Using BGP data to find Spammers

bgpmon.net

68 points by bdb 11 years ago · 16 comments


spindritf 11 years ago

The data does however show a few cases where actively routed address space was announced by the Spam networks, making this a hijack.

So on top of everything, you can get blacklisted for mail that didn't even come from your network?

  • Narkov 11 years ago

    If by "network" you mean your IP assets then unfortunately the answer is yes.

JoshTriplett 11 years ago

The bit I had hoped to see at the end of this article: "and here's how we stopped these bogus routes at their upstream links, to prevent this problem from recurring".

Disappointing to see so much analysis and no solution.

  • davidu 11 years ago

    This has been a problem people thought had been happening for a while. It's only with this detailed analysis that the light is being cast on it.

    Now we can work on solutions. And we will.

    • byerley 11 years ago

      No,

      This has been looked at pretty extensively before. Confusingly enough, a lot of the research was done by the creators of BGPmon (http://bgpmon.netsec.colostate.edu/ - same name, concept, and primary functionality with no connection between the two as far as I can tell).

      The solution is easy enough, secured peering to prevent hijacking, and a centralized certification process to prevent rogue AS's. We've known this stuff for a good decade now, but the exploitation has never been serious enough to overcome push-backs on the costs (both in terms of hardware and reachability issues) from ISPs.

    • wmf 11 years ago

      Because Pakistan BGP-hijacking YouTube wasn't enough of a reason?

      • davidu 11 years ago

        That was a censorship attempt that was fat finger'd to cause a leak. We all knew what happened there.

        • JoshTriplett 11 years ago

          That's still the kind of thing we want to prevent. Seems like a good argument for adding some kind of range enforcement to BGP routers, similar to HTTPS certificate pinning.
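The "range enforcement" this subthread asks for exists as RPKI Route Origin Validation (RFC 6811): a router compares each announcement's (prefix, origin AS) pair against signed Route Origin Authorizations and drops or depreferences the ones that fail. The following is an added example, not code from the article or any commenter; the ROA set, the announcements, and the AS numbers (64496, 64511, documentation prefixes) are all constructed for illustration.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised address block, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix the origin may announce inside it
    origin_as: int    # AS number allowed to originate; 0 means "nobody"


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one announcement."""
    route = ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not_found"          # nobody has published a ROA for this space
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def flag_hijacks(announcements: List[Tuple[str, int]],
                 roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """Return the announcements a validating router would reject."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) == "invalid"]


# Constructed ROAs: AS64496 holds 203.0.113.0/24 and may announce down to
# /25; 192.0.2.0/24 is held but deliberately unrouted, so its ROA names AS0.
SAMPLE_ROAS = [ROA("203.0.113.0/24", 25, 64496), ROA("192.0.2.0/24", 24, 0)]

# Constructed announcements as a route collector might see them.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),    # legitimate holder, correct length
    ("203.0.113.128/25", 64496),  # still within max_length
    ("203.0.113.0/26", 64496),    # right AS but more specific than allowed
    ("203.0.113.0/24", 64511),    # foreign origin: the hijack case
    ("192.0.2.0/24", 64511),      # dormant space announced against an AS0 ROA
    ("2001:db8::/32", 64496),     # no ROA at all: unknown, not rejected
]

if __name__ == "__main__":
    for ann in flag_hijacks(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print("reject", ann)
```

Note that "not_found" is the common case for address space whose holder never published a ROA, which is why squatting on unused or dormant blocks is only caught once the holder registers one (an AS0 ROA for space that should never be routed).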

davidu 11 years ago

Awesome analysis of a rarely documented problem.

By shining the light on this, solutions will be much easier to deploy.

ajtaylor 11 years ago

This was fascinating to me. It feels like a major failing that I could register routes for address space I don't control. Kudos to the authors for explaining things in a way that a novice networking guy like myself could understand.

ganeumann 11 years ago

Interesting that people sophisticated enough in internet routing protocols to squat on unused IP space can get paid more working for spammers than legitimate companies.

  • PaulRobinson 11 years ago

    BGP is actually a pretty simple routing algorithm once you get your head around it. Certainly no harder than OSPF. I got my head around it originally back in the late 1990s and haven't touched it since and still can remember big parts of how it works.

    Spam pays a lot. I mean, like, a lot. So it doesn't surprise me that some people who can basically choose their own hours, work on something challenging and get paid well for doing it, all for a crime that Russia will never extradite them for, are going to be happier doing that than sitting in an office 9-5 and every other week on 24x7 on-call babysitting some Cisco firewalls.

  • atmosx 11 years ago

    Why? Crime always paid more to compensate the added risk.

    • ganeumann 11 years ago

      I understand why criminals would need to be paid more, I'm just surprised that spamming is lucrative enough to hire skilled engineers.

  • _delirium 11 years ago

    It'd be interesting to figure out where their money is coming from. A guess (completely speculative) is that these aren't pure spamming operations, but rather sending spam as one piece of a spam/botnet/phishing mess.
