nanog mailing list archives

Re: dealing with bogon spam ?

From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Wed, 28 Oct 2009 12:56:41 +0530

Ah, colo4jax I see. Jacksonville, Florida.

68.234.16.0/20 shows up as unallocated but as these guys own the
previous /20 its probably a stale arin db and a brand new allocation

  Prefix               AS Path
Aggregation Suggestion
  68.234.0.0/20        4777 2497 25973 40430
  68.234.16.0/20       4608 1221 4637 3561 40430
  69.174.96.0/21       4777 2497 25973 40430
  173.205.80.0/20      4777 2497 25973 40430
  204.237.184.0/21     4777 2497 25973 40430
  204.237.192.0/22     4777 2497 25973 40430
  208.153.96.0/22      4777 2497 25973 40430
  208.169.228.0/22     4777 2497 25973 40430


On Wed, Oct 28, 2009 at 12:14 PM, Leslie <leslie () craigslist org> wrote:

Yes, unallocated (at least according to ARIN's whois db) but not unannounced
- obviously our network can get to the space or else I wouldn't be having a
spam problem with them!   I'm actually seeing this  /20 as advertised
through Savvis from AS40430

It seems to me like the best solution might be a semi-hacky solution of
asking arin (and other IRR's) if i can copy its DB and creating an internal
peer which null routes unallocated blocks (updated nightly?)

Has anyone seen an IRR's DB's not being updated for more than 30 days after
allocations?  I always assumed that they are quickly updated.

Thanks again,
Leslie

Jon Lewis wrote:


Unallocated doesn't mean non-routed.  All a spammer needs is a
willing/non-filtering provider doing BGP with them, and they can announce
any space they like, send out some spam, and then pull the announcement.
Next morning, when you see the spam and try to figure out who to send
complaints to, you're either going to complain to the wrong people or find
that whois is of no help.

On Tue, 27 Oct 2009, Church, Charles wrote:

This is puzzling me.  If it's from non-announced space, at some point
some router should report no route to it.  How is the TCP handshake
performed to allow a sync to turn into spam?

Chuck

Chuck Church
Network Planning Engineer, CCIE #8776
Harris Information Technology Services
DOD Programs
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
--------------------------
Sent using BlackBerry




-- 
Suresh Ramasubramanian (ops.lists () gmail com)

Current thread:

Re: dealing with bogon spam ?, (continued)
- - - Re: dealing with bogon spam ? Suresh Ramasubramanian (Oct 28)
    - Re: Re: dealing with bogon spam ? Michiel Klaver (Oct 29)
- Re: dealing with bogon spam ? Valdis . Kletnieks (Oct 28)
  - Re: dealing with bogon spam ? Jared Mauch (Oct 28)
- Re: dealing with bogon spam ? Chris Hills (Oct 28)
- Re: dealing with bogon spam ? Church, Charles (Oct 27)
  - Re: dealing with bogon spam ? Nathan Ward (Oct 27)
  - Re: dealing with bogon spam ? Jon Lewis (Oct 27)
    - Re: dealing with bogon spam ? Suresh Ramasubramanian (Oct 27)
    - Re: dealing with bogon spam ? Leslie (Oct 27)
    - Re: dealing with bogon spam ? Suresh Ramasubramanian (Oct 28)
    - Re: dealing with bogon spam ? John Kristoff (Oct 28)
    - Re: dealing with bogon spam ? Jeroen Massar (Oct 28)
    - Re: dealing with bogon spam ? Randy Bush (Oct 28)
    - Re: dealing with bogon spam ? Jeroen Massar (Oct 28)
    - Re: dealing with bogon spam ? Nathan Ward (Oct 28)
    - Re: dealing with bogon spam ? John Kristoff (Oct 28)
    - Re: dealing with bogon spam ? Leslie (Oct 28)
    - Re: dealing with bogon spam ? Jeroen Massar (Oct 28)
    - Re: dealing with bogon spam ? George Michaelson (Oct 29)
    - Re: dealing with bogon spam ? Jared Mauch (Oct 28)

(Thread continues...)