Jump to content
Sign in to follow this  
goldeneye

Romanian snow shoe spammers - having trouble with them!

Recommended Posts

I am getting bombarded with at least 2 of those per day that are not caught in my e-mail account's spam filter, and they are always image spam, directing to IP addresses in Romania - and usually now in octal IP addresses.

Problem is that the default reporting addresses point back to an abuse address at a domain which is controlled by the spammer network themselves.

Would it be best to report to their upstreams? I can provide IP addresses and AS numbers if necessary, but those should be pretty known to be IP networks/AS numbers that are totally owned by spammers themselves (either bought out or totally stolen). Usually these are /20 or /21 IP blocks, but are known to go to as much as a /16 or /15, based on the IP addresses involved.

Edited by goldeneye

Share this post


Link to post
Share on other sites

Long ago I had a similar issue and resorted to a similar approach. I am fortunate to speak that language and eventually got hold of the agency overseeing internet for that entire country ...I haven't had much of an issue with them since. I do get occasional phishing attempts traceable there and an odd spam or two, but not as much as I used to before complaining. I had some heated exchanges with networks admins there, their typical reply was that we (in USA) are a lot worse at sending spam as they are. You can find the original threads here if you search for them.

Share this post


Link to post
Share on other sites

As an update - I put in four more reports, but yet to submit...

http://www.spamcop.net/sc?id=z3721076284z9...456d0ecaba7855z

http://www.spamcop.net/sc?id=z3721166004zf...51f2602888ec1fz

http://www.spamcop.net/sc?id=z3721191020z8...00cf8b8414f50az

http://www.spamcop.net/sc?id=z3721233838z5...f949e3c8ba21cbz

I put in two more earlier today, but submitted to my own address...

http://www.spamcop.net/sc?id=z3719914935z0...45bf761cc786b5z

http://www.spamcop.net/sc?id=z3719908895zf...8213a0487f93daz

IPs so far identified...

93.168.88.78

93.168.88.80

95.157.91.129

95.157.91.157

95.157.91.185

95.177.155.136

188.170.209.232

188.208.50.166

188.208.50.168

188.229.96.130

The 93.168.88.x crap is apparently part of the supernetwork 93.168.0.0/17 from network ID AS48976, not blacklisted anywhere.

Spamhaus has already blacklisted the 95.157.91.x crap from network 95.157.64.0/18, network ID AS47968 as a snowshoe spam operation according to http://www.spamhaus.org/sbl/sbl.lasso?query=SBL76453

The 188.170.209.x one comes from supernetwork 188.170.208.0/20, network ID AS50041, not blacklisted anywhere.

The 188.208.50.x crap comes from supernetwork 188.208.48.0/20, network ID AS49436, not blacklisted anywhere.

That 188.229.96.x one comes from supernetwork 188.229.96.0/21, network ID AS50068, not blacklisted anywhere either.

I wonder if we should start rejecting anything coming from network IDs AS47968, AS48976, AS49436, AS50041 and AS50068 among others (a few more, and it includes AS50042).

Some of those AS's are very suspicious too IMO.

Another spam from those idiots just came in...

http://www.spamcop.net/sc?id=z3721455893zd...f32198465e20e1z

New crap IP from Romania again...

93.118.2.110 - from supernetwork 93.118.0.0/20, network ID AS44954

Edited by goldeneye

Share this post


Link to post
Share on other sites

Add one more Romanian network to add to the idiocy...

http://www.spamcop.net/sc?id=z3722879400z9...86fd3eb5ea25e0z

New crap IPs...

109.199.112.48

109.206.7.7

First one is from the supernetwork 109.199.96.0/19, network ID AS50075 - probably a fake network set up just for spamming

Second one is from the supernetwork 109.206.0.0/19, network ID AS50319 - yet again another fake network just to use for spam.

Added - another piece of crap from Network ID AS48976

http://www.spamcop.net/sc?id=z3723080483z9...87956dcbb9474az

New crap IP of 93.168.5.246

Note that the forged domain (hibr123picked.com) is from 93.168.64.11 - however, from the same Network ID AS48976, with supernetwork 93.168.0.0/17.

Edited by goldeneye

Share this post


Link to post
Share on other sites

Add three more spams, even tho one of these is probably not a Romanian one...

http://www.spamcop.net/sc?id=z3723622044z1...906e1ce1cefb88z

IPs of this first one:

188.209.23.242 and 188.209.24.127, from network ID AS15884, part of network 188.209.16.0/20

http://www.spamcop.net/sc?id=z3723660874z5...629178038cd806z

IPs of this second one:

69.169.97.252, from network IDs AS20001, AS33597 and AS46801, part of networks 69.169.0.0/17, 69.169.96.0/19 and 69.169.96.0/20 (not sure which is the legitimate owner of these addresses, sounds like stolen IP space).

213.247.2.71, from network IDs AS28045 (), part of networks 213.247.0.0/19 and 213.247.0.0/20, probably another set of stolen IP space.

http://www.spamcop.net/sc?id=z3723695986ze...39d75e9321a6c5z

IPs of this third one:

188.209.23.251 and 188.209.24.253, AGAIN from network ID AS15884, part of network 188.209.16.0/20

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×