
Malware and Botnet Operators Going ISP

ScuttleMonkey posted more than 4 years ago | from the spam-is-big-business dept.

Security 131

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"


131 comments


Filtering easier? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30517404)

If they own the IP block (or it's assigned exclusively to them) then wouldn't that make it a lot easier to block them? Why complain? Just find out their range and shitlist it.

Re:Filtering easier? (5, Interesting)

JWSmythe (446288) | more than 4 years ago | (#30517808)

The article (and story here) are a bit deceiving.

The LIR is usually the ISP. So, they're filling out the IP justification form to ask for a block of IP's, just like anyone with their own rack or cabinet would. Big deal. I once had over a dozen /24's, but it was for legitimate purposes, and I properly (and honestly) justified them.

I watched spammers do that in the past. They'd get multiple T1's (at their location) or ethernet handoffs (in datacenters). They'd be able to do a spam run for about 3 days on a block of IP's. When they got the complaint, they'd simply switch to another line. Say they have 7 of these circuits. It would take 21 days before they rotated back around to the original provider. If one should (oh my gosh) cut them off for the illegal activity, they'd simply bring in new circuits under new names.

By combining providers in a single rack, that saved them the money of needing more servers. They'd frequently have a few cabinets, in a few different datacenters. So, 4 racks, 7 circuits each, would give them 28 unique identities. At 3 days before the line is burnt, that would give 84 days before they'd rotate back around to the original line.

They would let a line sit idle for 84 days. That would just be stupid. They'd run multiple campaigns at the same time, so they'd rotate through them. It was an art, playing providers and the spam traps. They'd send a nice apology to the provider when they got the notice to stop, saying some machine was compromised, and the complaints would stop after just a couple days, and no one would care.

Of course, some legitimate traffic would be hosted on these lines also, just to make things look good. In a 40u rack, they may have 30u's populated with spam servers, and a couple u's with web servers and what looked like paying customers on them.

It's just like a black market operation run by the mob. Sure, you can buy merchandise in the store front. You'd never see the mobsters counting out suitcases full of cash, or shelves full of stolen merchandise bound for other places. No one questions what you're doing, because your store front *looks* legitimate.

All they're indicating is that the spammer crowd has realized that there is no money in spam any more, and they've migrated to malware.

All in all, it's not hard to get a cabinet, nor a circuit or three, in a datacenter. You don't even need a legitimate company. You just need to *appear* that you have a legitimate company. $100 and a few minutes of your time will incorporate a company to use. Corporate address? A PO box somewhere. Company phone? A "magicjack" or throw away cell phone. The only things that would tie anything to anything would be who's signing the contracts, which can be anyone. For minimum wage, you can have an employee of your illicit corp sign off on papers as "CEO".

At one job, I wasn't listed as an "officer" in the company, so I couldn't sign anything. I got annoyed with trying to deal with the provider, so the next time I called to do something, I was "Vice President of Information Technology", and suddenly I was allowed to make changes. It was with the CEO's blessing, so I wasn't doing anything wrong. It was just to get through the provider's annoying "protective" measures. The CEO never even got a phone call asking if I was allowed to make the changes. He just saw it reflected on the next bill.

Re:Filtering easier? (1)

QuantumRiff (120817) | more than 4 years ago | (#30517942)

I think this is for the command and control servers, not for the spam spewers.. So the blocking would have to be done at the router level, not spam filter level.. And quite frankly, blocking all mail from X is a lot less dangerous of a precedent than black hole routing X. Really sucks if you knock those guys out of business, and someone else gets that IP space someday!

Are IP ranges free all of a sudden??!! (1)

kcoriginal (1705388) | more than 4 years ago | (#30519492)

Boo to the writer... or to the Europeans... which is it? So, like 2 years ago, when I launched my own consultancy, I also wanted to offer hosting. Like every other geek out there. I just remember that there was no way to get my own block from IANA/ICANN (whoever the he!! it was)... unless I had some insane amount like $2500 US. Anyone can confirm that? Did the price thing change? I just remember feeling cheated that an average Joe couldn't fill out the right paperwork and file a reasonable fee to get his small business started. He!!, for $2500, I could get a full business financed... when did it become illegal to be a lil ole small business guy? This is why all the shops just resorted to raping people... they can't win for losing.. so, if you can't beat 'em, join 'em... is that it? Is it easy to get a block from Europe? Perhaps I should cook up some elaborate scheme to VPN my European class B to my /28 here in TX... hmmm.... kc

Re:Are IP ranges free all of a sudden??!! (1)

Onetime77 (567812) | more than 4 years ago | (#30520300)

Once you jump through the hoops the first time it works out to about $1-2 USD/IP address. This is based on a request of a /22 which is still considered a "micro-allocation."

Re:Filtering easier? (3, Interesting)

RobertM1968 (951074) | more than 4 years ago | (#30519704)

In addition to that, as many people seem to erroneously use the term, this makes them an OSP, and not an ISP.

That aside, virtually every ISP and OSP has an ISP they "report to" - thus this should in no way make shutting one of these companies'/criminals'/sites' internet access down any more difficult than in the past. Basically, unless you are a backbone owner, you're paying for a connection to the Internet via someone else and having lines installed by someone else.

In addition, I'd suspect it makes it easier to get them disconnected as they cannot claim (in the US) safe harbor if they are knowingly and/or through actions of their own; placing such botnets online on "their" network. The provisions of the law here are to protect those ISPs and OSPs who get snared in the actions of end-users (not their own malicious actions), only if and when they take appropriate actions to deal with it (those actions dependent on the infraction type... for instance, for copyright infringement, following the rules in the DMCA). In this case, they are causing two strikes to be against them from the get-go...

I'd surmise, that unless a botnet operator buys a big chunk of the Internet "backbone" that the Internet cannot survive without, that regardless of the number of IPs they own, following standard procedures against their ISP will result in the same ends as before. And I would further surmise that even if they did buy a big fat pipe, this would also make it easier to block them at peering points (which in some cases, if done drastically, would help convince their upstream provider to disconnect them even faster than the paperwork and complaints filed).

But that's just my guess... from I dunno... years in the business, including working for UUNet before they got entangled in the MCI-Worldcom debacle (you know, back in the day when besides running the 2nd largest (behind IBM) and then largest part of the backbone, they were actually the real provider for the majority of MSN's and AOL's networking and end user connections). So... as I said, it's just a guess... the Internet landscape has changed a lot from those days of antiquity... but I suspect my guess is pretty close to the true reality of the situation, thus meaning this article on threatpost is massively (and incorrectly) overstating the significance of this.

Then again, I haven't RTFA, so I am only going by a summary - even though my experience on /. has shown that's a bad idea... (but it is more fun having conversations about things that way). ;-)

Re:Filtering easier? (1)

fredklein (532096) | more than 4 years ago | (#30520028)

Or just use Email Certification.

Long story short, everyone who wants to send Certified mail has to be 'certified' by their ISP. (UN-certified mail would still be possible, if you wish.) Getting certified is nothing more than providing enough information to positively identify you, and costs a nominal fee.

In return, you create a public/private key pair, and give the public one to the certifier. The private key goes into your email server, which adds some headers to each outgoing email. One of these is encrypted with the private key. When someone with a certification-compliant email program receives a certified email, the program reads the headers, connects to the certifier's certification server, and downloads the public key. It then uses the public key to decrypt the encrypted header. If successful, it proves that email came from the specified server, and no one else.

If you get spam, your email client has a big 'report certified spam' button. Click it, and an email is auto-launched to the certifier of the sender. The certifier contacts the sender and demands an explanation. If sender was hacked, they fix the security hole and tell certifier they did so. If spam was not spam, or a misunderstanding, they explain.

If, OTOH, the sender does not reply, then the certifier revokes their certification, and from that moment on, all their (the 'sender's) emails are UN-certified.

What if a Certifier themselves is 'evil'? Well, it's certainly possible to have blacklists like they do now, but, instead of blacklisting IP addressed, which get re-assigned and cause trouble for their new owners, it would be evil Certifiers that get listed and blocked.

Eventually, it'll reach a point where any spam that is sent out will get the sender 'de-certified' almost immediately. That means everyone else probably never ends up seeing the spam at all (depending on how their clients handle un-certified emails. Most people will probably auto-trash them.)

However, white lists are still possible. If you like getting emails from certain un-certified sources, just white-list them, and you'll continue to get them. You can also use challenge-response or keyword set-ups for people sending you un-certified email.

TL;DR:
By proving who sent the email (or, more precisely, which server did), Email Certification can hold the server owner responsible. If they send spam, they get de-certified, which means in all likelihood, they lose the ability to email anyone at all. Spammers who can't get certified can't send emails anyone will see.

Re:Filtering easier? (1)

Captain Segfault (686912) | more than 4 years ago | (#30520444)

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Easier to block? (4, Insightful)

phil reed (626) | more than 4 years ago | (#30517418)

Maybe I'm not being smart today, but doesn't that actually make it easier to block the bad guys, once their address space is identified?

Re:Easier to block? (1)

Aequitarum Custos (1614513) | more than 4 years ago | (#30517434)

But who enforces the blocking and how?

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30517478)

the tier-1 providers

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30517544)

Anyone who runs a firewall. I run firewalls for my org. I keep definitions of malicious ISPs and block all traffic from/to them. If enough people do this anyone dumb enough to lease RBN and such a block of IP's will basically be throwing them away.

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30518212)

something like iptables -t filter -A FORWARD -p all -s x.x.x.x/22 -j DROP

Re:Easier to block? (4, Interesting)

CannonballHead (842625) | more than 4 years ago | (#30517440)

Out of curiosity... does that make that IP space sort of permanently black-listed? e.g., if the "bad guys" go out of business and "good guys" buy the IP space... how do the new owners clear the IP space of its bad name?

Seems like a shame to start throwing IP space away because there's no way to make it clean again.

Re:Easier to block? (5, Informative)

Zerth (26112) | more than 4 years ago | (#30517562)

That's why your lists should have a time component.

If you do something naughty, you're blacklisted for an amount of time, then greylisted for the next step up. If you do something naughty while greylisted, you get blacklisted for the remainder and greylisted the next step up again.

Mine goes 15 minutes/1 day/2 weeks/3 months/1 year. I've yet to blacklist anyone for a year.

Re:Easier to block? (4, Interesting)

gknoy (899301) | more than 4 years ago | (#30518324)

Do you have any helpful links to guides that would explain how to do that? I'm sure I am not the only network-care neophyte who would like to have a safe and spam-free system at home, so I'm sure it would get you modded informative.

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30518398)

He got modded informative anyway.

Re:Easier to block? (1)

Zerth (26112) | more than 4 years ago | (#30519826)

Not anything step by step. If your anti-spam software or mailhost supports scripting (or is OSS) and pulls from a manipulable data source (sql, text, dns), you just need to set up a rule for each case that both drops the connection and inserts the IP & timestamp back into those lists.

Then have a script in cron that deletes anything older than the max time for each list

SpamAssassin probably has a plugin for this already, but I can't be bothered to get with the future :)

One easy thing you could do is to replace your first MX record with a bogus host and your last MX record with something like tarbaby.junkemailfilter.com

Many spammers give up if the first is dead or jump straight to the last.
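Zerth's escalating timed lists (the 15 minutes / 1 day / 2 weeks / 3 months / 1 year ladder in the earlier reply, plus the drop-and-record rule and cron cleanup described in this one) as an added Python example; this is not part of the original thread and not Zerth's own scripts. It assumes that "greylisted" here means a probation window during which a repeat offense escalates to the next tier, that "3 months" is approximated as 90 days, and that entries live in memory rather than in the sql/text/dns store the comment mentions. The IP addresses are constructed test values from the documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict

# Escalation ladder from the comment; each tier is longer than the last.
TIERS = [
    timedelta(minutes=15),
    timedelta(days=1),
    timedelta(weeks=2),
    timedelta(days=90),   # "3 months", approximated as 90 days (assumption)
    timedelta(days=365),  # "1 year"
]


@dataclass
class Entry:
    ip: str
    black_until: datetime  # connections are dropped until this time
    grey_until: datetime   # probation: a new offense before this time escalates
    tier: int              # index into TIERS of the current probation window


class EscalatingList:
    """Time-based black/grey list: the penalty grows with each repeat offense,
    and every entry expires on its own, so an IP is never listed forever."""

    def __init__(self, tiers=TIERS):
        if len(tiers) < 2:
            raise ValueError("need at least a blacklist tier and a greylist tier")
        self.tiers = list(tiers)
        self.entries: Dict[str, Entry] = {}

    def state(self, ip: str, now: datetime) -> str:
        e = self.entries.get(ip)
        if e is None or now >= e.grey_until:
            return "clean"
        if now < e.black_until:
            return "black"
        return "grey"

    def offense(self, ip: str, now: datetime) -> Entry:
        """Record a naughty act (spam seen from ip) and return the updated entry."""
        st = self.state(ip, now)
        e = self.entries.get(ip)
        if st == "black":
            return e  # already being dropped; nothing further to escalate yet
        if st == "clean":
            # First strike (or an expired old entry): short blacklist,
            # then probation at the next tier up.
            tier = 1
            black_until = now + self.tiers[0]
            grey_until = black_until + self.tiers[1]
        else:
            # Offense while on probation: stay blacklisted for the remainder of
            # the current window, then probation one tier higher (capped at the top).
            tier = min(e.tier + 1, len(self.tiers) - 1)
            black_until = e.grey_until
            grey_until = black_until + self.tiers[tier]
        e = Entry(ip, black_until, grey_until, tier)
        self.entries[ip] = e
        return e

    def handle_connection(self, ip: str, now: datetime, spam_detected: bool) -> str:
        """The per-connection rule: drop listed IPs, and list IPs caught spamming."""
        if self.state(ip, now) == "black":
            return "drop"
        if spam_detected:
            self.offense(ip, now)
            return "drop"
        return "accept"

    def prune(self, now: datetime) -> int:
        """The cron job: delete entries whose windows have all expired."""
        stale = [ip for ip, e in self.entries.items() if now >= e.grey_until]
        for ip in stale:
            del self.entries[ip]
        return len(stale)


if __name__ == "__main__":
    lst = EscalatingList()
    t0 = datetime(2024, 1, 1)
    print(lst.handle_connection("192.0.2.10", t0, spam_detected=True))          # drop
    print(lst.state("192.0.2.10", t0 + timedelta(minutes=20)))                   # grey
    print(lst.offense("192.0.2.10", t0 + timedelta(hours=1)))                    # tier 2
```

The important design point is that the blacklist and the probation window both carry an expiry, so a block that changes hands is automatically delisted once its last window passes, which is exactly the problem the grandparent comment raised.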

Re:Easier to block? (5, Informative)

nacturation (646836) | more than 4 years ago | (#30520240)

Run spamd on OpenBSD or other OS that supports it. Works beautifully.

http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&sektion=8 [openbsd.org]
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd-setup&sektion=8 [openbsd.org]
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd.conf&sektion=5 [openbsd.org]
http://www.linux.com/archive/feature/61103 [linux.com]

By default, email gets greylisted. In other words, the first two tries are rejected with a temporary failure message, the third try gets through. Real mail servers will retry, spammers often won't. Mail that gets through is whitelisted for that combination of sender, recipient, and IP for a month or so. You can also up-front blacklist IPs by whatever criteria you want -- published blacklists, country IP ranges, and so on. You can specify specific email addresses as spam traps, so you set up fromlamespammer@example.com on your mail server and put that as a hidden mailto link on your home page, and anyone who emails that obviously harvested it and their IP gets blacklisted.

Combine that with Bob Beck's greyscanner (google for it) which looks for individual IPs trying to send from multiple domains and blacklists them for a period of about a month. I've found it eliminates about 99% of all spam. You should still do things like proactively whitelist clients and mail servers which send from a pool of servers (otherwise it'll get delayed quite a bit). And the occasional spam that gets through should get its IP address blacklisted.

It has the additional benefit that if you run a busy mail server, running this in front significantly reduces the load on the mail server. So you end up with less spam, less wasted storage space, and a snappier mail server.
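The greylisting, spam-trap and greyscanner behaviour nacturation describes, as an added Python example; it is not spamd's or greyscanner's code and is not part of the original thread. It follows the comment's description literally (two temporary failures, then accept; the sender/recipient/IP triple whitelisted for about a month), whereas real spamd passes a greylisted sender after a configurable pass time rather than a fixed retry count. The trap address, the "more than three sender domains from one IP" threshold and the 31-day expiries are assumptions, and the addresses are constructed test values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"
REJECT = "550 5.7.1 Your host is blacklisted"

Key = Tuple[str, str, str]  # (sender, recipient, client IP)


class Greylister:
    """Front-end SMTP policy in the style described in the comment: greylist
    unknown triples, whitelist the ones that retry, blacklist IPs that hit a
    spam trap or that send from too many domains (greyscanner-style)."""

    def __init__(self, retries_before_pass=2, whitelist_ttl=timedelta(days=31),
                 blacklist_ttl=timedelta(days=31), max_domains_per_ip=3, traps=()):
        self.retries = retries_before_pass          # tries rejected before passing
        self.whitelist_ttl = whitelist_ttl
        self.blacklist_ttl = blacklist_ttl
        self.max_domains = max_domains_per_ip       # assumed greyscanner threshold
        self.traps: Set[str] = set(traps)           # hidden spam-trap recipients
        self.grey: Dict[Key, int] = {}              # triple -> attempts so far
        self.white: Dict[Key, datetime] = {}        # triple -> expiry
        self.black: Dict[str, datetime] = {}        # ip -> expiry
        self.domains_seen = defaultdict(set)        # ip -> sender domains seen

    def blacklist(self, ip: str, now: datetime) -> None:
        """Also usable up-front for published blacklists or country ranges."""
        self.black[ip] = now + self.blacklist_ttl

    def is_blacklisted(self, ip: str, now: datetime) -> bool:
        exp = self.black.get(ip)
        return exp is not None and now < exp

    def rcpt_to(self, ip: str, sender: str, rcpt: str, now: datetime) -> str:
        """Decide the reply to RCPT TO for one delivery attempt."""
        if self.is_blacklisted(ip, now):
            return REJECT
        if rcpt in self.traps:
            # Nobody legitimate writes to a trap address: whoever does harvested it.
            self.blacklist(ip, now)
            return REJECT
        key = (sender, rcpt, ip)
        exp = self.white.get(key)
        if exp is not None and now < exp:
            return ACCEPT  # known-good triple, skip greylisting
        # greyscanner-style check: one IP claiming many sender domains is a bot
        self.domains_seen[ip].add(sender.rpartition("@")[2].lower())
        if len(self.domains_seen[ip]) > self.max_domains:
            self.blacklist(ip, now)
            return REJECT
        attempts = self.grey.get(key, 0) + 1
        if attempts <= self.retries:
            self.grey[key] = attempts
            return TEMPFAIL  # real MTAs queue and retry; most spam cannons do not
        del self.grey[key]
        self.white[key] = now + self.whitelist_ttl
        return ACCEPT


if __name__ == "__main__":
    g = Greylister(traps={"trap@example.com"})
    t = datetime(2024, 1, 1)
    for minutes in (0, 10, 30):
        print(g.rcpt_to("198.51.100.7", "alice@example.org", "bob@example.com",
                        t + timedelta(minutes=minutes)))
```

Because the whitelist entries expire, a sender that goes quiet for longer than the TTL is simply greylisted again and costs a real MTA one retry cycle; clients that send from a pool of outbound servers should be whitelisted up-front, as the comment says, or each new IP in the pool will be delayed separately.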

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30518498)

Out of curiosity... does that make that IP space sort of permanently black-listed? e.g., if the "bad guys" go out of business and "good guys" buy the IP space... how do the new owners clear the IP space of its bad name?

Seems like a shame to start throwing IP space away because there's no way to make it clean again.

At times, yes.

See this [merit.edu] for a recent incident involving the Atrivo/RBN incident.

Re:Easier to block? (3, Insightful)

mysidia (191772) | more than 4 years ago | (#30518808)

No.. it's worse than that. IP addresses aren't bought or sold.

Once they are no longer using the IPs, once they cancel the connection, the IP delegation goes away.

If the IPs came from the ISP, that ISP has to re-use such IPs: they count against the ISP's ability to justify need for more IP addresses.

If the IPs came from a RIR, once the justification goes away, the IP addresses are supposed to be returned, or they get revoked when the recipient of the IPs stops paying their annual maintenance fees.

In any case, the IPs eventually go back to the free pool, and get allocated to someone else.

The registries aren't going to try and "clean" blacklists, neither will ISPs. The recipient of IPs inherits the problem, to deal with any connectivity issues caused by blacklisting.

For IPs received from an ISP though... you should be able to convince your ISP to get you new IPs and allow you to move, if you're willing to take the time and energy to renumber, and (for some ISPs), there may be fees involved in you making the change requests, for the time it takes the ISP to make changes.

In many ways, poorly-maintained blacklists are just as harmful to the internet and end-to-end universal connectivity, as the spammers and malware peddlers are.

Re:Easier to block? (1)

Reaperducer (871695) | more than 4 years ago | (#30519288)

Happened to me. Launched a site on Pair networks a few years back and had problems with my outgoing mail. Turned out the guy who had the IP address before me was blacklisted. Pair just pushed me over to a new address. No problem.

Simple - ipV8 (1)

Dogbertius (1333565) | more than 4 years ago | (#30520532)

Don't worry, once we've needlessly partitioned away every last block of ipv6 addresses, we can repeat the exercise again with ipv8 :)

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30517444)

short_answer = "yes"
long_answer = "hell yes"

Re:Easier to block? (2, Interesting)

Conchobair (1648793) | more than 4 years ago | (#30517496)

I would think that the criminals would use a forged source IP address [wikipedia.org] as not to reveal their true IP.

Re:Easier to block? (3, Informative)

denis-The-menace (471988) | more than 4 years ago | (#30517712)

Wouldn't they need to peer with someone?
If so, then that peer should become the new target for shutdown requests.

Am I right?

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30518074)

Wouldn't they need to peer with someone?
If so, then that peer should become the new target for cruise missiles.

Fixed that for you. Even the sleazebag telcos in Eastern Europe might think twice at that point...

Re:Easier to block? (1)

Antique Geekmeister (740220) | more than 4 years ago | (#30518104)

Yes, but most mid-level and top-level network providers refuse to do anything about their misbehaving clients, citing concerns such as "common carrier status" and "we have no policy for that" and "contact the registering entity" and "contact abuse@spamserver.com". This has been going on for years in various ways, especially for the 'legal' bulk advertisers as opposed to fraudulent spammers, and 'legal' spam for pyramid schemes, spam that is in complete compliance with the USA's 'CAN-SPAM' laws but is nevertheless unwanted, excessive, and damaging to recipients.

While their peer or upstream providers will be targets for shutdown requests, they've been historically extremely reluctant to act. Look into the history of agis.net and Cyberpromo to see how a spamming domain can remain active for months and even years, continuing to gather civil and criminal lawsuits, while their upstream provider refuses to act. A list of domains who eventually disconnected Cyberpromo is at http://www.rahul.net/falk/Cp/ [rahul.net], and the amazing thing is the length of time that each of them permitted the activity to go on. The final trigger that stopped their last haven, agis.net, from serving Cyberpromo was the series of DOS attacks that hindered agis.net from serving any of their more legitimate customers.

Re:Easier to block? (2, Interesting)

mysidia (191772) | more than 4 years ago | (#30519130)

Well, you could send complaints to the provider they peer with.

Normally that means the provider you send the messages to forwards them to the administrator of the network the spam complained about originates from.

Blacklisting is still your best bet, if you want to stop spam.

Spamhaus has a list called DROP [spamhaus.org], the Don't Route or Peer list, for listing hijacked blocks and professional spammers.

Trend Micro has InterCloud, ICSS/BASE.. which can provide tl. a BGP feed of providers/IP addresses to blacklist/null-route (botnet command and control points and infected hosts).

Re:Easier to block? (1)

rtb61 (674572) | more than 4 years ago | (#30519504)

It doesn't really matter, the big game 'is' to be an ISP and pretend one of your customers is the culprit, so the pseudo customer gets pursued, while you simply pretend another shady customer has opened up an account. There were quite a few smaller ISPs who had a real reputation for being enablers of digital crimes, so this tactic is really nothing new.

The whole idea is to hide and make your presence felt, big noisy operations are just targets. Besides the biggest culprits will be intelligence services in corrupt countries creating their own business side line on the 'companies' already shady servers.

Re:Easier to block? (4, Informative)

Demonantis (1340557) | more than 4 years ago | (#30517526)

In TFA it mentions that it starts to become spaghetti. As ISPs get smart and start blocking that address block the criminal moves on to other things. The lease expires on the block and it is issued to a legit company and then problems happen because the blacklists are not updated by the ISPs. IPv4 also is a very limited size so you can't just rotate around the blocks you issue every 100 or so years (conservatively) and avoid this issue.

Re:Easier to block? (2, Funny)

mysidia (191772) | more than 4 years ago | (#30519156)

If there were... nobody would bother cleaning old blacklist entries, since the IPs only get recycled every 100 years or so.... no reason to bother.

Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

Re:Easier to block? (3, Funny)

Hognoxious (631665) | more than 4 years ago | (#30519248)

Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

No worries, everyone will be using IPv8 by then.

Re:Easier to block? (0)

Anonymous Coward | more than 4 years ago | (#30519966)

Then 100 years later, an IP that was spamming 100 years ago gets re-used... and can't connect to anyone......

If you're an ISP, the only thing you really own is the right to send traffic from within your IP ranges.

If I'm going to develop a subdivision, I'll buy my land from the Mayor whose town preserved its greenfields for farmlands and parks, not from the Mayor that allowed a chemical plant to flush a million gallons of organometallics down the toilet, through the septic tank, and into the leach field.

Knowingly host spammers and botnet operators? Your IP ranges become so fucking radioactive that nobody'll accept packets from them, and when it comes time to sell your business, nobody's going to want to buy it.

This war won't end until ISPs realize that hosting spammers detracts from the value of the business.

Re:Easier to block? (1)

mjwalshe (1680392) | more than 4 years ago | (#30517630)

And also, if they have had to build a DC, buy servers and rent space, this all leaves a paper trail to them.

Re:Easier to block? (3, Informative)

mysidia (191772) | more than 4 years ago | (#30518004)

There is a strong movement on the public internet registries such as ARIN, RIR, etc, supporting privacy of IP address allocation data. In the future, it is very likely that registry policy may shift in favor of these supporters of internet privacy.

The result will be you cannot do so much as a WHOIS lookup to find out who these spammers might be if the privacy advocates/spammer have their way, only with a court order...

Good luck getting that when the spammer lives in a different country, where spam isn't illegal.

No, because once every /24 in those f****ers' block gets on enough blacklists, they get a few more hosts to justify a bigger block, fill out a form to RETURN the IP addresses they got. Their old IPs will be assigned to someone else, and after they exchange their old IPs for a fresh new block of IPs they have even more /24s than before, and none of them blocked.

Now only the new guy (that happens to be so unlucky as to get their old IPs) is blocked.

Of course the f'ers will pretend to be legitimate extremely well, and make it as hard as possible for people to see reason to ban their whole block.. (E.g. The "shell" ISP will create "fake" separation from spammers who "received space" from their block)

They may do all kinds of weird s**** to make it look like it's not just one spammer.

Alternatively, they just apply for more space, using more shell companies, lather, rinse, and repeat. Until IPv4 is exhausted [inetcore.com], that is.

If they have no problem lying once... it's not the least bit difficult to create 30 more fake companies (or even, make them real companies -- if the spam effort is profitable enough).

This is all assuming they are getting the IPs from the RIRs in the first place, which I doubt is the most common.. that could be too easy to track, since these allocations generally get published very visibly.

LIR ips are just fine for them, and much easier to get.

Also, the RIRs are basically powerless to stop this. Contrary to the article, it's not necessarily about "LIRs being lax".

Once a block of IP addresses is assigned, it is not as if the LIR or RIR can revoke it and force its use to cease.

Revoking IP addresses doesn't magically make them unreachable on the internet -- once the spammer convinced their ISP to announce the address space, they don't need (any longer) to prove they got the IPs legitimately, until/unless they get more ISPs.

The article's terminology is wrong. An LIR is just another name for an ISP. Verizon is an LIR, Level3 is an LIR, Cogent is an LIR, AT&T, Sprint, etc, are all LIRs, any ISP that receives ISP allocations of addresses which are issued to them for the sole purpose of sub-delegating for use with their services, is called an LIR.

Maybe the article means the spammers are getting IP delegations from an ISP LIR, that would make sense. It is very easy to believe, they could do this en masse with very little effort, in fact.

If you buy internet services from an ISP like Verizon, and claim to have X hosts, they will have a very hard time rejecting a request from their customer for those IPs.

For a simple /24 or two, most won't ask for much documentation as long as the price is right; it's not customer-friendly to try that.

The tough questions don't start getting asked, until a request for a larger number of IPs is made, which is sensible. Level of justification and documentation commensurate with the expected usage.

The LIR/ISP will SWIP the listing or list the claimed owner on their RWHOIS servers, but it won't appear as public knowledge in the RSS feeds that such and such /24 has been allocated.

ISP RWHOIS servers are commonly broken and poorly maintained -- the spammer's new subdelegation may not even become public knowledge.
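The attribution and blocking logic the post above argues about (most-specific delegation wins, a pile of "separate" sub-delegations under one parent, and the next tenant inheriting a blocked range) as an added example; this is not code from the thread or from any commenter. It assumes constructed SWIP-style records in RFC 5737 documentation space, a constructed list of abuse-report sources, and thresholds (min_hits, min_children) chosen for illustration:

```python
import ipaddress
from collections import Counter

# Constructed sample data for this example (not from the thread). The /24 is
# RFC 5737 documentation space, so nothing here touches a real network.
# Keys are prefixes as an LIR/ISP would SWIP them; the /26s are sub-delegations
# carved out of the /24 and listed under separate customer names.
DELEGATIONS = {
    "203.0.113.0/24": "ExampleNet ISP (LIR allocation)",
    "203.0.113.0/26": "Alpha Hosting Ltd",
    "203.0.113.64/26": "Beta Media Ltd",
    "203.0.113.128/26": "Gamma Analytics Ltd",
    "203.0.113.192/26": "Quiet Bakery Co",
}

# Constructed abuse-report sources (spam seen from these addresses).
ABUSE_SOURCES = [
    "203.0.113.5", "203.0.113.9", "203.0.113.17", "203.0.113.33",        # Alpha: 4
    "203.0.113.70", "203.0.113.71", "203.0.113.99",                      # Beta: 3
    "203.0.113.130", "203.0.113.150", "203.0.113.160", "203.0.113.170",  # Gamma: 4
    "203.0.113.200",                                                     # Bakery: 1
]


def longest_match(ip, delegations):
    """Most specific delegation containing ip, the way a SWIP/RWHOIS lookup
    attributes an address to its immediate holder. Returns None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in delegations:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def abusive_delegations(delegations, sources, min_hits=3):
    """Count reports per most-specific delegation; keep those at or over the
    threshold so one stray report does not blocklist a whole customer."""
    hits = Counter()
    for ip in sources:
        net = longest_match(ip, delegations)
        if net is not None:
            hits[net] += 1
    return {net: n for net, n in hits.items() if n >= min_hits}


def escalate(delegations, abusive, min_children=3):
    """Widen the block when enough sibling sub-delegations of one parent are
    abusive: that is the 'many separate customers' story the post describes,
    and blocking the parent prefix is the only way to stay ahead of it.
    Most-specific parents are processed first so escalation cascades upward."""
    nets = sorted((ipaddress.ip_network(p) for p in delegations),
                  key=lambda n: n.prefixlen, reverse=True)
    to_block = set(abusive)
    for parent in nets:
        children = [n for n in nets if n != parent and n.subnet_of(parent)]
        if children and sum(1 for c in children if c in to_block) >= min_children:
            to_block -= set(children)  # the parent now covers them all
            to_block.add(parent)
    return sorted(to_block)


def collateral(delegations, blocked, abusive):
    """Delegations swept into a wider block without abuse of their own: the
    cost of escalating, and what the next tenant of the space inherits."""
    names = []
    for prefix, name in delegations.items():
        net = ipaddress.ip_network(prefix)
        if net in abusive:
            continue
        if any(net != b and net.subnet_of(b) for b in blocked):
            names.append(name)
    return names


if __name__ == "__main__":
    bad = abusive_delegations(DELEGATIONS, ABUSE_SOURCES)
    blocked = escalate(DELEGATIONS, bad)
    print("abusive sub-delegations:", [str(n) for n in bad])
    print("block list:", [str(n) for n in blocked])
    print("collateral:", collateral(DELEGATIONS, blocked, bad))
```

With the sample data three of the four /26s cross the threshold, so the /24 gets blocked and "Quiet Bakery Co" is collateral; raising min_children to 4 keeps the block at the three /26s. The thresholds are the whole policy: too low and an innocent neighbour is listed, too high and thirty shell companies each stay just under the bar.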

Re:Easier to block? (4, Interesting)

xous (1009057) | more than 4 years ago | (#30518672)

No, it doesn't.

We had a "customer" that had 15+ dedicated servers with us. This customer received tons of SPAM complaints. Each time they had a different excuse.

After I disabled the servers and refused to turn them back on without examining them, the "employee" said he wasn't supposed to give me the root passwords, but after I said that they would stay down until I got them he reluctantly gave them to me. Upon cursory examination the systems seemed clean as a whistle until I realized there were no services actually running. No mail, etc.

Where was the email coming from?

I then found that the customer had GRE tunnels configured. This allowed servers in other data-centers to generate and send the spam through our network without having anything of actual value hosted with us.

The "employee" that was our customer was so convincing that I could have believed that at least he thought his company was legitimate. He even tried to tell me that it was because they couldn't get IP addresses from their current provider they bought dedicated servers from us ($1500/mo) for IP space.

Obviously the customer was terminated as soon as I found the tunnels.
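The tunnel-relay pattern xous describes (hosts that run no services, take inbound GRE from another data center, and push the mail out under the local address space) as detection logic over flow records; this is an added example, not the poster's own tooling. It assumes constructed flow lines in a simplified "src,dst,proto,dst_port,packets" form, a customer block in RFC 5737 space, and an arbitrary packet threshold:

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the post), reduced to
# "src,dst,ip_proto,dst_port,packets" as an nfdump/IPFIX export might be
# summarised at a hosting provider's edge. All addresses are RFC 5737 space.
FLOWS = """\
198.51.100.7,203.0.113.10,47,0,5200
198.51.100.7,203.0.113.11,47,0,4800
203.0.113.10,192.0.2.25,6,25,900
203.0.113.10,192.0.2.26,6,25,870
203.0.113.11,192.0.2.30,6,25,910
203.0.113.12,192.0.2.40,6,443,300
203.0.113.13,192.0.2.50,6,25,40
203.0.113.12,198.51.100.9,6,22,20
"""

# The block assigned to the customer's dedicated servers (assumption).
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")

GRE = 47  # IP protocol number for GRE
TCP = 6


def parse_flows(text):
    """Parse the simplified flow lines into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        rows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": int(proto),
            "dport": int(dport),
            "pkts": int(pkts),
        })
    return rows


def gre_endpoints(flows, customer_net):
    """Map each customer host terminating inbound GRE to the outside peers
    feeding it. A colo box with nothing hosted has no reason to see this."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] == GRE and f["dst"] in customer_net and f["src"] not in customer_net:
            peers[f["dst"]].add(f["src"])
    return peers


def smtp_egress(flows, customer_net, min_pkts=100):
    """Customer hosts originating outbound TCP/25, summed per host and
    filtered by a packet threshold so a single bounce does not trigger."""
    out = defaultdict(int)
    for f in flows:
        if (f["proto"] == TCP and f["dport"] == 25
                and f["src"] in customer_net and f["dst"] not in customer_net):
            out[f["src"]] += f["pkts"]
    return {h: p for h, p in out.items() if p >= min_pkts}


def relay_suspects(flows, customer_net):
    """Hosts that both receive GRE from outside and push SMTP out: the
    signature of a box relaying someone else's mail through this network."""
    peers = gre_endpoints(flows, customer_net)
    mail = smtp_egress(flows, customer_net)
    return {
        str(h): {"smtp_packets": mail[h], "gre_peers": sorted(map(str, peers[h]))}
        for h in mail if h in peers
    }


if __name__ == "__main__":
    for host, info in relay_suspects(parse_flows(FLOWS), CUSTOMER_NET).items():
        print(host, info)
```

On the sample flows the two hosts fed by 198.51.100.7 are flagged, the host on port 443 is not, and the host with 40 SMTP packets stays under the threshold. Seeing the tunnel in the flows is the point: looking at the local box alone shows a clean system with nothing listening, exactly what the post describes.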

Re:Easier to block? (3, Informative)

mysidia (191772) | more than 4 years ago | (#30519318)

Well, you probably broke quite a few laws by using coercion to gain access to a customer's servers. But I for one would overlook it, given the benefits to the world at large (still it could be risky).

Fortunately, given the use of GRE tunnels, the spammer probably broke more laws, and would probably be a bit hesitant to sue.

The scenario is atypical. From the sounds of it, most spammers are not buying the cabinet space from the same company that is providing the internet access.

Of course it's a breach of contract and likely a violation of SLA for a cabinet provider to power down anyone's equipment or start cutting wires, because they think they might be spamming.

The spammer might sue claiming loss of valuable data (due to an unclean shutdown of their server).

Industry standard terms are power can be disconnected at request of customer (for a fee of course), emergency, planned maintenance, and violation of wiring standards (e.g. many major colocation facilities will have many rules on how equipment can be plugged in). But I don't think there are many Enterprise rack residents that accept "We may disconnect you if we feel your servers are doing something suspicious"

Of course network connections are a bit different.

Well, if you buy TRANSPORT from point A to point B, such as a connection from your rack to an ISP, in a major datacenter, you can expect by contract the transport provider cannot examine any data crossing the wire. In fact, they cannot cut the cable, just because they suspect you might be sending spam over it.

Your OC-3 or Ethernet transport from "Point A" to "Point B" is not an internet service. It's extremely unlikely for an Enterprise to negotiate a contract that allows their transport provider to disconnect them.

Following industry standard terms, a transport provider cannot kill the link even if you are spamming. In fact, even if an internet attack happens to be crossing the link, a transport provider has no right to kill your connection or detect the nature of the traffic that is being transported.

To do so would be breach of contract/SLA on their part, and subject them to unnecessary liabilities (they lose their common carrier status for links that they 'watch').

In most cases, the one and only party that can legally cut off such a professional spammer at the source is the upstream ISPs, transit providers, or peering exchange of the misbehaving party.

Naturally, this is assuming the ISP isn't the same company that provides the rack space. In other situations matters might be different.

And in a major datacenter, there might be a lot of different ISPs to choose from...

I guess, my point is just... the standard arrangements for such facilities can actually serve to protect spammers.

Just like they protect Enterprises (who wouldn't inhabit them otherwise -- if someone could just arbitrarily decide to power off their servers, because they didn't like a file on their website).

Re:Easier to block? (1)

chapstercni (238462) | more than 4 years ago | (#30519418)

Wouldn't it only be breach of contract if it violated the terms of the contract? Not sure how YOU know what those contracts state.

Re:Easier to block? (1)

mysidia (191772) | more than 4 years ago | (#30519732)

In most cases it would be. Most spammers and non-spammers don't make an agreement with provisions for their landlord to turn off the lights.

The contract specifies services to be provided, and turning off those services is a failure to perform under the agreement, in the most common scenario.

Even if the terms don't explicitly prohibit the landlord from doing so, it may still be unlawful for them to turn off the power without meeting certain advance notification requirements.

Whether the actual crime is breach of contract, unlawful eviction, or tortious interference, is immaterial.

Re:Easier to block? (3, Interesting)

xous (1009057) | more than 4 years ago | (#30520748)

Hi,

The SPAM was originating from our network, which is a TOS violation which allows us to suspend services. I had already disabled the switch ports and the customer was trying to get it back online.

I had no obligation to waste my time trying to look into the problem to see how the spam was being sent. The customer could have easily gone somewhere else instead of accepting the condition for turning the equipment back on.

I think what this "company" was doing had all their spam services in a data-center and only used their connection with them connecting to GRE tunnels.

Then they found smaller dedicated hosting companies that offered cheap servers ($100/mo) and tunneled all their traffic to their hosts at other networks.

It's not a bad tactic as it can sometimes take smaller companies a while to investigate complaints.

Re:Easier to block? (1)

chapstercni (238462) | more than 4 years ago | (#30519426)

Nice troubleshooting. Glad you terminated them.

Re:Easier to block? (1)

hack slash (1064002) | more than 4 years ago | (#30519716)

IPv4 I would think so; my HOSTS file is 600kB from http://www.mvps.org/winhelp2002/hosts.htm (I don't solely rely on it as I also use AdBlock+ with FF), but if everything went IPv6 overnight the blocklists could get into some seriously ludicrous filesizes.

I thought... (4, Interesting)

Darkness404 (1287218) | more than 4 years ago | (#30517428)

I thought the entire reason why botnets were so hard to stop is because they could be on a huge range of IP addresses. With this isn't it trivial to see that Evilnet ISP is a botnet and has the IP addresses xxx.xxx.x.xxx- xxx.xxx.x.yyy and just block those? I mean, yeah, if they had enough bandwidth they could still flood you with requests that slow down the servers because they all need to be blocked, but shouldn't it make blocking them easier?

Re:I thought... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30518436)

...that the subject line was for the subject, not the first two words of the first paragraph. Maybe I'm old-fashioned...

DNA samples/Chips in fingertips? (4, Insightful)

e2d2 (115622) | more than 4 years ago | (#30517432)

No further investigation is done

And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

Pretty soon we're gonna be so "secure" it's gonna take an act of congress to take a piss.

Re:DNA samples/Chips in fingertips? (3, Funny)

casings (257363) | more than 4 years ago | (#30517470)

Mark Foley would probably like that idea.

Re:DNA samples/Chips in fingertips? (3, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#30517492)

Sure, but the thing is IPv4 IP addresses are limited. Because of this, even if they started a botnet today and a year from now were gone, that range of IP addresses still might be blocked by various places.

I agree with your general feelings that you shouldn't need investigating to get a block of IP addresses, but it reduces a scarce commodity and is in the best interests of those giving out blocks of IP addresses to check out the companies a bit more.

Re:DNA samples/Chips in fingertips? (2, Insightful)

scott_karana (841914) | more than 4 years ago | (#30517628)

Most sane datacenters will be extremely proactive about dealing with abuse complaints about spam, to say nothing about botnets, since they're the ones providing the IPs to the customers.
Capitalism typically makes it hard on the baddies here: datacenters do NOT want to lose saleable IPs to long-lasting blocks.

Wake Me (1)

camperdave (969942) | more than 4 years ago | (#30517736)

Sure, but the thing is IPv4 IP addresses are limited.

Exactly. Wake me when they become an IPv6 ISP.

Re:DNA samples/Chips in fingertips? (1)

Shakrai (717556) | more than 4 years ago | (#30517582)

Pretty soon we're gonna be so "secure" it's gonna take an act of congress to take a piss.

Boy, that's gonna really suck for the people whose political party of choice happens to be out of power at the time they need to go..... ;)

Re:DNA samples/Chips in fingertips? (2, Funny)

techno-vampire (666512) | more than 4 years ago | (#30518562)

Pretty soon we're gonna be so "secure" it's gonna take an act of congress to take a piss.

If so, that's going to make it damned hard to be a phlebotomist. It's a good thing I only plan on leaving one.

Re:DNA samples/Chips in fingertips? (1)

RobertM1968 (951074) | more than 4 years ago | (#30519790)

No further investigation is done

And none should be. They're a potential customer buying IP addresses and hosting, not automatic weapons.

Pretty soon we're gonna be so "secure" it's gonna take an act of congress to take a piss.

Yet, funnily enough, for me to get a measly 16 IPs (for 6 servers, 1 router, 3 dedicated workstations that are not permitted by law to have NAT, one more IP to a NAT router for other client stations and SOB/EOB) I have to justify each and every one of them, including possibly digging out the specific legal requirement for the 3 specialized workstations not being able to be NAT'd and identify the customer to further support why that law applies to them in support of us not being able to NAT those workstations.

Kinda odd if it is easier to obtain a big block than a measly 16 for our legitimate needs.

Friends don't let friends surf the web in IE (-1, Offtopic)

Enderandrew (866215) | more than 4 years ago | (#30517460)

It took years, but Firefox continues to gain where IE continues to fall behind.

I really honestly believe if all the FOSS advocates out there made an effort to switch a handful of family and friends to Linux, that they in turn would do the same.

I'm converting my family and friends because I'm tired of being asked to clean viruses and the like. With the web being as dangerous as it is, can we in good conscience allow our friends and family who don't know any better to continue to fire up IE and infect their PCs?

Re:Friends don't let friends surf the web in IE (0, Offtopic)

Aeros (668253) | more than 4 years ago | (#30517588)

?!? what does this have to do with this article?

Re:Friends don't let friends surf the web in IE (1)

psithurism (1642461) | more than 4 years ago | (#30517722)

It demonstrates that botnets are posting crap on /., which helps goad the discussion towards what action we can take to stop them.

Re:Friends don't let friends surf the web in IE (0, Offtopic)

DomNF15 (1529309) | more than 4 years ago | (#30517608)

In the spirit of discussing FOSS, Linux (I believe, but could be wrong) is still missing support for a bunch of consumer devices, like iPods/iPhones, and digital cameras, etc. And there are a lot of niche apps that just don't work. Let's say I use Solidworks for CAD/CAM drawings, I don't think that will run natively on Linux. That is why a lot of people are not so keen to jump on that bandwagon. Mind you, I happen to run various Windows/Linux distros at home (and every box has Firefox as the default browser)...each has their role/strengths/weaknesses. If the problem is stupid users, then fix stupid users, don't just switch software and expect the problem to go away completely, chances are it will come back to bite you, eventually. I understand that requires more effort, but it's probably more effective in the long run. Or would you rather put a piece of tape over the blinking clock on your VCR?

Re:Friends don't let friends surf the web in IE (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30517936)

Firefox is just a dumbed down version of Mozilla.

Can you morons stop dumbing down Linux far enough for all your friends and family to use, or do I have to switch to FreeBSD or something?

Do you seriously think that all Linux needs is better marketing?

Hyperbole (5, Insightful)

uassholes (1179143) | more than 4 years ago | (#30517472)

Having a block of IP addresses does not make one an ISP.

Re:Hyperbole (3, Funny)

Shakrai (717556) | more than 4 years ago | (#30517778)

But they are providing internet service to the critically underserved market of phishers, extortionists and viagra salesmen. I bet they even obey network neutrality and don't inject fake RST packets into your connections too. Clearly they qualify as an ISP ;)

Re:Hyperbole (0)

Anonymous Coward | more than 4 years ago | (#30518490)

You're the computer guy?

Yep. Police Information Systems. PIS.

Piss?

We don't call it that.

Re:Hyperbole (1)

RobertM1968 (951074) | more than 4 years ago | (#30519814)

Technically, "back in the day" the term Internet Service Provider referred to a provider of online access for companies or individuals (ie: you could connect to the net via dial-up, ISDN, T1, T3, DSL, etc) and the term OSP referred to a company that provided online services (for themselves and/or others) other than connectivity (companies with web properties, web hosting companies, newsgroup hosting companies, email providers, etc).

Seems "ISP" is the new blanket term for everything. Various US law addresses both terms though.

Re:Hyperbole (1)

Eil (82413) | more than 4 years ago | (#30519560)

Well, the terminology is debatable. They're talking about the malware and botnet operators getting more organized and reselling their services as malware-friendly ISPs.

I work for a web hosting company, but the vast majority of our customers are resellers who simply rent a dedicated box with cPanel, toss up a web page, and presto, they're a web hosting company too.

Isn't this cool? (5, Interesting)

DNS-and-BIND (461968) | more than 4 years ago | (#30517474)

Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

Re:Isn't this cool? (2, Funny)

lymond01 (314120) | more than 4 years ago | (#30517670)

Umm, my future had me flying through a huge chamber freezing other people's limbs with my gun and scoring points with my helmet.

We really should have gone with my future...

Re:Isn't this cool? (0)

Anonymous Coward | more than 4 years ago | (#30517826)

I would shoot my own legs and use them as a shield, personally.

Re:Isn't this cool? (1)

Tsujiku (902045) | more than 4 years ago | (#30518034)

Don't forget using high tech fishing line to change direction in mid-air.

Re:Isn't this cool? (2, Informative)

Deltaspectre (796409) | more than 4 years ago | (#30518054)

Then I would gracefully fall down towards the enemy gate. (I was actually looking around yesterday and it seems there may be a battle room videogame on the way : http://en.wikipedia.org/wiki/Ender's_Game_(video_game) )

Re:Isn't this cool? (1)

Jeremy Erwin (2054) | more than 4 years ago | (#30518854)

Personally, I thought that Stephenson's skullgun was pretty damn cool.

Re:Isn't this cool? (1)

MathiasRav (1210872) | more than 4 years ago | (#30517800)

Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?

Somewhere, on a secret global malware authors' intranet, on a site running Slashcode, scammers are praising 2010 as the year of unregulated DoS'ing on the Internet.

Re:Isn't this cool? (5, Interesting)

JohnyDog (129809) | more than 4 years ago | (#30518284)

Remember back in the 90s when everyone was jizzing in their pants about Bruce Sterling and Neal Stephenson's writing, dreaming of actually implementing the ideas therein? Data havens, crypto-anarchism, impregnable anonymity, hackers making a decent living by a life of crime, and so forth?
Well, now the future is here. Kind of sucks, doesn't it? Careful what you wish for, you just might get it.

In those cyberpunk visions the world's political and judicial systems are tightly controlled by corrupt mega-corporations and the net is anything but open. The very act of accessing the network or tampering with it may land you in prison, criticizing the rulers means you're dead and so on. Every piece of hardware is registered, so if you want to get any hacking done you have to turn to the black market (for stuff) and criminals (to get money for stuff), out of pure necessity. (It's the classical tale of an occupied country's resistance movement working together with organized crime, right?)

Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts at large-scale censoring have failed miserably. Anonymity is just one unsecured wifi hotspot away on every corner (so you don't need to pay a hacker to get you online), and any attempts at uncovering corruption and truth are met with public support. So the traditional heroes of cyberpunk stories can operate publicly or semi-publicly (think wikileaks), the worst that can happen to them is someone pulling the DMCA on the copied/leaked documents, which rarely results even in fines, much less prison time. The hackers are working on cool engineering projects instead of breaking into companies' networks, and the criminals are, well, criminals - since they are no longer needed for the goals of the freedom fighters, all they do is disrupt the free information exchange (ddosing sites for greed, decreasing signal-to-noise ratio by spamming the hell out of everyone etc.), and so are frowned upon even by the neo-anarchists.

Re:Isn't this cool? (2, Informative)

pantherace (165052) | more than 4 years ago | (#30518826)

Compare that to the reality we got: cheap ubiquitous internet, cheap ubiquitous hardware to access it, the net is *by default* free and open, and all attempts to any large-scale censoring has failed miserably.

Sadly, I think your statement is incorrect. I'd agree that we've got cheap internet and hardware. China's firewall, as well as Iran's filtering seem to both be large-scale censoring, which has not failed miserably. In most of the rest of the world, while not censored, it may well be monitored. Also consider the recent articles about people providing fake DMCA notices, which may or may not be widespread, and the attempt to get those extended to every country.

What - No William Gibson? (2, Informative)

meerling (1487879) | more than 4 years ago | (#30518592)

Come on, W.G. is one of the founders of the whole cyberpunk genre.
You can't honestly tell me that you've read Sterling and Stephenson and haven't read Gibson.

Is the address space for something else? (4, Insightful)

damn_registrars (1103043) | more than 4 years ago | (#30517570)

Sure, we know a lot of the botnet activities that we care about - distributed spamming, distributed hacking, etc... But I suspect that isn't what they want the dedicated IP space for. People already pointed out that if the lion's share of your spam or hacking attempts came from a single IP block, it would be trivial to block it.

Hence I suspect the operators want the IP space for other uses. Consider your average spam - we'll say it asks you to buy viagra through joescheapdrugs.com. Now joescheapdrugs.com needs to be purchased, which requires a registrar. It also needs to be resolved via a DNS server somewhere (which isn't always done by the registrar or ISP). If joescheapdrugs.com were an average spamvertised site, it would likely be hosted in one continent, registered through a registrar in another, and resolved by a DNS in yet another.

The IP space would be useful because the DNS could be done in that range, and once the spammers establish an accredited registrar they could sell themselves domains from there too. We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US. So by owning IP space, they can actually keep more of their own money for their operations, thus increasing their profit margins. They can offer hosting, DNS, and registration services for anyone who wants to sell anything, and then sell them spamming services as well.

It becomes one-stop-shopping for vendors trying to make a fast buck (or those who don't know better).

Re:Is the address space for something else? (1)

Ifni (545998) | more than 4 years ago | (#30517818)

Still doesn't complicate matters much - some software will have to be updated, but if the option were added to refuse to resolve websites that use a particular registrar, or to ignore results from specific DNS servers, then they can be shut out of the average user's Internet experience. Granted, this would have to be done at the DNS provider level (your ISP, or OpenDNS, etc) so the individual user wouldn't have as much control (unless they host their own recursive DNS), but it presents a pretty minor speed bump over all.

Re:Is the address space for something else? (1)

Corporate Troll (537873) | more than 4 years ago | (#30517900)

We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US.

I know I might be nitpicky here, but why do you feel that .com, .org, .net (and .biz, .name, .info and a plethora others) should only be restricted to the US? So Médecins Sans Frontières has no right to a .org in your world because it's French? Heck SAP couldn't get a .com because it's German! I'm just wondering. The ones you cited are international. You might have a point regarding .us domains. I know that in my country you only get a .lu when you live there and/or have a company there. Might have changed by now...

Re:Is the address space for something else? (1)

rdavidson3 (844790) | more than 4 years ago | (#30518294)

I live in Canada, and we have the .ca domain. But I've worked for several Canadian companies that have the .com suffix.

Re:Is the address space for something else? (1)

Corporate Troll (537873) | more than 4 years ago | (#30518448)

I think that was my point :-) I have a vanity .com, .net and .org.... Hosted from my ADSL line.

Re:Is the address space for something else? (1)

damn_registrars (1103043) | more than 4 years ago | (#30519654)

We all know that .com, .org, .net domains not only are not restricted to sales to people/companies/organizations in the US, they aren't even restricted to being sold by companies in the US.

I know I might be nitpicky here, but why do you feel that .com, .org, .net (and .biz, .name, .info and a plethora others) should only be restricted to the US?

I didn't actually say that, and admittedly when typing my post I was concerned about the possibility someone might read it that way.

The point I was trying to make has more to do with registration of domains. It is trivial for overseas spammers to give the impression of being an American company, and registrar credentials are generally crappy at best.

Deal with them all the time... (1, Informative)

Anonymous Coward | more than 4 years ago | (#30517662)

I manage the network for a medium sized data center, and I see bogus requests for large blocks of IP addresses all the time. We require a justification letter, that acts more as a clue gathering form to help us weed out the illegitimate requests. All it takes is a few minutes of research to determine if the request is legitimate or not; in fact, it is usually immediately obvious that it's a fake. It's sad that other data centers do not do the same.

Uh, No (2, Informative)

sexconker (1179573) | more than 4 years ago | (#30517734)

Pipes and buildings and computers need to live somewhere. Find them and shut them down physically.

How do you find them? Follow the money.

They moved stuff into the cloud?
Clouds need to live somewhere. Find them and threaten to shut the cloud down physically. The cloud will then be willing to talk to you, and will shut down the people doing bad things.

How do you find them? Again, follow the money.

It's NEVER hard to shut someone down.
What's hard is organizing the people with legal authority and getting them to give a shit.

Nerds like to think that the internet is some awesome force, and that information wants to be free, etc.

The internet is a fucking physical network maintained by real people. Abstract all you want. Personify all you want. But when you get the suits lined up against you, you're going down.

If you want to test it, just do something that will get the most suits lined up against you.

USA? Child porn.
Germany? Swastikas and Hitler.
Middle East? A drawing of Mohamed.

The bottom line is that no one gives a shit that grandma's PC is thoroughly owned, or that your inbox is 99% spam, or whatever else.

You thought I wasn't serious, didn't you? (0)

Anonymous Coward | more than 4 years ago | (#30519728)

It's MY copypasta.
I wrote it.
I'll copypasta it wherever I see "sexconker" used.

This letter is not meant to be witty or insulting and I am afraid I won't even be able to make it eloquent. But I, for one, will do the best I can to celebrate knowledge and truth for the sake of knowledge and truth. I would like to start by discussing sexconker's demands, mainly because they scare me. The thing I'm the most frightened about is that sexconker would swear on a stack of Bibles that "the truth", "the whole truth", and "nothing but the truth" are three different things. What's my problem, then? Allow me to present it in the form of a question: Why can't we all just get along? The best answer comes from sexconker himself. That is, if you pay attention to his unrealistic long-term goals you'll definitely notice that I am shocked and angered by sexconker's devious improprieties. Such shameful conduct should never be repeated.

There are many roads leading to the defeat of sexconker's plans to control what we do and how we do it. I assert that all of these roads must eventually pass through the same set of gates: the ability to lay the groundwork for an upcoming attempt to tend to the casualties of sexconker's war on sanity. So maybe sexconker's diatribes are intended to get us all on board the Comstockism train. Big deal. What's more important is that sexconker's apparatchiks have learned their scripts well and the rhetoric comes gushing forth with little provocation. For years I've been warning people that sexconker plans to revile everything in the most obscene terms and drag it into the filth of the basest possible outlook. However, that's not my entire message; it's only a part of it. I also want you to know that sexconker claims to have data supporting his assertion that he is able to abrogate the natural order of effects flowing from causes. Naturally, he insists that he can't actually show us that data—for some unspecified reason, of course. My guess is that he's hiding something. Maybe he's hiding the fact that he writes a lot of long statements that mean practically nothing. What's sneaky is that sexconker constructs those statements in such a way that it never occurs to his readers to analyze them. Analysis would almost certainly indicate that sexconker is sincerely up to something. I don't know exactly what, but if we don't lead the way to the future, not to the past, then sexconker will weave his untoward traits, uninformed monographs, and semi-intelligible ideologies into a rich tapestry that is sure to sap people's moral stamina. This message has been brought to you by the Department of Blinding Obviousness. What might not be so obvious, however, is that sexconker is not interested in what is true and what is false or in what is good and what is evil. In fact, those distinctions have no meaning to him whatsoever. 
The only thing that has any meaning to sexconker is Lysenkoism. Why? You see, sexconker believes that university professors must conform their theses and conclusions to his xenophobic prejudices if they want to publish papers and advance their careers. Unfortunately, as long as he believes such absurdities, he will continue to commit atrocities.

Why does immoralism exist? What causes it? And why does the media consistently refuse to acknowledge that sectarianism is a domineering whore, cloaking herself as social virtue and brotherly love? To understand the answers to those questions, you first have to realize that my goal is to get sexconker to realize that if the word "chromatographic" occurs to the reader, he or she may recall that sexconker once tried to judge people based solely on hearsay. Of course, if he insists on remaining an ignorant, uninformed, and ill-informed voluptuary, that's his prerogative.

sexconker has, at times, called me "rummy" or "putrid". Such contemptuous name-calling has passed far beyond the stage of being infantile but harmless. It has the capacity to get people to vote against their own self-interests.

If sexconker is incapable of discerning the mad ramblings of daft geeks from the wisdom and nuance embedded in a sage's discourse then I seriously doubt that he'll be capable of determining that it's amazing how poorly some people use the brain they were born with. As an interesting experiment, try to point this out to sexconker. (You might want to don safety equipment first.) I think you'll find that it strikes me as amusing that he complains about people who do nothing but complain. Well, news flash! sexconker does nothing but complain. Every so often you'll see sexconker lament, flog himself, cry mea culpa for causing riots in the streets, and vow never again to be so feebleminded. Sadly, he always reverts to his old behavior immediately afterwards, making me think that he is secretly planning to peddle the snake oil of incomprehensible mercantilism. I realize that that may sound rather conspiratorial and far-fetched to most people, which is why you need to understand that sexconker's confreres often reverse the normal process of interpretation. That is, they value the unsaid over the said, the obscure over the clear. Before you read this letter, you might have thought that our unalienable rights are merely privileges that sexconker can dole out or retract. Now you know that he treats serious issues callously and somewhat flippantly.

Escalation (1, Funny)

Anonymous Coward | more than 4 years ago | (#30517742)

"Ha ha! Look at us! We've got fat pipes that we can use to DoS almost anyone and spew spam all over the internet! We so rule! Ha ha!"

(the internet wises up to this; these people get kicked off their ISPs or out of their universities, more people get fat pipes, spam gets blacklisted, damage is mitigated)

"Well, fine. We'll just use security flaws in swiss cheese-like browsers and operating systems, play on people's stupidity regarding computers, and turn everyone into our spam-dumping and DDoS-employing minions! You can't stop us now! Ha ha ha!"

(the internet wises up to this; more secure browsers and operating systems are deployed, better spam filtering is developed, more aggressive security measures pop up, some of which are ISP-level (for better or worse), more people are educated, damage is mitigated)

"Hrmph. No matter. Now we'll go one step higher and just get our own IP blocks and registrars, and then we'll get our own pipes! Then we'll never have ISPs shut us down again! We're so much more clever than you are! Ha ha ha!"

(the internet wises up to this; the IP blocks are soon figured out, all traffic to them is blocked from other ISPs, Google and other search engines refuse to spider anything from those blocks, damage is mitigated)

"Oh... oh yeah? Well, now we'll just go one step higher and use those pipes to make our OWN internet! We'll have everything! It'll all be ours! And YOU won't be able to get into it to stop us! HA HA HA HA!"

(the internet ignores this, that's somebody else's network now)

"...wait, hang on..."

Re:Escalation (3, Insightful)

el_tedward (1612093) | more than 4 years ago | (#30518194)

Hey, I don't really like this...

I'm studying cool l33t computer security stuff at college at the moment, and what you seem to be suggesting implies that some day computer security will mature, and there won't be as big of a reason to employ people like me.. Um, I don't like the way that sounds. You should stop talking..

mod parent down, plz

k thx

Re:Escalation (2, Informative)

Earthquake Retrofit (1372207) | more than 4 years ago | (#30519046)

I suspect there will always be con artists and suckers to feed them. Crack those books, el tedward, the networks will need you.

Steve

Old news (1)

jimpop (27817) | more than 4 years ago | (#30517746)

This is nothing new.

Re:Old news (1)

Antiocheian (859870) | more than 4 years ago | (#30517802)

Yes, typing stuff for other people to see... computers, networks, whatever.

Re:Old news (4, Insightful)

Zocalo (252965) | more than 4 years ago | (#30517804)

No it's not, several of the larger spam/malware gangs including the infamous Russian Business Network have been doing this for several years now. That's partly what prompted Spamhaus to create their solution to the problem: DROP [spamhaus.org]. All it takes is for the majority of the Tier 1 carriers to adopt the DROP list and it's pretty much game over for this technique.
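Zocalo's comment mentions the DROP list but not what consuming it actually involves. The following is an added example (not code from the thread, from Spamhaus, or from any carrier) that loads a list in the DROP text format (";"-prefixed comment lines, then "CIDR ; SBL-reference" per line), refuses malformed entries rather than letting a typo widen a block, renders one Linux blackhole route per prefix, and checks which of your own hosts a listing would cut off. The sample list, the SBL references and the "my hosts" addresses are constructed from RFC 5737/3849 documentation ranges, not a real download.

```python
"""Consume a Spamhaus-DROP-style prefix list and turn it into null routes.

Added example, not code from the thread or from Spamhaus. Assumptions: the
list uses the DROP text format (";" comment lines, then "CIDR ; SBL-ref" per
line); the sample below is constructed from RFC 5737/3849 documentation ranges
with made-up SBL references, not a real download.
"""
import ipaddress
from typing import List, Optional

# Constructed sample input. The last data line is deliberately malformed
# (host bits set) to show that the loader refuses it instead of widening
# or silently reinterpreting the block.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example, not a real download)
; Format: CIDR ; SBL reference
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
2001:db8:bad::/48 ; SBL000004
192.0.2.77/24 ; SBL000005
"""


def parse_drop(text: str):
    """Return (entries, rejected).

    entries:  list of (ip_network, sbl_ref) that are safe to load.
    rejected: list of (raw_line, reason) for lines we refuse, so an operator
              can review them rather than have them dropped or over-applied.
    """
    entries, rejected = [], []
    for raw in text.splitlines():
        cidr, _, ref = raw.partition(";")
        cidr, ref = cidr.strip(), ref.strip()
        if not cidr:
            continue  # blank line or a ";"-only comment line
        try:
            # strict=True: host bits must be zero, so "192.0.2.77/24" is refused
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if net.prefixlen == 0:
            rejected.append((raw, "refusing a default route: it would blackhole everything"))
            continue
        entries.append((net, ref))
    return entries, rejected


def is_dropped(address: str, entries) -> Optional[str]:
    """Return the SBL reference of the most specific listed prefix covering
    `address`, or None when the address is not listed."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, ref in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ref)
    return None if best is None else best[1]


def null_routes(entries) -> List[str]:
    """Render one Linux blackhole route per listed prefix (iproute2 syntax)."""
    cmds = []
    for net, _ref in entries:
        family = "-6 " if net.version == 6 else ""
        cmds.append(f"ip {family}route add blackhole {net}")
    return cmds


def collateral(my_hosts, entries) -> dict:
    """Map each of my own addresses that sits inside a listed prefix to the
    listing that hits it: the over-blocking that a hoster's other customers
    see when a whole range is listed because of one abuser."""
    hits = {}
    for host in my_hosts:
        ref = is_dropped(host, entries)
        if ref:
            hits[host] = ref
    return hits


if __name__ == "__main__":
    entries, rejected = parse_drop(SAMPLE_DROP)
    print(f"loaded {len(entries)} prefixes, rejected {len(rejected)} line(s)")
    for raw, reason in rejected:
        print(f"  rejected {raw!r}: {reason}")
    for cmd in null_routes(entries):
        print(cmd)
    # Constructed: two of "my" hosts happen to sit inside listed ranges.
    print(collateral(["192.0.2.10", "198.51.100.200", "192.0.3.5"], entries))
```

Two design points. The loader is strict on purpose: a line with host bits set or a /0 is refused and reported, because a blackhole route is applied to the whole prefix and a sloppy parse would cut off more than the listing intended. The `collateral` check is the other side of the same coin: DROP-style lists work at prefix granularity, so anyone else inside a listed range is blocked too, which is exactly the complaint that shows up further down this thread.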

Re:Old news (0)

Anonymous Coward | more than 4 years ago | (#30518586)

And then Spamhaus are the ones making money out of spam - albeit indirectly.

Actually I see it like this... (1)

cjjjer (530715) | more than 4 years ago | (#30517760)

Personally I would be running my own DNS servers / Anon proxies on those blocks of IPs so that bot traffic can be managed better.

Just my .02

....Yeah but are they Microsoft Certified? (1)

Bob_Who (926234) | more than 4 years ago | (#30517770)

...because if they were, then we'd really have to worry....about.....the unemployed.

ISP Level? (1, Informative)

Anonymous Coward | more than 4 years ago | (#30517788)

When they start requesting AS numbers, running their own infrastructure or even providing a service, maybe then this story could have some merit.

This screws up other innocent good guys too (2, Interesting)

phonewebcam (446772) | more than 4 years ago | (#30517838)

We have 4 dedicated servers with about 20 IPs spread across them and started getting mail rejections. This turned out to be because the whole range of IPs the hosters had used got blacklisted by Spamhaus for exactly the reason stated in the article: one other "customer" had spammed with his IPs, so Spamhaus just added the whole range to their RBL.

youtubers beware (4, Funny)

cl191 (831857) | more than 4 years ago | (#30517930)

"You own your own IP space and you're your own ISP at that point." I believe this sentence was designed to make youtube commenters' heads explode......your you're you what?

Re:youtubers beware (3, Interesting)

juliannoble (1154079) | more than 4 years ago | (#30519172)

Yo you, you're your youtube you, yet your youtube's yesterday's you.

just don't route it! (1)

Gunstick (312804) | more than 4 years ago | (#30518520)

Delete the AS [wikipedia.org] from the routing tables and don't peer with them.
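Gunstick's suggestion above is a route policy. As an added example that is not code from the thread or from any router vendor, here is that policy expressed as a check over constructed BGP announcements: any route whose AS_PATH contains a blocked ASN, whether as origin, as transit, or buried inside an AS_SET from aggregation, is rejected, and the peering session itself is refused if the neighbour is the blocked ASN. The ASNs are from the RFC 5398 documentation range and the prefixes from RFC 5737/3849; nothing refers to a real network.

```python
"""Reject BGP announcements that pass through a blocked ASN.

Added example, not code from the thread or from any router vendor. AS numbers
come from the RFC 5398 documentation range (64496-64511) and the announcements
are constructed; nothing here refers to a real network.
"""
import re
from typing import List, Set, Tuple

# Hypothetical ASN we have decided to treat as rogue.
BLOCKED_ASNS: Set[int] = {64496}

# Constructed announcements: (prefix, AS_PATH as it would print on a router).
# Braces denote an AS_SET produced by aggregation; every member must be checked.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", "64500 64496"),             # originated by the blocked ASN
    ("198.51.100.0/24", "64500 64496 64501"),    # transits the blocked ASN
    ("203.0.113.0/24", "64500 64502"),           # clean
    ("203.0.113.0/25", "64500 {64496,64503}"),   # blocked ASN hidden in an AS_SET
    ("2001:db8::/32", ""),                       # empty path from a peer: malformed
]


def parse_as_path(path: str) -> List[Set[int]]:
    """Turn '64500 64496 {64497,64498}' into [{64500}, {64496}, {64497, 64498}].

    Each hop is a set so that AS_SEQUENCE members and AS_SET members are
    checked the same way; a single ASN is just a one-element set.
    """
    hops = []
    for token in re.findall(r"\{[^}]*\}|\d+", path):
        hops.append({int(asn) for asn in re.findall(r"\d+", token)})
    return hops


def decide(prefix: str, as_path: str, blocked=BLOCKED_ASNS) -> Tuple[str, str]:
    """Return ('accept', '') or ('reject', reason) for one announcement.

    Policy: any hop containing a blocked ASN rejects the route, so routes the
    rogue network originates *or* transits are both dropped. An empty AS_PATH
    received from an eBGP peer is treated as malformed and rejected rather
    than let through unchecked.
    """
    hops = parse_as_path(as_path)
    if not hops:
        return ("reject", f"{prefix}: empty AS_PATH")
    for position, hop in enumerate(hops):
        hit = hop & blocked
        if hit:
            role = "origin" if position == len(hops) - 1 else "transit"
            return ("reject", f"{prefix}: AS{min(hit)} in path as {role}")
    return ("accept", "")


def accepted_prefixes(updates, blocked=BLOCKED_ASNS) -> List[str]:
    """Apply the policy to a batch of announcements and keep the survivors."""
    return [prefix for prefix, path in updates if decide(prefix, path, blocked)[0] == "accept"]


def peer_allowed(peer_asn: int, blocked=BLOCKED_ASNS) -> bool:
    """The 'don't peer with them' half: refuse the session before any routes flow."""
    return peer_asn not in blocked


if __name__ == "__main__":
    for prefix, path in SAMPLE_UPDATES:
        verdict, reason = decide(prefix, path)
        print(f"{verdict:7} {prefix:18} path={path!r} {reason}")
    print("installed:", accepted_prefixes(SAMPLE_UPDATES))
    print("peer AS64496 allowed:", peer_allowed(64496))
```

Caveat worth keeping in mind: an ASN is cheap to obtain, so an operator who is filtered this way can reappear behind a fresh AS number or have a clean upstream originate the same prefixes. Path-based rejection therefore complements a prefix-based list such as DROP, which follows the address space rather than the announcing network; it does not replace it.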

Subject (1)

Legion303 (97901) | more than 4 years ago | (#30518552)

Servers or not, it's a shitty datacenter that doesn't enforce its AUP with its customers.

Re:Subject (1)

dr2chase (653338) | more than 4 years ago | (#30518736)

Clearly we're doing this wrong. Maybe if we frame them for pirating MP3s, the ISPs will move a little quicker.

But when spam is illegal (1)

Snaller (147050) | more than 4 years ago | (#30518684)

...which it is in the EU - they are going to be slapped down just as hard. And with huge amounts of hardware being confiscated they are not going to try that trick anytime soon.

Re:But when spam is illegal (0)

Anonymous Coward | more than 4 years ago | (#30520378)

What about malware? Telos AS49087 have a /24 in the Ecatel datacenter in Amsterdam and won't do anything about a bunch of domains [malwareurl.com] at 91.212.127.230 serving fake online AV scans and the SecurityTool [2-spyware.com] "removal tool" malware. When reported, they were more interested in discovering my identity than in investigating the report. Given the number of other addresses in the /24 with listings [malwareurl.com], they don't look like a legitimate operation to me.
