nanog mailing list archives

Re: I got a live one! - Spam source


From: Steve Linford <linford () spamhaus org>
Date: Thu, 26 Nov 2009 09:53:42 +0000

On 25 Nov 2009, at 04:22, Russell Myba wrote:

> Looks like one of our customers has decided to turn their /24 into a nice little
> spam spewing machine.  Doesn't seem like just one compromised host.
>
> Reverse DNS for most of the /24 are suspicious domains. Each domain used in the message-id forwards to a single .net which lists their mailing address
> as a PO box and a single link to an unsubscribe field.

Classic snowshoe spam setup, probably a professional snowshoe spam outfit known to Spamhaus as 'Tactara' and 'Webzero'.

Snowshoe spam operations operate by contacting ISPs pretending to be 'IP space brokers', they buy lots of IP space and have it all SWIPed in small chunks, mostly /24s, to an endless array of anonymous Wyoming and Delaware shell companies at UPS mailboxes. They then fill the /24s with freshly-registered 'nonsense' domains, tunnel into the server to hide their real location, and start the spamming. Usually almost every IP in the /24 has a spam cannon on it and a web page with just an 'unsubscribe' field.

They're the reason we created the CSS announced here:
http://www.spamhaus.org/news.lasso?article=646

(please don't follow up to this post here on NANOG, as NANOG is not an appropriate forum for spam discussions)

  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org
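The block-level pattern described in this thread (nearly every IP in a /24 carrying a PTR under its own throwaway domain, and all of those domains forwarding to one unsubscribe site) lends itself to a simple heuristic an abuse desk can run over passive DNS data. The following is an added example, not code from the thread or from Spamhaus: the IP blocks, hostnames, redirect target and threshold values are all constructed assumptions, and the "registrable domain" helper deliberately uses the last two labels rather than the Public Suffix List.

```python
import ipaddress
from collections import Counter


def registrable_domain(hostname):
    """Crude registrable domain: the last two labels of the PTR name.
    Production tooling should use the Public Suffix List instead."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def score_block(cidr, ptrs, redirects, thresholds=(0.8, 0.5, 0.8)):
    """Score one /24 for the snowshoe pattern.

    ptrs:      {ip: PTR hostname}; IPs absent from the dict have no PTR.
    redirects: {registrable domain: site its web page forwards to, or None}.
    thresholds are assumed cut-offs for PTR coverage, domain diversity and
    the share of domains pointing at the single most common target.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = [str(ip) for ip in net.hosts()]
    with_ptr = [ip for ip in hosts if ip in ptrs]
    domains = Counter(registrable_domain(ptrs[ip]) for ip in with_ptr)
    targets = Counter(redirects[d] for d in domains if redirects.get(d))
    top_count = targets.most_common(1)[0][1] if targets else 0

    ptr_coverage = len(with_ptr) / len(hosts)            # how full the block is
    domain_diversity = len(domains) / max(len(with_ptr), 1)  # one domain per IP?
    shared_target = top_count / max(len(domains), 1)     # all roads lead to one site?
    cov_t, div_t, tgt_t = thresholds
    return {
        "cidr": str(net),
        "ptr_coverage": round(ptr_coverage, 2),
        "domain_diversity": round(domain_diversity, 2),
        "shared_target": round(shared_target, 2),
        "snowshoe": ptr_coverage >= cov_t and domain_diversity >= div_t and shared_target >= tgt_t,
    }


def snowshoe_sample():
    """Constructed /24 mimicking the thread: nearly every IP has a PTR under
    its own throwaway domain and every domain forwards to one unsubscribe site."""
    cidr = "198.51.100.0/24"
    ptrs, redirects = {}, {}
    for i in range(1, 255):
        if i % 25 == 0:          # leave a handful of IPs without a PTR
            continue
        domain = f"bargain-offers-{i}.net"
        ptrs[f"198.51.100.{i}"] = f"mail.{domain}"
        redirects[domain] = "unsubscribe-portal.example"
    return cidr, ptrs, redirects


def benign_sample():
    """Constructed ordinary corporate /24: a few named hosts, one domain, no redirects."""
    cidr = "203.0.113.0/24"
    ptrs = {f"203.0.113.{i}": f"host{i}.corp.example" for i in range(1, 21)}
    return cidr, ptrs, {"corp.example": None}


if __name__ == "__main__":
    for sample in (snowshoe_sample, benign_sample):
        print(score_block(*sample()))
```

The three ratios are deliberately independent: a legitimately dense block (a hosting provider's customer /24) will have high PTR coverage but low domain diversity or no shared redirect target, and a single compromised host never fills the block, so only the combination trips the verdict. Thresholds are a starting point to tune against a provider's own known-good blocks.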