Sven Golly

serverhub.com


...That wouldn't necessarily be a reason to devnull. They seem to do that mostly when reports to the abuse address bounce or when the admin asks them to not send reports.


...That wouldn't necessarily be a reason to devnull. They seem to do that mostly when reports to the abuse address bounce or when the admin asks them to not send reports.

My comment was semi-tongue-in-cheek. ;-) I suspect serverhub.com devnulls SpamCop reports.

Just in the last hour I got 2 more spams originating from serverhub.com.


serverhub's IP space is still sending major amounts of spam. Some 60 reports later and they STILL don't even show up on SpamCop's own RBL! I'm really beginning to think SpamCop itself is becoming irrelevant.

Edited by Sven Golly


...But the absolute volume of spam is not used in SpamCop's algorithm that determines whether an IP address is included in the SCBL -- see SpamCop FAQ article labeled "What is on the list?"


Yes, http://www.spamcop.net/fom-serve/cache/297.html shows how it works in general, reputation points help approximate a ham:spam ratio determination which in turn helps ensure a few bad eggs don't drag down any massive, mostly non-spamming assets to the great detriment of the innocent public. You can then look at data presentations from the SC Stats pages to put your 'problem' networks in context.

Regarding the instance of 107.158.214.212 - from http://www.spamcop.net/spamstats.shtml thence http://www.spamcop.net/w3m?action=map;mask...ratio;sort=spam we can see that 107.158.214.0/24 doesn't get a look in for spam ratio (/200) and is ranked down at 47/200 in spam count - http://www.spamcop.net/w3m?action=map;net=...35;sort=spamcnt

Current metrics:

107.158.214.0/24 No.s
Total email volume 1314
Total spam reports 39789
spam reports vs. email volume 30.28
Number of hosts sending email 90
Number of hosts reported for spam 76
Hosts reported vs. hosts sending 0.73
Average volume per host sending 14.6

There are presently three servers from that 107.158.214.0/24 allocation listed in the SCBL according to http://www.senderbase.org/senderbase_queri....158.214.0%2F24 No doubt if more people were reporting there would be more of them (so don't despair, certainly keep reporting them yourself) but, as you can see for 107.158.214.212 in that display, the network operations for that service spread the load (that specific IP address is currently having a bit of a holiday). An unkind observer might say they 'snowshoe' a little.

[edit - fixed links etc.]

Edited by Farelf


Well it would seem to me that because serverhub has set up a special abuse address just for Spamcop (spamcop[at]serverhub.com) and since they allow this spammer to continue (we get about 10 - 20 per day on one address alone), the special spamcop address is simply being ignored.

So assuming there's a special arrangement between SC and Serverhub to support that address, why does SC continue to do so? All it looks like to me is a way for them to monitor how much spam they can crank out before running afoul of the SCBL.

Am I missing something?

These are all sample Serverhub spams reported to SC. I don't report every single one I get.

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851586

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851514

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851673

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851511

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851508

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851507

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129632531 <- Black Lotus + Serverhub

http://www.spamcop.net/mcgi?action=gettrac...rtid=6129632544 <- Black Lotus + Serverhub

...So assuming there's a special arrangement between SC and Serverhub to support that address, why does SC continue to do so? All it looks like to me is a way for them to monitor how much spam they can crank out before running afoul of the SCBL.

Am I missing something?...

Yes, certainly looks like your initial 'tongue-in-cheek' supposition might not have been far off the mark. 'Follow the money,' as they say, that might be all there is to it, a profitable commercial arrangement for both parties. And illegal in terms of the current US legislation, one imagines, if the service provider is aware of 'marketing' by the client in contravention of the anti-spam provisions (which point might be a touch hard to prove). Those are NOT Tracking URLs by the way - but I'm sure Don will be interested in them. Clearly there is no 'list-washing' going on, which would be the principal SC concern, I suppose, but maybe there's some other form of 'gaming' going on to carefully monitor the (apparent) snowshoe operation, as you suggest.

