North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Who Are The Good Guys?
In the war against spam, its getting harder to figure out who the good guys are. Last weekend, we had an incident where a server called pure.fiber.net was relaying thousands of spam messages off one of our mail servers. While we have filters in place to block the obvious spammers (cyberpromo and others), we don't learn about new ones until they cross the line (or we get them from Paul's site at http://www.vix.com/spam -- thanks Paul!). Unfortunately, fiber.net is a 9 to 5, Monday thru Friday operation with no weekend or evening NOC. This made things difficult for us at 2 am on a Saturday night trying to get their attention. Because fiber.net was not known as a spammer, we did not want to unilaterally block them off until we could talk to them when they opened on Monday morning, so we wrote some bash scripts and ran them against our mail queue every three minutes to kill messages with specific attributes relating to the spam. On Monday, we talked with their technical contact and he said that someone on their server must have been misbehaving, but that they would look into it. Today I reviewed my logs and not only did it not stop, but they started ANOTHER spam off our mail servers. When one of our engineers called them this afternoon, they said they were innocent because someone was using them as a relay -- nice try, but if they were a relay, we should not have seen any messages other than those destined for addresses on our network. Instead, we got the entire spam feed. They even went so far as to insert forged Received headers into the messages to try and throw us off. The spammers played us as chumps. Fine -- now I have filters in my backbone routers for 204.250.13/24 and 204.250.192/19, and mail filters for *.fiber.net just in case they manage to get another IP block. Grrrrr. The bottom line is that you cant tell the good guys from the bad guys anymore. There are ISPs that support spammers and then lie about it when they get caught. Even though I detest the fact that AGIS supports cyberpromo, at least they have the guts to tell it the way it is. As an aside, today we got a message in our marketing box asking "Do you support spammers?" -- unbelievable. The poster was looking for an ISP that would allow him to post 500 to 1000 spam messages each day. I sent him a form letter telling him "no" and outlining why spam is a Bad Idea(tm). It is obvious the spammers are getting much more aggresive and may even be compiling lists of spammer friendly ISPs. Its not just getting worse -- its getting weird. Dave Stoddard US Net Incorporated 301-572-5926 firstname.lastname@example.org - - - - - - - - - - - - - - - - -