spam from: singlehop & blacklotus

[sehh]

Hello,

Over the past several months, we've received thousands of spam, originating from IP addresses owned by a provider called SingleHop, which in turn advertise sites hosted by another provider called Blacklotus.

What we found interesting, is that once we block their IP network range, a few months later they change to another network, again owned by SingleHop.

SpamCop as well, seems not to have them blacklisted (at least not their current range of IP's, which is 108.178.0.0/18). SpamCop sends reports to abuse[at]singlehop.com and to abuse[at]blacklotus.net, but of course that makes no difference.

Does the above imply that these two "businesses" are in bed together, or owned by the same person(s)? Since any spam sent from SingleHop always points to Blacklotus sites.

[Farelf]

Hi sehh,

Don't see any obvious evidence of connection between singlehop.com and blacklotus.net other than, if you're seeing it, client-provider - but blacklotus,net is 'interesting'. They have a substantial network of their own (192.184.8.0/21) yet their mail exchange is through Google provision - aspmx.l.google.com, aspmx2.googlemail.com, alt1.aspmx.l.google.com and alt2.aspmx.l.google.com and now you're saying their actual 'marketing campaigns' are going through singlehop.com? You really need to provide a Tracking URL or two so people can see what you're seeing.

Seems like they're just trying every which way to keep their mission-sensitive network operations sanitised from their marketing. That ought to be telling them something, so you're right, they already know they're spamming. But as to whether or not your reports do any good? The SURBL takes feed from SC and you should check to see if those websites are being included in the SURBL. Just keep reporting is my advice. Maybe you can incorporate the SURBL into your filtering if those websites are cropping up there. Divert and report.

Steve

[Sven Golly]

I'm seeing the same spam here -- singlehop / black lotus. I also saw a crossover spam from serverhub.com that was spamvertising a black lotus site. Right now 75% of my spam is from serverhub.com but they STILL haven't made it to the SpamCop's own RBL. Which is why I'm getting more and more disappointed with SpamCop.

[turetzsr]

<snip>

Right now 75% of my spam is from serverhub.com but they STILL haven't made it to the SpamCop's own RBL. Which is why I'm getting more and more disappointed with SpamCop.

...Well, you might have reason to be if SpamCop determined whether to place servers of domains on the blacklist in the way it seems that you're suggesting; it doesn't: see the SpamCop FAQ article labeled "What is on the list?" for more detail, especially the section labeled "How the SCBL Works" and, for even more technical detail, the section labeled "SCBL Rules."

[astroguard]

More than 90% of the spam I've received over the past two months contains links from a Blacklotus server, for example this morning:

Finding links in message body

Resolving link obfuscation

http://end.fastcarsavings.com

http://reservenow.fastcarsavings.com

Host reservenow.fastcarsavings.com (checking ip) = 192.31.186.4

Resolves to 192.31.186.4

Cached whois for 192.31.186.4 : noc[at]blacklotus.net

routeid: 72768102 192.31.184.0 - 192.31.187.255 to: noc[at]blacklotus.net

... and this is just one of about a dozen.

[edit] thanks for data but live links broken - please don't do the spammers jobs for them

[gdeputy]

Is there any filtering tools / plugins that can parse urls like spamcop and allow server admins to block/score emails based on the hosting of the urls? 90% of the spam i'm seeing contains links hosted by blacklotus, and i'd like to be able to use that criteria.

[msealey]

Most of the spam I get comes from Black Lotus - and/or its 'customers'.

Reporting to abuse[at]blacklotus.net isn't stemming the flood at all; if anything, it's getting worse.

Anyone any experience, ideas or suggestions, please?

They're surely not a legitimate company, are they?

TIA!

[turetzsr]

Hi, Mark,

&nbsp &nbsp&nbsp&nbsp&nbsp Please see the conversation above (note to others: Mark raised this as a separate topic and I merged it here).

[msealey]

Thanks, Steve, Yes.

Is there any point, though, in continuing to report BlackLotus?

I've filed three reports with local and state D/A's…

[turetzsr]

<snip>

Is there any point, though, in continuing to report BlackLotus?

<snip>

&nbsp &nbsp&nbsp&nbsp&nbsp The general answer that we here give to such questions (with respect to reporting to SpamCop) is: yes, please continue if you are so inclined, as it feeds the statistics that SpamCop uses to decide whether to list an IP address from which the spam is coming in its blacklist, which is used by many ISPs and e-mail admins to block or filter suspected spam.

[msealey]

Steve,

That makes good sense. I am certainly so inclined.

My reservation comes from the probably erroneous sense that spam from Black Lotus has increased since I started to report.

Given than SC munges my address, that's just not possible, is it?

[turetzsr]

<snip>

My reservation comes from the probably erroneous sense that spam from Black Lotus has increased since I started to report.

Given than SC munges my address, that's just not possible, is it?

&nbsp &nbsp&nbsp&nbsp&nbsp Well, no, SC tries to munge your address everywhere it can "see" it but some claim that it doesn't always succeed and there are also other ways for spammers to tell to whom they sent a particular message if whoever reads the SpamCop report forwards it to (or is) the spammer. On the other hand, spammers probably have better things to do than to carefully inspect all two or three SpamCop spam reports they might receive in a year and add the reporter's e-mail address to some list that doesn't already have your e-mail address on it for use by other spammers who go through Black Lotus (the spammer already has your address, after all!). <g>

[msealey]

Thanks, Steve!

Since I don't expect to understand the way spammers work and think even if I live to be 100 (why they do what they do and how they can possibly make a living, let alone make any money), I assume… revenge

[turetzsr]

&nbsp &nbsp&nbsp&nbsp&nbsp My guess would be that your e-mail address somehow found its way onto a spammer's list and has since been propagated to other spammers or a batch of different Black Lotus machines that have been captured by a spammer and your address is on the spammer's list multiple times. If it's UCE, it could even be a single spammer selling "get rich quick sending e-mails" kits to the naive.

[msealey]

Thanks again, Steve!

I've now taken it up with the state and local BBB and state (CA) D/A.

Worth ten minutes of my time, I suppose.

Good luck!

[msealey]

black lotus seems to have transformed themselves into namecheaphosting now.

Is there a known connection: the muck is the same only the headers have been changed to protect the criminals :-(

[msealey]

For a few weeks in September, 90% of the spam I was receiving came to promote spamvertised sites hosted by blacklotus.

All reported.

It suddenly stopped.

A few days later I started to receive floods of similar-looking material for spamvertised sites hosted by namecheap/namecheaphosting.

Also all reported.

Continued.

Am I right in concluding (from the below) that namecheap's upstream provider is blacklotus, please?

If so, what are the implications (and what can I do about it)?

nslookup namecheap.com

Name: namecheap.com

Address: 199.59.161.100

then this whois query returns:

Net Range 199.59.160.0 - 199.59.167.255

CIDR 199.59.160.0/21

Name BLACK-LOTUS-COMMUNICATIONS

Thanks!