forrie

Contact for eonix.net, ongoing spam

20 posts in this topic

We have been inundated by a spammer that is (mostly) utilizing IP space from eonix.net (or one of their resellers). Abuse complaints have been sent via the proper channels, which includes SpamCop. It appears their WHOIS record is out of date, as any of the email addresses listed bounces. Furthermore the website seems rather spartan, with no real contact info.

The spammer appears to be hopping a couple of large resellers. I eventually had to place a phone call to one of them, ColoCrossing.com, to attempt to get some information. Their claim is they are a large reseller -- the implication being they can't process abuse complaints. Though, the representative was quickly able to bring up one of my SpamCop complaints.

This leads me to believe that, at least for eonix.net, they are ignoring the complaints (rather obvious) and/or they are having difficulty handling the incoming complaints.

I've included a sanitized sample of one of the messages below.

Anyone have contact information for eonix.net? Is anyone else also witnessing this activity into their systems?

Thanks.

Return-path: <refialert[at]sevenstarhost59.link>
X-spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.dce.harvard.edu
X-spam-Level: ***
X-spam-Status: No, score=3.1 required=7.0 tests=BAYES_50,DATE_IN_PAST_06_12,
    RDNS_NONE,SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.1
Received: from [23.90.51.41] (helo=sevenstarhost59.link)
    by [ omitted ] with esmtp (Exim 4.72)
    (envelope-from <refialert[at]sevenstarhost59.link>)
    id 1XjXhQ-00065A-2g
    for [ omitted ]; Wed, 29 Oct 2014 14:10:25 -0400
Date: Wed, 29 Oct 2014 04:08:41 -0700
Content-Type: text/plain
Message-ID: <17965143refia321lert[at]sevenstarhost59.link-17965143>
Subject: Re: Your Home-Rate is 2.87%...
From: "Refi Alert" <refialert[at]sevenstarhost59.link>
Mime-Version: 1.0
To: [ omitted  ]
DNS-PRop: 17965143-[ omitted ]17965143

Refi Alert: Home-Rate Approval
--------------------------------
Notice: #17965143
Date: 10/29/14
To: [omitted]

Your home-rate is now 2.87% as of 10/29/14*
You may now save up to 50% on your home-bill like other American's who have taken advantage of lower rates.

Go Here for Info:
http://view.sevenstarhost59.link

Notice: #17965143
Department: Rate Approvals

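Added example, not part of the original post: a Python sketch that pulls the connecting IP, the HELO name and the lag between the Date header and the arrival time out of the headers in the sample above, which is what an abuse report or a local block decision rests on. The `summarize` function and its field names are hypothetical; the lag it computes falls in the 6 to 12 hour window that the DATE_IN_PAST_06_12 test in the SpamAssassin line refers to.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Headers copied from the sanitized sample in the post above; the receiving
# host stays "[ omitted ]" exactly as the poster left it.
SAMPLE = """\
Received: from [23.90.51.41] (helo=sevenstarhost59.link)
\tby [ omitted ] with esmtp (Exim 4.72)
\t(envelope-from <refialert[at]sevenstarhost59.link>)
\tid 1XjXhQ-00065A-2g
\tfor [ omitted ]; Wed, 29 Oct 2014 14:10:25 -0400
Date: Wed, 29 Oct 2014 04:08:41 -0700
Subject: Re: Your Home-Rate is 2.87%...

body omitted
"""

# Exim records a peer without reverse DNS as "from [ip] (helo=name)".
PEER = re.compile(r"from\s+(?:\S+\s+)?\[([0-9a-fA-F.:]+)\](?:\s+\(helo=([^)\s]+)\))?")


def summarize(raw):
    """Return source IP, HELO, enclosing /24 (IPv4) and Date lag in hours."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received header")
    # Only the topmost Received line was written by our own MTA; unfold it.
    top = " ".join(received[0].split())
    m = PEER.search(top)
    if not m:
        raise ValueError("no bracketed peer address in Received header")
    ip = ipaddress.ip_address(m.group(1))  # raises ValueError on junk
    arrived = parsedate_to_datetime(top.rsplit(";", 1)[1].strip())
    claimed = parsedate_to_datetime(msg["Date"])
    return {
        "source_ip": str(ip),
        "helo": m.group(2),
        # /24 is used here only to tally reports per block (IPv4 input assumed).
        "net24": str(ipaddress.ip_network(f"{ip}/24", strict=False)),
        "date_lag_hours": round((arrived - claimed).total_seconds() / 3600, 2),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```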

Eonix: http://www.goodsearch.com/search-web?keywords=%2B%22eonix.net%22+%2Bspam

But your note that your Colocrossing contact was able to bring up the SpamCop complaint suggests that a Colocrossing IP address is the spam source. http://www.goodsearch.com/search-web?utf8=%E2%9C%93&keywords=%2B%22ColoCrossing.com%22+%2Bspam.


It could be a case where the spammer is paying good $$ and they don't care; the representative claimed that they are a hosting provider and have 100's (or more) of virtual customers that resell services. Difficult to say, but the data out there suggests they are very aware of it and don't care.

Maybe if their networks got null routed (blackholed) that might get their attention.


<snip>

Maybe if their networks got null routed (blackholed) that might get their attention.

Exactly: so keep reporting! :) <g>


We too have been experiencing problems with Eonix. 2/3 of all spam we receive either comes from Eonix or advertises sites hosted by them.

We continue to report them, but for about a week now Spamcop has been giving us this message when we process the spam:

Using abuse net on net-admin[at]eonix.net
No abuse net record for eonix.net
Using default postmaster contacts postmaster[at]eonix.net
postmaster[at]eonix.net redirects to net-abuse[at]eonix.net
net-abuse[at]eonix.net bounces (322 sent : 165 bounces)

Sorry, no reporting addresses found for 173.232.249.177.
Nothing to do.


The eonix addresses I've found published in their WHOIS records all bounce. The other offender, ColoCrossing, I believe is knowingly allowing the activity and ignoring the complaints. This has been going on for weeks -- I called ColoCrossing and though the tech support person says they are a large provider and this spammer is traversing virtual providers, they were quickly able to pull up my SpamCop complaints.

Eonix is out of CA, I believe. Their webpage is spartan.


<snip>

We continue to report them, but for about a week now Spamcop has been giving us this message when we process the spam:

Using abuse net on net-admin[at]eonix.net

No abuse net record for eonix.net

Using default postmaster contacts postmaster[at]eonix.net

postmaster[at]eonix.net redirects to net-abuse[at]eonix.net

net-abuse[at]eonix.net bounces (322 sent : 165 bounces)

Sorry, no reporting addresses found for 173.232.249.177.

Nothing to do.

Don't be misled by that last statement "Nothing to do." That just means that the SpamCop parser couldn't find an abuse address to whom it would send a complaint. If you clicked the "Send spam Report(s) Now" button, it did add your spam to the statistics that it uses to decide whether to place the source IP address on the SpamCop blacklist (or, if it is already there, whether and how long to keep it there). :) <g>


When Spamcop shows that "nothing to do" message, there's no "Send spam Report(s) Now" button to click.

For other ISPs that don't have a valid abuse address, Spamcop lists a devnull address and explicitly states it's using that address for statistical or tracking purposes. In the case of Eonix, it doesn't list such an address and there's no "Send spam Report(s) Now" button to click.


When Spamcop shows that "nothing to do" message, there's no "Send spam Report(s) Now" button to click.

For other ISPs that don't have a valid abuse address, Spamcop lists a devnull address and explicitly states it's using that address for statistical or tracking purposes. In the case of Eonix, it doesn't list such an address and there's no "Send spam Report(s) Now" button to click.

A tracking URL would probably help folks troubleshoot this. On the page that is missing the button to send the spam reports, there should be a line "Here is your TRACKING URL - it may be saved for future reference:" near the top and a link (the tracking URL) right below the "Here is your TRACKING URL - it may be saved for future reference:" line.


Thanks for posting the tracking URLs. Unfortunately, they're now showing the "Sorry, this email is too old to file a spam report" message. Maybe I should check back more often! :)

Anyway, I fed the IP address from one of them to the parser, which will usually get it to tell the email address a person could send an abuse report to. Sure enough, it gave the problem you described. Since what I did doesn't produce a tracking URL, I'll quote the parser's output:

Parsing input: 104.206.22.85

[report history]
Routing details for 104.206.22.85
[refresh/show] Cached whois for 104.206.22.85 : net-admin[at]eonix.net
Using abuse net on net-admin[at]eonix.net
No abuse net record for eonix.net
Using default postmaster contacts postmaster[at]eonix.net
postmaster[at]eonix.net redirects to net-abuse[at]eonix.net
net-abuse[at]eonix.net bounces (322 sent : 165 bounces)

Cannot find master for:104.206.22.85
No valid email addresses found, sorry!
There are several possible reasons for this:
  • The site involved may not want reports from SpamCop.
  • SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
  • SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
  • There may be no working email address to receive reports.

I also tried another IP address (108.160.150.154) from one of my spam reports that had recently gone to an address at devnull.spamcop.net.

I noticed three differences between the parser output for these two IP addresses (not counting the long explanation starting with "There are several possible reasons for this", which I included in the quote in case it would be useful to someone):

  1. "No abuse net record for eonix.net". I don't think this is the problem, but I'm not an expert, just an experienced user.
  2. "postmaster[at]eonix.net redirects to net-abuse[at]eonix.net" followed by "net-abuse[at]eonix.net bounces (322 sent : 165 bounces)". I suspect this is where the problem is. My suspicion is that the parser doesn't handle the scenario where it follows a redirect and then finds out that it bounces. In other words, my guess is that if that redirect didn't exist, the parser would do something like postmaster#eonix[at]devnull.spamcop.net.
  3. The IP address I tried still had at least one valid email address after the parser devnull'ed the ones it didn't like. However, I think the parser will handle the case where all addresses are devnull.

Although my reply doesn't solve anything, I'm hoping this discussion will lead to an action by someone who can make a difference. Since the previous discussion in this thread indicates that all the contact addresses for the ISP bounce, I think that makes getting the statistics on the IP address even more important. Maybe some time on the SpamCop blocklist will help the situation somehow.

For the IP 104.206.22.85, I did notice the whois says

Comment: Please contact us directly to report abuse: net-abuse[at]eonix.net

and wondered if that meant they want abuse reports directly from the user rather than through spamcop. Of course, that could be because spamcop gives a little anonymity to abuse reports, which would probably make it harder for an ISP to listwash those who complain. Heaven forbid they actually get rid of the spammer(s) on their network. :o

Hope something I've written helps somehow.


FWIW, this spammer is crossing over to/from EONIX and ColoCrossing.com. While I was able to speak to someone at ColoCrossing (as I mentioned), it's pretty obvious they aren't doing anything about it. Furthermore, I believe the spammer's systems (virtual or otherwise) are located in the EST timezone. They seem to cease sending spam at night, but resume during EST business hours. It's pretty much a constant influx.

I work for a major *.edu and so blocking /24's has more impact for us (ie: remote students, networks, et al) and I don't run the MTA in our department -- otherwise I would block these idiots outright.

I would love to see someone BGP null route ColoCrossing and EONIX.

Edited by forrie


FWIW, this spammer is crossing over to/from EONIX and ColoCrossing.com. While I was able to speak to someone at ColoCrossing (as I mentioned), it's pretty obvious they aren't doing anything about it. Furthermore, I believe the spammer's systems (virtual or otherwise) are located in the EST timezone. They seem to cease sending spam at night, but resume during EST business hours. It's pretty much a constant influx.

I work for a major *.edu and so blocking /24's has more impact for us (ie: remote students, networks, et al) and I don't run the MTA in our department -- otherwise I would block these idiots outright.

I would love to see someone BGP null route ColoCrossing and EONIX.

go to their Facebook page and badger them there

Also forward as attachment to their abuse address AND spam[at]uce.gov

INCLUDE NOTES (like/similar below) seems to throw more weight behind abuse complaint

SpamCop TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z6010388215z2100d0f2278e90e49bdda2acfbcaf1fbz

net-abuse[at]eonix.net bounces (322 sent : 165 bounces)

USA - Nevada

spam crime gang using "Eonix Corporation" servers

http://spamcop.net/w3m?action=checkblock&ip=104.206.22.120

Other hosts in this "neighborhood" with spam reports


I guess it works part of the time, as the one you added last has the button to send spam reports instead of erroring out. Of course, they'd go to devnull.spamcop.net, but at least they'd be counted instead of lost because of some error in the parser.


I guess it works part of the time, as the one you added last has the button to send spam reports instead of erroring out. Of course, they'd go to devnull.spamcop.net, but at least they'd be counted instead of lost because of some error in the parser.

Actually, it seems something changed, and all my submissions yesterday allowed me to report, and I haven't had these again since. It's been mostly an ADP scam today.


Actually, it seems something changed, and all my submissions yesterday allowed me to report, and I haven't had these again since. It's been mostly an ADP scam today.

The parser seems to be handling this for some IP addresses but not others, as it still gives the "No valid email addresses found, sorry!" error for 104.206.22.85.


Sometimes leopards don't change their spots. Although the ICANN (Internet Corporation for Assigned Names and Numbers) should police the assigned IP addresses and the abuse, it is well documented that they are "not that aggressive" in the execution of their policing responsibilities. JMHO

Given the ongoing situation the only thing to do is continue to report spam so that the source IPs can be blocked.


Doing research on eonix and this Spamcop thread is top. At present, we're in a bit of a scrap with this spam-friendly outfit. A non-allocated email address on our domain, created for a special purpose, allowed me to figure that either another company sold their contact list, or was hacked. Of course, they deny either; but considering the caliber of technical ignorance even the "supervisor" showed, I'm not convinced. Anyhow, courtesy of them, eonix is complicit in a spam campaign against my domain. All domains are registered through Namecheap, some using false info. A BBB complaint is now active, with some hogwash "we take spam reports seriously" (never responded, phone numbers invalid, email addresses invalid). I'm surprised they're still up, still operational, and not blacklisted. I thought ICANN and ARIN took bogus contact info more seriously...
