nanog mailing list archives

Re: I got a live one! - Spam source


From: Eric Brunner-Williams <brunner () nic-naa net>
Date: Wed, 25 Nov 2009 07:49:20 -0500

Russell,

My personal inclination would be to look for what legit entities are provisioning them with critical resources and what margins they appear to be paying.

For DNS resources, the domains, to identify registry preference, probably a simple volume correlation, and the registrars, which may correlate better to other primary characteristics than simple volume, to RRset data, which may have interesting correlates to other, provisioned, critical resources. I'm not the "registrar police", I'm simply interested in ICANN having a policy towards registrars that looks beyond failure to respond to email, failure to pay $0.25/domain/year, and failure to escrow registrant data, which seem to be the only bases for breach of contract proceedings against, or non-renewals of, its registrars.

Whack-a-mole has been discussed lots of times, and as Gadi confirms at the end of his note, he's still mostly in the Whack-a-camp, though he does mention gathering information.

When they stop providing you (and "you" could include parties who are paying you to look over your shoulder at this petri dish and its cultured agar) with data of value then their existence is of no value.

Eric

Gadi Evron wrote:
Russell Myba wrote:
Looks like one of our customers has decided to turn their /24 into a nice little
spam spewing machine.  Doesn't seem like just one compromised host.

Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address
as a PO box and a single link to an unsubscribe field.

I've contacted at least three known contacts for the customer about the
abuse without a single response.

It would seem there are many layers to this entity:

The domains are registered to one business
Our billing information for the customer has one name, they colo with
another person (whom the cross connect reaches)
Our customer has an IT solutions person working for them (Strange since our
customer and their colo provider are "IT solutions" people themselves.)
Abuse handle phone #s are supposedly incorrect (I called it)

Besides the obvious of me at the minimum filtering port tcp/25, is there an
organization that tracks businesses like these who seem like they are
building a web of insulation in which to move?

I think this case might interest them.


From principle, I want to jump up and down and say "zap 'em!". However, I also make several assumptions which need to be cleared, pragmatically.

I assume you have authority over the decision of what to do with them, and I also assume that your contract with them does not bind you in some fashion, can get you in trouble with the business side of the business, or can introduce *liability* issues. And naturally, that if you are not the decision maker, that you are synched with whomever it is.

These assumptions aside, kicking them might not be the best solution. "Starving them" out by blocking port 25, as an example you gave, or following some of the other suggestions in this thread, may be workable.

Which brings me to three very important questions:
1. How much intelligence can you collect if you let them stay?
2. Have you considered legal action against them?
3. Did you consult with legal about possible law enforcement involvement?

As to the intricate web of who they are and where their resources lie, these are usually cases where the more you dig, the more you find -- ad infinitum.

Me? I'd just kick them after verifying they are not victims themselves.

I hope this helps,

    Gadi.
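The thread above points at three signals an operator can put side by side before deciding whether to "starve" or kick a customer: how a /24's reverse DNS is spread over throwaway domains, whether the message-id domains all funnel to one landing site, and (Eric's "simple volume correlation") which registrars sponsor those domains. The script below is an added example, not code from the thread or any of its participants; every record in it is constructed sample data (the 203.0.113.0/24 documentation range, `.example` domains, placeholder registrar names), and the thresholds and the two-label apex-domain collapse are simplifying assumptions.

```python
"""Correlate rDNS spread, redirect convergence and registrar volume for a
customer /24.  Added example with constructed data, not from the thread."""
from collections import Counter
import ipaddress

# Constructed PTR records for a hypothetical customer /24.  Snowshoe pattern:
# many throwaway apex domains, each sitting on only one or two addresses.
PTR_RECORDS = {
    "203.0.113.10": "mail1.bargain-offers-now.example",
    "203.0.113.11": "mail2.bargain-offers-now.example",
    "203.0.113.12": "mx.greatdealsdaily.example",
    "203.0.113.13": "mx.greatdealsdaily.example",
    "203.0.113.14": "out.clickhere4savings.example",
    "203.0.113.15": "out.promo-blast-2009.example",
    "203.0.113.16": "smtp.freegiftz.example",
    "203.0.113.17": "smtp.mega-discounts.example",
    "203.0.113.200": "ns1.customer-colo.example",
}

# Constructed: where each message-id domain's web front door forwards to.
MSGID_TARGETS = {
    "bargain-offers-now.example": "www.unsub-portal.example",
    "greatdealsdaily.example": "www.unsub-portal.example",
    "clickhere4savings.example": "unsub-portal.example",
    "promo-blast-2009.example": "www.unsub-portal.example",
    "freegiftz.example": "www.unsub-portal.example",
}

# Constructed: sponsoring registrar per domain (as a WHOIS lookup would give).
REGISTRARS = {
    "bargain-offers-now.example": "Registrar A (constructed)",
    "greatdealsdaily.example": "Registrar A (constructed)",
    "clickhere4savings.example": "Registrar A (constructed)",
    "promo-blast-2009.example": "Registrar B (constructed)",
    "freegiftz.example": "Registrar A (constructed)",
    "mega-discounts.example": "Registrar B (constructed)",
}


def registrable_domain(hostname: str) -> str:
    """Collapse a hostname to its last two labels.  Simplification: ignores
    public-suffix rules (co.uk and friends); fine for the sample data."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def rdns_profile(ptr_records, prefix):
    """How a prefix's PTR records spread over apex domains.  Returns
    (populated IP count, Counter apex -> IP count, distinct/populated ratio).
    A high ratio means many domains each covering few hosts."""
    net = ipaddress.ip_network(prefix)
    per_domain = Counter()
    for ip, host in ptr_records.items():
        if ipaddress.ip_address(ip) in net:
            per_domain[registrable_domain(host)] += 1
    populated = sum(per_domain.values())
    ratio = len(per_domain) / populated if populated else 0.0
    return populated, per_domain, ratio


def redirect_convergence(msgid_domain_to_target):
    """Russell's observation: every message-id domain forwards to one site.
    Returns (distinct targets, most common target, fraction landing on it)."""
    targets = Counter(registrable_domain(t) for t in msgid_domain_to_target.values())
    target, count = targets.most_common(1)[0]
    return len(targets), target, count / sum(targets.values())


def registrar_volume(domain_to_registrar):
    """Eric's simple volume correlation: registrars by number of domains."""
    return Counter(domain_to_registrar.values()).most_common()


def assess(ptr_records, prefix, msgid_targets, registrars,
           snowshoe_ratio=0.5, convergence=0.9):
    """Combine the three signals into supporting numbers plus one verdict.
    Thresholds are assumptions to be tuned against known-good customers."""
    populated, per_domain, ratio = rdns_profile(ptr_records, prefix)
    _, target, frac = redirect_convergence(msgid_targets)
    return {
        "ptr_populated": populated,
        "ptr_apex_domains": len(per_domain),
        "ptr_domain_ratio": round(ratio, 2),
        "redirect_target": target,
        "redirect_fraction": round(frac, 2),
        "top_registrars": registrar_volume(registrars),
        "coordinated": ratio >= snowshoe_ratio and frac >= convergence,
    }


if __name__ == "__main__":
    for key, value in assess(PTR_RECORDS, "203.0.113.0/24",
                             MSGID_TARGETS, REGISTRARS).items():
        print(f"{key}: {value}")
```

The verdict is only a triage aid: the `coordinated` flag tells you the /24 looks like one operation rather than a single compromised host, which is Gadi's "verify they are not victims themselves" step, and the registrar table is the data you would hand to whoever is gathering intelligence rather than whacking moles.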




