RobiBue

spammer using IP range 58.14.0.0/16 is changing to range 27.146.0.0/16

Posted (edited)

Since mid-May I have been reporting spam originating from IP-range 58.14/16

May 18, 2018 to June 29, 2018: a total of 3359 spam messages from that IP range! That's over 76 per day...

It looks like my reporting is working, as the spammer seems to be switching to 27.146/16 as I have already received 10 from there in the last 1.5 hour...

Unfortunately, Cloudflare is still hosting their spamvertised websites... and doesn't seem to give "a barrier constructed to hold back water"

Edited by RobiBue
little addition about Cloudflare...

Posted (edited)

What type of spam is being sent, is it the same thing? If you could give some examples of what's being sent it would be easier to find out what's the best way to stop it. I've dealt with persistent nuisance spammers by using any of the email addresses on their advertised spam pages, and digging out as many of their mail addresses as possible by using URL scan, whois etc. Then I contact them and tell them they are being reported, all the info is logged and recorded, and tell them it will be passed on to the Federal Trade Commission (or whichever regulator deals with unsolicited spam where you live). The junk mail has stopped immediately.

Cloudflare are indeed the absolute pits for junk spam and not dealing with it.

Edited by mojorisin


I had the same problem with a cowboy spammer called rutherl.com
There was no way to contact them, and the only web page they seem to have is here
http://www.rutherl.com/

They sent loads of this advertising rubbish for all manner of things: online gambling, Glossy Bingo, health care etc. All this crap was hosted by Limestone Networks; like Cloudflare they take no notice of abuse reports, and are a haven for spammers.

You can see many other people aren't happy with Limestone Networks by looking at the reviews they get on their Facebook page here.
https://www.facebook.com/pg/limestoneinc/reviews/

The spamvertised pages either had no unsubscribe option, or if they did, it wouldn't work. On the few occasions it did work, they didn't act on it and just kept sending the junk anyway.
So like I said above, I set out to contact the companies directly who they were advertising for. I only needed to send one email to get it stopped. I contacted this Glossy Bingo and reminded them the CAN-SPAM Act states: 'A. Each separate email in violation of the law is subject to penalties of up to $41,484, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible.'

After being pestered for months, all it took was one email directly to one of the companies being advertised to stop it straight away.

[attachment: limehouse.JPG]

19 hours ago, RobiBue said:

Since mid-May I have been reporting spam originating from IP-range 58.14/16

May 18, 2018 to June 29, 2018: a total of 3359 spam messages from that IP range! That's over 76 per day...

It looks like my reporting is working, as the spammer seems to be switching to 27.146/16 as I have already received 10 from there in the last 1.5 hour...

Unfortunately, Cloudflare is still hosting their spamvertised websites... and doesn't seem to give "a barrier constructed to hold back water"

A track is useful? IP hopping is "normal" more for DoS attacks through port 25, which is blocked by competent providers


Well, I believe I found my spammer(s)... probably the same scumbag unless they teamed up...

List of domain names registered by Michael Wallace
https://domainbigdata.com/nj/PMs8PeMWLXMFAfjPwmyV3g

List of domain names registered by Frank Marsicano
https://domainbigdata.com/nj/2NMIE802bt4WH2rc3SoTUA

List of domain names registered by Chris Patterson
https://domainbigdata.com/nj/rnPab-DpPIdNUYynMibFFw

List of domain names registered by Richard Hawking
https://domainbigdata.com/nj/GlBwSDCvDWjzlWpRAgo9Kg

List of domain names registered by Anton Lassen
https://domainbigdata.com/nj/vubKHIY--XkSbXo_sFyHPw


some reports with the 58.14/16 range:

https://www.spamcop.net/sc?id=z6471482675z858c71a05814a9763517674009c94768z
https://www.spamcop.net/sc?id=z6471482674z9ab0a9c820151d7ac9ce9a041686d4c6z
https://www.spamcop.net/sc?id=z6471482673zcd19939939e9d574cdb141b1b360f152z
https://www.spamcop.net/sc?id=z6471482672z08f29a0817817fdf745140d9fa2031baz
https://www.spamcop.net/sc?id=z6471482671z9f4ead4df33727978572d5e46ac87ad1z

(and there are over 3000 more of these)

and the new 27.146/16 spams:

https://www.spamcop.net/sc?id=z6471634192z1d8fd5aece82eb5feb80e4b6b19f6eb3z
https://www.spamcop.net/sc?id=z6471634194z7350adbd7dbeaedf80def1cb4631741dz
https://www.spamcop.net/sc?id=z6471634195zf18a0c1292ecbd3adb3a2a03e64e3fb6z
https://www.spamcop.net/sc?id=z6471634196zdc9be4ffc73a9c61325ef1a168149c9bz
https://www.spamcop.net/sc?id=z6471634197z3f7ef41d7685eb94ae14eaf91f4ef100z

This isn't a DoS attack, it is just a spammer at work hopping through ISPs that want to make a quick buck...

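Editor's added example, not a post in this thread and not SpamCop's code: the range hop RobiBue describes (58.14/16 going quiet, 27.146/16 starting up) is easy to spot mechanically once the connecting IP of each spam is logged. The script below takes a constructed log of timestamp/IP pairs (the addresses are made up to fall inside the two /16s above; none is taken from the linked reports), buckets them by /16, computes the per-day rate the way the post does, and lists the ranges in order of first sighting, so a new range at the tail of that list is the hop.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample log, one "<UTC timestamp> <connecting IP>" per line, of the
# kind you get by pulling the last untrusted Received: header out of each spam.
# The addresses are made up to fall inside the two /16s discussed above; they
# are not taken from the SpamCop reports linked in the thread. The last line is
# deliberately malformed to show that bad input is skipped, not counted.
SAMPLE_LOG = """\
2018-06-28T09:12:00Z 58.14.17.201
2018-06-28T10:40:00Z 58.14.99.3
2018-06-28T22:05:00Z 58.14.203.77
2018-06-29T01:30:00Z 58.14.6.14
2018-06-29T03:15:00Z 58.14.140.250
2018-06-29T14:00:00Z 27.146.12.9
2018-06-29T14:20:00Z 27.146.201.66
2018-06-29T15:10:00Z 27.146.3.3
2018-06-29T15:25:00Z 203.0.113.8
2018-06-29T16:00:00Z not-an-ip
"""


def parse_log(text):
    """Return [(datetime, IPv4Address), ...]; malformed and non-IPv4 lines are dropped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if addr.version != 4:          # a /16 of IPv6 is not a useful bucket
            continue
        hits.append((when, addr))
    return hits


def prefix_of(addr, prefixlen=16):
    """Covering network of addr as text, e.g. '58.14.0.0/16'."""
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


def count_by_prefix(hits, prefixlen=16):
    """How many messages came from each /prefixlen."""
    return Counter(prefix_of(addr, prefixlen) for _, addr in hits)


def daily_rate(hits, network, prefixlen=16):
    """Messages per calendar day on which `network` was seen (the post's '76 per day')."""
    total, days = 0, set()
    for when, addr in hits:
        if prefix_of(addr, prefixlen) == network:
            total += 1
            days.add(when.date())
    return total / len(days) if days else 0.0


def ranges_in_order_of_appearance(hits, prefixlen=16):
    """Networks sorted by first sighting; a new entry at the tail is the range hop."""
    first_seen = {}
    for when, addr in sorted(hits):
        first_seen.setdefault(prefix_of(addr, prefixlen), when)
    return sorted(first_seen, key=first_seen.get)


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for net, n in count_by_prefix(hits).most_common():
        print(f"{net:<16} {n:>4} msgs  {daily_rate(hits, net):.1f}/day")
    print("order of appearance:", " -> ".join(ranges_in_order_of_appearance(hits)))
```

Feed it the real connecting IPs (the address SpamCop reports against, not any address inside the message body) and a /16 that appears at the end of the order-of-appearance list while the older one's daily rate drops to zero is the same signal the post reads off by hand.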
Posted (edited)

I've had a look at some of those links on your abuse reports. The ones I've looked at all go to an unsubscribe landing page (which obviously isn't working). The look of it all does seem like the garbage I was getting though. What you need to do is actually go to the pages that are being spamvertised. You need to contact the companies being advertised directly. It's obviously a waste of time you complaining to Cloudflare. Let them know they are being reported, and what the potential penalty consequences are for sending nuisance mail.

These products and offers being sent are from a 3rd party marketing company. They have direct contact with the marketing company (unlike you who are failing to reach them via spam reports) It will only take one company to ask them to stop sending you their product offers, and the spammer will take you off the mailing list, and it will stop all the other junk from the same marketing source being sent to you.

This Glossy Bingo was just one of the products I was being sent from my nuisance spammer. Finally fed up, I went to their page, found this contact email address and sent them a strongly worded email about their nuisance mail, and within 10 minutes I got a reply saying how sorry they were, and that they would put a stop to it. It must have frightened them into action; they mailed me back twice over the next few days to make sure it had all stopped. I never had any junk again from that same source.

[attachment: _ad.JPG]

This is the can spam act jargon to give you some idea of the kind of thing you can put in a complaint.

Q. What are the penalties for violating the CAN-SPAM Act?

A. Each separate email in violation of the law is subject to penalties of up to $41,484, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible. Email that makes misleading claims about products or services also may be subject to laws outlawing deceptive advertising, like Section 5 of the FTC Act. The CAN-SPAM Act has certain aggravated violations that may give rise to additional fines. The law provides for criminal penalties – including imprisonment – for:

  • accessing someone else’s computer to send spam without permission,
  • using false information to register for multiple email accounts or domain names,
  • relaying or retransmitting multiple spam messages through a computer to mislead others about the origin of the message,
  • harvesting email addresses or generating them through a dictionary attack (the practice of sending email to addresses made up of random letters and numbers in the hope of reaching valid ones), and
  • taking advantage of open relays or open proxies without permission.

    CAN-SPAM Act: A Compliance Guide for Business

Edited by mojorisin


I don't even go to those pages.

3 main reasons:

  1. I don't care, it's spam.
  2. The links could contain viruses.
  3. The links are most likely coded so that the spammer knows that I received the spam, and by visiting it, he can prove to the spamvertised "client" that he should get paid for his efforts.

And a last, but not least reason: I didn't sign up for it, why should I unsubscribe anyway.

That's what the clue by four is for... if the provider's abuse desk gets flooded with abuse reports, eventually he'll get put in place.

I believe that my email address ended up in his/their list due to one or more of the data breaches of late...

IOW just another list where they can send their junk...

I have also been getting lots of unsubscribe confirmation requests which I handle just like spam, as I

  1. didn't unsubscribe, and
  2. if I did, why should I confirm that I am unsubscribing...

take another clue by four, spammer, I don't want your junk... abuse desk will hopefully clue you in :)

Posted (edited)
11 minutes ago, RobiBue said:

That's why you'll continue to get their spam. I'd stop sending the abuse reports too if I were you. You're only wasting your time.

Edited by mojorisin


Your abuse reports seem to be working; Cloudflare has removed the link, it's 404'ed.

13 hours ago, mojorisin said:

That's why you'll continue to get their spam. I'd stop sending the abuse reports too if I were you. You're only wasting your time.

see below ;)

5 hours ago, petzl said:

Your abuse reports seem to be working; Cloudflare has removed the link, it's 404'ed.

and that's why I like to use the clue by four through the abuse desks :) and Spamcop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)

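Editor's added example, not a post in this thread and not SpamCop's code: RobiBue's aside about SpamCop and 6to4 addresses points at a real parsing trap. A 2002::/16 (6to4) address, like an IPv4-mapped or a Teredo address, carries the real IPv4 source inside it, and the abuse report has to go to the holder of that embedded IPv4 address rather than to whoever 2002::/16 resolves to. The script below uses Python's standard ipaddress module to unwrap those forms and to derive the block to tally or look up. The sample addresses are constructed; the Teredo one is the example address from the Python ipaddress documentation.

```python
import ipaddress

# Constructed sample of source addresses as they might appear in Received:
# headers. None of them is taken from the thread's reports; the Teredo one is
# the example address from the Python ipaddress documentation.
SAMPLE_SOURCES = [
    "58.14.17.201",                            # plain IPv4
    "2002:3a0e:1122::1",                       # 6to4: embeds 58.14.17.34
    "::ffff:27.146.3.3",                       # IPv4-mapped: embeds 27.146.3.3
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo: client 192.0.2.45
    "2001:db8::1",                             # native IPv6, nothing to unwrap
]


def reportable_source(addr_text):
    """
    Return (address_to_report, how_it_was_derived).

    6to4 (2002::/16), IPv4-mapped (::ffff:0:0/96) and Teredo (2001::/32)
    addresses all carry an IPv4 address inside them. The party to report is
    the holder of that embedded IPv4 address, not the holder of 2002::/16 or
    of the Teredo relay. Native addresses come back unchanged.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return addr, "native IPv4"
    if addr.sixtofour is not None:
        return addr.sixtofour, "6to4 (2002::/16), embedded IPv4"
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, "IPv4-mapped IPv6"
    if addr.teredo is not None:
        server, client = addr.teredo       # client is the real external IPv4
        return client, f"Teredo client IPv4 (via server {server})"
    return addr, "native IPv6"


def reporting_range(addr_text, v4_prefixlen=16, v6_prefixlen=32):
    """The block the unwrapped source falls in, for tallying or for a whois/RDAP lookup."""
    addr, _ = reportable_source(addr_text)
    plen = v4_prefixlen if addr.version == 4 else v6_prefixlen
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        addr, how = reportable_source(src)
        print(f"{src:<40} -> {str(addr):<16} in {reporting_range(src):<18} ({how})")
```

The order of the checks matters only for readability here, since the three prefixes are disjoint; what matters is that a 6to4 packet is attributed to 58.14.0.0/16 rather than to the 2002::/16 relay block, which is the misattribution the post complains about.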
Posted (edited)
2 hours ago, RobiBue said:

see below ;)

and that's why I like to use the clue by four through the abuse desks :) and Spamcop is a very helpful tool (if they eventually would get through their heads that they need to fix the IPv6 part where it pertains to 6to4 addresses...)

That's all very well, but you aren't reaching the abuse desks and never will, because cloudflare ignore all abuse reports. That's why spammers use hosting companies like Cloudflare. They are a bullet proof haven for spammers.

cloudflare bulletproof spammer hosting

Edited by mojorisin

18 hours ago, mojorisin said:

That's all very well, but you aren't reaching the abuse desks and never will, because cloudflare ignore all abuse reports. That's why spammers use hosting companies like Cloudflare. They are a bullet proof haven for spammers.

cloudflare bulletproof spammer hosting

Might depend on who at the abuse desk reacts to your report? 


Well, it seemed to have worked, because I suddenly stopped receiving spam from them (12/08/2018 20:00:00 PDT)! YAYY!!!! Victory!!!

Alas, on the 28th I started getting the same garbage again, but now from a different IP address (although still in the Asia/Pacific area, as were the first two)

This time it's spewing from 167.103/16.

Now here comes the hammer: the listing is named Coca-Cola Amatil, but the IP range was transferred from ARIN to APNIC.

SpamCop demonstrates this in a weird way:

https://www.spamcop.net/sc?id=z6482664977z1149d3dfe903230031db2f70e94df5b2z  (TRACKING URL)

https://www.spamcop.net/sc?action=rcache;ip=167.103.35.178  (the [refresh/show] link) for 167.103.nnn.nnn

https://www.spamcop.net/sc?action=showcmd;cmd=whois 167.103.35.178%40whois.arin.net

https://www.spamcop.net/sc?action=showroute;ip=167.103.35.178;typecodes=17:

Reports routes for 167.103.35.178:
routeid: 77437349 167.103.0.0 - 167.103.255.255 to: search-apnic-not-arin@apnic.net
Administrator found from whois records

and then, in the parse:

I refuse to bother search-apnic-not-arin@apnic.net.
Using search-apnic-not-arin#apnic.net@devnull.spamcop.net for statistical tracking.
Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

SpamCop doesn't look for the APNIC side (which wouldn't matter much because the data is currently invalid either way) but there should be a way for spamcop to follow the trail here to APNIC too...

...but I digress...
During that time, the IP range wasn't (and still isn't) under CCAMATIL's control, and some slimeball ISP is using this transfer period to the spammer's advantage.

Whoever this slimeball ISP and their pet spammer are, they are criminals and should be stopped.

I would love to know how to see the real current CIDR holder for 167.103/16 and how these slimeballs can steal unused IP ranges.

If anybody has any ideas, please let me know.

I am currently in touch with Coca-Cola Amatil's Group Security Lead - Threat & Vulnerability Management.

The Security Lead's reply to my inquiry:

"I've taken an extensive look at our data lake and other log repositories. I also consulted with our networking & infrastructure team and we've arrived at the conclusion we aren't actually publicly using these addresses. There was a time when 167.103.0.0/16 wasn't under our ownership (during the transition from ARIN to APNIC) and from what I've been made aware of it's currently in an "assignment" state with APNIC. It appears these actors have taken advantage of this and somehow have gotten their ISP to allow them to use those addresses. Unfortunately I don't have an answer to how these actors have done this."

then he continues:

"We are currently filling out an application with APNIC to take full ownership of these addresses. We will then see what we can do with the assistance of APNIC to contact the ISP to stop this from happening. In parallel, once we have proper ownership we will update the notify address accordingly."

He is going to keep me in the loop with further developments on their side.

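Editor's added example, not a post in this thread and not code from any registry: RobiBue asks how to see who really holds 167.103/16 now that it has moved from ARIN to APNIC. Online, an RDAP query (for instance through the rdap.org bootstrap) is redirected to whichever RIR currently holds the range. Offline, the authoritative source is the "delegated-extended" statistics file each RIR publishes, which lists every range with its registry, country code, date and status (allocated, assigned, reserved or available). The script below parses a constructed excerpt in that format (the rows are illustrative and do not state who actually holds these ranges) and reports the record covering an address. Caveat a practitioner should keep in mind: the file records registration state, not who is announcing the prefix in BGP, so a range marked available or reserved that is nevertheless sending mail is exactly the "in limbo" situation the post describes, and the announcing ASN has to come from a route collector or looking glass.

```python
import ipaddress

# Constructed excerpt in the RIR "delegated-extended" statistics format:
#   registry|cc|type|start|value|date|status|opaque-id
# The real files come from each RIR's stats directory (APNIC publishes
# delegated-apnic-extended-latest). These rows are made up for the example;
# they do not state who actually holds any of these ranges. For ipv4 rows
# `value` is a count of addresses (not always a CIDR-sized block), for ipv6
# rows it is a prefix length.
SAMPLE_DELEGATED = """\
2|apnic|20180901|4|19830101|20180831|+1000
apnic|*|ipv4|*|3|summary
apnic|*|ipv6|*|1|summary
apnic|AU|ipv4|167.103.0.0|65536|20150218|assigned|SAMPLE-ORG-A
apnic|ZZ|ipv4|198.51.100.0|256|20180101|available|
apnic|AU|ipv4|203.0.113.0|768|20180101|reserved|
apnic|AU|ipv6|2001:db8::|32|20180101|allocated|SAMPLE-ORG-B
"""


def parse_delegated(text):
    """Parse delegated-extended rows into dicts with integer address bounds."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        # Skip the version header (numeric first field), summary rows and blanks.
        if len(fields) < 7 or fields[0].isdigit() or fields[1] == "*":
            continue
        registry, cc, kind, start, value, date, status = fields[:7]
        opaque = fields[7] if len(fields) > 7 else ""
        if kind == "ipv4":
            lo = int(ipaddress.IPv4Address(start))
            hi = lo + int(value) - 1          # value = number of addresses
        elif kind == "ipv6":
            net = ipaddress.IPv6Network(f"{start}/{value}", strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        else:
            continue                          # asn rows are not needed here
        records.append({"registry": registry, "cc": cc, "type": kind,
                        "lo": lo, "hi": hi, "date": date, "status": status,
                        "opaque": opaque})
    return records


def holder_of(records, addr_text):
    """Return the record covering addr_text, or None if this file has none."""
    addr = ipaddress.ip_address(addr_text)
    kind = "ipv4" if addr.version == 4 else "ipv6"
    for rec in records:
        if rec["type"] == kind and rec["lo"] <= int(addr) <= rec["hi"]:
            return rec
    return None


def assess(records, addr_text):
    """One-line verdict on where an abuse report for addr_text should go."""
    rec = holder_of(records, addr_text)
    if rec is None:
        return "not delegated in this file: check the other RIRs' files"
    if rec["status"] in ("available", "reserved"):
        # Nobody holds it, so nobody should be announcing or mailing from it.
        return f"{rec['status']} at {rec['registry']}: no legitimate user"
    who = rec["opaque"] or "no opaque-id"
    return f"{rec['status']} by {rec['registry']} ({rec['cc']}), {who}"


if __name__ == "__main__":
    recs = parse_delegated(SAMPLE_DELEGATED)
    for ip in ("167.103.35.178", "198.51.100.7", "203.0.115.1", "58.14.17.201"):
        print(ip, "->", assess(recs, ip))
```

Because the ipv4 `value` field is a plain address count, the lookup works on integer bounds rather than CIDR networks; the 768-address row in the sample shows why, since it covers three /24s that no single prefix expresses. To answer the question for a real address, concatenate all five RIRs' files and run holder_of over the lot, since a range in transfer may appear in one registry's file before it disappears from the other's.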
7 hours ago, RobiBue said:

info [AT] cert. gov. au  and  consumer_information [AT] ccamatil .  com
They have no abuse contact, but an Australian IP belongs to Coca-Cola
167.103.35.178
https://www.spamhaus.org/sbl/query/SBL247801

compromised/forged web and/or email accounts
If Microsoft Windows Defender is available to you, use it
Scan for Malware!
THEN
Change log-on to a more secure password-Phrase!


13 hours ago, petzl said:

info [AT] cert. gov. au  and  consumer_information [AT] ccamatil .  com
They have no abuse contact, but an Australian IP belongs to Coca-Cola
167.103.35.178
https://www.spamhaus.org/sbl/query/SBL247801

compromised/forged web and/or email accounts
If Microsoft Windows Defender is available to you, use it
Scan for Malware!
THEN
Change log-on to a more secure password-Phrase!

Thank you Petzl, very informative! I passed the spamhaus.org info on to the cybersecurity guy at Coca-Cola; since they are in the process of getting those IP addresses back, they ought to know what is required to have the range cleared from the SBL...

btw, what do you mean with the quote below the SBL link? I don't get the connection...

10 hours ago, RobiBue said:

btw, what do you mean with the quote below the SBL link? I don't get the connection...

Just the blurb I copy and paste into reports; it seemed to me a compromised computer.
I did not know that Coca-Cola no longer owned that IP, but as it's not on spamtrap addresses, it makes me wonder if that IP hasn't scraped email addresses from it?

You, though, had it nailed by being in touch with Coca-Cola. Has it already been disabled?

Edited by petzl


when I read the SBL listing, I noticed that it has been listed since 2015:

Ref: SBL247801
167.103.0.0/16 is listed on the Spamhaus Block List (SBL)
2015-02-18 21:50:49 GMT | APNIC

The way I understand it, CCAMATIL used to have that range under ARIN's umbrella, or even under InterNIC's, but then ARIN transferred the range to APNIC, probably while CCAMATIL wasn't physically using it. I am also asking APNIC if there is a way to physically find out who is using those address ranges, and maybe APNIC could impose severe punishments to ISPs or Number Registrars who abuse or allow abuse for addresses in limbo or under "assignment".

