At first glance, you'd think it was yet another "mainsleaze" mailing outfit, but when you get spam to a role account you generally tend to sit up and take notice. And when you discover the "mailer" outfits are run by Indians, your interest really gets piqued.
PTRs in the netblock leave absolutely no ambiguity as to what they're about - and the entire block seems to be occupied by them. Has this (spamming) customer leased the entire /20 from them, is this a special "dumping ground" where they host only spammers, or is HostWinds black-hat?
> On Saturday, 12 May 2012 18:58 +1000,
> in article <jol8ni$qc...@dont-email.me>,
> Bob Milutinovic <cogni...@gmail.com> wrote:
>> At first glance, you'd think it was yet another "mainsleaze" mailing
>> outfit, but when you get spam to a role account you generally tend
>> to sit up and take notice. And when you discover the "mailer"
>> outfits are run by Indians, your interest really gets piqued.
> I think one may safely assume a hat shade darker than charcoal. To
> make matters worse, HOSTWINDS is allocating their 18.104.22.168/20
> CIDR by the /32; single IP addresses. This makes it impossible to
> query their RWHOIS server is such a way, to determine which IPs are
> assigned to any given show shoe spam opearation^W^W^W customer.
A deliberate ploy; very similar to my experiences in tracking down offending netblocks in India, where they seem to love breaking /15s (and even a /13) down to /24s, just to make life more "interesting."
I'm usually content to block a /32 or maybe a /29 when I first see spam, but when I see this sort of behaviour ("micro-delegation?"), their entire range goes onto the chopping block.
> One could also consider their other CIDRs firewall fodder.
> $ whois -a 'n HOSTWINDS*' | iprange2cidr.pl
Thanks for that list, David; it'll be getting put to good use, I can assure you ;-)
On Sunday, 13 May 2012 09:31 -0700, in article <MPG.2a197c3d83183763989...@news.supernews.com>,
Jessie_C <Jessie_C> wrote:
> In article <alpine.OSX.2.00.1205122246210.56...@mako.ath.cx>, > dr...@mindspring.com says...
>> This makes it impossible to query their RWHOIS server is such a >> way, to determine which IPs are assigned to any given show shoe >> spam operation^W^W^W customer.
> In that case it's easy to determine the spam operation: It's > Hostwinds themselves. Block their entire netblock and the problem > magically goes away :)
It's a bit difficult to say that Hostwinds, themselves, are spammers. They certainly provide spam support and spam hosting.
That is exactly why I identified all four of the ARIN CIDRs assigned to Hostwinds in my response to Bob, suggesting they could all be considered firewall fodder.
$ whois -h whois.cymru.com 22.214.171.124
AS | IP | AS Name
26146 | 126.96.36.199 | EASYTEL - EasyTEL Communications, Inc.
$ whois -h whois.cymru.com 188.8.131.52
AS | IP | AS Name
13354 | 184.108.40.206 | ASN-EBLGLOBAL - EBL Global Networks, Inc.
$ whois -h whois.cymru.com 220.127.116.11
AS | IP | AS Name
13354 | 18.104.22.168 | ASN-EBLGLOBAL - EBL Global Networks, Inc.
$ whois -h whois.cymru.com 22.214.171.124
AS | IP | AS Name
13354 | 126.96.36.199 | ASN-EBLGLOBAL - EBL Global Networks, Inc.
$ whois -m AS26146
descr: EasyTEL Communications, Inc.
7335 S. Lewis Ave. Ste. 100
Tulsa, OK 74136
changed: trho...@easytel.com 20020725
$ whois -m AS13354
descr: Corexchange / EBL Global Networks
import: from AS2914 accept ANY
import: from AS3356 accept ANY
import: from AS3549 accept ANY
import: from AS7018 accept ANY
import: from AS-COREXCHANGE-US accept <^AS-COREXCHANGE-US+$>
import: from AS174 accept ANY
import: from AS6461 accept ANY
export: to AS174 announce AS13354 AS-COREXCHANGE-US
export: to AS6461 announce AS13354 AS-COREXCHANGE-US
export: to AS2914 announce AS13354 AS-COREXCHANGE-US
export: to AS3549 announce AS13354 AS-COREXCHANGE-US
export: to AS-COREXCHANGE-US announce ANY
export: to AS7018 announce AS13354 AS-COREXCHANGE-US
export: to AS3356 announce AS13354 AS-COREXCHANGE-US
changed: ip...@corexchange.com 20100729 #18:30:12Z
- -- David Ritz <dr...@mindspring.com>
Be kind to animals; kiss a shark.
On Sun, 13 May 2012 11:48:20 -0500, David Ritz wrote:
> The RWHOIS server is configured to return a maximum of ten responses.
> Where one response should suffice, HOSTWINDS is intentionally using
Not disputing their hat color (I really don't know, this seems to me more a case of "Never attribute to malice what can be explained by incompetence".
> Some stuff on the iemailaction.com domain, courtesy Zscaler. Gave it
> a 0/100 score, which means no suspicious content (such as malware or
> spam-gang source problems.)
There was never any suggestion that they're malware vendors; merely spammers. Something tells me Zscaler (not that I've ever even visited them) is useful only for identifying malicious sites, and has nothing to do with spam sources.
