Showing results for tags 'zombie hacked bogon spam'.

  1. Hello: I don't know lots about networks, and here is my problem: Since February I am receiving tons of spam. The messages have a link like: http://zzzzz.standida.com/c.php?aid=xxx&lid=yyyy where x, y, z are message-specific numbers (zzzzz seems to identify the target email). The link redirects to another link like http://xtremehealthfit.com/jajbua71u/WWWW/?e=mail[at]something.com&s=XXXXXX And finally, it takes you to an offending site (porn, scam, dating....)

Spammers are using lots of different domains, but they all point to an IP in AS36263. The most used IP is But other addresses are used, and it seems hackers control several entire subnetworks in this AS, since all IPs are in netblocks assigned to "Forona":

Subnet Proxy route for FORONA by MZIMA
Subnet Forona Technologies
Subnet Proxy route for forona technologies by mzima
Subnet Forona Technologies
Subnet Forona technologies

[Full info here: http://ipinfo.io/AS36263]

Now, if you check routing tables for this AS you will find something like:

show ip bgp
3277 39710 9002 3356 3361 36263
286 3356 3361 36263
7018 2828 3361 36263

Which means that all routes have to pass through AS3361 before reaching the "backbone".

Now, if you make a trace you will find that the last hops look like this: (Info from http://ipduh.com/ip/traceroute/)

AS3356 (Level3 com) [*] [*] [*] [*] [*] [*] unused-216-168-56-242.forest.net. AS11739 AS36263

I expected to find AS3361 between AS3356 and AS36263, but I found AS11739 (registered to Digital Forest, dfcolo.com), which according to ipinfo.io does not have IP addresses. However, AS3361 does have IP addresses, and AS3361 is registered to Spectrum Networks / Digital Fortress (dfcolo.com, which also is listed in AS36263).

So we have here a zombie network, used for SPAMMING. And it looks exactly like the case of "McColo" (Sounds like DFColo!!) which involved grave cybercrime (See https://en.wikipedia.org/wiki/Brian_Krebs)

As I stated, I am not a network expert. I would like to ask for your help in ending this possible cybercrime. I sent information to ICANN / ARIN but it seems I was ignored. Maybe I could contact Brian Krebs, but I would like to have other options. Do you think it would work contacting level3.com? Thanks.