[CLUE-Tech] Brute force attack from host 208.188.115.21

Nate Duehr nate at natetech.com
Mon Aug 9 01:51:02 MDT 2004


Charles Oriez wrote:

> However, if the ISP terminated spammers within a few minutes of getting the 
> complaint, there wouldn't be much blocking because there wouldn't be much 
> spam. Inflow for instance is hosting at least one spammer with a connection 
> date of July 2003. uu.net has about 200 separate areas identified as spam 
> sources, some dating back to 2002

Hi Charles,

Let me start off by saying that I used to work for Inflow - a long time 
ago - as a corporate level Sr. Network Engineer.  My responsibilities 
centered around the system administration of their billing and DNS 
servers, amongst other things.

I was laid off along with approximately 2/3 of the staff in November of 
2000 and was without work for a year following.  I have no vested 
interest in helping them in any way, but I felt some additional insight 
into what happens at ANY large ISP when abuse complaints come in, might 
be in order.

I can't really speak for them now (nor, like most U.S. corporations 
these days, could I really speak for them while I worked for them... 
heh.), but I can say these things.

First off, abuse reports at the time I was there definitely were read 
and acted upon.  The abuse at inflow.net address was a real address with 
real human beings behind it.  My understanding is that it still is today.

Disconnections *were* done when I was there, but required the consensus 
of the on-site General manager, Operations manager, and at least one of 
the senior management at Corporate, and probably the company attorney. 
But I personally saw at least two major "pull the plug" events happen. 
There was zero possibility of that type of action happening overnight, 
and DEFINITELY not from a single complaint.  There were required 
warnings involved, etc.

I can vouch for a small group of engineers that are still there and who 
do understand that "spam is bad".  I can also say that at least at one 
time, there were set policies to deal with abuse.  We were never "spam 
friendly" when I was there, but we were definitely contractually and 
procedurally bound to be very careful in documenting a case when it came 
to AUP violations.  There are plenty of nut-jobs out there who'll send 
in abuse reports about their COMPETITORS hoping to get their upstream 
ISP to turn them off.  (Anti-spam spam?)

Send in the reports and/or call 'em on the phone... they're in the book, 
and they're real people.  Provide LOTS of detail.

You sound very angry in your messages and I have no idea how far you've 
taken this with them, but I can assure you there are people there who 
care.  Not everyone, mind you -- they have their share of clueless PHBs 
and engineers too, just like any large organization of people.

At the very least you could probably ask them for the exact netblock of 
the spammer so you could block only that range and leave the other 
innocent bystanders without bullet holes in them.  They used to properly 
SWIP all the address ranges, so it really should be a piece of cake, 
unless they've stopped doing that.

Of course asking for someone's netblock always sends up security red 
flags... so your professionalism and attitude toward the person 
answering the abuse e-mail probably counts, just like in any other 
endeavour.

--
Nate Duehr, nate at natetech.com


