NetRange:       108.174.192.0 - 108.174.207.255
CIDR:           108.174.192.0/20
OriginAS:       AS54290
NetName:        HOSTWINDS-20-1
NetHandle:      NET-108-174-192-0-1
Parent:         NET-108-0-0-0-0
NetType:        Direct Allocation
RegDate:        2012-02-01
Updated:        2012-02-01

PTRs in the netblock leave absolutely no ambiguity as to what they're
about - and the entire block seems to be occupied by them. Has this
(spamming) customer leased the entire /20 from them, is this a special
"dumping ground" where they host only spammers, or is HostWinds black-hat?

108.174.192.3    smtp2.iemailaction.com
108.174.192.4    smtp3.iemailaction.com
108.174.192.5    smtp4.iemailaction.com
108.174.192.6    smtp5.iemailaction.com
108.174.192.7    smtp6.iemailaction.com
108.174.192.10   smtp9.iemailaction.com
108.174.192.11   smtp10.iemailaction.com
108.174.192.12   smtp11.iemailaction.com
108.174.192.13   smtp12.iemailaction.com
108.174.192.14   smtp13.iemailaction.com
108.174.192.15   smtp14.iemailaction.com
108.174.192.16   smtp15.iemailaction.com
108.174.192.17   smtp16.iemailaction.com
108.174.192.18   smtp17.iemailaction.com
108.174.192.19   smtp18.iemailaction.com
108.174.192.20   smtp19.iemailaction.com
108.174.192.21   smtp20.iemailaction.com
108.174.192.22   smtp21.iemailaction.com
108.174.192.23   smtp22.iemailaction.com
108.174.192.24   smtp23.iemailaction.com
108.174.192.25   smtp24.iemailaction.com
108.174.192.26   smtp25.iemailaction.com
108.174.192.27   smtp26.iemailaction.com
108.174.192.28   smtp27.iemailaction.com
108.174.192.29   smtp28.iemailaction.com
108.174.192.30   callwithwill.com
108.174.192.31   m1.callwithwill.com
108.174.192.32   m2.callwithwill.com
108.174.192.33   m3.callwithwill.com
108.174.192.34   m4.callwithwill.com
108.174.192.35   m5.callwithwill.com
108.174.192.36   m6.callwithwill.com
108.174.192.37   m7.callwithwill.com
108.174.192.38   smtp37.iemailaction.com
108.174.192.39   smtp38.iemailaction.com
108.174.192.40   smtp39.iemailaction.com
108.174.192.41   smtp40.iemailaction.com
108.174.192.42   smtp41.iemailaction.com
108.174.192.43   smtp42.iemailaction.com
108.174.192.44   smtp43.iemailaction.com
108.174.192.45   smtp44.iemailaction.com
108.174.192.46   smtp45.iemailaction.com
108.174.192.47   smtp46.iemailaction.com
108.174.192.48   smtp47.iemailaction.com
108.174.192.49   smtp48.iemailaction.com
108.174.192.50   smtp49.iemailaction.com
108.174.192.51   smtp50.iemailaction.com
108.174.192.52   smtp51.iemailaction.com
108.174.192.53   smtp52.iemailaction.com
108.174.192.54   smtp53.iemailaction.com
108.174.192.55   smtp54.iemailaction.com
108.174.192.56   smtp55.iemailaction.com
108.174.192.57   smtp56.iemailaction.com
108.174.192.58   smtp57.iemailaction.com
108.174.192.59   smtp59.iemailaction.com
108.174.192.60   smtp59.iemailaction.com
108.174.192.61   smtp60.iemailaction.com
108.174.192.62   smtp61.iemailaction.com
108.174.192.63   smtp62.iemailaction.com
108.174.192.64   smtp63.iemailaction.com
108.174.192.65   smtp64.iemailaction.com
108.174.192.66   smtp65.iemailaction.com
108.174.192.67   smtp66.iemailaction.com
108.174.192.68   smtp68.iemailaction.com
