Full Version: Forona/Swift/Yipes spam - Are They Somehow Special?
priruss
I have been getting hammered with spam, as many as 20 per day, from the 67.159.193.* and 74.55.187.* netblocks for the past 90 days. These blocks belong to Forona Technologies, Swiftco, and are downstream from Yipes. I carefully report each and every one via Spamcop, but these netblocks never seem to end up on any kind of blocklist and the spam continues to flow.

Am I spinning my wheels by reporting these netblocks? Are they protected or special somehow? Spamcop assures me that LARTs are being dispatched to abuse[at]yipes.com (forona's and swift's contact email addresses bounce). Is Spamcop simply dev nulling these reports? What can I do to put these spam complaints into the hands of somebody who can actually do something about the Forona/Swift/Yipes spam?

Thanks for letting me rant.
Farelf
QUOTE(priruss @ Sep 5 2008, 12:24 PM) *
...Thanks for letting me rant.
Yet, if you give some more data, some useful insights may emerge. I suggest you provide some tracking links so 'we' can see what is actually happening with one or two actual IP addresses without too much guesswork and basic research.

Generally it takes more than a few member reports to get an IP address on to the SCbl and, even when a number of other reporters are seeing the same spam, the senders may keep off the blocklist by rotating the addresses. It sounds like this could be the case with 'your' spam. Yes, it seems a little different from the 'run of the mill' spam churned out in huge numbers through botnets. If so, there may be other actions indicated that people 'here' might be able to suggest (and maybe more direct than SC reporting, maybe not).

Just looking for the netblocks you name, in Worst /24 blocks based on total spam count (Stats pages) it is evident they're not appearing on the 'radar' as a major source. That's one datum.
priruss
QUOTE(Farelf @ Sep 5 2008, 03:22 PM) *
Yet, if you give some more data, some useful insights may emerge. I suggest you provide some tracking links so 'we' can see what is actually happening with one or two actual IP addresses without too much guesswork and basic research.

Thanks for the reply. Here are several tracking links for the Forona/Swift/Yipes spam. I had to let my mouse cool off because you only get 10 or so reports on each page, so I only went back a couple of weeks (but there are many more of these things, all within the IP ranges I mentioned in the OP).

Today:
http://www.spamcop.net/sc?id=z2219220239z4...e10106d570ba93z
67.159.193.66

http://www.spamcop.net/sc?id=z2219219557z8...e0ab6ad3226174z
67.159.193.119

September 1
http://www.spamcop.net/sc?id=z2205556976z0...292b89aba7b53fz
67.159.193.229

August 28
http://www.spamcop.net/sc?id=z2194538236zd...f82671c09d9255z
67.159.193.243

August 22
http://www.spamcop.net/sc?id=z2181187541z0...8e4308e43f3377z
67.159.203.150

August 16
http://www.spamcop.net/sc?id=z2159727747z4...be25e05bb4dee9z
67.159.193.228

I think you called it correctly that Forona/Swift/Yipes might be "snowshoe spamming" (rotating through the large number of IPs within their range) - there are a few exact IP number matches, but not that many.
QUOTE(Farelf @ Sep 5 2008, 03:22 PM) *
Generally it takes more than a few member reports to get an IP address on to the SCbl and, even when a number of other reporters are seeing the same spam, the senders may keep off the blocklist by rotating the addresses. It sounds like this could be the case with 'your' spam. Yes, it seems a little different from the 'run of the mill' spam churned out in huge numbers through botnets. If so, there may be other actions indicated that people 'here' might be able to suggest (and maybe more direct than SC reporting, maybe not).

Just looking for the netblocks you name, in Worst /24 blocks based on total spam count (Stats pages) it is evident they're not appearing on the 'radar' as a major source. That's one datum.

That information increases my pessimism that anything can be done about these unrepentant repeat spammers. I guess it IS just me, so shut up and eat your spam.

Thanks again. Rant off.
StevenUnderwood
QUOTE(priruss @ Sep 5 2008, 05:24 PM) *
I think you called it correctly that Forona/Swift/Yipes might be "snowshoe spamming" (rotating through the large number of IPs within their range) - there are a few exact IP number matches, but not that many.

Seems like it... I looked at only the first IP you listed... only 10 reports over the last week and a very low (actually 0.0) SenderBase volume. In fact the whole range appears to have only a few that have as high as a 1.0 monthly volume (~10 messages seen). This type of scenario works around spamcop's strong point of catching active spam runs. This configuration would need another type of list.
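Added example (not part of the original thread): a Python sketch of the "another type of list" idea described above, scoring reports per enclosing netblock instead of per IP address, so that rotation across a range still adds up. The input IPs are the six from the tracking links posted earlier in the thread; the function names and thresholds are illustrative assumptions and are not SpamCop's listing rules.

```python
import ipaddress
from collections import Counter, defaultdict

# Source IPs taken from the tracking links posted earlier in this thread.
REPORTS = [
    "67.159.193.66", "67.159.193.119", "67.159.193.229",
    "67.159.193.243", "67.159.203.150", "67.159.193.228",
]

def group_by_block(ips, prefix=24):
    """Count reports per source IP inside each enclosing /prefix network."""
    blocks = defaultdict(Counter)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[net][ipaddress.ip_address(ip)] += 1
    return blocks

def snowshoe_candidates(ips, prefix=24, min_total=5, min_distinct=4, max_per_ip=2):
    """Blocks whose total is significant although no single IP stands out.

    Thresholds are assumed values chosen for illustration only.
    """
    hits = []
    for net, per_ip in group_by_block(ips, prefix).items():
        total = sum(per_ip.values())
        busiest = max(per_ip.values())
        if total >= min_total and len(per_ip) >= min_distinct and busiest <= max_per_ip:
            hits.append({"block": str(net), "reports": total,
                         "distinct_ips": len(per_ip),
                         "busiest_ip_reports": busiest})
    return sorted(hits, key=lambda h: h["reports"], reverse=True)

if __name__ == "__main__":
    # Per /24: five addresses with one report each add up to one flagged block.
    for hit in snowshoe_candidates(REPORTS):
        print(hit)
    # A wider aggregate (/20 is an arbitrary choice here, not a statement about
    # the real allocation) also pulls in the 67.159.203.150 report.
    for hit in snowshoe_candidates(REPORTS, prefix=20):
        print(hit)
```

A single address sending the same number of messages is deliberately not flagged here, since that is the active-run case a per-IP list already catches.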
Farelf
Well that is all plain depressing. That is the old-style spam we all used to complain about and seemed unstoppable due to low volumes, but why should there be trouble enforcing CAN-SPAM non-compliance against the 'originators' (of the actual mails)? The cheesy domains are traceable to the registrars at least. Isn't that enough? I don't know. And those same email and web-hosting service providers are coming up time and again. For some reason I can't drag up the topic from http://zeta.cesmail.net/pipermail/old-spamcop-list/ but I note the subject of this net has arisen before - RandallW's post about mail and spamvertizement hosting and Mike Easter's reply
CODE
From nobody at spamcop.net Sun Jun 4 01:02:40 2006
From: nobody at spamcop.net (RandallW)
Date: Sun Jun 4 03:05:07 2006
Subject: [SpamCop-List] Yipes, Forona, and Swiftco
Message-ID: <e5u0ib$3qi$1[at]news.spamcop.net>

I receive a small daily splurge of spam from an affiliate of
Consumerpromotioncenter.com; the SC parser determines that Yipes.com,
Forona.com, and Swiftco.net host both the e-mail server and webspace where
the spamvertised url is hosted.
Any opinions on these companies' spam policies?

( One SC report I recently sent ):

http://www.spamcop.net/sc?id=z962880152zdb...246f5044d29c95z


From MikeE at ster.invalid Sun Jun 4 03:57:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jun 4 06:00:07 2006
Subject: [SpamCop-List] Re: Yipes, Forona, and Swiftco
References: <e5u0ib$3qi$1[at]news.spamcop.net>
Message-ID: <e5uapj$9i0$1[at]news.spamcop.net>

RandallW wrote:
> I receive a small daily splurge of spam from an affiliate of
> Consumerpromotioncenter.com; the SC parser determines that Yipes.com,
> Forona.com, and Swiftco.net host both the e-mail server and webspace
> where the spamvertised url is hosted.
> Any opinions on these companies' spam policies?

spammer -- spamsource spamvertiser unresponsive spamhaused /22

> ( One SC report I recently sent ):
>
www.spamcop.net/sc?id=z962880152zdb49d2168b8d19ae53246f5044d29c95z

source 204.15.231.227 no rDNS
From: airline-surplus-online.com = MX 204.15.231.225
spamvertiser airline-surplus-online.com
straightup unresponsive spammer/spamvertiser
provider spamhaused all over the place

whois -h whois.arin.net 204.15.231.227 ...
SWIFT VENTURES Inc 204.15.224.0 - 204.15.231.255
OrgTechEmail: abuse[at]swiftco.net
Forona Technologies, 204.15.230.0 - 204.15.231.255
OrgTechEmail: domains[at]forona.com

Forona spamhaused as the /22
204.15.228.0/22 is listed on the Spamhaus Block List
Ref: SBL41952

Spamhaus shows much evidence including spamcop's and also shows the
forona/swift structure for this block and others, and shows that the
AS36263 for forona has the upstream AS6517 YIPESCOM Spamhaus has
numerous other listings for the swiftco/forona, 9 SBLs, including a
ROKSO -- blocks of numerous sizes /22s, /23, /24s etc

The abuse.net reg'd contacts are forona, swiftco, & yipes, which is how
spamcop notifies for source and spamvertiser, so yipes is being informed
of the unresponsiveness of their downstream


--
Mike Easter
kibitzer, not SC admin
(found by Googling). Note they are/were ROKSO listed so, 'Vaster than empires, and more slow' the evidence against them builds but I guess there are worse to deal with first. But note the date of those NG items - Sunday 6 June 2006 f'Pete's sake!

Well, alternative strategies have come and gone, many now think outside of the SC 'box', I'm just wondering whether others 'here' might have some suggestions? What about the KnujOn users, f'rinstance? Any point in reporting this stuff there? FTC reporting? Links at http://forum.spamcop.net/forums/index.php?showtopic=2238#ASS might suggest other avenues.
Wazoo
QUOTE(Farelf @ Sep 5 2008, 09:15 PM) *
For some reason I can't drag up the topic from http://zeta.cesmail.net/pipermail/old-spamcop-list/ but I note the subject of this net has arisen before - RandallW's post about mail and spamvertizement hosting and Mike Easter's reply ..... (found by Googling).

Off-Topic .. perhaps to be split out and moved if further discussion is needed.

The same text/archive file exists on both the old and current servers. However, the zeta-server file has not been archived by Google. Perhaps adding http://zeta.cesmail.net/pipermail/old-spam...t/2006-June.txt here might help ???? No idea if it's a 'duplicate content' issue or simply that this path has not been crawled yet. How many other files/archives might be in the same state????

Once again, the request goes out for the www.spamcop.net help pages to be updated and change the newsgroup archive links to the current location (the zeta server) .. When this happens, the old/ancient archives on the 'news' server can be hidden/removed so this kind of stuff won't happen. (Of course, that also means that I'll have to find the time, energy, and desire to edit all those HTML files that were simply copied over from the old server to the new, in order to make the links point to the right place. Gads what a pain. Yeah, yeah, I know some of you are thinking that a bit of awk and sed would do the trick, but .... the actual problem is that some of those files no longer actually exist .. deleted to make space available on the 'disk full' hard-drive. I believe most of you know that I don't like doing things only as a partial fix.)

In addition, having to note that June 2006 was the timeframe of the 'disk full' condition that stopped the newsgroup archiving. I'm having to assume that this (disk full condition) is why the threaded list of posts doesn't match the 'full text' listing for this month's/year's Archives. Not really sure how to fix that problem .. the last time I was 'smart' on this tool was a couple of years back, when I got it running on this server.
Devilwolf
I've found that a lot of their spam seems to get nailed by filters. Almost all the email in my yahoo webmail spam folder is from Forona - all the basic chicken bone stuff Viagra, $500 Gift Cards, etc. They seem to be marketing to the last few million people who don't have any spam filters.