[Dshield] Re: Australian spammers/hackers
peter at intelligentorgs.com
Thu Mar 7 14:38:42 GMT 2002
Please don't take this personally, but we have serious problems
with hackers from Australia. Let me try to give you a flavour
of some of the problems we get:
There are many spammers operating out of Australia, and we're sick of
them. Add to that the complete arrogance of Telstra in dealing with any
complaint up until 3 months ago, and we're faced with unresponsive
ISPs from Down Under.
I don't know who kicked whom, or what happened to Telstra then,
but I actually got a reply from them on one hacker complaint!! (I had
this mounted and stuffed and put in the trophy cupboard as it was
definitely a First ;-)
I get port-attacks every day on around 200 ports from an outfit called
webwombat.com.au, who seem to be gateway'd via New Zealand.
Complaints to them and to their upstream are ignored completely.
They are supposed to be an Australian Search Engine, so why:
1) are they port-scanning servers in the UK on suspicious ports?
2) are they trying to hack into other legitimate servers?
3) are they trying to hack into us more than 2000 times/day?
Many of the .com.au domains are spammer infestations.
And AUNIC doesn't work! It passes the buck back to APNIC.
Which passes the buck to AUNIC...
What is wrong with this picture?
If you don't want your country to be mail-blocked, then it is up
to the responsible admins Down Under to get proactive and
force the authorities to prosecute the spammers and hackers
who infest the place. For example, getting some of your best
journalists to write some good pieces about the harm being done
to Oz Inc by these bottom-dwellers may get some attention?
My ruleset is really simple:
IP-number: two strikes and you're out.
Class-C: four strikes and you're out.
Class-B: twelve strikes and you're out.
Over time, this has led to much of the Australian IP-address-space
getting blocked. Not out of pique, but out of bitter experience.
Sorry, but these bottom-dwellers are hurting your country's reputation
capital and, coupled with the entire APNIC, AUNIC, KRNIC, xyzNIC
disaster area/spoofed contact addresses, it just means that
until things are proven to get better then they are blocked. It's as
simple as that.
Worse still are the domains set up by spammers for spammers,
where any complaints go straight to the spammer concerned - thereby
confirming they got a hit on a valid email and making their lists
that much more valuable. The whole of APNIC etc is full of those
e.g. bora.com, anything off seed.net.tw, twnic, matt.com.au, etc etc.
It's a scandal.
As a side note, the spammers know that we're blocking, and have
therefore evolved their strategies to spam via open-relays in South
America it seems. Which are gradually winking out as they get
The whole situation is a complete nightmare these days, and
takes enormous efforts just to "keep up".
To the point where I've now dedicated a day of my time to developing
a mostly automatic Whining system which parses the log-files and generates
the complaint emails to the ISPs and, where they are known to put all
complaints into the bitbucket, to their upstream providers too. My
theory is that an automatic system will generate more emails than
I can be bothered to do myself, and the upstreams *may* just start
to think they have a problem..
I keep trying to get in to meet with the country Ambassadors concerned,
to point out to them the damage that has been caused to their
country's reputation, but the marketing droids don't allow it. But
I have not given up, and will ask the UK politicos to provoke such
a meeting, and for several admins to attend to demonstrate the
size of the problem to these people.
Finally, I'm talking to the cops here to see if they would like to
take an interest in the data about all this. Their initial reaction was
to show some interest, by the way. Discussions ongoing.
Peter Feltham, CEO of Intelligent Organisations.
Tel: +44 208 357 7355 Fax: +44 7050 697 405
Private Fax: +44 7050 694 038
A member of Rheingold Associates
Join the Brainstorms Anthrax Research team by visiting:
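
The strike ruleset described in the message above, as an added Python example (not code from the post or its author). It assumes every logged event counts as one strike against the source address, its /24 ("Class-C") and its /16 ("Class-B"); the function name and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Thresholds from the post: strikes needed before each scope is blocked.
THRESHOLDS = {32: 2, 24: 4, 16: 12}  # prefix length -> strikes

# Constructed sample: source addresses of logged events, one entry per event.
SAMPLE_EVENTS = (
    ["192.0.2.10"] * 2                            # same host twice
    + [f"198.51.100.{h}" for h in range(1, 5)]    # four hosts in one /24, once each
    + ["203.0.113.5"]                             # a single event, below every threshold
    + [f"10.20.{n}.1" for n in range(12)]         # twelve /24s in one /16, once each
)


def blocked_networks(offending_ips):
    """Return the sorted, minimal list of networks to block.

    Assumption: each event is one strike against the source address,
    its enclosing /24 and its enclosing /16.
    """
    strikes = Counter()
    for ip in offending_ips:
        for prefix in THRESHOLDS:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            strikes[net] += 1
    blocked = [n for n, c in strikes.items() if c >= THRESHOLDS[n.prefixlen]]
    # collapse_addresses drops entries already covered by a wider block.
    return sorted(ipaddress.collapse_addresses(blocked))


if __name__ == "__main__":
    for net in blocked_networks(SAMPLE_EVENTS):
        print(net)
```

Sources that rotate addresses never reach two strikes on any one IP, yet the /24 and /16 counters still trip, which is how a ruleset like this ends up blocking whole ranges.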