108.174.192.69   smtp69.iemailaction.com
108.174.192.70   smtp69.iemailaction.com
108.174.192.71   smtp70.iemailaction.com
108.174.192.72   smtp71.iemailaction.com
108.174.192.73   smtp72.iemailaction.com
108.174.192.74   smtp73.iemailaction.com
108.174.192.75   smtp74.iemailaction.com
108.174.192.76   smtp75.iemailaction.com
108.174.192.77   smtp76.iemailaction.com
108.174.192.78   smtp77.iemailaction.com
108.174.192.79   smtp78.iemailaction.com
108.174.192.80   smtp79.iemailaction.com
108.174.192.81   smtp80.iemailaction.com
108.174.192.82   smtp81.iemailaction.com
108.174.192.83   smtp82.iemailaction.com
108.174.192.84   smtp83.iemailaction.com
108.174.192.85   smtp84.iemailaction.com
108.174.192.86   smtp85.iemailaction.com
108.174.192.87   smtp86.iemailaction.com
108.174.192.88   smtp87.iemailaction.com
108.174.192.89   smtp88.iemailaction.com
108.174.192.90   smtp89.iemailaction.com
108.174.192.91   smtp90.iemailaction.com
108.174.192.92   smtp91.iemailaction.com
108.174.192.93   smtp92.iemailaction.com
108.174.192.94   smtp93.iemailaction.com
108.174.192.95   smtp94.iemailaction.com
108.174.192.96   smtp95.iemailaction.com
108.174.192.97   smtp96.iemailaction.com
108.174.192.98   smtp97.iemailaction.com
108.174.192.99   smtp98.iemailaction.com
108.174.192.100  smtp99.iemailaction.com
108.174.192.101  smtp100.iemailaction.com
108.174.192.102  smtp101.iemailaction.com
108.174.192.103  smtp102.iemailaction.com
108.174.192.104  smtp103.iemailaction.com
108.174.192.105  smtp104.iemailaction.com
108.174.192.106  smtp105.iemailaction.com
108.174.192.107  smtp106.iemailaction.com
108.174.192.108  smtp107.iemailaction.com
108.174.192.109  smtp108.iemailaction.com
108.174.192.110  smtp109.iemailaction.com
108.174.192.111  smtp110.iemailaction.com
108.174.192.112  smtp111.iemailaction.com
108.174.192.113  smtp112.iemailaction.com
108.174.192.114  smtp113.iemailaction.com
108.174.192.115  smtp114.iemailaction.com
108.174.192.116  smtp115.iemailaction.com
108.174.192.117  smtp116.iemailaction.com
108.174.192.118  smtp117.iemailaction.com
108.174.192.119  smtp118.iemailaction.com
108.174.192.120  smtp119.iemailaction.com
108.174.192.121  smtp120.iemailaction.com
108.174.192.122  smtp121.iemailaction.com
108.174.192.123  smtp122.iemailaction.com
108.174.192.124  smtp123.iemailaction.com
108.174.192.125  smtp124.iemailaction.com
108.174.192.126  smtp125.iemailaction.com
108.174.192.127  smtp126.iemailaction.com
108.174.192.128  smtp127.iemailaction.com
108.174.192.129  smtp128.iemailaction.com
108.174.192.130  smtp129.iemailaction.com
108.174.192.131  smtp130.iemailaction.com
108.174.192.132  smtp131.iemailaction.com
108.174.192.133  smtp132.iemailaction.com
108.174.192.134  smtp133.iemailaction.com
108.174.192.135  smtp134.iemailaction.com
108.174.192.136  smtp135.iemailaction.com
108.174.192.137  smtp136.iemailaction.com
108.174.192.138  smtp137.iemailaction.com
108.174.192.139  smtp138.iemailaction.com
108.174.192.140  smtp139.iemailaction.com
108.174.192.141  smtp140.iemailaction.com
108.174.192.142  smtp141.iemailaction.com
108.174.192.143  smtp142.iemailaction.com
108.174.192.144  smtp143.iemailaction.com
