Open relays and open proxies

#Date: Fri, 25 Apr 2003 10:39:11 -0500
#From: Jack Bates <jbates@brightok.net>
#Subject: Re: Open relays and open proxies
#In-reply-to: <1459D594-7731-11D7-BA1C-00039312C852@isc.org>
#Message-id: <3EA9569F.6010400@brightok.net>

[snip]

#Yet how many spams are sent out advertising pr0n and the websites never
#cancelled? How many get rich schemes? The last I checked,
#no-more-viruses.com was still at it and wasting my time by sending their
#filth to every role account I have.

And of course, no-more-viruses.com is a perfect example of a domain whose
web site obtains transit from that fabulous far eastern "bulletproof ASN",
AS9929. For context, AS9929 also has provided transit for hosts from a few
other domains you may recognize, such as:

-- antiagingway.com
-- bannedcd.org
-- bargin-inetwork.com
-- bestemailoffers.com
-- domainsforeveryone.com
-- easyvling.com
-- eclipseway.com
-- edrugsale.com
-- edrugshop.net
-- emailoffer.us
-- fastcasinobuilder.com
-- genvia4u.com
-- grantgiveawayprogram.com
-- interactivepoker.net
-- kokiya.com
-- kososo.com
-- lovingtouches.org
-- lowratemortgages.info
-- lzzemu.com
-- mnjmtech.us
-- my-vling.com
-- n0hastlem0rtgage.com
-- pharmsafe.net
-- prescription4you.com
-- real-sales.net
-- removethisemail.com
-- reserveadot.com
-- romna.com
-- rxmedsovernight.com
-- snbm-online.com
-- sys-630.com
-- twofy.com
-- vlingbuy.com
-- xeemo.com
-- yomsa.com
-- yourplace.com.br
-- yourvling.com
-- zizikey.com
-- 9top9.com

Based on what I'm seeing from route-views.oregon-ix.net, AS9929 appears to
be (primarily) a customer of AS1239 and AS3561.

If you are unhappy with AS9929's support role for spammers, you *could*
try contacting AS9929 directly (but I wouldn't bother wasting my breath).

I believe that to make progress on the let's-go-after-their-web-hosting
approach, you'll need to convince AS9929's upstreams, Sprint and Cable and
Wireless, to pull the plug (which they probably won't do) or at least
convince them to enforce an acceptable use policy on their customers (which
they can only do if they're willing to pull the plug for non-compliance,
which I don't believe they're willing to do in this case).

But hey, I'd love to be proven wrong.

Regards,

Joe

And of course, no-more-viruses.com is a perfect example of a domain
whose web site obtains transit from that fabulous far eastern
"bulletproof ASN", AS9929. For context, AS9929 also has provided
transit for hosts from a few other domains you may recognize

{SNIP!}

I believe that to make progress on the let's-go-after-their-web-hosting
approach, you'll need to convince AS9929's upstreams, Sprint and Cable
and Wireless, to pull the plug (which they probably won't do) or at least
convince them to enforce an acceptable use policy on their customers
(which they can only do if they're willing to pull the plug for
non-compliance, which I don't believe they're willing to do in this case).

According to the CIDR report there are rather more than two upstreams.
Apart from Sprint and Cable and Wireless, they include ...

    AS1 GNTY-1 Genuity
    AS2516 KDDI KDDI CORPORATION
    AS3549 GBLX Global Crossing
    AS3356 LEVEL3 Level 3 Communications, LLC
    AS701 ALTERNET-AS UUNET Technologies, Inc.

But hey, I'd love to be proven wrong.

I'd love to be able to do that. But I can get to halfway, as I believe
those comments are no longer valid where Sprint is concerned. They may
have been based on Sprint's historic notoriety, but Sprint has seen major
changes in th last year.

When I was recently investigating the hijacked /16s, for each case that
we identified that was being announced over Sprint, those announcements
were filtered by Sprint within *ten minutes* of my initial phone call.

That does _not_ sound anything like an abuse-tolerant network to me.

As far as Cable and Wireless are concerned, it would be difficult for
them to complain of abuse tolerance by a downstream while their own
hosting company, Exodus, is considered unresponsive on abuse matters.

If they did it would no doubt be a case of "Pot, Kettle, Black Hat"!