forrie Posted October 29, 2014

We have been inundated by a spammer that is (mostly) utilizing IP space from eonix.net (or one of their resellers). Abuse complaints have been sent via the proper channels, which includes SpamCop. It appears their WHOIS record is out of date, as any of the email addresses listed bounces. Furthermore the website seems rather spartan, with no real contact info.

The spammer appears to be hopping a couple of large resellers. I eventually had to place a phone call to one of them, ColoCrossing.com, to attempt to get some information. Their claim is they are a large reseller -- the implication being they can't process abuse complaints. Though, the representative was quickly able to bring up one of my SpamCop complaints.

This leads me to believe that, at least for eonix.net, they are ignoring the complaints (rather obvious) and/or they are having difficulty handling the incoming complaints.

I've included a sanitized sample of one of the messages below.

Anyone have contact information for eonix.net? Is anyone else also witnessing this activity into their systems?

Thanks.
Return-path: <refialert[at]sevenstarhost59.link>
X-spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.dce.harvard.edu
X-spam-Level: ***
X-spam-Status: No, score=3.1 required=7.0 tests=BAYES_50,DATE_IN_PAST_06_12, RDNS_NONE,SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.1
Received: from [23.90.51.41] (helo=sevenstarhost59.link) by [ omitted ] with esmtp (Exim 4.72) (envelope-from <refialert[at]sevenstarhost59.link>) id 1XjXhQ-00065A-2g for [ omitted ]; Wed, 29 Oct 2014 14:10:25 -0400
Date: Wed, 29 Oct 2014 04:08:41 -0700
Content-Type: text/plain
Message-ID: <17965143refia321lert[at]sevenstarhost59.link-17965143>
Subject: Re: Your Home-Rate is 2.87%...
From: "Refi Alert" <refialert[at]sevenstarhost59.link>
Mime-Version: 1.0
To: [ omitted ]
DNS-PRop: 17965143-[ omitted ]17965143

Refi Alert: Home-Rate Approval
--------------------------------
Notice: #17965143
Date: 10/29/14
To: [omitted]
Your home-rate is now 2.87% as of 10/29/14*
You may now save up to 50% on your home-bill like other American's who have taken advantage of lower rates.
Go Here for Info:
http://view.sevenstarhost59.link
Notice: #17965143
Department: Rate Approvals
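Added example (not part of the original post or of SpamCop's or SpamAssassin's code): a short Python check that pulls the connecting relay out of the topmost Received header of the sample above and shows why SpamAssassin's DATE_IN_PAST_06_12 test fired. The function name `analyze`, the regular expression and the 6-12 hour window as coded here are assumptions made for illustration; the headers are the ones posted, with "[ omitted ]" left as is.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers taken from the sanitized sample in the post; "[ omitted ]" is kept
# exactly as posted, and the one-line body is a constructed stand-in.
SAMPLE = """\
Return-path: <refialert[at]sevenstarhost59.link>
Received: from [23.90.51.41] (helo=sevenstarhost59.link)
\tby [ omitted ] with esmtp (Exim 4.72)
\t(envelope-from <refialert[at]sevenstarhost59.link>)
\tid 1XjXhQ-00065A-2g
\tfor [ omitted ]; Wed, 29 Oct 2014 14:10:25 -0400
Date: Wed, 29 Oct 2014 04:08:41 -0700
Subject: Re: Your Home-Rate is 2.87%...

(body omitted)
"""

# Exim-style 'from [ip] (helo=name)' clause, as it appears in the sample.
RELAY_RE = re.compile(r"from \[(?P<ip>[0-9A-Fa-f.:]+)\] \(helo=(?P<helo>[^)\s]+)\)")


def analyze(raw):
    """Return relay IP, HELO name and Date-vs-Received skew for one message."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    if not hops or msg["Date"] is None:
        return None  # nothing trustworthy to report on
    # The topmost Received header was written by the receiving MTA itself;
    # anything below it can be forged by the sender.
    top = " ".join(hops[0].split())  # unfold continuation lines
    relay = RELAY_RE.search(top)
    try:
        received_at = parsedate_to_datetime(top.rsplit(";", 1)[-1].strip())
        claimed_at = parsedate_to_datetime(msg["Date"])
        skew = (received_at - claimed_at).total_seconds() / 3600
    except (TypeError, ValueError):
        return None  # unparseable or timezone-less timestamp
    return {
        "source_ip": relay.group("ip") if relay else None,
        "helo": relay.group("helo") if relay else None,
        "skew_hours": round(skew, 2),
        # Simplified reading of DATE_IN_PAST_06_12: Date is 6-12 h before receipt.
        "date_in_past_06_12": 6 <= skew < 12,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The relay address it returns is the one to look up in WHOIS when working out where an abuse report should go.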
turetzsr Posted October 29, 2014

Eonix: http://www.goodsearch.com/search-web?keywords=%2B%22eonix.net%22+%2Bspam

But your note that your Colocrossing contact was able to bring up the SpamCop complaint suggests that a Colocrossing IP address is the spam source.
http://www.goodsearch.com/search-web?utf8=%E2%9C%93&keywords=%2B%22ColoCrossing.com%22+%2Bspam
forrie Posted October 29, 2014

It could be a case where the spammer is paying good $$ and they don't care; the representative claimed that they are a hosting provider and have 100's (or more) of virtual customers that resell services. Difficult to say, but the data out there suggests they are very aware of it and don't care. Maybe if their networks got null routed (blackholed) that might get their attention.
turetzsr Posted October 29, 2014

> <snip> Maybe if their networks got null routed (blackholed) that might get their attention.

Exactly: so keep reporting! <g>
Ben2k Posted November 7, 2014

We too have been experiencing problems with Eonix. 2/3 of all spam we receive either comes from Eonix or advertises sites hosted by them. We continue to report them, but for about a week now Spamcop has been giving us this message when we process the spam:

    Using abuse net on net-admin[at]eonix.net
    No abuse net record for eonix.net
    Using default postmaster contacts postmaster[at]eonix.net
    postmaster[at]eonix.net redirects to net-abuse[at]eonix.net
    net-abuse[at]eonix.net bounces (322 sent : 165 bounces)
    Sorry, no reporting addresses found for 173.232.249.177. Nothing to do.
forrie Posted November 7, 2014

The eonix addresses I've found published in their WHOIS records all bounce. The other offender, ColoCrossing, I believe is knowingly allowing the activity and ignoring the complaints. This has been going on for weeks -- I called ColoCrossing and though the tech support person says they are a large provider and this spammer is traversing virtual providers, they were quickly able to pull up my SpamCop complaints.

Eonix is out of CA, I believe. Their webpage is spartan.
turetzsr Posted November 7, 2014

> <snip> We continue to report them, but for about a week now Spamcop has been giving us this message when we process the spam:
>
>     Using abuse net on net-admin[at]eonix.net
>     No abuse net record for eonix.net
>     Using default postmaster contacts postmaster[at]eonix.net
>     postmaster[at]eonix.net redirects to net-abuse[at]eonix.net
>     net-abuse[at]eonix.net bounces (322 sent : 165 bounces)
>     Sorry, no reporting addresses found for 173.232.249.177. Nothing to do.

Don't be misled by that last statement "Nothing to do." That just means that the SpamCop parser couldn't find an abuse address to whom it would send a complaint. If you clicked the "Send spam Report(s) Now" button, it did add your spam to the statistics that it uses to decide whether to place the source IP address on the SpamCop blacklist (or, if it is already there, whether and how long to keep it there). <g>
Ben2k Posted November 8, 2014

When Spamcop shows that "nothing to do" message, there's no "Send spam Report(s) Now" button to click.

For other ISPs that don't have a valid abuse address, Spamcop lists a devnull address and explicitly states it's using that address for statistical or tracking purposes. In the case of Eonix, it doesn't list such an address and there's no "Send spam Report(s) Now" button to click.
anyone8 Posted November 8, 2014

> When Spamcop shows that "nothing to do" message, there's no "Send spam Report(s) Now" button to click.
>
> For other ISPs that don't have a valid abuse address, Spamcop lists a devnull address and explicitly states it's using that address for statistical or tracking purposes. In the case of Eonix, it doesn't list such an address and there's no "Send spam Report(s) Now" button to click.

A tracking URL would probably help folks troubleshoot this. On the page that is missing the button to send the spam reports, there should be a line "Here is your TRACKING URL - it may be saved for future reference:" near the top and a link (the tracking URL) right below the "Here is your TRACKING URL - it may be saved for future reference:" line.
Ben2k Posted November 8, 2014

Ok, here's a few recent ones:

http://www.spamcop.net/sc?id=z6008951425z54448b21edb6887965a6299e92f990fdz
http://www.spamcop.net/sc?id=z6008952234zd45e85a100f37947f3537415885b457cz
http://www.spamcop.net/sc?id=z6008952236z2ff4a8c762e63c42f6ce409bfa1b96bdz
http://www.spamcop.net/sc?id=z6008952233z7b3cb31268b5bb9a3a49dae4cc0c491az
http://www.spamcop.net/sc?id=z6008951421z12c421b49762159613d82987c53b159fz
anyone8 Posted November 10, 2014

Thanks for posting the tracking URLs. Unfortunately, they're now showing the "Sorry, this email is too old to file a spam report" message. Maybe I should check back more often!

Anyway, I fed the IP address from one of them to the parser, which will usually get it to tell the email address a person could send an abuse report to. Sure enough, it gave the problem you described. Since what I did doesn't produce a tracking URL, I'll quote the parser's output:

    Parsing input: 104.206.22.85 [report history]
    Routing details for 104.206.22.85
    [refresh/show] Cached whois for 104.206.22.85 : net-admin[at]eonix.net
    Using abuse net on net-admin[at]eonix.net
    No abuse net record for eonix.net
    Using default postmaster contacts postmaster[at]eonix.net
    postmaster[at]eonix.net redirects to net-abuse[at]eonix.net
    net-abuse[at]eonix.net bounces (322 sent : 165 bounces)
    Cannot find master for:104.206.22.85
    No valid email addresses found, sorry!
    There are several possible reasons for this:
    - The site involved may not want reports from SpamCop.
    - SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
    - SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
    - There may be no working email address to receive reports.

I also tried another IP address (108.160.150.154) from one of my spam reports that had recently gone to an address at devnull.spamcop.net. I noticed three differences between the parser output for these two IP addresses (not counting the long explanation starting with "There are several possible reasons for this", which I included in the quote in case it would be useful to someone):

1. "No abuse net record for eonix.net". I don't think this is the problem, but I'm not an expert, just an experienced user.
2. "postmaster[at]eonix.net redirects to net-abuse[at]eonix.net" followed by "net-abuse[at]eonix.net bounces (322 sent : 165 bounces)". I suspect this is where the problem is. My suspicion is that the parser doesn't handle the scenario where it follows a redirect and then finds out that it bounces. In other words, my guess is that if that redirect didn't exist, the parser would do something like postmaster#eonix[at]devnull.spamcop.net.
3. The IP address I tried still had at least one valid email address after the parser devnull'ed the ones it didn't like. However, I think the parser will handle the case where all addresses are devnull.

Although my reply doesn't solve anything, I'm hoping this discussion will lead to an action by someone who can make a difference. Since the previous discussion in this thread indicates that all the contact addresses for the ISP bounce, I think that makes getting the statistics on the IP address even more important. Maybe some time on the SpamCop blocklist will help the situation somehow.

For the IP 104.206.22.85, I did notice the whois says

    Comment: Please contact us directly to report abuse: net-abuse[at]eonix.net

and wondered if that meant they want abuse reports directly from the user rather than through spamcop. Of course, that could be because spamcop gives a little anonymity to abuse reports, which would probably make it harder for an ISP to listwash those who complain. Heaven forbid they actually get rid of the spammer(s) on their network.

Hope something I've written helps somehow.
CactusPete Posted November 10, 2014

I have a couple of recent ones:

http://www.spamcop.net/sc?id=z6010388215z2100d0f2278e90e49bdda2acfbcaf1fbz
http://www.spamcop.net/sc?id=z6010268018z8eb2cfe3c37c205b1f5e7888cb589870z

edit: add
http://www.spamcop.net/sc?id=z6010527864zd7b7aa30c5f6a90e8e1197bd7675127dz

Hope that helps.

-Dan
forrie Posted November 10, 2014

FWIW, this spammer is crossing over to/from EONIX and ColoCrossing.com. While I was able to speak to someone at ColoCrossing (as I mentioned), it's pretty obvious they aren't doing anything about it.

Furthermore, I believe the spammer's systems (virtual or otherwise) are located in the EST timezone. They seem to cease sending spam at night, but resume during EST business hours. It's pretty much a constant influx.

I work for a major *.edu and so blocking /24's has more impact for us (ie: remote students, networks, et al) and I don't run the MTA in our department -- otherwise I would block these idiots outright.

I would love to see someone BGP null route ColoCrossing and EONIX.
petzl Posted November 10, 2014

> FWIW, this spammer is crossing over to/from EONIX and ColoCrossing.com. While I was able to speak to someone at ColoCrossing (as I mentioned), it's pretty obvious they aren't doing anything about it.
>
> Furthermore, I believe the spammer's systems (virtual or otherwise) are located in the EST timezone. They seem to cease sending spam at night, but resume during EST business hours. It's pretty much a constant influx.
>
> I work for a major *.edu and so blocking /24's has more impact for us (ie: remote students, networks, et al) and I don't run the MTA in our department -- otherwise I would block these idiots outright.
>
> I would love to see someone BGP null route ColoCrossing and EONIX.

go to their Facebook page and badger them there

Also forward as attachment to their abuse address AND spam[at]uce.gov

INCLUDE NOTES (like/similar below) seems to throw more weight behind abuse complaint

    SpamCop TRACKING URL - it may be saved for future reference:
    http://www.spamcop.net/sc?id=z6010388215z2100d0f2278e90e49bdda2acfbcaf1fbz
    net-abuse[at]eonix.net bounces (322 sent : 165 bounces)
    USA - Nevada spam crime gang using "Eonix Corporation" servers
    http://spamcop.net/w3m?action=checkblock&ip=104.206.22.120
    Other hosts in this "neighborhood" with spam reports
anyone8 Posted November 11, 2014

> I have a couple of recent ones:
>
> http://www.spamcop.net/sc?id=z6010388215z2100d0f2278e90e49bdda2acfbcaf1fbz
> http://www.spamcop.net/sc?id=z6010268018z8eb2cfe3c37c205b1f5e7888cb589870z
>
> edit: add
> http://www.spamcop.net/sc?id=z6010527864zd7b7aa30c5f6a90e8e1197bd7675127dz
>
> Hope that helps.
>
> -Dan

I guess it works part of the time, as the one you added last has the button to send spam reports instead of erroring out. Of course, they'd go to devnull.spamcop.net, but at least they'd be counted instead of lost because of some error in the parser.
CactusPete Posted November 12, 2014

> I guess it works part of the time, as the one you added last has the button to send spam reports instead of erroring out. Of course, they'd go to devnull.spamcop.net, but at least they'd be counted instead of lost because of some error in the parser.

Actually, it seems something changed, and all my submissions yesterday allowed me to report, and I haven't had these again since. It's been mostly an ADP scam today.
anyone8 Posted November 12, 2014

> Actually, it seems something changed, and all my submissions yesterday allowed me to report, and I haven't had these again since. It's been mostly an ADP scam today.

The parser seems to be handling this for some IP addresses but not others, as it still gives the "No valid email addresses found, sorry!" error for 104.206.22.85.
mobman Posted July 27, 2016

this is over 2 years old... and yet eonix.net still sending spam.
https://whois.arin.net/rest/net/NET-104-140-158-0-1/pft?s=104.140.158.22
from this ip address

This website is crap, and all their phone and other contact information is wrong.. arin even made a note on the account saying it was wrong... yet hasn't pulled the IP range off yet or blackhole them.
Lking Posted July 27, 2016

Sometimes leopards don't change their spots.

Although the ICANN (Internet Corporation for Assigned Names and Numbers) should police the assigned IP addresses and the abuse, it is well documented that they are "not that aggressive" in the execution of their policing responsibilities. JMHO

Given the ongoing situation the only thing to do is continue to report spam so that the source IPs can be blocked.
Skylance Posted July 23, 2017

Doing research on eonix and this Spamcop thread is top. At present, we're in a bit of a scrap with this spam-friendly outfit. A non-allocated email address on our domain, created for a special purpose, allowed me to figure that either another company sold their contact list, or was hacked. Of course, they deny either; but considering the caliber of technical ignorance even the "supervisor" showed, I'm not convinced.

Anyhow, courtesy of them, eonix is complicit in a spam campaign against my domain. All domains are registered through Namecheap, some using false info. A BBB complaint is now active, with some hogwash "we take spam reports seriously" (never responded, phone numbers invalid, email addresses invalid).

I'm surprised they're still up, still operational, and not blacklisted. I thought ICANN and ARIN took bogus contact info more seriously...
This topic is now archived and is closed to further replies.