108.174.192.145  smtp144.iemailaction.com
108.174.192.146  smtp145.iemailaction.com
108.174.192.147  smtp146.iemailaction.com
108.174.192.148  smtp147.iemailaction.com
108.174.192.149  smtp148.iemailaction.com
108.174.192.150  smtp149.iemailaction.com
108.174.192.151  smtp150.iemailaction.com
108.174.192.152  smtp151.iemailaction.com
108.174.192.153  smtp152.iemailaction.com
108.174.192.154  smtp153.iemailaction.com
108.174.192.155  smtp154.iemailaction.com
108.174.192.156  smtp155.iemailaction.com
108.174.192.157  smtp156.iemailaction.com
108.174.192.158  smtp157.iemailaction.com
108.174.192.159  smtp158.iemailaction.com
108.174.192.160  smtp159.iemailaction.com
108.174.192.161  smtp160.iemailaction.com
108.174.192.162  smtp161.iemailaction.com
108.174.192.163  smtp162.iemailaction.com
108.174.192.164  smtp163.iemailaction.com
108.174.192.165  smtp164.iemailaction.com
108.174.192.166  smtp165.iemailaction.com
108.174.192.167  smtp166.iemailaction.com
108.174.192.168  smtp167.iemailaction.com
108.174.192.169  smtp168.iemailaction.com
108.174.192.170  smtp169.iemailaction.com
108.174.192.171  smtp170.iemailaction.com
108.174.192.172  smtp171.iemailaction.com
108.174.192.173  smtp172.iemailaction.com
108.174.192.174  smtp173.iemailaction.com
108.174.192.175  smtp174.iemailaction.com
108.174.192.176  smtp175.iemailaction.com
108.174.192.177  smtp176.iemailaction.com
108.174.192.178  smtp177.iemailaction.com
108.174.192.179  smtp178.iemailaction.com
108.174.192.180  smtp179.iemailaction.com
108.174.192.181  smtp180.iemailaction.com
108.174.192.182  smtp181.iemailaction.com
108.174.192.183  smtp182.iemailaction.com
108.174.192.184  smtp183.iemailaction.com
108.174.192.185  smtp184.iemailaction.com
108.174.192.186  smtp185.iemailaction.com
108.174.192.187  smtp186.iemailaction.com
108.174.192.188  smtp187.iemailaction.com
108.174.192.189  smtp188.iemailaction.com
108.174.192.190  smtp189.iemailaction.com
108.174.192.191  smtp190.iemailaction.com
108.174.192.192  smtp191.iemailaction.com
108.174.192.193  smtp192.iemailaction.com
108.174.192.194  smtp193.iemailaction.com
108.174.192.195  smtp194.iemailaction.com
108.174.192.196  smtp195.iemailaction.com
108.174.192.197  smtp196.iemailaction.com
108.174.192.198  smtp197.iemailaction.com
108.174.192.199  smtp198.iemailaction.com
108.174.192.200  smtp199.iemailaction.com
108.174.192.201  smtp200.iemailaction.com
108.174.192.202  smtp201.iemailaction.com
108.174.192.203  smtp202.iemailaction.com
108.174.192.204  smtp203.iemailaction.com
108.174.192.205  smtp204.iemailaction.com
108.174.192.206  smtp205.iemailaction.com
108.174.192.207  smtp206.iemailaction.com
108.174.192.208  smtp207.iemailaction.com
108.174.192.209  smtp208.iemailaction.com
108.174.192.210  smtp209.iemailaction.com
108.174.192.211  smtp210.iemailaction.com
108.174.192.212  smtp211.iemailaction.com
108.174.192.213  smtp212.iemailaction.com
108.174.192.214  smtp213.iemailaction.com
108.174.192.215  smtp214.iemailaction.com
108.174.192.216  smtp215.iemailaction.com
108.174.192.217  smtp216.iemailaction.com
108.174.192.218  smtp217.iemailaction.com
108.174.192.219  smtp218.iemailaction.com
108.174.192.220 ...

