You are here: Home > Participate > Join a Discussion > Mailman Archives
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: [anti-spam-wg@localhost] Spam-RBL, anyone?

  • To: der Mouse < >
    Anthony Edwards < >
  • From: Anthony Edwards < >
  • Date: Wed, 7 Jan 2004 20:27:53 +0000
  • Organization: easynet Ltd

On Wed, Jan 07, 2004 at 02:37:30PM -0500, der Mouse wrote:
> > [...outfits...which assume] that the administrative contact for an IP
> > address range is necessarily the appropriate addressee for
> > [notifications of spammous behaviour].
> > At least for 137.43/16, this is not the case, something I've tried to
> > make abundantly clear in the data carried by both ARIN and RIPE-NCC
> > for this network.
> Um.  I must be msising something.  What, pray tell, do you think the
> administrative conjtact address _is_ for, if not administrative issues?
> Or do you not consider disciplining spammous users to be an
> adminsitrative matter?
That is a little puzzling (unless I am missing something, always a
possibility), since:

anthony@localhost:~> whois -h +

OrgName:    University College Dublin 
OrgID:      UCD-2
Address:    Computing Services
Address:    Belfield, Dublin 4
Country:    IE

NetRange: - 
NetName:    UCD
NetHandle:  NET-137-43-0-0-1
Parent:     NET-137-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.UCD.IE
NameServer: NS2.UCD.IE
NameServer: NS.HEA.IE
Comment:    This data is no longer maintained and will be
Comment:    withdrawn in the course of the ERX project.
Comment:    Current contact information is on the RIPE
Comment:    Whois.
Comment:    URL (must be unfolded):
Comment:    ?form_type=simple
Comment:    &full_query_string=
Comment:    &searchtext=una2-ripe
Comment:    &do_search=Search
RegDate:    1989-10-25
Updated:    2003-09-12

TechHandle: NOR2-ARIN
TechName:   O'Reilly, Niall 
TechPhone:  +353-1-716-2360
TechEmail:  Niall.oReilly@localhost 

OrgTechHandle: NOR2-ARIN
OrgTechName:   O'Reilly, Niall 
OrgTechPhone:  +353-1-716-2360
OrgTechEmail:  Niall.oReilly@localhost

# ARIN WHOIS database, last updated 2004-01-06 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

anthony@localhost:~> whois -h
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
% Please visit for more information.

inetnum: -
netname:      UCD-ETHER
descr:        Campus Ethernet
descr:        University College Dublin
descr:        Belfield
descr:        Dublin 4
descr:        Ireland
country:      IE
admin-c:      UNA2-RIPE
tech-c:       UNA2-RIPE
status:       ASSIGNED PI
notify:       sysman@localhost
mnt-by:       NO8-MNT
changed:      dfk@localhost 19911020
changed:      mnorris@localhost 19971031
changed:      ripe-dbm@localhost 19990706
changed:      Niall.oReilly@localhost 20010206
changed:      Niall.oReilly@localhost 20030909
changed:      Niall.oReilly@localhost 20030910
source:       RIPE

descr:        UCD-ETHER
origin:       AS1213
mnt-by:       HEANET-NOC
changed:      ripe-dbm@localhost 19941121
changed:      brian.boyle@localhost 20021121
source:       RIPE

role:         UCD Network Administration
address:      University College Dublin Computing Services
address:      Belfield
address:      Dublin 4
address:      Ireland
phone:        +353 1 716 2360
fax-no:       +353 1 283 7077
admin-c:      UNA2-RIPE
tech-c:       UNA2-RIPE
tech-c:       RL7975-RIPE
tech-c:       PB11909-RIPE
tech-c:       FS11
tech-c:       NO8
e-mail:       abuse@localhost
e-mail:       security@localhost
e-mail:       sysman@localhost
nic-hdl:      UNA2-RIPE
mnt-by:       NO8-MNT
notify:       sysman@localhost
remarks:      contact abuse@localhost re SPAM only
remarks:      contact security@localhost re other abuse
remarks:      contact sysman@localhost re general operations
changed:      Niall.oReilly@localhost 20030910
source:       RIPE

I would myself have interpreted the above data as indicating that the
correct address to complain to in respect of Unsolicited Bulk Email
abuse actually originating from is abuse@localhost.

However, it is possible that Niall may be experiencing the same issue in
respect of notifications from that we have repeatedly
experienced; that of almost all such notifications having been sent
entirely in error.  Examples:

1.  Email originating from well known, current insecure open proxies
    listed at other DNSBLs, however parsing forged
    "Received: from" header lines below the line where the insecure
    proxy appears (and hence, from which the Unsolicited Bulk Email
    actually originated); this is extremely common.

2.  Reports concerning bounce undeliverable messages generated by
    our own mail infrastructure, and MTAs hosted and operated by our
    customers.  Again, this is common.

3.  Reports concerning email which, by even the strictest definition,
    cannot possibly constitute Unsolicited Bulk Email abuse, which
    is immediately apparent when such email is read by humans.  One 
    example email reported by to us as apparent
    Unsolicited Bulk Email abuse was a reply, from one of our   
    hosting provider customers to one of their customers, requesting
    that said customer's customer's domain be transferred elsewhere,
    and our customer providing details to their customer of how this
    process should be undertaken (explanatory details re: the
    Nominet IPS tag process, etc).

The majority of notifications sent to us by do not in
fact relate to abuse originating from, or involving, the easynet
network in any way.  In fact, I would go so far to suggest that the
greenest newbie spam fighter, having spent a couple of hours or so
parsing a primer on how to read headers, would generate on average
a higher percentage of correctly targetted complaints.

Anthony Edwards              *     anthony.edwards@localhost
Abuse Team Manager           *     Easynet UK Abuse Team
Easynet Ltd                  *     DDI: 0161 227 0707    *     Fax: 0845 333 4503

  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>