Wednesday, April 25, 2007
spammer-friendly mzima networks
This morning's "Quality Meds at Clearance Price" spam came from a trojaned consumer box on "broadband" in Malaysia. It had a bogus EHLO/HELO name. Either of those would have gotten it blocked, except it was addressed to Postmaster. You're not supposed to block spam to that RFC2142 address. (I'm getting tired of that rule.) Spammer must be pretty confident he's complaint-proof.
The spammer just gives his domain name, a throwaway at Register.com. They tell me these are usually paid for with stolen credit cards. He spells the domain name with spaces around the dot, to avoid triggering Spamassassin's "URL seen in spam" rule. The contact info in the registration is clearly bogus: 666 devils rd, lucifer, miami, +1.3056669990. Yeah, sure, lots of real people at that 666 exchange. By the time Register.com (Verisign still owns them?) takes it down, he'll have moved on.
The spammer's web server is hosted at Mzima Networks. A large colocation provider with data centers in the US, Honk Kong, Tokyo, and four cities in western Europe. A colocation provider rents you rack space in his data center for your server, which you connect to his network. Usually he reallocates you some IP addresses. If you're big enough you bring your own. Mzima has 21 entries on the Spamhaus block list. Mostly bunches of sixteen IP addresses. Most belonging to well known. chronic, "career" spammers. This one turns out to be "iMedia Networks." The 512 IP addresses are reallocated from Mzima to an " SBC Telecom Consulting, Inc." It's been there nine months.
I called Mzima. They told me that their customers can spam all they want, as long as they do it on someone else's network, and I should complain to the cable company in Malaysia. As long as the spam came from a bot-net, it's none of Mzima's business. Of course, well run networks won't accept email from an IP address assigned to a criminal like iMedia Networks anyway. He just sells his pills through them.
Mzima claims to be "connecting to multiple Tier-1 carriers and numerous private peers." But whenever I trace route to their spammer havens the route goes through Internet backbone carrier Level3. Of course Level3 doesn't give a damn about the criminal selling his fake pills through their network. They know the government isn't going to bother them, and Mzima pays them well.
Spammers exist because of the knowing, willful negligence of companies like Mzima Networks and Level3 Communications.
What you can do: Ask your ISP to "null route" the pill spammer's IP address range, 72.37.186/23. They're not expecting that. They're expecting you to complain about the bot-net pill spam, but they think you're too stupid to figure out that the spammer's web hosting matters more. Tell them you'd prefer that they not carry the pill spammer's traffic. Not just his email, which comes from everywhere, but his Web server and his bot-net controller too. Nobody's going to miss any legitimate traffic from there, because there isn't any. This happens, occasionally, to the very worst of the worst spammers. It renders their IP addresses fairly worthless, and they have to buy a new allocation from Mzima. Which leaves Mzima stuck with 512 IP addresses that nobody wants.
Of course, if we get the kind of "net neutrality" Moveon.org has been pushing for, such shunning becomes illegal. Under today's "free trade" agreements, the boycotts that forced the end of Apartheid in South Africa would be illegal. Think about it. Do you really want a "free trade" Internet? You can bet Level3 and Mzima do. And the spammers would just love it.
The spammer just gives his domain name, a throwaway at Register.com. They tell me these are usually paid for with stolen credit cards. He spells the domain name with spaces around the dot, to avoid triggering Spamassassin's "URL seen in spam" rule. The contact info in the registration is clearly bogus: 666 devils rd, lucifer, miami, +1.3056669990. Yeah, sure, lots of real people at that 666 exchange. By the time Register.com (Verisign still owns them?) takes it down, he'll have moved on.
The spammer's web server is hosted at Mzima Networks. A large colocation provider with data centers in the US, Honk Kong, Tokyo, and four cities in western Europe. A colocation provider rents you rack space in his data center for your server, which you connect to his network. Usually he reallocates you some IP addresses. If you're big enough you bring your own. Mzima has 21 entries on the Spamhaus block list. Mostly bunches of sixteen IP addresses. Most belonging to well known. chronic, "career" spammers. This one turns out to be "iMedia Networks." The 512 IP addresses are reallocated from Mzima to an " SBC Telecom Consulting, Inc." It's been there nine months.
I called Mzima. They told me that their customers can spam all they want, as long as they do it on someone else's network, and I should complain to the cable company in Malaysia. As long as the spam came from a bot-net, it's none of Mzima's business. Of course, well run networks won't accept email from an IP address assigned to a criminal like iMedia Networks anyway. He just sells his pills through them.
Mzima claims to be "connecting to multiple Tier-1 carriers and numerous private peers." But whenever I trace route to their spammer havens the route goes through Internet backbone carrier Level3. Of course Level3 doesn't give a damn about the criminal selling his fake pills through their network. They know the government isn't going to bother them, and Mzima pays them well.
Spammers exist because of the knowing, willful negligence of companies like Mzima Networks and Level3 Communications.
