Re: massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3)

2009-05-08 Thread Suresh Ramasubramanian
You won't find me holding up uceprotect or apews as fine examples of
properly or even competently run lists, I'd point you to spamhaus for
that.

But, in this day and age, and with the volumes of spam around, I'd
counsel you NOT to wait for or expect manual complaints to your abuse
desk, almost nobody does that these days.

Feel free to sign up for AOL etc feedback loops and you'd probably get
a much higher volume of complaints - enough that you'd have to
dedicate an email address to it, and use the scriptability of the ARF
format these feedback loops are sent in, so you can get / generate
stats.

Periodic rDNS scans of your network, and either making rDNS requests
manual, or at least running periodic rDNS scans of your network to
spot that kind of customer would make sense too.  You must admit that
the kind of rDNS Steve Champeon posted in that very long list
upthread sticks out like a sore thumb.

--srs

On Sat, May 9, 2009 at 4:20 AM, John van Oppen j...@vanoppen.com wrote:
> My favorite part of uceprotect was that there was basically no way to get
> them to send us actual reports or even IPs (without us paying for them).
> We canned this customer a month or two ago for abuse but gave them time
> to migrate out of our IP space (they were announcing it with their ASN to
> their other provider even after we cut transit) and swore up and down
> they were using it for virtual hosting (as did their ARIN justification
> forms). I just requested directly to their other provider that
> announcements be filtered and removed the SWIP. That /20 had only ever
> had about 15 reports for it to our abuse desk and we are actually
> responsive hence the kicking of the customer
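
An added example, not part of the original thread: one way to script the ARF reports that feedback loops send and turn them into per-customer complaint counts. The allocation table, customer names and the sample report are constructed for illustration; the field names follow RFC 5965.

```python
import ipaddress
from collections import Counter
from email import message_from_string

# Constructed data: documentation prefixes as customer allocations, and an ARF (RFC 5965) template.
ALLOCATIONS = {"192.0.2.0/25": "customer-a", "192.0.2.128/25": "customer-b"}
ARF_TEMPLATE = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="arf"

--arf
Content-Type: text/plain

This is an email abuse report.
--arf
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Source-IP: {ip}

--arf
Content-Type: message/rfc822

Subject: offer

body
--arf--
"""

def report_fields(raw):
    # The stdlib parses a message/* part as a nested message, so the report fields are its headers.
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "message/feedback-report":
            return part.get_payload(0)
    return None

def owner_of(ip_text):
    ip = ipaddress.ip_address(ip_text.strip())
    return next((who for net, who in ALLOCATIONS.items() if ip in ipaddress.ip_network(net)), "unallocated")

def complaint_stats(raw_reports):
    # Complaints per customer; reports without a usable Source-IP are counted as "unparsed".
    stats = Counter()
    for raw in raw_reports:
        try:
            stats[owner_of(report_fields(raw)["Source-IP"])] += 1
        except (TypeError, AttributeError, ValueError):
            stats["unparsed"] += 1
    return stats
```

Feeding `complaint_stats` the messages from a dedicated feedback-loop mailbox gives a count per allocation that can be tracked over time, independent of how many manual complaints reach the abuse desk.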



RE: massive snowshoe operations may be a cause for concern (was: Re:UCEProtect Level 3)

2009-05-08 Thread John van Oppen
I agree, spamhaus has always been great.  

We were on a few feedback loops and senderbase.org did not show much for that 
subnet... anyway solved now. Got the ex-customer's other ISP to block the 
announcement since we killed it a while ago, also removed the SWIP.  ;)

John van Oppen
Spectrum Networks LLC
Direct: 206.973.8302
Main: 206.973.8300
Website: http://spectrumnetworks.us

