 to 190 as

I think the answer is shifting winds in spammer homelands, I'll look
through the list and see if we know about the problem children in the list
and what we are doing about them.

If I am a kook and an idiot for wanting a cleaner internet, well then I
guess I am a kook and an idiot.

not for that, just for taking this up in the wrong place... but people
call me kooky too, so maybe I'm just skewed.

I answered ben already (a few minutes ago) but I'll answer you as well. I
said I'd look into the listings and see what's known or being done about
them.

This is too flagrant to let pass without comment.

This "endless loop" situation does NOT happen to every ISP, only to those who
have not emplaced procedures to prevent serial signups of serial abusers. This is
trivially easy to do and your firm's failure to do so and to enforce this rule on your
contracting parties definitively proves your management's decision to profit from
spam rather than to stop spam.

Jeffrey Race

not specifically in response to jeffrey, but may i suggest we &>
/dev/{nanae,null} ?

paul

Dr. Jeffrey Race wrote:

This "endless loop" situation does NOT happen to every ISP, only to those who
have not emplaced procedures to prevent serial signups of serial abusers. This is trivially easy to do and your firm's failure to do so and to enforce this rule on your
contracting parties definitively proves your management's decision to profit from
spam rather than to stop spam.

I don't think "trivially easy" is the right word in this case. If this were someone doing hit and run dialup directly on UUnet I might agree. But here he's talking about a customer of a customer. How do you retroactively modify your contract to tell all your existing clients "don't do business with company X" or we'll terminate you (actually, such a contract term would probably run afoul of antitrust regs esp. for an entity as large as AS701).

In general, policing the customer of a customer is not an easy thing. We were once sued by the French organization for the preservation of the name "Champagne". One of our clients was apparently hosting a domain for one of their clients named "champ-pagne.com" which was selling bottled water for dogs(!). But by the time we were served with the papers, the DNS had been moved away from our client. We had to go to court just to find out just why they were suing us to begin with since the paperwork didn't explicitly mention our client by name or IP.

>Sure, customer of a customer we got emailtools.com kicked from their
>original 'home' now they've moved off (probably several times since 2000)
>to another customer. This happens to every ISP, each time they appear we
>start the process to disconnect them.

This is too flagrant to let pass without comment.

This "endless loop" situation does NOT happen to every ISP, only to those who
have not emplaced procedures to prevent serial signups of serial
abusers. This is

Sorry, you mistook my statement, or I mis-spoke it such that you would
misunderstand it :( So, the point I was trying to make I'll try again with
an example: (situation not made up, parties made up)

1) spammer#12 signs up as a webhosting customer of Exodus who is a
customer of As701
2) 701 gets complaints, notifies good customer Exodus who terms the
spammer's website/box/blah
3) spammer#12 signs up with next 50$/month hosting site Abovenet off 1239
4) 1239 gets complaints notifies the good customer abovenet who terms the
customer.
.
.
.
12) spammer#12 signs up with webhosting group rackspace who is a 701
customer
13) return to step 2

This process happens repeatedly, spammers know they can get about a month
of time (or more, depending on upstreams and hosting providers in
question) of life, either way it's just 50 bucks.... At all times, they
are not customers of 1239, 701, whomever... they are a customer of a
customer. So, 701 or 1239 never know who the downstream is, in the
particular case of emailtools.com this is the case... Or, that's what
seems to have happened since they were a customer of some NYC based
customer 4 years ago, and are now a customer of some TPA based customer
now.

trivially easy to do and your firm's failure to do so and to enforce
this rule on your
contracting parties definitively proves your management's decision to
profit from
spam rather than to stop spam.

I'd also point out something that any provider will tell you: "Spammers
never pay their bills." This is, in fact (for you nanae watchers), the
reason that most of them get canceled by us FASTER... Sadly, non-payment
is often a quicker and easier method to term a customer than 'abuse', less
checks since there is no 'perceived revenue' :(

-Chris

Chris why do you give me such easy ones? :)

This situation has been known for years and it is I repeat trivially easy to solve.

1-There are relatively small numbers of serious spammers and of ISPs.
2-In your contract you require all your customers to know the true identities of
  their customers (if juridical entities, their officers and directors) and to impose
  this requirement on every subcontract. ISP violators will be terminated immediately.
3-The end-user contract must state that spamming is forbidden; there are
  penalties for infraction, notionally $500 for the first offense, $5,000 for
  the next, $50,000 for the third, AT WHATEVER CARRIER IN THE SYSTEMWIDE
  DATABASE. The end-user must provide a validated credit card. Customer agrees
  that violation will result in immediate termination with prejudice which
  will be logged in a system-wide shared database.
4-No applicant can be accepted without first checking this database and ROKSO.

Violation of such a contract is not just a civil matter resulting in penalties (charged
against the credit card which affects the applicant's credit history). It is also the
criminal offense of "fraud in the inducement" because the perp signed the
agreement with the prior intention to violate it.

Therefore when your downstream terminates a perp, they enter him (by real name)
in the system-wide database, collect the penalty, and file a police report and have
him criminally prosecuted. If they refuse, you terminate the downstream.

Poof! MCI spam problem goes away in 30 days.

I went through all this with your counsel Neil Patel. Your company refused to
do anything, because it wanted to continue to profit from spam. The adventure
continues.

Chris--nothing personal. It's just business. These are the facts. Lots of
companies have procedures like this in place which is why they don't have
spam problems.

Jeffrey Race

How do you
retroactively modify your contract to tell all your existing clients
"don't do business with company X" or we'll terminate you

It is ALREADY in the contracts and TOS. Just has to be enforced.

(actually, such a contract term would probably run afoul of antitrust regs esp. for
an entity as large as AS701).

Not at all. You can terminate for actions prejudicial to the safety and security
of the system. Has nothing to do with anti-trust.

In general, policing the customer of a customer is not an easy thing.

Well it is an OBLIGATION so easy or hard (and lots of things in life are hard)
it has to be done.