
Eonix.net helping spammers?


KNERD


For many months now, I had been getting ten or more spams from their network. I would report each and every one of them, and would see the reports would go to poc@eonix.net or abuse@eonix.net. After about four months, and the spams still kept coming day after day despite reporting, I decided to just go ahead and block the IP range from which the spams would come. That sure did stop eonix.net from sending any more; so I thought.

A week later more spams would start arriving from eonix.net. Looking, I see they are coming from a new block of IP addresses at a different location.

This has been repeating for a while now.

Another reason I am asking if eonix.net is helping spammers is because these spams were not coming from the same IP address, but the next IP address in numerical sequence. Ten or more spams, all coming from the next number up in an IP address? I mean come on now, they have to be helping, right?

Anyone know of their reputation?

 

 

Here is another thing. For a while I decided to add the Sorbs Blacklist. The reason is because after each report for spam from eonix.net, I would see the IP address is on Sorbs. I have noticed it is easy to get listed on there and stay listed. So I add their blacklist, and guess what? The spam from eonix.net listed on Sorbs is still getting to my email server, but legit mail such as from PayPal is getting blocked by Sorbs! They in cahoots also?

Edited by KNERD
spell
Link to comment
Share on other sites

On 5/12/2020 at 8:04 AM, KNERD said:

A week later more spams would start arriving from eonix.net. Looking, I see they are coming from a new block of IP addresses at a different location.

Some ISPs do this and then return the old block, and poor folks might get a spammy block when they request a new range. Years ago, I started blocking at the firewall level. Then I started blocking using an SMTP blocking list. Now I just use spamassassin and it makes the decision to block or not at the SMTP edge.

On 5/12/2020 at 8:04 AM, KNERD said:

The spam from eonix.net listed on Sorbs is still getting to my email server, but legit mail such as from PayPal is getting blocked by Sorbs!

The reason I use spamassassin now is that clean emails can be on the block list and still be accepted, while for spammy emails on the block lists it can tell the SMTP mailer to reject them. Spamassassin also lets me do some custom parsing rules which can single out ISPs such as eonix (either via headers, message body, or just connecting host).

Link to comment
Share on other sites

  • 1 month later...

I guess I will need to look at spam Assassin. Since I posted this, I have had to block three more Eonix data centers/IP block ranges (even had something come in from SpamChimp). They are clearly spam friendly. Maybe time for a campaign to ARIN to have their IP addresses revoked? Do they even do that?

With the mass amount of reporting of Eonix I did through Spamcop, it seems it just does not have the clout it had in the past.

 

Thanks for the input.

Edited by KNERD
Link to comment
Share on other sites

  • 2 weeks later...
On 6/19/2020 at 10:03 AM, KNERD said:

I guess I will need to look at spam Assassin.

Either that or maybe see if your mail server supports special filtering rules.  Before I went to spamassassin, I was doing weird helo accept/deny rules as well as maintaining my own blocklist.

 

On 6/19/2020 at 10:03 AM, KNERD said:

Maybe time for a campaign to ARIN to have their IP addresses revoked? Do they even do that?

They can revoke the IP address for policy violations but that doesn't always stop the spammer. The ISP's ISP should be checking that their customers are using valid ranges. I had one in Europe that had assumed two class C networks without being assigned them. It took a few months for them to stop using them.

Link to comment
Share on other sites

  • 3 weeks later...

I have been using the Thunderbird email client. I have since discovered it is using Spamassassin. It never did stop any of those coming from Eonix.net. Though I do see it is stopping some spam, as noted with the spam in the Junk folder. None of which has ever been from Eonix.net IP blocks.

 

On the other hand, I seem to have blocked all of Eonix.net, as I have not gotten a single spam from them since my last posting.

 

Link to comment
Share on other sites

  • 5 weeks later...

As Eonix appears to welcome spammers, I'm a bit reluctant to report the offending spam to Spamcop.
Each piece of spam contains too many unique patterns, that render obfuscating useless and I risk being spammed more and more, or retaliated against.

Spamcop and Spamhaus both fail regularly to block all those spams.

I end up blocking their CIDR one by one as they are offending.

I just want to automate it now...

Link to comment
Share on other sites

10 hours ago, fritz2cat said:

As Eonix appears to welcome spammers, I'm a bit reluctant to report the offending spam to Spamcop.
Each piece of spam contains too many unique patterns, that render obfuscating useless and I risk being spammed more and more, or retaliated against.

Spamcop and Spamhaus both fail regularly to block all those spams.

I end up blocking their CIDR one by one as they are offending.

I just want to automate it now...

As always a SpamCop tracking URL would help?

Link to comment
Share on other sites

16 hours ago, fritz2cat said:

I end up blocking their CIDR one by one as they are offending.

I just want to automate it now...

I automated this using a cron script and a firewall. The problem I saw is the script happened to catch some legitimate emails and blocked those hosts until it was too late for me to get them back. (There is a grey area of false positives and false negatives where something will be missed and legitimate stuff will be caught. This is why I prefer filtering the emails rather than straight blocking.)

Link to comment
Share on other sites

5 hours ago, petzl said:

Only staff might be able to access that link. I are just a SpamCop member.

fritz2cat, The link you gave seems to be only accessible by you or SpamCop deputies.  However, you can find an accessible link with munged information if you click on that link and then click on "Parse".  That page should have your Tracking URL near the top.  (As a side note, if you view that while logged out, you should see the munged information on it.)

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net

Link to comment
Share on other sites

9 hours ago, petzl said:

Only staff might be able to access that link. I are just a SpamCop member.

 

3 hours ago, gnarlymarley said:

fritz2cat, The link you gave seems to be only accessible by you or SpamCop deputies.  However, you can find an accessible link with munged information if you click on that link and then click on "Parse".  That page should have your Tracking URL near the top.  (As a side note, if you view that while logged out, you should see the munged information on it.)

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net

Hello, I discover that my e-mail address is intact in the very first "Received" line from the bottom (I missed it when I munged some information by hand) in the following line

Received: by mail.wefightgiants.com id h7vek40001g6 for <x>; Fri, 21 Aug 2020 10:29:25 -0400 (envelope-from <barbara_howard-me=mydomain.com@wefightgiants.com>)

So I will not disclose the link to a public area. Maybe next time. Currently I block them at the perimeter with a CIDR blocklist so I have no material to report.

Thank you for your help.

Link to comment
Share on other sites

  • 4 months later...

I arrived here after Googling "eonix.net spam". Normally when my domain receives spam I look into the headers to get the originating IP address, look it up in ARIN, send an email to the ISP email address listed in ARIN with full details of the spam email, and shortly thereafter the ISP shuts down the spammer, causing the spam to stop. I have to monitor my spam emails because occasionally spamassassin incorrectly flags a good email as spam.

And then Eonix started spamming me with about 200 / day, and that's a lot of spam to wade thru. Well, technically, Eonix is the parent of the spammer. For example the IP address 104.206.77.193  lists sales@nextacebiz.com .  Attempts to convert "nextacebiz.com" to an IP address fail. There are several other spammers of Eonix that ended up being dead ends, but ARIN for IP address 50.3.175.20 lists support@bestwebhosting.com, https://www.bestwebhostinghub.com/ is a live website (IP address 104.21.86.72 hosted by cloudflare.com) but is basically trash except a link at the top takes you to https://www.cloudways.com/en/?id=693788  (IP address 151.139.128.11 which is owned by stackpath.com), and on and on this goes...

So here's the thing, http://eonix.net/ displays a webpage that says the domain has expired (there's a link to renew it http://enom.help/renew-faq) so you can't even view Acceptable Use Policy webpage. 

Scamalytics says this about Eonix Corporation: "We consider Eonix Corporation to be a potentially very high fraud risk ISP" (https://scamalytics.com/ip/isp/eonix-corporation)

Google Reviews gives them 1.4 stars out of 5 https://www.google.com/search?sxsrf=ALeKk03yY9W0qEhrRrDk-rzpv3YIr2bfaQ%3A1610924649519&source=hp&ei=acIEYNSFHIu4tQalpqzoBA&q=Eonix+Communications+Inc&oq=Eonix+Communications+Inc#

Now for some good news - Google also led me to this Better Business Bureau webpage https://www.bbb.org/us/nv/henderson/profile/commercial-products-wholesale-and-distributor/eonix-corporation-1086-73919/complaints and it lists ====>  http://support.serverhub.com (and they do have a can-spam webpage https://www.serverhub.com/policies/can-spam-act). Additional digging shows that Eonix Corporation has trademarks for Serverhub and Vpsnow (https://www.corporationwiki.com/p/2cyb1e/eonix-corporation)

The website https://www.serverhub.com/ is at IP address 104.26.10.20 and ARIN says it belongs to Cloudflare https://search.arin.net/rdap/?query=104.26.10.20  I'll try sending an email to the address ARIN lists, but I'm not optimistic.

Yes, one possibility is to wade thru 200 spam emails a day and just "take it". But, there has to be some other avenue to pursue - FCC? FBI? Any suggestions?  I did find that ARIN has a way to Report Whois Inaccuracy and I'll be using it to report that Eonix's contact info is invalid.

 

Link to comment
Share on other sites

1 hour ago, bretmaverick999 said:

So here's the thing, http://eonix.net/ displays a webpage that says the domain has expired (there's a link to renew it http://enom.help/renew-faq) so you can't even view Acceptable Use Policy webpage. 

Yeah, the domain expired on 1/14. Spammers like these domains since the registrars don't have a temporary SPF or DMARC record. Effectively it gives the spammers free rein of the domain.

1 hour ago, bretmaverick999 said:

Yes, one possibility is to wade thru 200 spam emails a day and just "take it". But, there has to be some other avenue to pursue - FCC? FBI? Any suggestions?  I did find that ARIN has a way to Report Whois Inaccuracy and I'll be using it to report that Eonix's contact info is invalid.

If it is only an IP or two and you have the ability to block them, I would suggest you put a block on there for a few days.  One thing you can also do is to use a BGP looking glass and head to the upstream provider with your abuse logs.  The bigger ISPs are usually good at fixing the problem with the smaller customer ISPs.

Link to comment
Share on other sites

On 1/17/2021 at 7:13 PM, bretmaverick999 said:

So here's the thing, http://eonix.net/ displays a webpage that says the domain has expired (there's a link to renew it http://enom.help/renew-faq) so you can't even view Acceptable Use Policy webpage.

 

The odd thing is, whois is reporting the domain does not expire until 2022:

 

Quote

Updated Date: 2021-01-15T10:03:58Z
Creation Date: 2011-01-14T17:47:29Z
 Registry Expiry Date: 2022-01-14T17:47:29Z

Looks like it was renewed on the 15th of this month. The fact that the domain is being redirected to the enom site tells me the registrar probably renewed on their behalf. It is my understanding that registrars can do domain registration/renewal and not get charged for up to 30 days, and thus can cancel the registration. I learned about that after accidentally running into accusations about GoDaddy stealing domain names when using their domain search/registry tool. If you waited too long to click BUY, the domain would be gone, and registered through GoDaddy, and already up for sale for a much higher price.

 

I guess we can check back in February to see what happens. If it is available, I will certainly snatch it up to try to put them out of business for a while.

 

On 1/17/2021 at 8:45 PM, gnarlymarley said:

If it is only an IP or two and you have the ability to block them, I would suggest you put a block on there for a few days.  One thing you can also do is to use a BGP looking glass and head to the upstream provider with your abuse logs.  The bigger ISPs are usually good at fixing the problem with the smaller customer ISPs.

For eonix, it needs a perma ban. After blocking all of eonix IP ranges, just today, I finally got a new batch of spam. Not directly from eonix, but layerhost. I know it is the same spammer because they have some URLs being hosted on eonix IP addresses.

Very few small businesses host their own email servers, and tend to rely on companies like Google and Microsoft for that.

If anyone hosts their own email server, and is worried about blocking important email from coming in, there are guides online which show you how to block IP addresses and how you can put in a custom rejection message which will appear in their email client inbox.

 

Edited by KNERD
Link to comment
Share on other sites

On 1/17/2021 at 7:45 PM, gnarlymarley said:

Yeah, the domain expired on 1/14.

On Jan 17 I alerted ARIN that all email addresses they have listed for Eonix weren't accepting emails. They replied with a confirmation number and said they would look into it. As Knerd reported eonix.net started working on the 20th so I'm now betting ARIN won't do anything. We'll see...

Eonix owns IP address range 50.2.0.0 - 50.3.255.255. Within it is 50.3.175.* and they belong to BestWebHosting.com.  The spam emails I'm receiving are from that IP address range. So, with eonix.net working again I thought I would send one of my "You are hosting a spammer" emails to the email address "support@bestwebhosting.com" and CC "net-abuse@einix.net" and the following happened:

  • The email to bestwebhosting.com caused me to receive a "mail deliver failure" with this "The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."  Yes, I alerted ARIN to this and they say they are looking into it.
  • A minute later I received an email from "support@serverhub.com" saying they would reply shortly and that I could view our conversation at their Help Center and gave a link with a ticket #. Clicking the link led me to a login screen so I clicked on the link to create a new account, filled it in, and then I was able to see the ticket #. It contains my email with all the info. This could get interesting, or could just be another rat hole.

In the meantime I've set up a cPanel Global Email Filter for all Eonix IP address ranges so I'm no longer having to wade thru those spam emails. The Better Business Bureau has several recent complaints outstanding against Eonix. I'll be informing the BBB that eonix.net lacks an Acceptable Use webpage and thus is free to allow spamming. Hopefully if they get enough complaints we can drop their A- rating...

 

 

Link to comment
Share on other sites

I think all these belong to Eonix. They are entries in my email server blacklist.

 


 

Link to comment
Share on other sites

I see different abused addresses on your list such as eonix, layerhost and heficed.

104.140.0.0/16 net-admin@eonix.net
104.140.84.0/23 net-admin@eonix.net
104.148.28.0/24 abusenoc@layerhost.com
104.206.117.32/27 net-admin@eonix.net
104.206.96.0/22 net-admin@eonix.net
104.223.153.0/24 abusenoc@layerhost.com
170.130.0.0/16 net-admin@eonix.net
191.101.128.0/21 abuse@heficed.com
23.228.64.0/18 abusenoc@layerhost.com
23.231.0.0/17 net-admin@eonix.net
50.2.0.0/15 net-admin@eonix.net
50.2.188.0/22 net-admin@eonix.net
50.2.212.0/22 net-admin@eonix.net

Link to comment
Share on other sites
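The annotated list above contains ranges that sit inside other ranges, which matters when a list like this is maintained by hand or by a script. The following is an added example, not code from any poster in this thread: it parses that list, reports the entries already covered by a wider entry, collapses the list for a firewall or mail filter, and looks up which entry (and abuse contact) matches a connecting IP. The function names are made up for the example, and the sample IPs in the demo are the ones quoted elsewhere in the thread plus one constructed address.

```python
import ipaddress

# CIDR ranges and abuse contacts exactly as listed in the post above.
BLOCKLIST = """\
104.140.0.0/16 net-admin@eonix.net
104.140.84.0/23 net-admin@eonix.net
104.148.28.0/24 abusenoc@layerhost.com
104.206.117.32/27 net-admin@eonix.net
104.206.96.0/22 net-admin@eonix.net
104.223.153.0/24 abusenoc@layerhost.com
170.130.0.0/16 net-admin@eonix.net
191.101.128.0/21 abuse@heficed.com
23.228.64.0/18 abusenoc@layerhost.com
23.231.0.0/17 net-admin@eonix.net
50.2.0.0/15 net-admin@eonix.net
50.2.188.0/22 net-admin@eonix.net
50.2.212.0/22 net-admin@eonix.net
"""


def parse_blocklist(text):
    """Return {IPv4Network: contact} from 'CIDR contact' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidr, _, contact = line.partition(" ")
        # strict parsing rejects a CIDR whose host bits are set (a typo guard)
        entries[ipaddress.ip_network(cidr)] = contact.strip()
    return entries


def redundant_entries(entries):
    """Entries fully contained in another, wider entry of the same list."""
    nets = list(entries)
    return sorted(n for n in nets
                  if any(n != other and n.subnet_of(other) for other in nets))


def collapsed(entries):
    """Smallest equivalent set of networks, sorted, for the actual block rule."""
    return list(ipaddress.collapse_addresses(entries))


def lookup(entries, ip):
    """Most specific matching (network, contact) for ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in entries if addr in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, entries[best]


if __name__ == "__main__":
    entries = parse_blocklist(BLOCKLIST)
    print("redundant:", [str(n) for n in redundant_entries(entries)])
    print("collapsed:", [str(n) for n in collapsed(entries)])
    # 50.3.175.20 and 104.206.77.193 are quoted earlier in the thread;
    # 104.148.28.9 is a constructed address inside a listed range.
    for ip in ("50.3.175.20", "104.206.77.193", "104.148.28.9"):
        print(ip, "->", lookup(entries, ip))
```

An address that returns `None` here is not covered by the list, so a hit count per range from mail logs is a better guide for adding entries than the operator name alone.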

8 hours ago, gnarlymarley said:

I see different abused addresses on your list such as eonix, layerhost and heficed.


Layerhost is a brand of Eonix. I am not sure about heficed.com. I must have been getting a lot of spam from them to block. Seems to be from Brazil.

 

 

Link to comment
Share on other sites

17 hours ago, KNERD said:

Layerhost is a brand of Eonix. I am not sure about heficed.com. I must have been getting a lot of spam from them to block. Seems to be from Brazil.

Correction - On  http://eonix.net/ it lists that their brands are  http://infinitie.net/ and http://serverhub.com/ 

As for Layerhost it appears to be an unrelated company, but just as spammer friendly. 

 

On 1/24/2021 at 6:02 PM, bretmaverick999 said:

Eonix owns IP address range 50.2.0.0 - 50.3.255.255. Within it is 50.3.175.* and they belong to BestWebHosting.com.  The spam emails I'm receiving are from that IP address range. So, with eonix.net working again I thought I would send one of my "You are hosting a spammer" emails to the email address "support@bestwebhosting.com" and CC "net-abuse@einix.net" and the following happened:

  • The email to bestwebhosting.com caused me to receive a "mail deliver failure" with this "The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."  Yes, I alerted ARIN to this and they say they are looking into it.
  • A minute later I received an email from "support@serverhub.com" saying they would reply shortly and that I could view our conversation at their Help Center and gave a link with a ticket #. Clicking the link led me to a login screen so I clicked on the link to create a new account, filled it in, and then I was able to see the ticket #. It contains my email with all the info. This could get interesting, or could just be another rat hole.

Today I got word that Serverhub ticket # 81058 had been "completed". When I logged into my Serverhub account (I'm not paying for anything from them, this is a free account) the ticket contains a post saying "Hi,   We would like to inform you that this issue has been resolved.   If there any other reports found, Please forwards them to us and We will be happy to help.    Best Regards, Ahmed Allam"    

Since being notified that the ticket had been completed I haven't seen any emails from IP address range 50.3.175.*.  Unfortunately I started receiving spam from IP address range 50.3.152.2 - 50.3.152.10.   Hence I sent another email alerting them of these spam emails and I see that they have opened ticket # 82927. Stay tuned....

 

Link to comment
Share on other sites

2 hours ago, bretmaverick999 said:

Correction - On  http://eonix.net/ it lists that their brands are  http://infinitie.net/ and http://serverhub.com/ 

As for Layerhost it appears to be an unrelated company, but just as spammer friendly. 

Thanks for that corrected information. I guess Layerhost must have spammed me a lot and did nothing after a lot of spam reports for me to block them.

 

I do wonder why you are not getting any more spam from that IP range. It does make me think they did a list washing where they just make sure your email address (or server) is not getting spam anymore to stop your complaints. Meanwhile probably still continue to spam.

Link to comment
Share on other sites

Eonix, Layerhost and its related businesses have been the third biggest sources of spam on my hosted domains. #1 with a bullet is Google. #2 is AWS. Reporting to AWS is next to useless. I noted from another post that Google has stopped accepting SpamCop reports. I'll have to see if that's the case on my end.

Link to comment
Share on other sites

Yeah, since I have been blocking all of their IP ranges, it has been quiet here from Eonix and Layerhost. I guess I need to update my reject message as it is not very informative on why the message is being rejected.

 

It has been a few months since I got something from Google, but when I did a report, it was sent to abuse@gmail, or something like that. When was the last time you sent a report to Goolag?

For AWS, yeah, they never do anything about that, so you just have to block their entire IP range. Though on a note, it's been a couple of years since I moved my email server to a dedicated physical machine with a hosting provider for super cheap. I did not add AWS on this newer email server, and have gotten no spam from AWS at all.

 

Edited by KNERD
Link to comment
Share on other sites

  • 3 months later...

I'd love it if someone could show me a spamassassin rule that would block this Eonix traffic.

I'm getting a constant drip of these things over the past few weeks.  Spamcop reporting doesn't seem to slow them.

Dave.

Link to comment
Share on other sites
