Re: I got a live one! - Spam source

[Jon Lewis <jlewis () lewis org>]

On Tue, 24 Nov 2009, Russell Myba wrote:

> Looks like of our customers has decided to turn their /24 into a nice little
> space spewing machine.  Doesn't seem like just one compromised host.
>
> Reverse DNS for most of the /24 are suspicious domains.  Each domain used in
> the message-id forwards to a single .net which lists their mailing address
> as a PO box an single link to an unsubscribe field.
>
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.

I've found that in cases like this, the best way to get in contact with 
the customer is to interrupt their service.  Suddenly, they'll go 
from being too busy to take/return your call to calling you.

> It would seem there are many layers to this entity:
>
> The domains are registered to one business
> Our billing information for the customer has one name, they colo with
> another person (whom the cross connect reaches)
> Our customer has an IT solutions person working for them (Strange since our
> customer and their colo provider are "IT solutions" people themselves.
> Abuse handle phone #s are supposedly incorrect (I called it)

I'm confused.  Who are you billing and for what services?

> Besides the obvious of me at the minimum filtering port tcp/25 is their an
> organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
>
> I think this case might interest them.

Spamhaus is the first one that comes to mind.  From what I understand of 
your description, this doesn't sound all that different from typical 
spammer behavior.  Multiple layers of indirection seems to be the latest 
thing for spammers.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________