mMerlin

cloudflare bulletproof spammer hosting?

7 posts in this topic

A search here shows an old topic about Cloudflare not being responsible for spam from and about sites that normal reporting points to them. And another about joe jobbing of sites they host. However ...

Almost all of my 'normal' spam for the past few days has been showing links to sites that report to (disabled) abuse[at]cloudflare.com. Some with the email source pointing there too.

That includes spam that is attempting to use the links to collect more information, and sell me 'junk'. Has the manager or the botnet that spews most of my spam shifted their hosting to Cloudflare? Is it time / possible to find some other place to report these?

Examples (with guid style suffixes removed)

http:/ /bccdui.com

http:/ /cottage-bb.com

http:/ /banksville.net

http:/ /dcdzine.com

http:/ /escape-tour.com

http:/ /fmuae.com

http:/ /camcoomya.com

Suggestions?

Edited by SteveT (turetzsr) to break the URL links.


A search here shows an old topic about Cloudflare not being responsible for spam from and about sites that normal reporting points to them. And another about joe jobbing of sites they host. However ...

Almost all of my 'normal' spam for the past few days has been showing links to sites that report to (disabled) abuse[at]cloudflare.com. Some with the email source pointing there too.

That includes spam that is attempting to use the links to collect more information, and sell me 'junk'. Has the manager or the botnet that spews most of my spam shifted their hosting to Cloudflare? Is it time / possible to find some other place to report these?

Examples (with guid style suffixes removed)

http:/ /bccdui.com

http:/ /cottage-bb.com

http:/ /banksville.net

http:/ /dcdzine.com

http:/ /escape-tour.com

http:/ /fmuae.com

http:/ /camcoomya.com

Suggestions?

Edited by SteveT (turetzsr) to break the URL links.

Botnet static (joe job)

The sites are suspicious but "innocent"

http://www.spamcop.net/sc?id=z5911914157z8...46721665405a89z

In notes I have a boilerplate to add to the SpamCop report

The bits in RED I added to my boilerplate

14.96.170.206 (Administrator of network where email originates)

BOTNET ATTACK HOST

http://cbl.abuseat.org/lookup.cgi?ip=14.96.170.206

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE

http://spamcop.net/w3m?action=checkblock&ip=14.96.170.206

Other hosts in this "neighborhood" with spam reports

14.96.170.112 14.96.170.181 14.96.170.224 14.96.171.22 14.96.171.49 14.96.171.156 14.96.171.165

Edited by petzl

Botnet static (joe job)

The sites are suspicious but "innocent"

Which would be fine if the sites were innocent (for values of). These sites belonged with the spam. Same pattern / structure of emails I get all of the time, with random (botnet and open proxy) sources, and moving URLs. The difference is now almost all of the URLs are pointing to sites that are owned / hosted / managed [whatever] by Cloudflare.

I suppose the spam emails could have been collected (not like they are rare or anything), and sent again from a joe job botnet with adjusted URLs. Given that the URLs all look 'personalized' with identifier GUID, I do not want to go exploring the links to see if they really match with the spamvertized content. I tried some munged variations, but got nothing useful.


Which would be fine if the sites were innocent (for values of). These sites belonged with the spam. Same pattern / structure of emails I get all of the time, with random (botnet and open proxy) sources, and moving URLs. The difference is now almost all of the URLs are pointing to sites that are owned / hosted / managed [whatever] by Cloudflare.

I suppose the spam emails could have been collected (not like they are rare or anything), and sent again from a joe job botnet with adjusted URLs. Given that the URLs all look 'personalized' with identifier GUID, I do not want to go exploring the links to see if they really match with the spamvertized content. I tried some munged variations, but got nothing useful.

The sites I looked at are criminal. But don't believe they are "with" the botnet

A while ago this botnet was framing a stolen credit card site/s

could be a "loose cannon" gibbering?


It seems to me the CF is doing a better job. I have not seen any criminals hiding behind them for the last week of spam (at least not here).

Now, what to do about hosting RIGHTSIDE.CO AND OVH.CA They host 95% of all spam sites rcvd here.

Howie


It seems to me the CF is doing a better job. I have not seen any criminals hiding behind them for the last week of spam (at least not here).

Now, what to do about hosting RIGHTSIDE.CO AND OVH.CA They host 95% of all spam sites rcvd here.

Howie

Not sure about "RIGHTSIDE.CO"

OVH.CA are spam friendly help if you include a SpamCop track to get better advice

OVH have a report site here but I find it not helping

http://www.ovh.com/fr/support/documents_le...nu_illicite.cgi

If it is a porn site spam I include this boiler text makes OVH complacent in Child Porn

Child porn spammer

pictures under 18 or made to look under 18

PORN SPAMMER uses hacked web and email accounts

Change log-on to a more secure password!

Scan for Malware!


Very, very tired of Cloudflare spam.

Cloudflare was in the news recently for disclosing to alt-right sites the identity of people who complained about the nazi-type stuff they send out through Cloudflare. 

https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web

This is one example why Spamcop ought to be working to do better at removing all the personal identification material including the unique tracking strings the spammers use, to protect people who complain.

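The munging asked for in the last post (and done by hand in the first post's "guid style suffixes removed"), as an added example that is not part of the thread and is not SpamCop's own code. The token shapes, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Shapes treated as per-recipient identifiers (an assumption of this example,
# not a SpamCop rule): canonical GUIDs, long hex runs, long base64url runs.
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
HEX = re.compile(r"[0-9a-f]{16,}", re.I)
B64 = re.compile(r"[A-Za-z0-9_-]{20,}={0,2}")
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)


def looks_like_tracker(segment: str) -> bool:
    """True when a whole path segment has the shape of a tracking token."""
    if GUID.fullmatch(segment) or HEX.fullmatch(segment):
        return True
    # Require a digit so long hyphenated page names are not flagged.
    return bool(B64.fullmatch(segment)) and any(c.isdigit() for c in segment)


def munge_url(url: str) -> str:
    """Keep scheme, host and ordinary path; drop query, fragment and tokens."""
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        # Whole-segment tokens become "x"; GUIDs embedded in a name are cut out.
        segments.append("x" if looks_like_tracker(seg) else GUID.sub("x", seg))
    # The query string is dropped wholesale: it is where most IDs ride.
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


def munge_report(text: str, recipient: str) -> str:
    """Remove the reporter's address (plain and %40 form), then munge URLs."""
    for form in (recipient, recipient.replace("@", "%40")):
        text = re.sub(re.escape(form), "x", text, flags=re.I)
    return URL.sub(lambda m: munge_url(m.group(0)), text)


# Constructed sample spam body; the addresses and hosts are placeholders.
SAMPLE = (
    "To: <alice@example.org>\n"
    "Click http://shop.example/offer/3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d?u=alice%40example.org now\n"
    "or http://shop.example/u/QWxpY2VAZXhhbXBsZS5vcmc9MTIz/unsub\n"
)

if __name__ == "__main__":
    print(munge_report(SAMPLE, "alice@example.org"))
```

The host survives so the abuse desk can still identify the site, while the parts that would let the spammer tie a complaint to one recipient are gone.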
