All of my spam comes from Level3.net what does this mean?

katka

Senior member
Jun 19, 2001
I was getting tons of spam and I wanted to know where it was coming from. I did a trace and found the following:

02/12/03 21:19:49 Fast traceroute 210.22.157.110
Trace 210.22.157.110 ...
1 192.168.123.254 1ms 1ms 1ms TTL: 0 (No rDNS)
2 10.178.144.1 57ms 43ms 56ms TTL: 0 (No rDNS)
3 172.30.50.65 66ms 80ms 25ms TTL: 0 (No rDNS)
4 68.52.0.50 107ms 47ms 116ms TTL: 0 (No rDNS)
5 67.72.8.33 29ms 42ms 76ms TTL: 0 (so-1-1-0.gar1.atl1.Level3.net ok)
6 209.247.9.157 24ms 26ms 22ms TTL: 0 (so-4-0-0.mp1.Atlanta1.level3.net ok)
7 64.159.0.217 91ms 184ms 160ms TTL: 0 (so-2-0-0.mp2.SanFrancisco1.Level3.net ok)
8 64.159.3.166 86ms 104ms 138ms TTL: 0 (gigabitethernet9-0.hsipaccess1.SanFrancisco1.Level3.net ok)
9 166.90.48.94 287ms 271ms 316ms TTL: 0 (unknown.Level3.net fraudulent rDNS)
10 210.52.130.121 250ms 237ms 315ms TTL: 0 (No rDNS)
11 210.52.206.30 256ms 279ms 284ms TTL: 0 (No rDNS)
12 210.22.66.42 300ms 246ms 268ms TTL: 0 (3p0-GSR1-SH2-CHJ1.sh.cncnet.net ok)
13 210.22.67.142 291ms 282ms 335ms TTL: 0 (5ge1-GSR1-SH2-HK.sh.cncnet.net bogus rDNS: host not found [authoritative])
14 210.22.157.110 326ms 315ms 284ms TTL:238 (No rDNS)


All of them originate from level3.net:|
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
All it means is that so far, all of your spammers have had internet access through an account sold by Level 3, or resold by someone whose service uses Level 3. I'm assuming you're talking about the spammer's original IP address, otherwise this would be the open relay, which means it's just a stupid user connected to a Level 3 connection.
 

katka

Senior member
Jun 19, 2001
I won't post any more but here is another one:

02/12/03 21:47:11 Fast traceroute 203.197.47.110
Trace 203.197.47.110 ...
1 192.168.123.254 2ms 1ms 1ms TTL: 0 (No rDNS)
2 10.178.144.1 50ms 26ms 14ms TTL: 0 (No rDNS)
3 172.30.50.65 34ms 11ms 36ms TTL: 0 (No rDNS)
4 68.52.0.50 18ms 41ms 51ms TTL: 0 (No rDNS)
5 67.72.8.33 28ms 30ms 78ms TTL: 0 (so-1-1-0.gar1.atl1.Level3.net ok)
6 209.247.8.9 66ms 47ms 52ms TTL: 0 (so-4-1-0.mp1.Atlanta1.level3.net ok)
7 64.159.1.2 47ms 36ms 63ms TTL: 0 (so-5-0-0.mp1.Washington1.level3.net ok)
8 209.244.11.10 96ms 31ms 52ms TTL: 0 (so-6-0-0.edge1.Washington1.Level3.net ok)
9 65.59.88.210 91ms 81ms 39ms TTL: 0 (No rDNS)
10 66.110.8.18 98ms 42ms 50ms TTL: 0 (if-5-0.core1.Newark.Teleglobe.net ok)
11 207.45.223.82 87ms 48ms 36ms TTL: 0 (if-0-0.core2.NewYork.Teleglobe.net ok)
12 207.45.221.120 39ms 41ms 57ms TTL: 0 (if-1-0-0-0.har1.NewYork.teleglobe.net ok)
13 63.243.137.6 408ms 448ms 420ms TTL: 0 (No rDNS)
14 202.54.2.197 335ms 387ms 428ms TTL: 0 (mumbai-ekm-stm-1.Bbone.vsnl.net.in bogus rDNS: host not found [authoritative])
15 202.54.2.189 330ms 401ms 373ms TTL: 0 (vsb-lvsb-stm-1.Bbone.vsnl.net.in bogus rDNS: host not found [authoritative])
16 203.197.33.132 346ms 346ms 337ms TTL: 0 (No rDNS)
17 203.199.67.5 337ms 340ms 338ms TTL: 0 (No rDNS)
18 203.197.47.110 358ms 372ms 392ms TTL:112 (No rDNS)
 

Aves

Lifer
Feb 7, 2001
This thread probably belongs in NETWORKING but anyway.

You aren't getting spam from Level3.net

The two traces you posted are to IPs controlled by Asia Pacific Network Information Centre and in turn assigned to whoever applies for them. The route between whoever the end user is and you just happens to traverse Level3's network.

In fact it appears from your traceroutes that your ISP uses Level3.net as at least one of their backbone providers, so it's not surprising that many routes will include a path through them.


Here is the info for the first IP - 210.22.157.110

inetnum: 210.22.157.0 - 210.22.157.255
netname: shanghai-cuoshi-corp
country: cn
descr: shanghai city
admin-c: YH276-AP
tech-c: YH276-AP
status: ASSIGNED NON-PORTABLE
changed: daihy@china-netcom.com 20020927
mnt-by: MAINT-CN-HY28
source: APNIC


Here is the info for the second IP - 203.197.47.110

inetnum: 203.197.47.0 - 203.197.47.255
netname: BOMBAYUNIV
descr: LEASED - BOMBAY UNIVERSITY
country: IN
admin-c: VT43-AP
tech-c: IA15-AP
mnt-by: MAINT-VSNL-AP
changed: gpsingh@giasbm01.vsnl.net.in 20000202
changed: hm-change@apnic.net 20020719
status: ALLOCATED PORTABLE
source: APNIC


Check these links out:

Query the APNIC Whois Database

Spammers & hackers: using the APNIC Whois Database to find their network
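As an added example (not code from anyone in this thread), the following Python script checks the point made above: it parses the hop lines of the quoted trace and the APNIC inetnum record, marks only the hops that fall inside the assigned block as the destination network, and lists the rDNS domains of every other hop as transit carriers. TRACE and WHOIS are constructed from the first traceroute and whois record quoted in the thread, trimmed to the hops that matter.

```python
import ipaddress
import re

# Constructed sample, trimmed from the first traceroute and the APNIC record quoted in the thread.
TRACE = """\
5 67.72.8.33 29ms 42ms 76ms TTL: 0 (so-1-1-0.gar1.atl1.Level3.net ok)
9 166.90.48.94 287ms 271ms 316ms TTL: 0 (unknown.Level3.net fraudulent rDNS)
12 210.22.66.42 300ms 246ms 268ms TTL: 0 (3p0-GSR1-SH2-CHJ1.sh.cncnet.net ok)
14 210.22.157.110 326ms 315ms 284ms TTL:238 (No rDNS)
"""
WHOIS = """\
inetnum: 210.22.157.0 - 210.22.157.255
netname: shanghai-cuoshi-corp
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s.*\((.*?)\)\s*$")

def parse_hops(trace):
    """(hop number, IP, text in parentheses) for each hop line of the trace."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(HOP_RE.match, trace.splitlines()) if m]

def parse_whois(text):
    """Whois record as a dict; a repeated key (e.g. 'changed') keeps its last value."""
    rec = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if value:
            rec[key.strip()] = value.strip()
    return rec

def inetnum_contains(inetnum, ip):
    """APNIC inetnum is 'first - last'; True if ip lies in that inclusive range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi

def classify(trace, whois_text):
    """Label each hop 'destination' if it sits in the assigned block, else 'transit'."""
    block = parse_whois(whois_text)["inetnum"]
    return {ip: "destination" if inetnum_contains(block, ip) else "transit"
            for _, ip, _ in parse_hops(trace)}

def transit_networks(trace, whois_text):
    """rDNS domains (last two labels) of the transit hops: the carriers, not the source."""
    roles = classify(trace, whois_text)
    names = set()
    for _, ip, note in parse_hops(trace):
        host = note.split()[0]          # 'No rDNS' has no dot and is skipped
        if roles[ip] == "transit" and "." in host:
            names.add(".".join(host.lower().split(".")[-2:]))
    return names
```

Running it on the constructed sample labels only 210.22.157.110 as the destination and reports level3.net and cncnet.net purely as transit, which is exactly why the Level3 hops say nothing about who sent the mail.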
 

katka

Senior member
Jun 19, 2001
I will read the links, thanks. But the traceroutes are 99% of the time the same as the "spammer" as reported by Spamcop. :Q Also, my ISP is not listed because these are e-mail header trace results. So maybe Microsoft uses level3.net but not me.