June 04, 2004
What exactly are the goals of Regional Internet Registries?

Our mail server at dslreports sustained a pretty impressive dictionary attack last night. Over 100K messages from an ISP in Spain. These guys are not amateurs, so of course, first step is checking of blacklists & such, after all, we filter against them - it helps to stop quantities of the spam. The ISP is indeed blacklisted on several IP blocks.. but not the one that attacked us. Which is interesting considering a Google search produces an impressive list of spam reports directed at them. Obviously they got a new IP block and are already putting it to use to host a professional spam operation (well, at least one).

Spammers are taking over the web, clogging networks with worthless traffic, flooding servers and inboxes. Why are organizations like RIPE assigning new IP blocks to ISPs that are already heavily blacklisted for hosting spam operations? Wouldn't it be in their best interest to keep these guys confined to their existing assignment? Sometimes I wonder about these organizations.

RIPE (Réseaux IP Européens) is a collaborative forum open to all parties interested in wide area IP networks. The objective of RIPE is to ensure the administrative and technical coordination necessary to enable the operation of the Internet within the RIPE region.

We're facing an IP shortage, but apparently it's not an issue for spammers to get new IPs assigned. These 'collaborative organizations' are not exactly working for the benefit of the Internet.. maybe I'm just naive in thinking that is what their goal should be.

I'm not holding my breath waiting to hear back from the various abuse departments I reported this to.

Posted June 04, 2004 01:52 PM in Spam sucks
Comments
On June 4, 2004 02:24 PM Justin Mason added:

You know, that's an interesting point.

In other words: should the quality of an ISP's enforcement of its Acceptable Use Policy, be a condition of their contract with their RIR?

It strikes me this *must* have come up on NANOG at some stage ;)

#
On June 4, 2004 02:31 PM Justin Mason added:

oh! I should point out, many of those spam reports you link to, are forgeries. viz this mail -- http://groups.google.com/groups?q=rima-tde.net&hl=en&lr=&ie=UTF-8&safe=off&selm=200405131553.i4DFr4726547%40panix5.panix.com&rnum=2 :

Received: from em.emery@rima-tde.net ([248.82.28.220]) by jne10-u68.emery_doolittle@rima-tde.net with Microsoft SMTPSVC(5.0.5005.8388);
Wed, 12 May 2004 23:53:09 +0300

legit 'Received' lines do not use @ signs in the "by" hostname.

#
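The check described in the comment above, as an added example that is not part of the original post or its comments: it flags an `@` in the "by" host of a `Received` header. As an extension beyond the comment, it also flags bracketed relay addresses that cannot be routed; the quoted header's 248.82.28.220 lies in the reserved 240.0.0.0/4 range. The function name and the second sample header are hypothetical.

```python
import ipaddress
import re

# The header quoted in the comment above, unfolded onto one line.
SAMPLE = ("Received: from em.emery@rima-tde.net ([248.82.28.220]) "
          "by jne10-u68.emery_doolittle@rima-tde.net "
          "with Microsoft SMTPSVC(5.0.5005.8388); "
          "Wed, 12 May 2004 23:53:09 +0300")

# Constructed well-formed header for comparison (documentation names/addresses).
CLEAN = ("Received: from mail.example.net (mail.example.net [192.0.2.10]) "
         "by mx.example.org with ESMTP id ABC123; "
         "Wed, 12 May 2004 20:53:09 +0000")

FROM_BY = re.compile(r"from\s+(?P<from>\S+)\s+.*?\bby\s+(?P<by>\S+)",
                     re.IGNORECASE | re.DOTALL)
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_anomalies(header):
    """Return a list of reasons a single Received header looks forged."""
    # Unfold continuation lines (CRLF or LF followed by whitespace).
    header = re.sub(r"\r?\n[ \t]+", " ", header)
    match = FROM_BY.search(header)
    if not match:
        return ["no from/by clause found"]

    reasons = []
    # The receiving server writes the "by" host itself, so it should be a
    # plain hostname; an '@' there is the sign named in the comment.
    if "@" in match.group("by"):
        reasons.append("'@' in by host: " + match.group("by"))

    # Added check (assumption, not from the comment): relay address literals
    # in reserved, multicast, loopback or unspecified space.
    for literal in IP_LITERAL.findall(header):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            reasons.append("malformed address literal: " + literal)
            continue
        if ip.is_reserved or ip.is_multicast or ip.is_loopback or ip.is_unspecified:
            reasons.append("non-routable relay address: " + literal)
    return reasons


if __name__ == "__main__":
    for name, hdr in (("quoted", SAMPLE), ("constructed", CLEAN)):
        print(name, received_anomalies(hdr))
```
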
On June 4, 2004 02:35 PM kasia added:

Yes, some are probably forgeries, but there's quite a few legit ones. I spot-checked many..

#
On June 5, 2004 10:59 AM ant added:

I'm still convinced that the way to stop this mess is for a group of people like us to start up a collaborative piece of software that attacks the servers of not the spammers, but their intended sales targets. If enough people did it (and we already know how effective trojan "spammers" are), people would have to begin to rethink the whole advertising/marketing via spam route.

It is fair to say that it'd be a slow process to begin with, but in the end, it would be effective. These idiots want traffic, let's give them some traffic.

Just a thought, but surely not one that's so hard to execute... I also bet there'd be thousands of people willing to opt-in to such a scheme for the greater good of the internet.

#
On June 8, 2004 10:19 AM Sam added:

What exactly are the goals of Regional Internet Registries?

Money money money ?

#
On June 12, 2004 07:17 AM red avni added:

I just read my own post, and I guess I rambled a bit here on some person's blog I've never read before, who probably already knows half of what I wrote. There might be some useful information here attention span permitting :P

Telephonica is the largest phone company in Spain and Portugal. They offer the same services Verizon, Pacbell, etc. do here in the US.

Heck, your link to RIPE that shows that they have 4 contiguous class B's is a pretty clear indicator that Telephonica has better things to do than attack mail servers. Your attacker happens to be connected to their backbone in some manner, but that's as far as Telephonica's involvement probably goes. Many large providers have semi-public whois lookup that people can use. Usually you can call a tech support number and get the url just by asking...but the whole foreign country thing complicates that.

I really have no clue how Telephonica responds to reports of spam from an IP. Any action taken here in the US by the majority (there are a few spam friendly providers) of tier-1 and tier-2 backbone providers really depends on who the person is that files the complaint. If you are a customer, they will take action of some kind usually. The more money you pay...the more likely you are to get them to stop routing the offending IP.
If you are not a paying customer, they will most likely ignore complaints until whoever the admin who has to read the complaints gets sick of it and contacts the admin responsible for the block of IPs where the spam is coming from, basically telling them to chill.

There may be a public backbone provider that has a strictly adhered to spam policy, but I've never heard of them.

What I am saying is, if you aren't a customer of Telephonica, and contacted them directly, I can almost guarantee nothing material is going to happen to the spammers as a result of the complaint.

Personally I'd make an attempt to find out more about the IP address of the attacker so at least I could block some addresses without having to blacklist the entire southwest of Europe :)

#
On June 13, 2004 05:48 PM Sérgio Carvalho added:

> Telephonica is the largest phone company in Spain and Portugal.

Sorry, Telefonica does not operate in Portugal. The largest Portuguese operator is Portugal Telecom, followed by far, by ONI Telecom.

#