marc1

[Resolved] Reporting Address for 67.14.182.70


It seems that no one is getting these spam reports. Consequently, I keep getting spam from this IP. Any help/suggestions?

Cached whois for 67.14.182.70 : admin[at]hostmetro.net

Using abuse net on admin[at]hostmetro.net

No abuse net record for hostmetro.net

Using default postmaster contacts postmaster[at]hostmetro.net

postmaster[at]hostmetro.net bounces (6 sent : 6 bounces)


Well now, that's one wonky little /19. The IP is pingable and reverses to pw70.people-who.com, but people-who.com is unreachable and the details of all the players are, of course, using privacy services for whois.

The best advice is to keep reporting them until someone notices!

UPDATE: I believe you should send a manual complaint to the abuse address shown here, attaching spam from hostmetro.net and perhaps adding hostmetro.net in the subject line. KCNAP seems to be who they get their connection from, although the BGP routes aren't advertised TTBOMK.

Edited by SpamCop 98


Thanks for the update on the contact info.

I have been using SpamCop for many years. Once I report abuse to the correct contact, spam typically stops from that source.

In this case, I keep getting spam from hostmetro. In fact, it has increased in the past few days. Is it possible these reports are ending up in the wrong hands? Maybe even in the hands of the spammers?

> In this case, I keep getting spam from hostmetro. In fact, it has increased in the past few days. Is it possible these reports are ending up in the wrong hands? Maybe even in the hands of the spammers?

Looking at the tool provided at http://www.senderbase.org/senderbase_queries/main ... the Domain in question doesn't show much. However, as you are the one receiving the spam, you have the IP Addresses involved. Try looking a few of them up and see what things look like.

> Looking at the tool provided at http://www.senderbase.org/senderbase_queries/main ... the Domain in question doesn't show much. However, as you are the one receiving the spam, you have the IP Addresses involved. Try looking a few of them up and see what things look like.

It is interesting. They are pretty clean. 67.14.175.191 is another one that was used recently.

> 67.14.175.17 is another.

Well, that is interesting - looks like all of 67.14.175.0/24 has the same rDNS (which is not kosher), SenderBase shows most addresses 'seen' have a similar up and down sending pattern ± ~400% which would make the whole thing a snowshoe operation or something indistinguishable from one.

Terribly hard to nail in that case. AFAIK only spamhaus specifically looks out for these - see http://forum.spamcop.net/forums/index.php?showtopic=10622 - and evidently it takes a while before that facility on sbl.spamhaus.org lookups will trigger (and they have to 'see' submissions first). Not sure why the 'policy' blocks (including SORBS, notoriously) haven't picked up on sending from 'dynamic' address space but I guess they will, eventually (that's their purpose). SpamCop is never going to amass enough hits unless a spamtrap gets onto the distribution lists (which are possibly more tightly controlled than most).

They send spam yet don't register on a single one of the 224 RBLs checked by http://multirbl.valli.org/dnsbl-lookup/ - I guess the only thing giving them away is their impossible 'cleanliness'. I have yet to see a regular address that is as untainted as any and all of those in the 67.14.175.0/24 seem to be.

I guess the only thing from which comfort could be taken is that it must be costing an arm and a leg to run that operation, logically there is no way spam could pay for it and accordingly they should be quite alert to spam in their network. Or maybe the wages of sin are higher than we thought :ph34r:


Thanks for the reply. This is all new to me, so not sure I understand what can be done.

It goes beyond 67.14.175.*

67.14.174.7 and 67.14.182.70 are sending spam. 173.244.45.239 is also from the same source.

Can I report this one level higher? Who is providing them access? It is unclear to me who is the bad guy here...Hostmetro?

> ...Can I report this one level higher? Who is providing them access? It is unclear to me who is the bad guy here...Hostmetro?

Upstreams are a bit of a mystery to me too but SpamCop 98 seems to have a handle on it and made a suggestion in the post linked which takes all of those 67.14.160.0/19 addresses (67.14.160.0 - 67.14.191.255) into account.

> Upstreams are a bit of a mystery to me too but SpamCop 98 seems to have a handle on it and made a suggestion in the post linked which takes all of those 67.14.160.0/19 addresses (67.14.160.0 - 67.14.191.255) into account.

Yes, indeed I missed SpamCop 98's suggestion. I have notified the upstream provider. Although it is unclear how SpamCop 98 got KCNAP as the upstream provider. I would like to notify the upstream of 173.244.45.239 as well. How can I do that?
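
Two checks raised in this thread can be done mechanically: whether many senders in one /24 share a single rDNS name, and which reported addresses fall inside the 67.14.160.0/19 allocation. The following Python is an added example, not part of any poster's message; the sample records, thresholds and function names are assumptions, and only the reported addresses and the /19 come from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (source IP, PTR name, messages seen). Documentation
# ranges and example names only; none of these PTRs or counts are from the thread.
SAMPLE = [
    ("192.0.2.17", "mail.bulk.example", 3),
    ("192.0.2.44", "mail.bulk.example", 2),
    ("192.0.2.91", "mail.bulk.example", 4),
    ("192.0.2.130", "mail.bulk.example", 2),
    ("192.0.2.191", "mail.bulk.example", 3),
    ("198.51.100.10", "mx1.corp.example", 40),
    ("198.51.100.11", "mx2.corp.example", 38),
    ("203.0.113.5", None, 1),  # no PTR record at all
]

def snowshoe_candidates(records, min_senders=4, max_avg_msgs=5):
    """Flag /24s where many low-volume senders all share one PTR name.

    The thresholds are illustrative assumptions, not published values.
    """
    blocks = defaultdict(lambda: {"ips": set(), "ptrs": set(), "msgs": 0})
    for ip, ptr, count in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        blocks[net]["ips"].add(ip)
        blocks[net]["ptrs"].add(ptr)
        blocks[net]["msgs"] += count
    flagged = {}
    for net, b in blocks.items():
        senders = len(b["ips"])
        avg = b["msgs"] / senders
        one_ptr = len(b["ptrs"]) == 1 and None not in b["ptrs"]
        if senders >= min_senders and one_ptr and avg <= max_avg_msgs:
            flagged[str(net)] = {"senders": senders, "avg_msgs": avg,
                                 "ptr": next(iter(b["ptrs"]))}
    return flagged

def covered_by(ips, supernet):
    """Map each reported IP to whether it falls inside the given allocation."""
    net = ipaddress.ip_network(supernet)
    return {ip: ipaddress.ip_address(ip) in net for ip in ips}

# Addresses and the /19 are the ones quoted in the thread.
REPORTED = ["67.14.175.191", "67.14.175.17", "67.14.174.7",
            "67.14.182.70", "173.244.45.239"]

if __name__ == "__main__":
    print(snowshoe_candidates(SAMPLE))
    print(covered_by(REPORTED, "67.14.160.0/19"))
```

An address that `covered_by` reports as outside the /19 belongs to a different allocation, so its abuse and upstream contacts have to be looked up separately.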
