North American Network Operators Group
where 419 scams come from (was: Re: New IANA IPv4 allocation to AfriNIC (41/8))
on Wed, Apr 13, 2005 at 02:38:44PM -0600, Steve Meuse wrote:
>
> On 4/13/05, John Palmer <firstname.lastname@example.org> wrote:
> >
> > Thank you for that information. I can leave 41/8 in my router bogon list
> > and hopefully eliminate the Nigerian 419 problem somewhat.
>
> Personally, I believe we should give them the chance to fail before we
> cut them off from the rest of the world. I don't think the majority of
> 419 email comes from addresses actually sourced in Nigeria.

I can't speak to the whole world's perceptions, but for 419/aff mail seen
here, the vast majority comes from IPs assigned to the following ISO
country codes:

(africa|AR|BF|BG|BJ|BW|CI|DK|ES|GH|IL|KE|KR|LB|LV|ML|MR|NG|NL|RW|SN|TG|ZA|ZW)

Where 'africa' means "IP space delegated to africa-online.com"
(216.104.192/20).

Also see quite a bit from BR, the occasional one or two from space in the
US, satellite connections, and some from FR.

I know this because I use the Received: and various X-Originating-IP
format headers (usually originating via some compromised or unmonitored
webmail software) to extract the injection IP and reject messages if the
source matches the ISO codes above in a crossref of IP to ISO code or
other keyword.

I used to see quite a bit from Australia, but bigpond seems to have
cleaned up its act significantly.

Steve

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us! http://hesketh.com/about/careers/account_manager.html join us!
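
The check described in the message above (extract the injection IP from X-Originating-IP or Received:, cross-reference it to an ISO code or keyword, reject on a match), as an added Python example that is not part of the original post. Only the blocked-code list and the 216.104.192/20 'africa' entry come from the message; the other table rows, the internal-relay ranges and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# ISO codes / keywords rejected in the post.
BLOCKED = set("africa AR BF BG BJ BW CI DK ES GH IL KE KR LB LV ML MR NG NL "
              "RW SN TG ZA ZW".split())
# IP-to-tag crossref. Only 216.104.192.0/20 -> 'africa' comes from the post;
# the other rows are constructed, using documentation ranges.
IP_TAGS = [(ipaddress.ip_network(n), t) for n, t in (
    ("216.104.192.0/20", "africa"), ("198.51.100.0/24", "NG"),
    ("203.0.113.0/24", "US"))]
# Relay-internal ranges that cannot be the injection point (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def external_ips(text):
    """Valid IPv4 addresses in a header value, minus internal ranges."""
    found = []
    for token in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL):
            found.append(ip)
    return found

def injection_ip(raw):
    # X-Originating-IP first, then Received from the earliest hop upward.
    # Headers below your own relay are sender-supplied: a heuristic only.
    msg = email.message_from_string(raw)
    values = msg.get_all("X-Originating-IP", [])
    values += reversed(msg.get_all("Received", []))
    hits = [ip for v in values for ip in external_ips(v)]
    return hits[0] if hits else None

def verdict(raw):
    ip = injection_ip(raw)
    tag = next((t for net, t in IP_TAGS if ip in net), None) if ip else None
    return ("reject" if tag in BLOCKED else "accept", str(ip) if ip else None, tag)

# Constructed sample: webmail injection behind an internal first hop.
SAMPLE = ("Received: from mail.example.org ([203.0.113.9]) by mx.example.net\n"
          "Received: from [10.0.0.5] by webmail.example.org via HTTP\n"
          "X-Originating-IP: [216.104.200.17]\n"
          "Subject: URGENT BUSINESS PROPOSAL\n\nbody\n")
print(verdict(SAMPLE))
```

Without the X-Originating-IP header the same message falls back to the Received: chain, skips the internal 10.0.0.5 hop and is judged on 203.0.113.9 instead.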