read more »

I'm usually content to block a /32 or maybe a /29 when I first see spam, but
when I see this sort of behaviour ("micro-delegation?"), their entire range
goes onto the chopping block.

--
Bob Milutinovic
Cognicom

On Sunday, 13 May 2012 09:31 -0700,
 in article <MPG.2a197c3d83183763989...@news.supernews.com>,

That is exactly why I identified all four of the ARIN CIDRs assigned to
Hostwinds in my response to Bob, suggesting they could all be
considered firewall fodder.

 $ whois -h whois.arin.net n\ HOSTWINDS\* | iprange2cidr.pl
 64.207.238.104/30
 108.174.192.0/20
 198.143.96.0/19
 199.59.56.0/21

Also note their routes.

 $ whois -h whois.cymru.com 64.207.238.104
 AS      | IP               | AS Name
 26146   | 64.207.238.104   | EASYTEL - EasyTEL Communications, Inc.

 $ whois -h whois.cymru.com 108.174.192.0
 AS      | IP               | AS Name
 13354   | 108.174.192.0    | ASN-EBLGLOBAL - EBL Global Networks, Inc.

 $ whois -h whois.cymru.com 198.143.96.0
 AS      | IP               | AS Name
 13354   | 198.143.96.0     | ASN-EBLGLOBAL - EBL Global Networks, Inc.

 $ whois -h whois.cymru.com 199.59.56.0
 AS      | IP               | AS Name
 13354   | 199.59.56.0      | ASN-EBLGLOBAL - EBL Global Networks, Inc.

 $ whois -m  AS26146
 aut-num:        AS26146
 as-name:        EASYTEL
 descr:          EasyTEL Communications, Inc.
                 7335 S. Lewis Ave. Ste. 100
                 Tulsa, OK 74136
 admin-c:        TR750-ARIN
 tech-c:         TR750-ARIN
 mnt-by:         MNT-EASYTE-1
 changed:        trho...@easytel.com 20020725
 source:         ARIN

 $ whois -m AS13354
 aut-num:    AS13354
 as-name:    COREXCHANGE-AS
 descr:      Corexchange / EBL Global Networks
 import:     from AS2914   accept ANY
 import:     from AS3356   accept ANY
 import:     from AS3549   accept ANY
 import:     from AS7018   accept ANY
 import:     from AS-COREXCHANGE-US   accept <^AS-COREXCHANGE-US+$>
 import:     from AS174   accept ANY
 import:     from AS6461   accept ANY
 export:     to AS174   announce AS13354 AS-COREXCHANGE-US
 export:     to AS6461   announce AS13354 AS-COREXCHANGE-US
 export:     to AS2914   announce AS13354 AS-COREXCHANGE-US
 export:     to AS3549   announce AS13354 AS-COREXCHANGE-US
 export:     to AS-COREXCHANGE-US   announce ANY
 export:     to AS7018   announce AS13354 AS-COREXCHANGE-US
 export:     to AS3356   announce AS13354 AS-COREXCHANGE-US
 admin-c:    NETWO1615-ARIN
 tech-c:     NETWO1615-ARIN
 notify:     ip...@corexchange.com
 mnt-by:     MAINT-AS13354
 changed:    ip...@corexchange.com 20100729  #18:30:12Z
 source:     RADB

- --
David Ritz <dr...@mindspring.com>
 Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iEYEARECAAYFAk+v6pgACgkQUrwpmRoS3uvGOACfWo25qCTzza6SuUiCneAdiuFV
ChEAoJR7lDw/iiZoXEIrreddxjbKjEx3
=QymN
-----END PGP SIGNATURE-----

URL: http://iemailaction.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Referer:

Submitted on 05/14/2012 at 03:23 GMT

Status: finished

Redirections:

HTTP Status Code: 200 OK

Content Size: 523 bytes

Content Type: text/html;charset=ISO-8859-1

IP Address: 108.174.192.2

Country: United States

Web Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-
rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

M4

There was never any suggestion that they're malware vendors; merely
spammers. Something tells me Zscaler (not that I've ever even visited them)
is useful only for identifying malicious sites, and has nothing to do with
spam sources.

Below is the header of the drivel which triggered my examination of the
netblock - and, dare I remind you, the entire netblock _is_ full of nothing
but spam mailers.

