Re: massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3)

[Suresh Ramasubramanian <ops.lists () gmail com>]

You wont find me holding up uceprotect or apews as fine examples of
properly or even competently run lists, I'd point you to spamhaus for
that.

But, in this day and age, and with the volumes of spam around, I'd
counsel you NOT to wait for or expect manual complaints to your abuse
desk, almost nobody does that these days.

Feel free to signup for AOL etc feedback loops and you'd probably get
a much higher volume of complaints - enough that you'd have to
dedicate an email address to it, and use the scriptability of the ARF
format these feedback loops are sent in, so you can get / generate
stats.

Periodic rDNS scans of your network, and either making rDNS requests
manual, or at least running periodic rDNS scans of your network to
spot that kind of customer would make sense too.  You must admit that
the kind of rDNS Steve Champeon posted in in that very long list
upthread sticks out like a sore thumb.

--srs

On Sat, May 9, 2009 at 4:20 AM, John van Oppen <john () vanoppen com> wrote:
> My favorite part of uceprotect was that there was basically no way to get them to send us actual reports or even IPs
> (without us paying for them). We canned this customer a month or two ago for abuse but gave them time to migrate
> out of our IP space (they were announcing it with their ASN to their other provider even after we cut transit) and
> swore up and down they were using it for virtual hosting (as did their ARIN justification forms). I just requested
> directly to their other provider that announcements be filtered and removed the SWIP. That /20 had only ever
> had about 15 reports for it to our abuse desk and we are actually responsive hence the kicking of the customer