[CLUE-Tech] Brute force attack from host 208.188.115.21

Charles Oriez coriez at oriez.org
Mon Aug 9 07:59:56 MDT 2004


At 01:51 AM 8/9/2004 -0600, Nate Duehr wrote:

>Charles Oriez wrote:
>
>>However, if the ISP terminated spammers within a few minutes of getting 
>>the complaint, there wouldn't be much blocking because there wouldn't be 
>>much spam. Inflow for instance is hosting at least one spammer with a 
>>connection date of July 2003. uu.net has about 200 separate areas 
>>identified as spam sources, some dating back to 2002
>
>Hi Charles,
>
>Let me start off by saying that I used to work for Inflow - a long time 
>ago - as a corporate level Sr. Network Engineer.  My responsibilities 
>centered around the system administration of their billing and DNS 
>servers, amongst other things.
>
>I was laid off along with approximately 2/3 of the staff in November of 
>2000 and was without work for a year following.  I have no vested interest 
>in helping them in any way, but I felt some additional insight into what 
>happens at ANY large ISP when abuse complaints come in, might be in order.

Massive layoffs are one of the reasons that abuse reports tend to stop being 
reported on.


>I can't really speak for them now (nor, like most U.S. corporations these 
>days, could I really speak for them while I worked for them... heh.), but 
>I can say these things.
>
>First off, abuse reports at the time I was there definitely were read and 
>acted upon.  The abuse at inflow.net address was a real address with real 
>human beings behind it.  My understanding is that it still is today.
>
>Disconnections *were* done when I was there, but required the consensus of 
>the on-site General manager, Operations manager, and at least one of the 
>senior management at Corporate, and probably the company attorney. But I 
>personally saw at least two major "pull the plug" events happen. There was 
>zero possibility of that type of action happening overnight, and 
>DEFINITELY not from a single complaint.  There were required warnings 
>involved, etc.
>
>I can vouch for a small group of engineers that are still there and who do 
>understand that "spam is bad".  I can also say that at least at one time, 
>there were set policies to deal with abuse.  We were never "spam friendly" 
>when I was there, but we were definitely contractually and procedurally 
>bound to be very careful in documenting a case when it came to AUP 
>violations.  There are plenty of nut-jobs out there who'll send in abuse 
>reports about their COMPETITORS hoping to get their upstream ISP to turn 
>them off.  (Anti-spam spam?)
>
>Send in the reports and/or call 'em on the phone... they're in the book, 
>and they're real people.  Provide LOTS of detail.

They get the complete spam with complete expanded headers sent to 
abuse at inflow.com, every time a spam got through.  The only thing munged was 
the address it was sent to, to keep them from list washing.  I'm not sure 
what more info they could want.  In fact, most ISPs say that they want only 
the spam, without added commentary, to make it easier on their automated 
systems.  The spams sent to inflow clearly show that the sender is spamming 
a site in the inflow block, using stolen resources (usually open proxies) 
from elsewhere.

I'll try calling on the phone next time though. I won't use the book. I'll 
use the phone listed on their whois record, which is required to be valid. 
I'll report results.


>You sound very angry in your messages and I have no idea how far you've 
>taken this with them, but I can assure you there are people there who 
>care.  Not everyone, mind you -- they have their share of clueless PHB's 
>and engineers too, just like any large organization of people.

I didn't think I sounded all that angry.  Annoyed yes, but not angry.  I 
block spam friendly ISPs. I don't waste energy being angry at 
them.  Repeated mail to abuse at inflow.com didn't even result in 
autoacks.  Yeah, I'll reserve the right to be angry at spammers and the 
ISPs who knowingly harbor them for extended periods of time. As to inflow, 
since they are invisible to my systems I don't have to worry about being 
angry at them. I just ignore them. When Spamhaus says that they are clean, 
I'll accept mail from them again.



>At the very least you could probably ask them for the exact netblock of 
>the spammer so you could block only that range and leave the other 
>innocent bystanders without bullet holes in them.  They used to properly 
>SWIP all the address ranges, so it really should be a piece of cake, 
>unless they've stopped doing that.

There are several problems with that:

1) No guarantee that they won't move the spammers around to unblocked areas. 
The technical term is whack-a-mole, and we don't do that anymore.  Those of 
us who track spammers have seen specific examples when a spammer's space is 
listed, the spammer is moved to unblocked space and innocent third parties 
are moved to the blocked space.  Standard practice then became to add the 
new space without delisting the old space.

2) That permits them to continue to profit from their spammers while 
continuing to profit from non-spamming customers.  The ISP has to decide 
whether they want their profits from spammers, or profits from the ethical 
side of the Internet.

3) If they really are as responsive as you say, it wouldn't be 
necessary.  They'll act on the spam reports, and nobody needs to be blocked.

4) SPEWS tries that.  In the case of INFLOW, it has been proven to be a 
failure.  First they send in a spam report.  Then they block the /32 of 
the spammer. No reaction, they block the /24. Then they start expanding. It 
is up to inflow to determine how large the block has to be before they 
act.  However, listing only the spammer's block has clearly been a failure 
in this particular case.

5) That's what got us in trouble at the start of this thread, which dealt 
with a discussion of listing comcast dynamic space while leaving their smtp 
servers unlisted.  That seemed to generate a fair amount of anger on some 
parts.

6) I actually tried that a few times. The tier 1 support people seem to 
lack the technical skills to provide that information.  Usually, when I am 
doing that, I ask for the blocks that are their dynamic space, the theory 
being that I only want to block trojaned home users.
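The listing escalation from item 4 (/32 first, then /24, then wider while reports go unanswered) and the never-delist rule from item 1, modelled as an added example that is not code from this thread, SPEWS or Spamhaus; the prefix widths beyond /24, the `Blocklist` class and the sample addresses (RFC 5737 documentation ranges, constructed here) are assumptions:

```python
import ipaddress

# Escalation schedule as the thread describes it: the /32 of the spam source
# first, the /24 after the report is ignored, then progressively wider space.
# The steps beyond /24 are an assumption; the thread only says "start expanding".
ESCALATION_PREFIXES = (32, 24, 22, 20, 16)


def listed_network(source_ip: str, unanswered_reports: int) -> ipaddress.IPv4Network:
    """Prefix to list after the given number of ignored reports for this source."""
    step = min(unanswered_reports, len(ESCALATION_PREFIXES) - 1)
    prefix = ESCALATION_PREFIXES[step]
    # strict=False lets a host address stand in for its containing network
    return ipaddress.ip_network(f"{source_ip}/{prefix}", strict=False)


class Blocklist:
    """Blocklist that only grows: space is added, never delisted (item 1)."""

    def __init__(self) -> None:
        self.networks: list[ipaddress.IPv4Network] = []

    def add(self, net: ipaddress.IPv4Network) -> None:
        # A range already covered by a listed supernet adds nothing; anything
        # else is appended and stays listed even if the spammer later moves.
        if not any(net.subnet_of(existing) for existing in self.networks):
            self.networks.append(net)

    def escalate(self, source_ip: str, unanswered_reports: int) -> ipaddress.IPv4Network:
        """Apply the next escalation step for a source and return what was listed."""
        net = listed_network(source_ip, unanswered_reports)
        self.add(net)
        return net

    def is_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


if __name__ == "__main__":
    bl = Blocklist()
    # Constructed scenario: spam source at 203.0.113.45, two ignored reports,
    # then the spammer is moved to 198.51.100.7 (whack-a-mole from item 1).
    for reports in (0, 1):
        print("listed", bl.escalate("203.0.113.45", reports))
    bl.escalate("198.51.100.7", 0)
    for ip in ("203.0.113.45", "203.0.113.200", "198.51.100.7", "198.51.100.8"):
        print(ip, "blocked" if bl.is_blocked(ip) else "accepted")
```

The old /24 stays listed after the move, so an innocent customer placed into 203.0.113.0/24 later is still blocked; that is exactly the cost the thread weighs against delisting.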


>Of course asking for someone's netblock always sends up security red 
>flags... so your professionalism and attitude toward the person answering 
>the abuse e-mail probably counts, just like in any other endeavour.

Granted.  The next time an inflow person answers a spam report of mine, 
which will also be the first time, I'll remember that.


Easiest way to see the current status on inflow is to go not to SPEWS, but 
to Spamhaus.  Drill down to Inflow. The spammers in yellow are those who 
have been thrown off a minimum of 3 ISPs for spamming. Note the dates that 
Inflow started hosting them, especially the years.  http://spamhaus.org.uk



-- 
coriez at oriez.org 39° 34' 34.4"N / 105° 00' 06.3"W
"...Life is not a journey to the grave with the intention of arriving 
safely in one pretty and well preserved piece, but to slide across the 
finish line broadside, thoroughly used up, worn out, leaking oil, and 
shouting GERONIMO!!!" -- Bill McKenna, date unknown 