Who Are The Good Guys?

In the war against spam, its getting harder to figure out who
  the good guys are. Last weekend, we had an incident where a server
  called pure.fiber.net was relaying thousands of spam messages off
  one of our mail servers. While we have filters in place to block
  the obvious spammers (cyberpromo and others), we don't learn about
  new ones until they cross the line (or we get them from Paul's
  site at http://www.vix.com/spam -- thanks Paul!).

  Unfortunately, fiber.net is a 9 to 5, Monday thru Friday operation
  with no weekend or evening NOC. This made things difficult for us
  at 2 am on a Saturday night trying to get their attention. Because
  fiber.net was not known as a spammer, we did not want to unilaterally
  block them off until we could talk to them when they opened on Monday
  morning, so we wrote some bash scripts and ran them against our mail
  queue every three minutes to kill messages with specific attributes
  relating to the spam.

  On Monday, we talked with their technical contact and he said that
  someone on their server must have been misbehaving, but that they
  would look into it. Today I reviewed my logs and not only did it not
  stop, but they started ANOTHER spam off our mail servers. When one
  of our engineers called them this afternoon, they said they were
  innocent because someone was using them as a relay -- nice try, but
  if they were a relay, we should not have seen any messages other
  than those destined for addresses on our network. Instead, we got
  the entire spam feed. They even went so far as to insert forged
  Received headers into the messages to try and throw us off.

  The spammers played us as chumps. Fine -- now I have filters in
  my backbone routers for 204.250.13/24 and 204.250.192/19, and mail
  filters for *.fiber.net just in case they manage to get another IP
  block. Grrrrr. The bottom line is that you cant tell the good guys
  from the bad guys anymore. There are ISPs that support spammers and
  then lie about it when they get caught. Even though I detest the
  fact that AGIS supports cyberpromo, at least they have the guts to
  tell it the way it is.

  As an aside, today we got a message in our marketing box asking
  "Do you support spammers?" -- unbelievable. The poster was looking
  for an ISP that would allow him to post 500 to 1000 spam messages
  each day. I sent him a form letter telling him "no" and outlining
  why spam is a Bad Idea(tm). It is obvious the spammers are getting
  much more aggresive and may even be compiling lists of spammer
  friendly ISPs. Its not just getting worse -- its getting weird.

  Dave Stoddard
  US Net Incorporated


Indeed things are getting strange, look at this letter I got in my mailbox
this morning...

Were I you, I would forward such a threat to some appropriate authorities.

Geoff White writes:

And who might that be :}

Whoever will listen to you and has the authority to look into it :slight_smile:

That's going to vary depending on where you are and who you know.

For ourselves, we stay on friendly terms with the local Secret Service

Geoff White writes:

Maybe in this case you were being sharked, but before we got everything
clamped down on our servers we saw a number of spammers who were
'multi-hopping' their UCE and including faking headers and sending false
HELO data.

The excerpt below from my archives shows them bouncing mail off our
server, to iea.com, and then to AOL. The real originator was at rmii.com,
but they attempted to put in some semi-fake headers before that.

I guess the moral of the story is "trust no one, and filter, filter,
filter..." Sad, but true.


Consider talking to their upstream providers. It can quickly draw their
focused attention.

Singapore Press Holdings (POST7-DOM)

Netblock ocntrolled by:

Asia Pacific Network Information Center (APNIC2)
   Tokyo Central Post Office Box 351

   Netname: APNIC-CIDR-BLK
   Netblock: -
   Maintainer: AP

      Conrad, David Randolph (DC396) davidc@APNIC.NET
      +81-3-5500-0480 (FAX) +81-3-5500-0481

Or place a _concerned_ call to the FBI. Black helicopters aren't so bad
when they fly on your behalf.