All-in-all, some thin lines involved and many thanks for highlighting the situation! If they're cunning enough to snowshoe without tripping the dedicated component of the Spamhaus SBL (http://www.spamhaus.org/css/) then they're certainly a problem for the internet community. No single RBL or anti-spam tool can ever catch all spam.


Yeah I didn't save the tracking URLs for those -- so I just went to Recent Reports to snag what I could. Would be nice if SC presented the tracking URL in Recent Reports. Anyway here are two of today's serverhub.com spams by tracking URL.

http://www.spamcop.net/sc?id=z5888418267z5...1b97b6d3fc9bbbz

http://www.spamcop.net/sc?id=z5888418191z6...11bde60310273bz

These spams are just goofy with weird keywords. I don't know if they are to get past spam filters or if they are a form of reverse tracking. Report the spam and they know you did because they see what was reported and can track it back to the reporter / recipient. All serverhub.com spam gets copied to spam[at]uce.gov and knujon.


Yeah I didn't save the tracking URLs for those -- so I just went to Recent Reports to snag what I could. Would be nice if SC presented the tracking URL in Recent Reports. Anyway here are two of today's serverhub.com spams by tracking URL.

Nice is our middle name:

FAQ Entry: Getting a Tracking URL from a Report ID

But don't worry about retrieving - SC staff can use the Report IDs you provided earlier, if they want to investigate.

...

These spams are just goofy with weird keywords. I don't know if they are to get past spam filters or if they are a form of reverse tracking. Report the spam and they know you did because they see what was reported and can track it back to the reporter / recipient. All serverhub.com spam gets copied to spam[at]uce.gov and knujon.

Yes, unusually pointless-seeming but one imagines it has some point, since it is presumably costing "Rendering Partner" or someone something to send it. Anyway thanks for the alert - maybe someone 'here' can shed some light and maybe it will interest SC too. This really looks like a snowshoe operation to me, very low volume detected by SenderScore but SenderBase seems to be seeing short intense bursts of activity - about as high as volumes for individual servers ever get (5.1 and 5.3 magnitude for those last two IP addresses) which is a liability on the resources of the internet and on the patience of its users, if all of it is spam (or even one tenth of it).

Curious ...


Thanks for the info on getting the tracking link. I had never noticed the "Parse" link at the top. The FAQ is kind of arcane in many ways.

I have dealt with whoever is behind the serverhub spam in the past since I recognize the writing / subject line style and what they usually promote. The spammer is active for anywhere from 1 month to as long as a year, eventually gets shut down, then starts all over again from a new spam-friendly ISP. Serverhub is going on 3 months now I think.


We're not going to stop sending reports to spamcop[at]serverhub.com.

We've sent 184,926 reports to that address since it was created in March of 2013.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -


We're not going to stop sending reports to spamcop[at]serverhub.com.

We've sent 184,926 reports to that address since it was created in March of 2013.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

Has it accomplished anything other than make it "look like" an ISP might be doing something?


Has it accomplished anything other than make it "look like" an ISP might be doing something?

If nothing else, continuing to report emails with a serverhub.com connection will help keep them in sight of the processes which feed the SCBL.


Yep, and denies them wriggle room should they subsequently try to profess ignorance, should the question ever arise with any enforcement agency.


Yep, and denies them wriggle room should they subsequently try to profess ignorance, should the question ever arise with any enforcement agency.

Interesting logic I guess. But they still never make it onto the SCBL. They are good at the snowshoe tapdance.


Shouldn't we also cc to "support[at]serverhub.com"? That is where their spam Policy asks for reports to be made:

"If you have additional questions regarding this policy or wish to report this type of activity with included headers to us please feel free to contact us(support[at]serverhub.com)."


I've just received a dozen emails from serverhub along the lines -

====================================================

This email concerns your recent ticket: [spamCop (http://clickhere.dedicatdd.com/rt/bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to the site! (1446)

As part of our commitment to improving your customer support experience, we would like to know how you think we are doing.

Please take a moment to complete a short survey consisting of just a few multiple-choice questions.

==================================================

I was strongly tempted to report them as spam but I suspect it might be a "report denial justification" technique.

