OT: Interesting email I received

Geez... Can they paint a bigger target on themselves?

Has anyone else gotten this?

-dan

don't jump to conclusions; it might be a joe-job. wait-and-see is indicated.

richard

Tracing the route to NATIONAL-ISP.ORG (65.114.61.35)
[...]
15 atl-edge-14.inet.qwest.net (205.171.21.182) [AS 209] 132 msec 100 msec 144 msec
16 208.47.124.58 [AS 209] 388 msec 852 msec 608 msec
17 NATIONAL-ISP.ORG (65.114.61.35) [AS 209] 524 msec 584 msec 268 msec

Well, qwest *is* bulk-friendly...

-Dan

now, now, qwest is improving. their abuse staff is making a serious effort,
and cleaning up spam messes always takes time.

richard

> National ISP Co. is a business class bulk email friendly ISP.
Tracing the route to NATIONAL-ISP.ORG (65.114.61.35)
[...]
15 atl-edge-14.inet.qwest.net (205.171.21.182) [AS 209] 132 msec 100 msec 144 msec
16 208.47.124.58 [AS 209] 388 msec 852 msec 608 msec
17 NATIONAL-ISP.ORG (65.114.61.35) [AS 209] 524 msec 584 msec 268 msec

Well, qwest *is* bulk-friendly...

We've been tracking spam closely as the geeks in the back room are
homebrewing 'SpamShredder'.. and Andrew (the head anti-spam programmer)
told me today that just over 50% of what we are seeing is coming from
Qwest-controlled IPs, mostly low-end resell dial-ups.

Oh they're definitely off of qwest:

Registrant:
CnS Systems, Inc. (NATIONALISP11-DOM)
   4304 Hunter Oaks Dr.
   High Point, NC 27265
   US

   Domain Name: NATIONAL-ISP.ORG

   Administrative Contact, Billing Contact:
      CnS Systems, Inc. (UOLABCFHYO) ecotton@cnssystems.com
      CnS Systems, Inc.
      4304 Hunter Oaks Dr.
      High Point, NC 27265
      US
      3368698508
   Technical Contact:
      VeriSign, Inc. (HOST-ORG) namehost@WORLDNIC.NET
      VeriSign, Inc.
      21355 Ridgetop Circle
      Dulles, VA 20166
      US
      1-888-642-9675 fax:

   Record last updated on 03-Jan-2002.
   Record expires on 20-Dec-2003.
   Record created on 20-Dec-2001.
   Database last updated on 1-Feb-2002 01:31:00 EST.

   Domain servers in listed order:

   DCA-ANS-01.INET.QWEST.NET 205.171.9.242
   SVL-ANS-01.INET.QWEST.NET 205.171.14.195

Now will qwest "do the right thing" seeing as how blatant this is?

-dan

Did you, uh.. *cough*... look at their web page?

-Dan

no, but i'll take your word for it and withdraw my comment.

time to add some IP addresses to the list.

richard

time to add some IP addresses to the list.

Qwest Communications (NETBLK-NET-QWEST-BLKS-4) NET-QWEST-BLKS-4
                                                    65.112.0.0 - 65.121.255.255
CNS SYSTEMS INC (NETBLK-Q1130-65-114-61-32) Q1130-65-114-61-32
                                                    65.114.61.32 - 65.114.61.47

They're obviously a high profile Qwest customer, with their very own huge /28.

Bye bye 65.114.61.32/28. We'll all miss talking to you. I feel sorry for the soul that inherits the block, after this company has put it in access lists across our fine globe.

Looks like SPAMHAUS has 'em. RBL and MAPS have 'em too.

I just love it when all come together as a community ;-).

-dan

Given the latency on the last two hops, I'll bet this is a DSL line, or someone's
taken it upon themselves to render whatever circuit they have useless...

-C

* goemon@anime.net (Dan Hollis) [Fri 01 Feb 2002, 22:29 CET]:

Geez... Can they paint a bigger target on themselves?

don't jump to conclusions; it might be a joe-job. wait-and-see is indicated.

Did you, uh.. *cough*... look at their web page?

Just tried to; HTTP connections time out, traceroute ends in * * *.

Luckily it's been archived for posterity and still available here:

Quoting some text from there:

National ISP Company is a business class BULK EMAIL INTERNET SERVICE
PROVIDER, (ISP). Your high volume email ads are sent directly from
our servers to your recipients.

[..]

Our ONLY business is providing Internet Access for your email sending.

If it's a joe job, it's a particularly well-executed one, also defacing
the website and eradicating all traces of another company that legitly
used that IP space...

Regards,

  -- Niels.

Guess Qwest already yanked 'em. Yay!!!

-dan

traceroute to 65.114.61.35 (65.114.61.35), 30 hops max, 38 byte packets
1 host1.elmresources.com (208.253.213.1) 0.588 ms 0.558 ms 0.474 ms
2 958.Serial1-1.GW6.SCL1.ALTER.NET (157.130.213.173) 10.282 ms 9.652 ms 13.142 ms
3 168.at-5-0-0.XR4.SCL1.ALTER.NET (152.63.52.54) 9.691 ms 10.168 ms 9.997 ms
4 0.so-1-0-0.XL2.SCL1.ALTER.NET (152.63.55.97) 9.978 ms 10.341 ms 9.870 ms
5 0.so-6-0-0.XL2.SAC1.ALTER.NET (152.63.54.142) 15.447 ms 16.494 ms 15.253 ms
6 0.so-3-0-0.XR2.SAC1.ALTER.NET (152.63.54.2) 14.642 ms 15.195 ms 14.934 ms
7 184.ATM7-0.BR3.SAC1.ALTER.NET (152.63.50.197) 15.544 ms 14.990 ms 15.905 ms
8 sjo-brdr-04.inet.qwest.net (205.171.4.97) 28.136 ms 27.808 ms 27.985 ms
9 sjo-core-01.inet.qwest.net (205.171.22.118) 29.459 ms 28.163 ms 27.818 ms
10 sjo-core-02.inet.qwest.net (205.171.22.2) 28.376 ms 27.821 ms 28.014 ms
11 iah-core-01.inet.qwest.net (205.171.5.145) 68.262 ms 68.128 ms 68.277 ms
12 iah-core-02.inet.qwest.net (205.171.31.2) 68.851 ms 69.238 ms 69.663 ms
13 atl-core-02.inet.qwest.net (205.171.5.194) 101.938 ms 103.496 ms 101.837 ms
14 atl-edge-14.inet.qwest.net (205.171.21.182) 94.106 ms 93.772 ms 93.874 ms
15 * * *

This isn't too evil, is it?

add deny tcp from any to 65.114.61.32/28 out xmit xl0 tcpflags !syn

Wishful thinking, I'm afraid. =\
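
Added illustration, not part of any post in the thread and not the posters' code: a small model of which packets the ipfw rule quoted above ("deny tcp from any to 65.114.61.32/28 out xmit xl0 tcpflags !syn") would drop when a host in that /28 connects to a local mail server. The local address 192.0.2.25 and the packet trace are constructed, and the model assumes all traffic is TCP and leaves via xl0.

```python
import ipaddress
from dataclasses import dataclass

# Netblock taken from the rule and the whois output quoted in the thread.
BLOCK = ipaddress.ip_network("65.114.61.32/28")

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", as seen by the filtering host
    dst: str          # destination IP address
    flags: frozenset  # TCP flags set on the segment
    note: str

def rule_denies(p):
    """Model of: deny tcp from any to 65.114.61.32/28 out xmit xl0 tcpflags !syn
    Assumption: every packet is TCP and every outbound packet leaves via xl0."""
    return (p.direction == "out"
            and ipaddress.ip_address(p.dst) in BLOCK
            and "SYN" not in p.flags)

def verdicts(packets):
    return ["deny" if rule_denies(p) else "pass" for p in packets]

def pkt(direction, dst, flags, note):
    return Packet(direction, dst, frozenset(flags.split("|")), note)

LOCAL, REMOTE = "192.0.2.25", "65.114.61.35"  # LOCAL is a constructed address

# Constructed trace: a host in the block connects to a local mail server.
INBOUND_SESSION = [
    pkt("in",  LOCAL,  "SYN",     "client opens connection"),
    pkt("out", REMOTE, "SYN|ACK", "server answers handshake"),
    pkt("in",  LOCAL,  "ACK",     "handshake completes"),
    pkt("out", REMOTE, "PSH|ACK", "server sends SMTP banner"),
    pkt("out", REMOTE, "PSH|ACK", "banner retransmission"),
    pkt("out", REMOTE, "RST",     "server gives up"),
]
# Constructed controls: a locally initiated SYN, and a neighbour outside the /28.
CONTROLS = [
    pkt("out", REMOTE,         "SYN",     "local host connects out"),
    pkt("out", "65.114.61.48", "PSH|ACK", "first address past the block"),
]

if __name__ == "__main__":
    trace = INBOUND_SESSION + CONTROLS
    for p, v in zip(trace, verdicts(trace)):
        print(f"{v:4} {p.direction:3} {'|'.join(sorted(p.flags)):8} {p.note}")
```

In this model the handshake completes because the SYN|ACK still carries SYN, but every later segment toward the block is dropped, so the remote end holds an established connection that never receives data.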