What you can do: Ask your ISP to "null route" the pill spammer's IP address range, 72.37.186/23. They're not expecting that. They're expecting you to complain about the bot-net pill spam, but they think you're too stupid to figure out that the spammer's web hosting matters more. Tell them you'd prefer that they not carry the pill spammer's traffic. Not just his email, which comes from everywhere, but his Web server and his bot-net controller too. Nobody's going to miss any legitimate traffic from there, because there isn't any. This happens, occasionally, to the very worst of the worst spammers. It renders their IP addresses fairly worthless, and they have to buy a new allocation from Mzima. Which leaves Mzima stuck with 512 IP addresses that nobody wants.
Of course, if we get the kind of "net neutrality" Moveon.org has been pushing for, such shunning becomes illegal. Under today's "free trade" agreements, the boycotts that forced the end of Apartheid in South Africa would be illegal. Think about it. Do you really want a "free trade" Internet? You can bet Level3 and Mzima do. And the spammers would just love it.
Monday, April 16, 2007
home servers blocked because of "generic" reverse DNS
My server refused Michael's email. He's running a server at home on a phone company DSL line with a static IP address. "What's this about? Can I not send you mail because I have SBC DSL?"
Not exactly. It's because he's sending directly from a residential SBC DSL line with a "generic" name in reverse DNS.
Legitimate email senders just about always have a pointer record in the in-addr.arpa domain. The name in it suggests it's actually supposed to be sending mail. Picking a couple at random out of this morning's email:
Take a look at amybiehl's network neighbors.
$ whi -v 66.159.220 132 141
132.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-132.dslextreme.com.
133.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-133.dslextreme.com.
134.220.159.66.in-addr.arpa domain name pointer alexsoo.net.
135.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-135.dslextreme.com.
136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org.
137.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-137.dslextreme.com.
138.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-138.dslextreme.com.
139.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-139.dslextreme.com.
140.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-140.dslextreme.com.
It's pretty easy to see which are the servers and which are just generic residential lines. Michael's email was refused because his server's pointer resource record name adsl-68-124-123-45.dsl.pltn13.pacbell.net matched the regular expression
Your MTA probably has a routing table where you can relay out to certain domains and send directly by default. I can show you how to do it in Qmail and Postfix. I've noticed about a dozen domains that block amybiehl, and I route to those through my server off of Speakeasy
(Edit, July '08: I've moved from Speakeasy's T-1 to colocation at Got.net.)
You'll find this kind of preemptive blocking will only get more common. I'm kind of surprised you haven't hit it already. Some pretty large networks have been using this technique for years. DSL Extreme charged me $20 to install a custom PTR name. Sonic and Speakeasy did it for free.
The "see greens.org/delist" in my server's rejection message was supposed to lead you to my whitelist request form. Someone submits that form about once a month. (Not counting the crackers who shove junk into it every day. They're looking for leaky forms they can exploit to send spam.)
Not exactly. It's because he's sending directly from a residential SBC DSL line with a "generic" name in reverse DNS.
$ host -t ptr 68.124.123.45 #(not his real address) 45.123.124.68.in-addr.arpa domain name pointer adsl-68-124-123-45.dsl.pltn13.pacbell.net. |
Legitimate email senders just about always have a pointer record in the in-addr.arpa domain. The name in it suggests it's actually supposed to be sending mail. Picking a couple at random out of this morning's email:
$ host 204.13.164.18 18.164.13.204.in-addr.arpa domain name pointer mx1.riseup.net. $ host 66.159.220.136 136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org. |
Take a look at amybiehl's network neighbors.
$ whi -v 66.159.220 132 141
132.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-132.dslextreme.com.
133.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-133.dslextreme.com.
134.220.159.66.in-addr.arpa domain name pointer alexsoo.net.
135.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-135.dslextreme.com.
136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org.
137.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-137.dslextreme.com.
138.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-138.dslextreme.com.
139.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-139.dslextreme.com.
140.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-140.dslextreme.com.
It's pretty easy to see which are the servers and which are just generic residential lines. Michael's email was refused because his server's pointer resource record name adsl-68-124-123-45.dsl.pltn13.pacbell.net matched the regular expression
/^(adsl|ppp)-.*.(dsl|dialup)\..*\.pacbell\.net$/which stops an amazing amount of spam without any content analysis. SBC/Ameritech/Snet/AT&T/Pacbell generics are in the top twenty spam sources world wide. They claim to be "rolling out" port 25 blocking, but there are glaciers that move faster. I'll whitelist your PTR name, but I doubt many admins would bother. If you're gonna run a server in the middle of a block that's 99.99% Microsoft-DSL-residential spam zombies you're eventually gonna have to ask SBC for a non-generic name in rDNS. Or send through the SMTP relays SBC provides.
Your MTA probably has a routing table where you can relay out to certain domains and send directly by default. I can show you how to do it in Qmail and Postfix. I've noticed about a dozen domains that block amybiehl, and I route to those through my server off of Speakeasy
(Edit, July '08: I've moved from Speakeasy's T-1 to colocation at Got.net.)
You'll find this kind of preemptive blocking will only get more common. I'm kind of surprised you haven't hit it already. Some pretty large networks have been using this technique for years. DSL Extreme charged me $20 to install a custom PTR name. Sonic and Speakeasy did it for free.
The "see greens.org/delist" in my server's rejection message was supposed to lead you to my whitelist request form. Someone submits that form about once a month. (Not counting the crackers who shove junk into it every day. They're looking for leaky forms they can exploit to send spam.)