Re: [anti-spam-wg@localhost] Spam-RBL, anyone?
- Date: Wed, 7 Jan 2004 20:27:53 +0000
- Organization: easynet Ltd
On Wed, Jan 07, 2004 at 02:37:30PM -0500, der Mouse wrote:
> > [...outfits...which assume] that the administrative contact for an IP
> > address range is necessarily the appropriate addressee for
> > [notifications of spammous behaviour].
>
> > At least for 137.43/16, this is not the case, something I've tried to
> > make abundantly clear in the data carried by both ARIN and RIPE-NCC
> > for this network.
>
> Um. I must be missing something. What, pray tell, do you think the
> administrative contact address _is_ for, if not administrative issues?
> Or do you not consider disciplining spammous users to be an
> administrative matter?
That is a little puzzling (unless I am missing something, always a
possibility), since:
anthony@localhost:~> whois -h whois.arin.net +137.43.0.0
OrgName: University College Dublin
OrgID: UCD-2
Address: Computing Services
Address: Belfield, Dublin 4
City:
StateProv:
PostalCode:
Country: IE
NetRange: 137.43.0.0 - 137.43.255.255
CIDR: 137.43.0.0/16
NetName: UCD
NetHandle: NET-137-43-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.UCD.IE
NameServer: NS2.UCD.IE
NameServer: NS.HEA.IE
Comment: This data is no longer maintained and will be
Comment: withdrawn in the course of the ERX project.
Comment: Current contact information is on the RIPE
Comment: Whois.
Comment: URL (must be unfolded):
Comment: http://www.ripe.net/perl/whois
Comment: ?form_type=simple
Comment: &full_query_string=
Comment: &searchtext=una2-ripe
Comment: &do_search=Search
RegDate: 1989-10-25
Updated: 2003-09-12
TechHandle: NOR2-ARIN
TechName: O'Reilly, Niall
TechPhone: +353-1-716-2360
TechEmail: Niall.oReilly@localhost
OrgTechHandle: NOR2-ARIN
OrgTechName: O'Reilly, Niall
OrgTechPhone: +353-1-716-2360
OrgTechEmail: Niall.oReilly@localhost
# ARIN WHOIS database, last updated 2004-01-06 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
anthony@localhost:~> whois -h whois.ripe.net 137.43.0.0
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
inetnum: 137.43.0.0 - 137.43.255.255
netname: UCD-ETHER
descr: Campus Ethernet
descr: University College Dublin
descr: Belfield
descr: Dublin 4
descr: Ireland
country: IE
admin-c: UNA2-RIPE
tech-c: UNA2-RIPE
status: ASSIGNED PI
notify: sysman@localhost
mnt-by: NO8-MNT
changed: dfk@localhost 19911020
changed: mnorris@localhost 19971031
changed: ripe-dbm@localhost 19990706
changed: Niall.oReilly@localhost 20010206
changed: Niall.oReilly@localhost 20030909
changed: Niall.oReilly@localhost 20030910
source: RIPE
route: 137.43.0.0/16
descr: UCD-ETHER
origin: AS1213
mnt-by: HEANET-NOC
changed: ripe-dbm@localhost 19941121
changed: brian.boyle@localhost 20021121
source: RIPE
role: UCD Network Administration
address: University College Dublin Computing Services
address: Belfield
address: Dublin 4
address: Ireland
phone: +353 1 716 2360
fax-no: +353 1 283 7077
admin-c: UNA2-RIPE
tech-c: UNA2-RIPE
tech-c: RL7975-RIPE
tech-c: PB11909-RIPE
tech-c: FS11
tech-c: NO8
e-mail: abuse@localhost
e-mail: security@localhost
e-mail: sysman@localhost
nic-hdl: UNA2-RIPE
mnt-by: NO8-MNT
notify: sysman@localhost
remarks: contact abuse@localhost re SPAM only
remarks: contact security@localhost re other abuse
remarks: contact sysman@localhost re general operations
changed: Niall.oReilly@localhost 20030910
source: RIPE
I would myself have interpreted the above data as indicating that the
correct address to complain to in respect of Unsolicited Bulk Email
abuse actually originating from 137.43.0.0/16 is abuse@localhost.
However, it is possible that Niall may be experiencing the same issue in
respect of notifications from spam-rbl.com that we have repeatedly
experienced; that of almost all such notifications having been sent
entirely in error. Examples:
1. Email originating from well known, current insecure open proxies
listed at other DNSBLs, however spam-rbl.com parsing forged
"Received: from" header lines below the line where the insecure
proxy appears (and hence, from which the Unsolicited Bulk Email
actually originated); this is extremely common.
2. Reports concerning bounce undeliverable messages generated by
our own mail infrastructure, and MTAs hosted and operated by our
customers. Again, this is common.
3. Reports concerning email which, by even the strictest definition,
cannot possibly constitute Unsolicited Bulk Email abuse, which
is immediately apparent when such email is read by humans. One
example email reported by spam-rbl.com to us as apparent
Unsolicited Bulk Email abuse was a reply, from one of our
hosting provider customers to one of their customers, requesting
that said customer's customer's domain be transferred elsewhere,
and our customer providing details to their customer of how this
process should be undertaken (explanatory details re: the
Nominet IPS tag process, etc).
The majority of notifications sent to us by spam-rbl.com do not in
fact relate to abuse originating from, or involving, the easynet
network in any way. In fact, I would go so far as to suggest that the
greenest newbie spam fighter, having spent a couple of hours or so
parsing a primer on how to read headers, would generate on average
a higher percentage of correctly targeted complaints.
--
Anthony Edwards * anthony.edwards@localhost
Abuse Team Manager * Easynet UK Abuse Team
Easynet Ltd * DDI: 0161 227 0707
http://www.uk.easynet.net * Fax: 0845 333 4503
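As an added example (not code from the thread, Easynet or spam-rbl.com), the header-walking rule behind point 1 above, in Python: believe only the Received: lines written by your own hosts, take the sending address of the first hop outside them as the origin to complain about, and never consult the lines below it, since the sender controls those. Hostnames, addresses and the trusted-host set are constructed placeholders.

```python
import re
from typing import List, Optional

# Constructed sample: the Received: chain of a spam run through an open proxy,
# in message order (newest hop first). Hosts and addresses are test values.
SAMPLE_RECEIVED = [
    "from mx1.isp.test ([10.0.0.5]) by mailstore.isp.test with ESMTP id A1; Wed, 7 Jan 2004 20:01:02 +0000",
    "from proxy.example.net ([203.0.113.7]) by mx1.isp.test with ESMTP id B2; Wed, 7 Jan 2004 20:01:01 +0000",
    # Everything below this point was typed by the spammer, not written by an MTA:
    "from mail.innocent.test ([198.51.100.20]) by proxy.example.net with SMTP; Wed, 7 Jan 2004 19:59:00 +0000",
    "from [192.0.2.9] by mail.innocent.test with SMTP id C3; Wed, 7 Jan 2004 19:58:00 +0000",
]

# Hosts whose Received: lines we wrote ourselves and therefore trust (assumed).
TRUSTED_BY = {"mailstore.isp.test", "mx1.isp.test"}
# Our own relay addresses: a hop from one of these is internal (assumed).
TRUSTED_FROM_IPS = {"10.0.0.5"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def parse_hop(line: str):
    """Return (sending_ip, receiving_host) for one Received: line; None where absent."""
    ip = IP_RE.search(line)
    by = BY_RE.search(line)
    return (ip.group(1) if ip else None, by.group(1).lower() if by else None)


def origin_ip(received: List[str]) -> Optional[str]:
    """Walk from the newest hop downward and return the sending IP of the first hop
    that a trusted host received from an untrusted address. Lines below that hop
    are attacker-controlled and are never read."""
    for line in received:
        ip, by = parse_hop(line)
        if by not in TRUSTED_BY or ip is None:
            return None  # chain is not anchored in our infrastructure: cannot attribute
        if ip in TRUSTED_FROM_IPS:
            continue  # relay-to-relay hop inside our network; keep walking
        return ip  # first external sender: the host that actually delivered to us
    return None


def naive_bottom_hop(received: List[str]) -> Optional[str]:
    """The mistake described above: report whatever the oldest Received: line claims."""
    return parse_hop(received[-1])[0]
```

On the sample, origin_ip() names the open proxy, while naive_bottom_hop() names the forged innocent address, which is exactly the misdirected complaint the message complains about.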