Subject: Weird route to spammer.
To: None <netbsd-help@netbsd.org>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 08/28/2003 00:32:39
I got an unusual spammer today.  He didn't go away when he got the
450 result that Postfix gave for his IP number not having a name in
reverse-DNS.  Instead, like a real mailer, he kept trying periodically,
so I whitelisted him to see what was being sent.

It was spam.

I did a little looking around and tracerouted the connecting machine
(218.45.234.31):

 [...]
15  gige11-0-10.hsipaccess2.tok1.net.reach.com (210.57.4.196)  248.464 ms  249.307 ms  248.133 ms
16  unknown.net.reach.com (210.57.52.50)  249.223 ms  248.807 ms  249.133 ms
17  10.0.1.17 (10.0.1.17)  242.064 ms  244.924 ms  243.203 ms
18  10.15.0.30 (10.15.0.30)  249.702 ms  254.012 ms  249.626 ms
19  218.45.234.31 (218.45.234.31)  255.120 ms  242.816 ms  243.469 ms

...look at hops #17 and #18.

I thought that 10.0/8 was not allowed on the public 'net.  Has the
rule changed, or is something really fishy going on here?  (I remember
starting to ask this before, but decided to delete the message, as I
recall.)

There seems to be (at least) a class C subnet living behind those
"forbidden" nodes.

Is a router just giving bogus ICMP results, or what?

(Yes, I normally filter all outside traffic from 10.0/8, but I also normally
filter all ICMP traffic, so I have to disable ipf in order to run a
traceroute.  (^&)


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
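Added example, not part of Richard's post or of any NetBSD tool: a short Python script that parses traceroute output like the one quoted above and labels each hop as answering from RFC 1918 space, from public space, or not at all. The sample input reuses the hops from the post plus one constructed `* * *` line; the network list, regex and function names are my own.

```python
import ipaddress
import re

# RFC 1918 blocks (assumed list): usable inside a network, never meant to be
# reachable across the public Internet, yet they can still appear as traceroute
# hops, because a router sources its ICMP Time Exceeded reply from its own
# interface address and a provider may number that interface out of 10/8.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hop number, then "hostname (address)" or, for traceroute -n, a bare address.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((\S+)\))?")

# Constructed sample: the hops quoted in the post plus one made-up hop that never
# answered, which is how a hop behind an ICMP or 10/8 ingress filter shows up.
SAMPLE = """\
 [...]
15  gige11-0-10.hsipaccess2.tok1.net.reach.com (210.57.4.196)  248.464 ms  249.307 ms  248.133 ms
16  unknown.net.reach.com (210.57.52.50)  249.223 ms  248.807 ms  249.133 ms
17  10.0.1.17 (10.0.1.17)  242.064 ms  244.924 ms  243.203 ms
18  10.15.0.30 (10.15.0.30)  249.702 ms  254.012 ms  249.626 ms
19  218.45.234.31 (218.45.234.31)  255.120 ms  242.816 ms  243.469 ms
20  * * *
"""

def classify_hops(text):
    """Return [(hop, address_or_None, label)] with label 'rfc1918', 'public' or 'no-reply'."""
    result = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # blank lines and '[...]' markers
        try:
            addr = ipaddress.ip_address(m.group(3) or m.group(2))
        except ValueError:  # '*': no ICMP reply arrived for this TTL
            result.append((int(m.group(1)), None, "no-reply"))
            continue
        label = "rfc1918" if any(addr in net for net in RFC1918) else "public"
        result.append((int(m.group(1)), str(addr), label))
    return result

def private_hops(text):
    """Hop numbers that answered from RFC 1918 space (hops 17 and 18 in the post)."""
    return [hop for hop, _, label in classify_hops(text) if label == "rfc1918"]
```

With the poster's usual ipf rule dropping inbound 10.0/8 traffic, the replies from hops 17 and 18 would have been discarded and those hops would print as `* * *` rather than vanish.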