MFN/AboveNet blocking pac-rim.net/spamshield.org MX

Coming back from my vacation, I had to discover that some losers
(who, no doubt, had something to lose as far as their hijacked IP space
is concerned) have attempted to DoS the MX for pac-rim.net/spamshield.org
by sending a few 100,000 spams with randomized @pac-rim.net return
addresses around June 25/26th, and us seeing 10,000's of bounces
generated by misbehaving mail hosts that bounce to MAIL FROM: addresses
sometime after their mail back-end decides that the recipients don't
exist (nice AOL-style abuse amplifier, just un-AOL-like unthrottled).

At the same time, MFN/Above.net seems to have null0'd 208.241.101.2 (in
response to that? we have yet to see a SINGLE complaint/forwarded copy),
thus denying transit of all their non-multihomed downstreams (or those
that transit through them to the UUnet /10 aggregate this IP lives in)
to our MXs, as well as the SpamShield.org website and the private
SpamShield DNSBL zone origin host.

While we have to suffer constantly under attempts of unlawful trespass
originating from MFN/Above.net's customers, with never a peep of a follow-up
after the auto-reply coming back from abuse@above.net (and in quite a few
cases with such trespass continuing unabated) we've never bothered
to null0 more than a surrounding /22 around for such abuse for more than a
brief amount of time (1-3 days max). Whoever is wielding 'enable' power at
MFN/AboveNet may want to re-think what abuse actually is - and may
want to consult with his boss at this time whether it was appropriate to
block a DoS victim's MX without contacting same beforehand.

Meanwhile it seems that it took Above.net a LOT longer to null0 hijacked
IP space (like: a couple weeks) announced from customer AS 26891 than it
took them to null0 a /32 they seemed to perceive as a threat that isn't
paying them:

# routes (20030515):
# 199.120.163.0/24 from AS: 26891 (upstreams: 6461),
# 199.120.164.0/24 from AS: 26891 (upstreams: 6461),
# 199.166.200.0/22 from AS: 26891 (upstreams: 6461),
# 199.201.151.0/24 from AS: 26891 (upstreams: 6461),
# 199.201.152.0/24 from AS: 26891 (upstreams: 6461),
# 204.19.162.0/24 from AS: 26891 (upstreams: 6461 23352),
(all gone now)

Waiting for AboveNet/MFN's mail on this - and no, renumbering the host
to another IP number would be too annoying.

bye, Kai

> Coming back from my vacation, I had to discover that some losers
> (who, no doubt, had something to lose as far as their hijacked IP space
> is concerned) have attempted to DoS the MX for pac-rim.net/spamshield.org
> by sending a few 100,000 spams with randomized @pac-rim.net return
> addresses around June 25/26th, and us seeing 10,000's of bounces
> generated by misbehaving mail hosts that bounce to MAIL FROM: addresses
> sometime after their mail back-end decides that the recipients don't
> exist (nice AOL-style abuse amplifier, just un-AOL-like unthrottled).

I got hit by this same joe-job MO last week:

http://mrtg.snark.net/spam/

Randomized return addresses @snark.net; relayed through all sorts of
open proxies and relays. I have a couple thousand bounces, if anyone's
interested in analyzing the headers further.

It looks like someone's playing games with the folks on NANOG that
actually care about mail abuse.

We're losing the battle, aren't we?

matto

--mghali@snark.net------------------------------------------<darwin><
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include <disclaim.h>

> We're losing the battle, aren't we?

no. a battle was held, but we didn't even show up. now the world is different.

Paul Vixie wrote:

> no. a battle was held, but we didn't even show up. now the world is different.

And a war isn't over until one side surrenders or is eradicated.

-Jack