Wednesday, April 25, 2007

 

spammer-friendly mzima networks

This morning's "Quality Meds at Clearance Price" spam came from a trojaned consumer box on "broadband" in Malaysia. It had a bogus EHLO/HELO name. Either of those would have gotten it blocked, except it was addressed to Postmaster. You're not supposed to block spam to that RFC 2142 address. (I'm getting tired of that rule.) Spammer must be pretty confident he's complaint-proof.

The spammer just gives his domain name, a throwaway at Register.com. They tell me these are usually paid for with stolen credit cards. He spells the domain name with spaces around the dot, to avoid triggering SpamAssassin's "URL seen in spam" rule. The contact info in the registration is clearly bogus: 666 devils rd, lucifer, miami, +1.3056669990. Yeah, sure, lots of real people at that 666 exchange. By the time Register.com (Verisign still owns them?) takes it down, he'll have moved on.
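The spaced-dot trick above works against rules that only look for well-formed URLs. The following is an added example, not part of the original post and not SpamAssassin's own code: a body filter that collapses whitespace around dots before consulting a domain blocklist. The blocklist entry and the sample messages are constructed, since the post does not name the spammer's domain.

```python
import re

# Constructed blocklist entry (reserved .test TLD); not a value from the post.
BLOCKED_DOMAINS = {"pills-example.test"}

# One hostname label, then one or more further labels joined by a dot that
# may have spaces or tabs on either side ("pills-example . test").
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_SEP = r"[ \t]*\.[ \t]*"
_CANDIDATE = re.compile(rf"\b{_LABEL}(?:{_SEP}{_LABEL})+\b", re.IGNORECASE)


def find_blocked_domains(body, blocked=BLOCKED_DOMAINS):
    """Return (domain, was_spaced) for each blocklisted domain in body.

    was_spaced is True when the domain was written with whitespace around
    a dot, which is itself a useful scoring signal.
    """
    hits = []
    for match in _CANDIDATE.finditer(body):
        # Split the candidate into labels and the separators between them.
        parts = re.split(f"({_SEP})", match.group(0))
        labels, seps = parts[0::2], parts[1::2]
        # Ordinary sentence punctuation ("test. Thanks") also produces
        # candidates, so check every run of adjacent labels rather than
        # trusting the whole match.
        for i in range(len(labels)):
            for j in range(i + 2, len(labels) + 1):
                domain = ".".join(labels[i:j]).lower()
                if domain in blocked:
                    was_spaced = any(s != "." for s in seps[i:j - 1])
                    hits.append((domain, was_spaced))
    return hits


# Constructed sample bodies.
SPACED_SPAM = "Quality Meds at Clearance Price! Visit pills-example . test. Thanks"
PLAIN_URL = "Order at http://www.Pills-Example.test/order now"
CLEAN_TEXT = "End of one sentence. Next one starts here."

if __name__ == "__main__":
    for sample in (SPACED_SPAM, PLAIN_URL, CLEAN_TEXT):
        print(find_blocked_domains(sample), "<-", sample)
```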

The spammer's web server is hosted at Mzima Networks. A large colocation provider with data centers in the US, Hong Kong, Tokyo, and four cities in western Europe. A colocation provider rents you rack space in his data center for your server, which you connect to his network. Usually he reallocates you some IP addresses. If you're big enough you bring your own. Mzima has 21 entries on the Spamhaus block list. Mostly bunches of sixteen IP addresses. Most belonging to well-known, chronic, "career" spammers. This one turns out to be "iMedia Networks." The 512 IP addresses are reallocated from Mzima to an "SBC Telecom Consulting, Inc." It's been there nine months.

I called Mzima. They told me that their customers can spam all they want, as long as they do it on someone else's network, and I should complain to the cable company in Malaysia. As long as the spam came from a bot-net, it's none of Mzima's business. Of course, well run networks won't accept email from an IP address assigned to a criminal like iMedia Networks anyway. He just sells his pills through them.

Mzima claims to be "connecting to multiple Tier-1 carriers and numerous private peers." But whenever I traceroute to their spammer havens the route goes through Internet backbone carrier Level3. Of course Level3 doesn't give a damn about the criminal selling his fake pills through their network. They know the government isn't going to bother them, and Mzima pays them well.

Spammers exist because of the knowing, willful negligence of companies like Mzima Networks and Level3 Communications.

What you can do: Ask your ISP to "null route" the pill spammer's IP address range, 72.37.186/23. They're not expecting that. They're expecting you to complain about the bot-net pill spam, but they think you're too stupid to figure out that the spammer's web hosting matters more. Tell them you'd prefer that they not carry the pill spammer's traffic. Not just his email, which comes from everywhere, but his Web server and his bot-net controller too. Nobody's going to miss any legitimate traffic from there, because there isn't any. This happens, occasionally, to the very worst of the worst spammers. It renders their IP addresses fairly worthless, and they have to buy a new allocation from Mzima. Which leaves Mzima stuck with 512 IP addresses that nobody wants.

Of course, if we get the kind of "net neutrality" Moveon.org has been pushing for, such shunning becomes illegal. Under today's "free trade" agreements, the boycotts that forced the end of Apartheid in South Africa would be illegal. Think about it. Do you really want a "free trade" Internet? You can bet Level3 and Mzima do. And the spammers would just love it.

Comments:
Good day,

As you may have heard, as of January 18, 2010, PacketExchange, the next generation network service provider with coverage in Europe, U.S. and Asia has announced its acquisition of Mzima Networks. This merger means that your website will need to be updated with the following information, if applicable.

1.) Please change any and all Mzima Networks logos to the PacketExchange logo (attached) - or available at

2.) Please change any and all references of the Mzima Networks name to PacketExchange.

3.) Please change any and all Mzima.net URLs to http://www.packetexchange.com.

Please confirm when the actions on your end are complete. I greatly appreciate your response to this, and am here for any questions.

Thank you!
 