Received: from smtp37.beautyandstyletips.com ([108.174.193.102])
 by <mymailserver>
 (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits))
 for <roleaccount@oneofmydomains>;
 Sat, 12 May 2012 11:14:53 +1000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=beautyandstyletips.com; s=default;
 h=Content-Transfer-Encoding:Content-Type:List-Unsubscribe:MIME-Version:Repl y-To:From:Date:Message-ID:Subject:To;bh=mkC/lFqQoLi/S/1aJckLCfa6plxlb1cfn4z IRGwHFbE=; b=FuWp2My9pNTs1mcG2YhGne9OUYFqh0ZGkrw67lf/px6E2A2KVHuJhEwboLTEKTTfY1qNLU/xf gUXBEBtM1puJBpjDDOs1sa5BTRrvUZaOcTfW9vzM/mAg3dW/PuCj5jo;Received: from 108.174.193.102 (helo=smtp37.beautyandstyletips.com) by smtp37.beautyandstyletips.com with esmtpa (Exim 4.77) id 1ST0qZ-0001uc-R9 for <roleaccount@oneofmydomains>; Fri, 11 May 2012 21:10:12 -0400To: <roleaccount@oneofmydomains>Subject: 7 Odd Foods that will KILL Your Abdominal Fat?Message-ID: <0a95594e5ca2c00bf5a267d87afd2...@beautyandstyletips.com>Date: Fri, 11 May 2012 15:02:12 -0400From: "Flat Abs" <ad...@beautyandstyletips.com>Reply-To: ad...@beautyandstyletips.comMIME-Version: 1.0X-Mailer-LID: 24List-Unsubscribe:<http://beautyandstyletips.com/interspire/unsubscribe.php?M=2966835&C=...>X-Mailer-RecptId: 2966835X-Mailer-SID: 22X-Mailer-Sent-By: 1Content-Type: multipart/alternative; charset="UTF-8";boundary="b1_75f8fe944b40b9c64beff3fce2bdf753"Content-Trans fer-Encoding: 8bitX-AntiAbuse: This header was added to track abuse, please include it withany abuse reportX-AntiAbuse: Primary Hostname - smtp1.beautyandstyletips.comX-AntiAbuse: Original Domain - <oneofmydomains>X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]X-AntiAbuse: Sender Address Domain - beautyandstyletips.com--Bob MilutinovicCognicom

host iemailaction.com.dbl.spamhaus.org
iemailaction.com.dbl.spamhaus.org has address 127.0.1.2

Being listed on the DBL is apparently not sufficient for you to remove them?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAk+0ilEACgkQL6j7milTFsEWAQCfZFpcDUc4x84IwnfctQsgeH1g
SP4AnAnJaw/1i85/f1LL9GXu5YXj0Bws
=6n9j
-----END PGP SIGNATURE-----

Since you have brought this to our attention we have nullrouted

108.174.192.1/24
AND
108.174.193.128/25

The two blocks we had allocated to that client, I appreciate everyone's help in bringing this matter to our attention

We use a program called SolusVM to manage all of our IP addresses, as well as all of our VPS's, and this program randomly selects IP's to assign to a client based on the available pool at the time, because of this we have found the easiest way to manage our IP space and rwhois server is by exporting our solusVM database into our IP manager, and then exporting that into our rwhoisd server. The ipmanager we are using is

http://sourceforge.net/projects/phpipam/

This only allows us to export our IP addresses as individual addresses, not as blocks to my knowledge

--Peter Holden

--Peter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAk+1r0EACgkQL6j7milTFsElaACfcT1qWhwaWL4gLr17Y4+FJoV/
tA8An09oj9k0Y1MNPUexgxBkxrF6XB0x
=lFUH
-----END PGP SIGNATURE-----

If you have a look at the header of the spam I quoted, it was actually from
a "client" you chose not to block - beautyandstyletips.com, which seems to
be part of the greater 108.174.193/24 (of which you purport to have only
blocked half).

Have a look through the PTRs of the rest of your /20 and you'd be hard
pressed to find one that doesn't just scream "I'm a spammer!"

BTW, merely nulling or editing the PTRs doesn't count as "taken care of the
spammer."

I do hope you managed to retain a sizable security bond from your "client,"
because by the looks of it the only way you're going to get out of this mess
is to relinquish your entire /20 and purchase a new one (or wait many MANY
years 'til everyone here decides to remove that block from their routers).

--
Bob Milutinovic
Cognicom

Lots of /32s in there clearly run by the same spammer, but using different names.