On Tue, Nov 24, 2009 at 7:22 PM, Russell Myba <[email protected]> wrote:

> Looks like one of our customers has decided to turn their /24 into a nice
> little space spewing machine. Doesn't seem like just one compromised
> host.
>
> Reverse DNS for most of the /24 are suspicious domains. Each domain used
> in the message-id forwards to a single .net which lists their mailing
> address as a PO box and a single link to an unsubscribe field.
>
> I've contacted at least three known contacts for the customer about the
> abuse without a single response.
>
> It would seem there are many layers to this entity:
>
> The domains are registered to one business.
> Our billing information for the customer has one name; they colo with
> another person (whom the cross connect reaches).
> Our customer has an IT solutions person working for them (strange, since
> our customer and their colo provider are "IT solutions" people
> themselves).
> Abuse handle phone #s are supposedly incorrect (I called it).
>
> Besides the obvious of me at the minimum filtering port tcp/25, is there
> an organization that tracks businesses like these who seem like they are
> building a web of insulation in which to move?
>
> I think this case might interest them.

Can you name the /24?

I can't say that this sounds unfamiliar -- we are seeing an increase in "facilitated" criminal activity across the board...

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

