[Dshield] Re: Australian spammers/hackers

Malcolm Joosse malcolm at hotlinesupport.com
Thu Mar 7 21:47:49 GMT 2002

I can understand your frustration with countries, but I did not know
that OZ was responsible for a lot of hacking and spamming.  You might
want to see if the "attacks" from wombat.com.au are not just the search
engine exploring broken links or checking out an old cache; it might just
be a poorly written search engine.  I get about 1000 port 80 scans to
invalid addresses and have given up; I know my firewall will do its job,
so I just treat all the port 80 stuff as background noise from the
I can also understand what you are saying about Hel$tra (aka Telstra).
They give us ISPs down under grief all day every day.
The problem is not with Australia but with big arrogant ISPs/telcos
worldwide.  We see this everywhere: the small ISP replies to complaints and
usually advises of the results, but the big ones just thumb their noses at

Do not think that we "down under" are a spam or hacker haven; we have
heavy laws for computer crimes and will soon have laws against spam.  We
see A LOT of SPAM from the likes of SWBELL, XO, ATT and Alter.net, but we
cannot ban them because they are big and it would cause us a lot of
complaints from users who cannot access their networks.

We have tried to shed some light on the way ISPs handle security and I
have been to many security forums, but it is always the big guys that
never want to be proactive.
They believe that it is up to the user to protect their systems, but
when it is brought up that a hacker can do as they please, they deny they
have any on their network.
We as an ISP run Tripwire-type services on all servers and run full
firewalls on all networks.  We also scan for viruses and block spam, but
we are only one of a few ISPs in Oz or the rest of the world that do
this type of thing.
It is not a local problem but a worldwide internet problem.
I do not really care if you block the whole of Oceania, but your/my
clients might, but I have no control over the way you run your


Malcolm Joosse
Hotline Support P/L

Please don't take this personally, but we have serious problems
with hackers from Australia. Let me try to give you a flavour
of some of the problems we get:

There are many spammers operating out of Australia, and we're sick of
them. Add to that the complete arrogance of Telstra in dealing with any
complaint up until 3 months ago, and we're faced with unresponsive
ISPs from Down Under.

I don't know who kicked whom, or what happened to Telstra then,
but I actually got a reply from them on one hacker complaint!! (I had
this mounted and stuffed and put in the trophy cupboard as it was
definitely a First ;-)

I get port-attacks every day on around 200 ports from an outfit called
webwombat.com.au, who seem to be gatewayed via New Zealand.
Complaints to them and to their upstream are ignored completely.
They are supposed to be an Australian Search Engine, so why:
1) are they port-scanning servers in the UK on suspicious ports?
2) are they trying to hack into other legitimate servers?
3) are they trying to hack into us more than 2000 times/day?

Many of the .com.au domains are spammer infestations.

And AUNIC doesn't work! It passes the buck back to APNIC.
Which passes the buck to AUNIC...

What is wrong with this picture?

If you don't want your country to be mail-blocked, then it is up
to the responsible admins Down Under to get proactive and
force the authorities to prosecute the spammers and hackers
who infest the place. For example, getting some of your best
journalists to write some good pieces about the harm being done
to Oz Inc by these bottom-dwellers may get some attention?

My ruleset is really simple:
IP-number: two strikes and you're out.
Class-C: four strikes and you're out
Class-B: twelve strikes and you're out

Over time, this has led to much of the Australian IP-address-space
getting blocked. Not out of pique, but out of bitter experience.

Sorry, but these bottom-dwellers are hurting your country's reputation
capital and, coupled with the entire APNIC,AUNIC,KRNIC, xyzNIC
disaster area/spoofed contact addresses, it just means that
until things are proven to get better then they are blocked. It's as
simple as that.

Worse still are the domains set up by spammers for spammers,
where any complaints go straight to the spammer concerned - thereby
confirming they got a hit on a valid email and making their lists
that much more valuable. The whole of APNIC etc is full of those
eg bora.com, anything off seed.net.tw, twnic, matt.com.au, etc etc.
It's a scandal.

As a side note, the spammers know that we're blocking, and have
therefore evolved their strategies to spam via open-relays in South
America it seems. Which are gradually winking out as they get

The whole situation is a complete nightmare these days, and
takes enormous efforts just to "keep up".

To the point where I've now dedicated a day of my time to developing
a mostly automatic Whining system which parses the log-files and
the complaint emails to the ISPs and, where they are known to put all
complaints into the bitbucket, to their upstream providers too. My
theory is that an automatic system will generate more emails than
I can be bothered to do myself, and the upstreams *may* just start
to think they have a problem...

I keep trying to get in to meet with the country Ambassadors concerned,
to point out to them the damage that has been caused to their
country's reputation, but the marketing droids don't allow it. But
I have not given up, and will ask the UK politicos to provoke such
a meeting, and for several admins to attend to demonstrate the
size of the problem to these people.

Finally, I'm talking to the cops here to see if they would like to
take an interest in the data about all this. Their initial reaction was
to show some interest, by the way. Discussions ongoing.
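The "two strikes per IP, four per Class-C, twelve per Class-B" ruleset described in the message above, implemented as a small strike counter over firewall log lines. This is an added example for this page, not the poster's own tooling. It assumes "Class-C" and "Class-B" mean /24 and /16, that every dropped packet counts as one strike against the source IP, its /24 and its /16 at the same time, and a log line format of `<timestamp> <action> <src_ip> -> <dst_ip>:<port>`; the log lines themselves are constructed for the example.

```python
"""Strike-based escalating blocklist: an IP is blocked after 2 strikes,
its /24 after 4, its /16 after 12.  Added example; thresholds are from the
post, everything else (log format, counting rule) is an assumption."""
import ipaddress
from collections import Counter

# Thresholds from the post.  "Class-C" and "Class-B" are read as /24 and /16,
# and each logged hit is counted once at every granularity; both are
# assumptions made for this example.
THRESHOLDS = {32: 2, 24: 4, 16: 12}

# Constructed firewall-style log lines (not from the post).  Assumed format:
#   <timestamp> <action> <src_ip> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2002-03-07T21:10:01 DROP 203.0.113.7 -> 192.0.2.10:1433
2002-03-07T21:10:02 DROP 203.0.113.7 -> 192.0.2.10:3389
2002-03-07T21:11:00 DROP 198.51.100.1 -> 192.0.2.10:25
2002-03-07T21:11:01 DROP 198.51.100.2 -> 192.0.2.10:25
2002-03-07T21:11:02 DROP 198.51.100.3 -> 192.0.2.10:25
2002-03-07T21:11:03 DROP 198.51.100.4 -> 192.0.2.10:25
2002-03-07T21:12:00 ACCEPT 203.0.113.50 -> 192.0.2.10:80
garbage line that does not parse
""" + "".join(
    f"2002-03-07T21:13:{i:02d} DROP 10.20.{i}.1 -> 192.0.2.10:139\n"
    for i in range(1, 13)
)


def parse_log(text):
    """Extract the source address of every DROP line.  Lines that do not
    match the assumed format are skipped rather than crashing the tool."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "DROP":
            continue
        try:
            hits.append(ipaddress.IPv4Address(fields[2]))
        except ipaddress.AddressValueError:
            continue
    return hits


def strike_counts(hits):
    """One strike per hit at each granularity the ruleset looks at."""
    counts = Counter()
    for ip in hits:
        for plen in THRESHOLDS:
            counts[ipaddress.IPv4Network(f"{ip}/{plen}", strict=False)] += 1
    return counts


def blocks(hits):
    """Networks whose strike count reaches the threshold for their size.
    Widest wins: a /32 or /24 already inside a blocked /16 is not listed
    separately.  Result is sorted widest-first, then by address."""
    counts = strike_counts(hits)
    over = [net for net, n in counts.items() if n >= THRESHOLDS[net.prefixlen]]
    over.sort(key=lambda net: (net.prefixlen, int(net.network_address)))
    kept = []
    for net in over:
        if not any(net.subnet_of(wider) for wider in kept):
            kept.append(net)
    return kept


def is_blocked(ip, blocklist):
    """Would a packet from `ip` be dropped under the computed blocklist?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for net in blocks(hits):
        print(f"block {net}  ({strike_counts(hits)[net]} strikes)")
```

Because every hit also counts against the enclosing /24 and /16, four hits from one host are enough to block its whole /24 under these thresholds; that is the collateral-damage bias the first reply warns about (a misbehaving crawler taking a legitimate network with it), so a practitioner would normally add an expiry and an allowlist before using anything like this in front of a mail or web server.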


