Who Are The Good Guys?

  In the war against spam, it's getting harder to figure out who
  the good guys are. Last weekend, we had an incident where a server
  called pure.fiber.net was relaying thousands of spam messages off
  one of our mail servers. While we have filters in place to block
  the obvious spammers (cyberpromo and others), we don't learn about
  new ones until they cross the line (or we get them from Paul's
  site at http://www.vix.com/spam -- thanks Paul!).

  Unfortunately, fiber.net is a 9 to 5, Monday thru Friday operation
  with no weekend or evening NOC. This made things difficult for us
  at 2 am on a Saturday night trying to get their attention. Because
  fiber.net was not known as a spammer, we did not want to unilaterally
  block them off until we could talk to them when they opened on Monday
  morning, so we wrote some bash scripts and ran them against our mail
  queue every three minutes to kill messages with specific attributes
  relating to the spam.

  On Monday, we talked with their technical contact and he said that
  someone on their server must have been misbehaving, but that they
  would look into it. Today I reviewed my logs and not only did it not
  stop, but they started ANOTHER spam off our mail servers. When one
  of our engineers called them this afternoon, they said they were
  innocent because someone was using them as a relay -- nice try, but
  if they were a relay, we should not have seen any messages other
  than those destined for addresses on our network. Instead, we got
  the entire spam feed. They even went so far as to insert forged
  Received headers into the messages to try and throw us off.

  The spammers played us as chumps. Fine -- now I have filters in
  my backbone routers for 204.250.13/24 and 204.250.192/19, and mail
  filters for *.fiber.net just in case they manage to get another IP
  block. Grrrrr. The bottom line is that you can't tell the good guys
  from the bad guys anymore. There are ISPs that support spammers and
  then lie about it when they get caught. Even though I detest the
  fact that AGIS supports cyberpromo, at least they have the guts to
  tell it the way it is.

  As an aside, today we got a message in our marketing box asking
  "Do you support spammers?" -- unbelievable. The poster was looking
  for an ISP that would allow him to post 500 to 1000 spam messages
  each day. I sent him a form letter telling him "no" and outlining
  why spam is a Bad Idea(tm). It is obvious the spammers are getting
  much more aggressive and may even be compiling lists of spammer
  friendly ISPs. It's not just getting worse -- it's getting weird.

  Dave Stoddard
  US Net Incorporated
  301-572-5926
  dgs@us.net

<snip>

Indeed things are getting strange, look at this letter I got in my mailbox
this morning...

Were I you, I would forward such a threat to some appropriate authorities.

Geoff White writes:

And who might that be :}

Whoever will listen to you and has the authority to look into it :)

That's going to vary depending on where you are and who you know.

For ourselves, we stay on friendly terms with the local Secret Service
folks...

Geoff White writes:

Maybe in this case you were being sharked, but before we got everything
clamped down on our servers we saw a number of spammers who were
'multi-hopping' their UCE and including faking headers and sending false
HELO data.

The excerpt below from my archives shows them bouncing mail off our
server, to iea.com, and then to AOL. The real originator was at rmii.com,
but they attempted to put in some semi-fake headers before that.

I guess the moral of the story is "trust no one, and filter, filter,
filter..." Sad, but true.

Ed
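
The two checks argued for in this thread (a message with no recipient on our network has no business transiting our MTA, and a Received chain whose hops do not link up hints at inserted headers), written up as an added Python example that is not code from any poster; the hostnames, domains and messages are constructed placeholders.

```python
import re

# Constructed sample data, not taken from the thread. Each record holds the
# envelope recipients as our MTA saw them plus the Received headers in the
# order they appear in the message (newest hop first).
SAMPLE_MESSAGES = [
    {"id": "m1", "rcpt": ["alice@example.net"],
     "received": ["from relay.example.org by mx.example.net",
                  "from client.example.org by relay.example.org"]},
    {"id": "m2", "rcpt": ["bob@other.test", "carol@third.test"],
     "received": ["from relay.example.org by mx.example.net",
                  "from forged.example.com by bogus.invalid"]},
]

LOCAL_DOMAINS = {"example.net"}  # domains our MTA is authoritative for
RECV_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)")


def is_third_party_relay(msg, local_domains):
    """True when none of the envelope recipients belong to us: a message
    neither to us nor from us should not be passing through our MTA."""
    return not any(r.rsplit("@", 1)[-1].lower() in local_domains
                   for r in msg["rcpt"])


def received_chain_breaks(received):
    """Indexes where the 'from' host of one hop is not the 'by' host of the
    next older hop. A break suggests Received headers were inserted."""
    hops = [RECV_RE.search(h) for h in received]
    breaks = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        unparsable = newer is None or older is None
        if unparsable or newer.group(1).lower() != older.group(2).lower():
            breaks.append(i)
    return breaks


def flag_messages(messages, local_domains):
    """Return {message id: reasons} for queue entries worth investigating."""
    flagged = {}
    for msg in messages:
        reasons = []
        if is_third_party_relay(msg, local_domains):
            reasons.append("no local recipient (third-party relay)")
        if received_chain_breaks(msg["received"]):
            reasons.append("Received chain does not link up")
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged
```

Running `flag_messages(SAMPLE_MESSAGES, LOCAL_DOMAINS)` flags only m2, for both reasons; a real queue sweep would feed it the parsed envelope and headers of each queued message instead of the constructed records.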

Consider talking to their upstream providers. It can quickly draw their
focused attention.

Singapore Press Holdings (POST7-DOM)

Netblock controlled by:

Asia Pacific Network Information Center (APNIC2)
   Tokyo Central Post Office Box 351
   Tokyo
   100-91
   JAPAN

   Netname: APNIC-CIDR-BLK
   Netblock: 202.0.0.0 - 203.255.255.0
   Maintainer: AP

   Coordinator:
      Conrad, David Randolph (DC396) davidc@APNIC.NET
      +81-3-5500-0480 (FAX) +81-3-5500-0481

Or place a _concerned_ call to the FBI. Black helicopters aren't so bad
when they fly on your behalf.