Unallocated doesn't mean non-routed. All a spammer needs is a
willing/non-filtering provider doing BGP with them, and they can announce
any space they like, send out some spam, and then pull the announcement.
Next morning, when you see the spam and try to figure out who to send
complaints to, you're either going to complain to the wrong people or find
that whois is of no help.
On Tue, 27 Oct 2009, Church, Charles wrote:
This is puzzling me. If it's from non-announced space, at some point some
router should report no route to it. How is the TCP handshake performed to
allow a sync to turn into spam?
Chuck
Chuck Church
Network Planning Engineer, CCIE #8776
Harris Information Technology Services
DOD Programs
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
--------------------------
Sent using BlackBerry
----- Original Message -----
From: Jon Lewis <jle...@lewis.org>
To: Leslie <les...@craigslist.org>
Cc: NANOG <nanog@nanog.org>
Sent: Tue Oct 27 21:08:12 2009
Subject: Re: dealing with bogon spam ?
On Tue, 27 Oct 2009, Leslie wrote:
I failed to mention we're seeing this from an unallocated /20 whose parent /8
is allocated to ARIN (and is partially in use)
What /20 would that be? If you're sure it's unallocated, and see nothing
but spam from it, block it at your border.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________