KNERD

Eonix.net helping spammers?

Posted (edited)

For many months now, I had been getting ten or more spams from their network. I would report each and every one of them, and would see the reports would go to poc@eonix.net or abuse@eonix.net. After about four months, with the spams still coming day after day despite reporting, I decided to just go ahead and block the IP range the spams were coming from. That sure did stop eonix.net from sending any more; so I thought.

A week later more spams would start arriving from eonix.net. Looking, I see they are coming from a new block of IP addresses at a different location.

This has been repeating for a while now.

Another reason I am asking if eonix.net is helping spammers is because these spams were not coming from the same IP address, but the next IP address in numerical sequence. Ten or more spams, all coming from the next number up in an IP address? I mean come on now, they have to be helping, right?

Anyone know of their reputation?

 

 

Here is another thing. For a while I decided to add the Sorbs Blacklist. The reason is because after each report for spam from eonix.net, I would see the IP address is on Sorbs. I have noticed it is easy to get listed on there and stay listed. So I add their blacklist, and guess what? The spam from eonix.net listed on Sorbs is still getting to my email server, but legit mail such as from PayPal is getting blocked by Sorbs! They in cahoots also?

Edited by KNERD
spell

On 5/12/2020 at 8:04 AM, KNERD said:

A week later more spams would start arriving from eonix.net. Looking, I see they are coming from a new block of IP addresses at a different location.

Some ISPs do this and then return the old block, and poor folks might get a spammy block when they request a new range. Years ago, I started blocking at the firewall level. Then I started blocking using an SMTP blocking list. Now I just use spamassassin and it makes the decision to block or not at the SMTP edge.

On 5/12/2020 at 8:04 AM, KNERD said:

The spam from eonix.net listed on Sorbs is still getting to my email server, but legit mail such as from PayPal is getting blocked by Sorbs!

The reason I use spamassassin now is that clean emails can be on the block list and still be accepted, while for spammy emails on the block lists it can tell the SMTP mailer to reject them. Spamassassin also lets me do some custom parsing rules which can single out ISPs such as eonix (either via headers, message body, or just connecting host).

Posted (edited)

I guess I will need to look at spam Assassin. Since I posted this, I have had to block three more Eonix data centers/IP block ranges (even had something come in from SpamChimp). They are clearly spam friendly. Maybe time for a campaign to ARIN to have their IP addresses revoked? Do they even do that?

With the mass amount of reporting of Eonix I did through Spamcop, it seems it just does not have the clout it had in the past.

 

Thanks for the input.

Edited by KNERD

On 6/19/2020 at 10:03 AM, KNERD said:

I guess I will need to look at spam Assassin.

Either that or maybe see if your mail server supports special filtering rules.  Before I went to spamassassin, I was doing weird helo accept/deny rules as well as maintaining my own blocklist.

 

On 6/19/2020 at 10:03 AM, KNERD said:

Maybe time for a campaign to ARIN to have their IP addresses revoked? Do they even do that?

They can revoke the IP address for policy violations, but that doesn't always stop the spammer. The ISP's ISP should be checking that their customers are using valid ranges. I had one in Europe that had assumed two class C networks without being assigned them. It took a few months for them to stop using them.


I have been using the Thunderbird email client. I have since discovered it is using Spamassassin. It never did stop any of those coming from Eonix.net. Though I do see it is stopping some spam, as noted with the spam in the Junk folder. None of which has ever been from Eonix.net IP blocks.

On the other hand, I seem to have blocked all of Eonix.net, as I have not gotten a single spam from them since my last posting.

 


As Eonix appears to welcome spammers, I'm a bit reluctant to report the offending spam to Spamcop.
Each piece of spam contains too many unique patterns, that render obfuscating useless and I risk being spammed more and more, or retaliated.

Spamcop and Spamhaus both fail regularly to block all those spams.

I end up blocking their CIDR one by one as they are offending.

I just want to automate it now...

10 hours ago, fritz2cat said:

As Eonix appears to welcome spammers, I'm a bit reluctant to report the offending spam to Spamcop.
Each piece of spam contains too many unique patterns, that render obfuscating useless and I risk being spammed more and more, or retaliated.

Spamcop and Spamhaus both fail regularly to block all those spams.

I end up blocking their CIDR one by one as they are offending.

I just want to automate it now...

As always a SpamCop tracking URL would help?

5 hours ago, petzl said:

As always a SpamCop tracking URL would help?

Hi Petzl, as I said above, I am reluctant to post identifiable data when the hosting company may be suspected to be a member of the spam gang.

Here is one report: 7079043030

Kind regards

16 hours ago, fritz2cat said:

I end up blocking their CIDR one by one as they are offending.

I just want to automate it now...

I automated this using a cron script and a firewall. The problem I saw is the script happened to catch some legitimate emails and blocked those hosts until it was too late for me to get them back. (There is a grey area of false positives and false negatives where something will be missed and legitimate stuff will be caught. This is why I prefer filtering the emails rather than straight blocking.)

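An added sketch of the automation discussed above, not code from any poster in this thread: it proposes a /24 for blocking only after several distinct addresses in it have sent spam (the sequential-address pattern described earlier) and refuses to touch any range on an allowlist, which is the false-positive problem just mentioned. The log tuples, the allowlist and the threshold are constructed assumptions, and the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, verdict) pairs as a mail filter might log them.
SAMPLE_HITS = [
    ("198.51.100.10", "spam"), ("198.51.100.11", "spam"),
    ("198.51.100.12", "spam"), ("198.51.100.13", "spam"),
    ("198.51.101.7", "spam"), ("198.51.101.8", "spam"),
    ("198.51.101.9", "spam"),
    ("203.0.113.5", "spam"),            # single hit: stays below the threshold
    ("192.0.2.20", "spam"), ("192.0.2.21", "spam"), ("192.0.2.22", "spam"),
    ("192.0.2.23", "ham"),
]
# Hypothetical allowlist: ranges that must never be firewalled, even if
# individual messages from them were scored as spam.
ALLOWLIST = ["192.0.2.0/24"]


def build_blocklist(hits, allowlist, min_hosts=3, prefix=24):
    """Return (networks_to_block, networks_skipped_because_allowlisted)."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    seen = defaultdict(set)
    for ip, verdict in hits:
        if verdict != "spam":
            continue
        # Bucket each spam source into its enclosing /prefix network.
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        seen[net].add(ip)

    block, skipped = [], []
    for net, hosts in seen.items():
        if len(hosts) < min_hosts:
            continue                    # not enough evidence to block a range
        if any(net.overlaps(a) for a in allowed):
            skipped.append(net)         # leave for content filtering instead
            continue
        block.append(net)
    # Merge adjacent networks so the firewall gets the shortest rule list.
    return list(ipaddress.collapse_addresses(block)), skipped


if __name__ == "__main__":
    blocks, skipped = build_blocklist(SAMPLE_HITS, ALLOWLIST)
    for net in blocks:
        print("block", net)
    for net in skipped:
        print("allowlisted, not blocked:", net)
```

Writing the result to a file for review before loading it into the firewall keeps a record of what was blocked and when, so a wrongly blocked host can be found and removed.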
15 hours ago, fritz2cat said:

Here is one report: 7079043030

Only staff might be able to access that link. I are just a SpamCop member.

5 hours ago, petzl said:

Only staff might be able to access that link. I are just a SpamCop member.

fritz2cat, the link you gave seems to be only accessible by you or SpamCop deputies. However, you can find an accessible link with munged information if you click on that link and then click on "Parse". That page should have your Tracking URL near the top. (As a side note, if you view that while logged out, you should see the munged information on it.)

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net

9 hours ago, petzl said:

Only staff might be able to access that link. I are just a SpamCop member.

 

3 hours ago, gnarlymarley said:

fritz2cat, the link you gave seems to be only accessible by you or SpamCop deputies. However, you can find an accessible link with munged information if you click on that link and then click on "Parse". That page should have your Tracking URL near the top. (As a side note, if you view that while logged out, you should see the munged information on it.)

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net

Hello, I discover that my e-mail address is intact in the very first "Received" line from the bottom (I missed it when I munged some information by hand) in the following line:

Received: by mail.wefightgiants.com id h7vek40001g6 for <x>; Fri, 21 Aug 2020 10:29:25 -0400 (envelope-from <barbara_howard-me=mydomain.com@wefightgiants.com>)

So I will not disclose the link to a public area. Maybe next time. Currently I block them at the perimeter with a CIDR blocklist so I have no material to report.

Thank you for your help.

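The leak described in the post above, where the recipient address survives inside the sender's envelope-from with "=" in place of "@", can be checked for before a report is shared. The following is an added example, not code from the thread or from SpamCop; the header text and the address alice@example.org are constructed, and the URL-encoded form is an extra case beyond the one shown in the post.

```python
# Constructed sample headers, modelled on the Received line quoted above.
SAMPLE_HEADERS = """\
Received: from mx.example.org by mail.example.org; Fri, 21 Aug 2020 10:29:30 -0400
Received: by mail.bulk.example.net id abc123 for <x>;
 Fri, 21 Aug 2020 10:29:25 -0400
 (envelope-from <news-alice=example.org@bulk.example.net>)
List-Unsubscribe: <https://bulk.example.net/u?e=alice%40example.org>
To: <x>
Subject: constructed sample
"""


def find_address_leaks(raw_headers, address):
    """Return (line_number, header_name, form) for every place where
    `address` is still recoverable from hand-munged headers."""
    local, domain = address.lower().split("@", 1)
    forms = {
        "plain": f"{local}@{domain}",
        # Recipient embedded in the sender's bounce address: local=domain@...
        "verp": f"{local}={domain}@",
        # '@' percent-encoded, as commonly seen in unsubscribe links.
        "url-encoded": f"{local}%40{domain}",
    }
    leaks, header = [], None
    for lineno, line in enumerate(raw_headers.splitlines(), 1):
        # A line starting with whitespace continues the previous header.
        if line[:1] not in (" ", "\t") and ":" in line:
            header = line.split(":", 1)[0]
        lowered = line.lower()
        for form, needle in forms.items():
            if needle in lowered:
                leaks.append((lineno, header, form))
    return leaks


if __name__ == "__main__":
    for lineno, header, form in find_address_leaks(SAMPLE_HEADERS, "alice@example.org"):
        print(f"line {lineno}: {header} still contains the address ({form} form)")
```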
