Security Incidents mailing list archives

Re: Japanese "IPv6" group allocating for IPv4 spamming?


From: "Robert Hajime Lanning" <secfocus () lanning cc>
Date: Fri, 6 Jun 2003 12:13:55 -0700 (PDT)

It could be an IPv6/IPv4 gateway.  If the spammer requested an IPv6
network and used it, all traffic destined for an IPv4 address would
seem to come from the gateway address.

<quote who="Jay D. Dyson">
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

      I've long since blackholed most of Asia due to their rampant
spamming and incompetent (or worse, indifferent) admins.  This latest
incident only cements my stance.

      I received the following spam just a few minutes ago.  Mind you,
I've seen countless spam messages in my day, but the originating IP is
what caught my eye:


- -----BEGIN FORWARDED MESSAGE-----

Return-Path: <info_master () yume otegami com>
Received: (qmail 2233 invoked from network); 5 Jun 2003 21:13:01 -0000
Received: from f136.ac130.freebit.ne.jp (HELO yume234.com) (43.244.130.136)
  by h-66-134-87-75.lsanca54.covad.net with SMTP; 5 Jun 2003 21:13:01 -0000
From: ug0605 <info_master () yume otegami com>
To: [redacted]
Reply-To: info_master () yume otegami com
Subject: [gibberish deleted]
Date: Fri, 06 Jun 2003 06:11:24 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="de9908d2-2375-4e23-87c8-09a261c806b2"

[body of spam deleted]

- -----END FORWARDED MESSAGE-----


      When I saw the first Received line, I polled APNIC's databases for
the cognizant party.  The system responded that this Japanese netblock is
not allocated to APNIC.  So then I tried ARIN.  And that's when things got
interesting.

      ARIN stated that it too did not have that IP block allocated, but
it did confirm that it belonged to "Japan Inet" and referred me to the
"IPv6PC Whois Database" (whois.v6nic.net).  Okay, fine...but why is a
group that apparently touts itself as working exclusively with IPv6 doling
out IPv4 address space for spammers?

      Maybe I'm way off base here (wouldn't be the first time), but
something really stinks in Tokyo.  Until such time that I can get an
answer on this, 43.0.0.0/8 is in the blackhole.

- -Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.  ====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-If guns cause crime, then spoons cause obesity.-'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+37njNlg1oZSC9mkRAi6QAJ0cPERAww8lvVFtm6NUyRwc97CQhwCfbfx+
b/pwVrvzllBRYe/DH6WRS0I=
=XPg3
-----END PGP SIGNATURE-----
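
An added example, not part of either message above: a Python sketch that parses the qmail-style Received line quoted in the spam, separating what the sender claimed (HELO) from what the receiving server observed (reverse DNS name and peer IP), and checks the peer against the 43.0.0.0/8 blackhole mentioned in the message. The regular expression covers only the header layout shown on this page, and the function names are hypothetical.

```python
import ipaddress
import re

# Trace header as quoted in the message above, with the folded lines joined.
SAMPLE_RECEIVED = (
    "from f136.ac130.freebit.ne.jp (HELO yume234.com) (43.244.130.136)\n"
    "  by h-66-134-87-75.lsanca54.covad.net with SMTP; 5 Jun 2003 21:13:01 -0000"
)

# Local policy stated in the message: 43.0.0.0/8 is blackholed.
BLACKHOLED = [ipaddress.ip_network("43.0.0.0/8")]

# Layout seen on this page:
#   from <reverse-DNS name> (HELO <claimed name>) (<peer IP>) by <receiver> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>[0-9A-Fa-f:.]+)\)\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return the fields of one Received value, or None if it does not parse."""
    unfolded = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # looked like an address but is not one
        return None
    return {"rdns": m["rdns"].lower(), "helo": m["helo"].lower(),
            "ip": ip, "by": m["by"].lower()}


def assess(value):
    """Add two triage facts: HELO/rDNS agreement and blackhole membership."""
    hop = parse_received(value)
    if hop is None:
        return None
    # The HELO name is sender-controlled; the IP and rDNS name were recorded
    # by the receiving server. A mismatch is a hint, not proof of abuse.
    hop["helo_matches_rdns"] = hop["helo"] == hop["rdns"]
    hop["blackholed_by"] = next(
        (str(net) for net in BLACKHOLED if hop["ip"] in net), None)
    return hop


if __name__ == "__main__":
    print(assess(SAMPLE_RECEIVED))
```

Only the topmost Received line, written by your own server, is trustworthy; lines below it can be forged by the sender.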
