For the last two days, between approximately 7pm to 2am Eastern time, a
spammer hijacked a piece of our address space, presumably by announcing
some size of aggregate containing the IP address 204.106.93.155. During the time that the spammer had connectivity using this bogus
announcement, they originated many spam messages for a porn website.
Possibly, they also provided connectivity for the porn website during that
time. And they probably also announced various other netblocks which you
may be able to deduce by studying the emails posted to nanas here
<http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=1032174896.54.4116%40verence.demon.co.uk&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3D1032174896.54.4116%40verence.demon.co.uk>
If anyone has some idle time this evening, and you happen to successfully
traceroute to 204.106.93.155 then I would appreciate seeing a copy of that
traceroute as well as a BGP dump with all of the routes announced by the
AS containing this netblock.
At the current time we are not announcing the netblock containing this
address but even if we were, the address is currently unassigned, i.e. a
portscan would show it not in use, and therefore the hijacker could still
successfully announce a longer prefix than us to use our address space.
If you are not filtering your inbound BGP sessions, then this spammer
could be your customer. Or maybe this spammer is abusing the hospitality
of your local Internet exchange.
I was originally alerted to this spam by a half dozen messages from
spamcop and I've asked the spamcop folks to collect a traceroute as soon
as they identify the spam so that we have a better chance of tracking down
the rogue ISP/XP (or sloppy ISP/XP) that is letting these spammer announce
bogus routes.