Thursday, March 06, 2008

The Tag Lyger Campaign

I’ve begun a quest of sorts, and I need help in making this endeavor more of a reality. Please join me in the “Tag Lyger’s page with filthy del.icio.us tags” campaign. So far I’m the only participant, but participation is easy.

Log in or register for a del.icio.us account, then post Lyger’s page:

http://attrition.org/~lyger

and tag it with something foul. I’ve been focusing on glassdildos and dirty sanchez, which you can join along with, or make up your own!

See the lyger del.icio.us page for all the tags so far.

It’s fun, it helps a good cause, and it reduces my overall stress level, which in turn reduces my blood pressure, which in turn keeps me alive just a LITTLE BIT LONGER to deal with Jericho’s gnikcuf tickets.

Monday, March 03, 2008

Clever Spammers

I’ve run into a significant problem today with some spam.

Messages began pouring into my employer somewhere around two weeks ago, flooding user accounts with crap. I mean flooding, like, can’t-delete-quick-enough, or “no time for love, Dr. Jones” flooding. Initially I ignored the report, as we haven’t had a significant spam problem in a long time. SpamAssassin coupled with RBLs and other paid and free resources has done an incredible job over the past 10 years, so I naturally assumed I had a user issue here. But today, when people inside my department, who are less likely to fall prey to an accident, started getting slammed like Tabitha Stevens in San Fernando Jones and the Temple of Poon, I finally started paying attention, and I’m glad I did.

Hundreds of thousands of messages per day were pouring into the mail servers, destined for real users, and all but a small percentage were getting past the filters. I dug a bit deeper and found the sending hosts clustered in a dozen class Cs:


64.191.105
64.191.106
64.191.123
64.191.124
64.191.51
66.197.134
66.197.147
66.197.180
66.197.224
66.197.229
66.197.249
66.197.253 

Fascinating, I thought. Similar class Cs, but spread over two different class Bs. A whois on each shows more detail:

64.191.105


Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
Julestynes Services JULESTYNES (NET-64-191-105-0-1)
                               64.191.105.0 - 64.191.105.255

# ARIN WHOIS database, last updated 2008-03-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
64.191.106

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
hillside web partners HILLSIDEWEB (NET-64-191-106-0-1)
                               64.191.106.0 - 64.191.106.255

64.191.123

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
Blue Yellow Web Partners BLUEYELLOWWEB (NET-64-191-123-0-1)
                               64.191.123.0 - 64.191.123.255

64.191.124

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
qartfz enterprise QARTFZ (NET-64-191-124-0-1)
                               64.191.124.0 - 64.191.124.255

64.191.51

Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
                               64.191.0.0 - 64.191.127.255
Forest bay net services FORESTBAYNETSVC (NET-64-191-51-0-1)
                               64.191.51.0 - 64.191.51.255

66.197.134

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
three g web partners THREEGWEB (NET-66-197-134-0-1)
                               66.197.134.0 - 66.197.134.255

66.197.147

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Sparkspart Industries SPARKSPART (NET-66-197-147-0-1)
                               66.197.147.0 - 66.197.147.255

66.197.180

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Ktgbs Operations KTGBS (NET-66-197-180-0-1)
                               66.197.180.0 - 66.197.180.255

66.197.224

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Saturn Net Services STRNNET (NET-66-197-224-0-1)
                               66.197.224.0 - 66.197.224.255

66.197.229

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
Beedolak Networks BEEDOLAK (NET-66-197-229-0-1)
                               66.197.229.0 - 66.197.229.255

66.197.249

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
JSBLX Services JSBLXSERVICES (NET-66-197-249-0-1)
                               66.197.249.0 - 66.197.249.255

66.197.253

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
                               66.197.128.0 - 66.197.255.255
DDLSA information systems DDLSA (NET-66-197-253-0-1)
                               66.197.253.0 - 66.197.253.255


So naturally I became keenly interested in “Network Operations Center Inc.” and kicked off an abuse mail:

 
It would appear that multiple dummy organizations leasing IP space from your
HOSTNOC-2BLK and HOSTNOC-3BLK and potentially others are spamming our
organization, rendering some people's accounts practically inaccessible.

All the samples attached originate from class Cs you have sold/leased or
otherwise delegated.  Were I a gambler, I'd likely bet that this is no
coincidence.  Please address the matter.

Interestingly, every single mailhost had an SPF record set up, and all of them were sailing through the spam checks. SPF is no help here: a pass only says that the domain owner authorized that host to send, and when the spammer owns both the domain and the netblock he can publish whatever record he likes. So I banned both /17 networks (64.191.0.0/17 and 66.197.128.0/17) from getting to our mailserver, and after a couple of hours:

 
Mar  3 14:40:01 redacted postfix/smtpd[28234]: NOQUEUE: reject: RCPT from 
  mx-173.tiepart.com[66.197.180.173]: 554 <mx-173.tiepart.com[66.197.180.173]>: 
  Client host rejected: GO AWAY; from=<e@tiepart.com> to=<REDACT@REDACTED.NET> 
  proto=ESMTP helo=<mx-173.tiepart.com>
Mar  3 14:40:01 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from 
  mailserv150.pissmall.com[64.191.123.150]: 554 <mailserv150.pissmall.com[64.191.123.150]>: 
  Client host rejected: GO AWAY; from=<a@pissmall.com> to=<REDACT@REDACTED.NET> 
  proto=ESMTP helo=<mailserv150.pissmall.com>
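The reject lines above are what Postfix writes when a client matches a `check_client_access` table entry of `REJECT GO AWAY`; the obvious next step is to pull those lines apart and see which /24s and sender domains they cluster in. The following is an added example, not code from the original post. The first two log lines embedded in it are the two quoted above (re-joined onto one line each, as Postfix actually writes them); the remaining lines are constructed for the example and use documentation addresses. The two /17s are the parent allocations from the ARIN output earlier, and the `cidr:` table the script renders is an assumption about how the ban was configured, not something the post states.

```python
"""Parse Postfix smtpd reject lines and tally them by client, /24 and sender domain.

Added example, not code from the original post. Lines 1-2 of SAMPLE_LOG are the
rejects quoted in the post; lines 3-5 are constructed (RFC 5737 addresses and
example.* domains). BANNED_NETS are the two parent allocations from the whois
output.
"""
import ipaddress
import re
from collections import Counter

# Parent allocations from the whois output: HOSTNOC-3BLK and HOSTNOC-2BLK.
BANNED_NETS = [
    ipaddress.ip_network("64.191.0.0/17"),
    ipaddress.ip_network("66.197.128.0/17"),
]

# One Postfix "NOQUEUE: reject: RCPT" line. Fields in order: client hostname
# and IP, SMTP status code, reject reason, envelope sender/recipient, HELO name.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3}) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)

SAMPLE_LOG = """\
Mar  3 14:40:01 redacted postfix/smtpd[28234]: NOQUEUE: reject: RCPT from mx-173.tiepart.com[66.197.180.173]: 554 <mx-173.tiepart.com[66.197.180.173]>: Client host rejected: GO AWAY; from=<e@tiepart.com> to=<REDACT@REDACTED.NET> proto=ESMTP helo=<mx-173.tiepart.com>
Mar  3 14:40:01 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from mailserv150.pissmall.com[64.191.123.150]: 554 <mailserv150.pissmall.com[64.191.123.150]>: Client host rejected: GO AWAY; from=<a@pissmall.com> to=<REDACT@REDACTED.NET> proto=ESMTP helo=<mailserv150.pissmall.com>
Mar  3 14:40:02 redacted postfix/smtpd[28234]: disconnect from mx-173.tiepart.com[66.197.180.173]
Mar  3 14:40:03 redacted postfix/smtpd[28301]: NOQUEUE: reject: RCPT from unknown[64.191.51.22]: 554 <unknown[64.191.51.22]>: Client host rejected: GO AWAY; from=<b@example.com> to=<REDACT@REDACTED.NET> proto=ESMTP helo=<mail.example.com>
Mar  3 14:40:04 redacted postfix/smtpd[28302]: NOQUEUE: reject: RCPT from host.example.net[192.0.2.10]: 450 <nobody@example.org>: Recipient address rejected: Greylisted; from=<nobody@example.org> to=<REDACT@REDACTED.NET> proto=ESMTP helo=<host.example.net>
"""


def parse_rejects(log_text):
    """Return one dict per reject line; other smtpd lines (connect, disconnect) are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        sender = rec["sender"]
        rec["sender_domain"] = sender.rpartition("@")[2].lower() if "@" in sender else ""
        records.append(rec)
    return records


def banned_parent(ip):
    """Return the banned /17 (as a string) that contains ip, or None if it is outside both."""
    addr = ipaddress.ip_address(ip)
    for net in BANNED_NETS:
        if addr in net:
            return str(net)
    return None


def summarize(records):
    """Tally rejects by /24, by envelope-sender domain and by banned parent block."""
    by_net24 = Counter(
        str(ipaddress.ip_network(r["ip"] + "/24", strict=False)) for r in records
    )
    by_sender_domain = Counter(r["sender_domain"] for r in records)
    by_banned_net = Counter(
        net for net in (banned_parent(r["ip"]) for r in records) if net is not None
    )
    return {
        "total": len(records),
        "by_net24": by_net24,
        "by_sender_domain": by_sender_domain,
        "by_banned_net": by_banned_net,
    }


def postfix_cidr_table(nets=BANNED_NETS, action="REJECT GO AWAY"):
    """Render a Postfix cidr: access table (assumed config, see lead-in).

    Referenced from smtpd_client_restrictions as
    check_client_access cidr:/etc/postfix/client_access, a "REJECT GO AWAY"
    entry yields the "554 <client>: Client host rejected: GO AWAY" lines above.
    """
    return "".join(f"{net}\t{action}\n" for net in nets)


if __name__ == "__main__":
    summary = summarize(parse_rejects(SAMPLE_LOG))
    for key in ("by_net24", "by_sender_domain", "by_banned_net"):
        print(key)
        for item, count in summary[key].most_common():
            print(f"  {count:6d}  {item}")
    print(postfix_cidr_table(), end="")
```

Run it against a real mail log with `parse_rejects(open("/var/log/mail.log").read())`; the /24 tally is the quickest way to spot a campaign like this one, and the banned-parent tally confirms whether the /17 blocks are actually catching it.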

MMMMMM. PISSMALL.COM. About 200,000 of those. Meanwhile, “Network Operations Center Inc.” turns out to be burst.net, an apparently legit company, judging by their response:


Hello.

Thank you for your report.

We have contacted our direct client regarding your report and expect a prompt response, 
including action against the abuser.

If you have any questions, please let us know.

Most sophisticated spamming operation I’ve seen. SPF records, real registered domains, links to those real domains, real email accounts, all hosted here in the US, scattered across two class B networks in a dozen class Cs, but seemingly all hosted at a single company. The one thing they could not vary was the parent allocation, which is exactly what made blocking the two /17s effective.
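To see why an SPF pass carried no weight here, it helps to evaluate a record by hand. Below is an added example, not code from the original post: a deliberately small SPF evaluator (ip4, include and all only, with the four qualifiers) run over an in-memory zone. The domain names and TXT records in it are constructed for the example; the /24s are the ones from the whois output above. The point it shows is that a spammer who publishes a record authorizing his own netblock gets a clean pass, exactly like a legitimate domain does, while the same record correctly fails anyone else using that domain.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed, in-memory DNS zone.

Added example, not code from the original post. Only the ip4, include and all
mechanisms are implemented, which is enough to show that an SPF "pass" means
"the domain owner authorized this host" and nothing about reputation. ZONE is
made up; the /24s in it are the ones from the whois output in the post.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical domains).
ZONE = {
    "spamco.example": "v=spf1 ip4:64.191.123.0/24 include:_spf.spamco.example -all",
    "_spf.spamco.example": "v=spf1 ip4:66.197.180.0/24 ~all",
    "victim.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=ZONE):
    """Return the domain's v=spf1 record from the fake zone, or None if it has none."""
    rec = zone.get(domain.lower())
    if rec and rec.split(" ", 1)[0] == "v=spf1":
        return rec
    return None


def check_spf(domain, ip, zone=ZONE, depth=0):
    """Evaluate domain's SPF policy for a connecting IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if depth > 10:  # bound include recursion, as RFC 7208 bounds DNS-consuming terms
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # a bare address means a /32; a prefix length is honoured as written
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced policy itself returns pass
            matched = check_spf(arg, ip, zone, depth + 1) == "pass"
        else:
            return "permerror"  # mechanisms this toy does not implement (a, mx, exists, ...)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and the record had no "all"


if __name__ == "__main__":
    cases = [
        ("spamco.example", "64.191.123.150"),   # spammer's own host: passes
        ("spamco.example", "66.197.180.173"),   # via include: passes too
        ("spamco.example", "66.197.181.5"),     # outside both /24s: fails
        ("victim.example", "64.191.123.150"),   # spammer forging someone else: fails
        ("nospf.example", "64.191.123.150"),    # no record at all: none
    ]
    for domain, ip in cases:
        print(f"{domain:22s} {ip:16s} {check_spf(domain, ip)}")
```

The first two cases are the situation described in this post: the result is a textbook pass, because the person who published the record is the person sending the mail. SPF is an anti-forgery check, so the right place to spend it is on the fourth case; deciding whether to accept mail at all from a netblock belongs to RBLs, client access tables and abuse reports.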