Below is the header of the drivel which triggered my examination of the netblock - and, dare I remind you, the entire netblock _is_ full of nothing but spam mailers.
Received: from smtp37.beautyandstyletips.com ([188.8.131.52])
(using TLSv1/SSLv3 with cipher AES256-SHA (256 bits))
Sat, 12 May 2012 11:14:53 +1000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=beautyandstyletips.com; s=default;
h=Content-Transfer-Encoding:Content-Type:List-Unsubscribe:MIME-Version:Repl y-To:From:Date:Message-ID:Subject:To;bh=mkC/lFqQoLi/S/1aJckLCfa6plxlb1cfn4z IRGwHFbE=; b=FuWp2My9pNTs1mcG2YhGne9OUYFqh0ZGkrw67lf/px6E2A2KVHuJhEwboLTEKTTfY1qNLU/xf gUXBEBtM1puJBpjDDOs1sa5BTRrvUZaOcTfW9vzM/mAg3dW/PuCj5jo;Received: from 184.108.40.206 (helo=smtp37.beautyandstyletips.com) by smtp37.beautyandstyletips.com with esmtpa (Exim 4.77) id 1ST0qZ-0001uc-R9 for <roleaccount@oneofmydomains>; Fri, 11 May 2012 21:10:12 -0400To: <roleaccount@oneofmydomains>Subject: 7 Odd Foods that will KILL Your Abdominal Fat?Message-ID: <0a95594e5ca2c00bf5a267d87afd2...@beautyandstyletips.com>Date: Fri, 11 May 2012 15:02:12 -0400From: "Flat Abs" <ad...@beautyandstyletips.com>Reply-To: ad...@beautyandstyletips.comMIME-Version: 1.0X-Mailer-LID: 24List-Unsubscribe:<http://beautyandstyletips.com/interspire/unsubscribe.php?M=2966835&C=...>X-Mailer-RecptId: 2966835X-Mailer-SID: 22X-Mailer-Sent-By: 1Content-Type: multipart/alternative; charset="UTF-8";boundary="b1_75f8fe944b40b9c64beff3fce2bdf753"Content-Trans fer-Encoding: 8bitX-AntiAbuse: This header was added to track abuse, please include it withany abuse reportX-AntiAbuse: Primary Hostname - smtp1.beautyandstyletips.comX-AntiAbuse: Original Domain - <oneofmydomains>X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]X-AntiAbuse: Sender Address Domain - beautyandstyletips.com--Bob MilutinovicCognicom
On Wed, 16 May 2012 20:33:43 -0700, Peter Holden wrote:
> We are asking for them to disclose and prove their methods are
> CAN-SPAM compliant, if they are in fact spamming , we will take
> appropriate action and suspend the entire account, per our TOS
On Thursday, May 17, 2012 12:19:48 AM UTC-5, Carl Byington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Wed, 16 May 2012 20:33:43 -0700, Peter Holden wrote:
> > We are asking for them to disclose and prove their methods are
> > CAN-SPAM compliant, if they are in fact spamming , we will take
> > appropriate action and suspend the entire account, per our TOS
On Monday, May 14, 2012 1:53:45 AM UTC-5, Martijn Lievaart wrote:
> On Sun, 13 May 2012 11:48:20 -0500, David Ritz wrote:
> > The RWHOIS server is configured to return a maximum of ten responses.
> > Where one response should suffice, HOSTWINDS is intentionally using
> > hundreds.
> Not disputing their hat color (I really don't know, this seems to me more > a case of "Never attribute to malice what can be explained by > incompetence".
I believe we have increased the maximum number of queries our rwhoisd server can handle, the reason we block our IP's out in /32's is simple
We use a program called SolusVM to manage all of our IP addresses, as well as all of our VPS's, and this program randomly selects IP's to assign to a client based on the available pool at the time, because of this we have found the easiest way to manage our IP space and rwhois server is by exporting our solusVM database into our IP manager, and then exporting that into our rwhoisd server. The ipmanager we are using is
> On Thursday, May 17, 2012 12:19:48 AM UTC-5, Carl Byington wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On Wed, 16 May 2012 20:33:43 -0700, Peter Holden wrote:
>> > We are asking for them to disclose and prove their methods are
>> > CAN-SPAM compliant, if they are in fact spamming , we will take
>> > appropriate action and suspend the entire account, per our TOS
> We have thousands of client's and we do not monitor our client's domain > names, only IP addresses
> Since you have brought this to our attention we have nullrouted
> The two blocks we had allocated to that client, I appreciate everyone's > help in bringing this matter to our attention
What about the remainder of the infested /20?
If you have a look at the header of the spam I quoted, it was actually from a "client" you chose not to block - beautyandstyletips.com, which seems to be part of the greater 108.174.193/24 (of which you purport to have only blocked half).
Have a look through the PTRs of the rest of your /20 and you'd be hard pressed to find one that doesn't just scream "I'm a spammer!"
BTW, merely nulling or editing the PTRs doesn't count as "taken care of the spammer."
I do hope you managed to retain a sizable security bond from your "client," because by the looks of it the only way you're going to get out of this mess is to relinquish your entire /20 and purchase a new one (or wait many MANY years 'til everyone here decides to remove that block from their routers).