Bogus Russian ISP's

[Geek]

Hi,

I've compiled a list of Russian "ISP's" that seems if spam is reported to them, will "autobotically" cause a flood of retaliation within a few minutes to an hour:

[at]tmb.ru

[at]mtu.ru

[at]rt.ru

[at]vt.ru

[at]komet.ru

[at]spbnit.ru

[at]dtd.ptn.ru

[at]ptn.ru

[at]telegraph.spb.ru

[at]migtel.ru

[at]permlink.ru

[at]atelperm.ru

New ones pop up daily.

I have found if I uncheck the boxes to them and only report to the host of the spamvertized site, no retaliation happens.

Maybe Spamcop can #devnull reports to these guys?

Cheers!

[Farelf]

I've compiled a list of Russian "ISP's" that seems if spam is reported to them, will "autobotically" cause a flood of retaliation within a few minutes to an hour: ... I have found if I uncheck the boxes to them and only report to the host of the spamvertized site, no retaliation happens.

This is unusual/interesting at several levels. You are reporting them 'unmunged' via SpamCop? And seeing rapid response from where - their domains or various/apparent botnet? You stop reporting and the deluge stops - can you link that to the specific domains, if so how? (except of course if the 'retaliatory' spam is coming from the domains in question in which case the answer is evident).

...Maybe Spamcop can #devnull reports to these guys?

Maybe, the Deputies will be better placed than any of us users to detect any patterns but the information sought may help them. I have checked the home pages of the domain addresses listed with LinkScanner and SiteAdvisor, none have an evident/known exploit, most of them have an "OK" from SiteAdvisor. I've looked at most of them in the SenderBase stats and can see no unusual activity. None of which means much, except to eliminate some lines of approach.

[Geek]

Hello,

This is unusual/interesting at several levels. You are reporting them 'unmunged' via SpamCop? And seeing rapid response from where - their domains or various/apparent botnet? You stop reporting and the deluge stops - can you link that to the specific domains, if so how? (except of course if the 'retaliatory' spam is coming from the domains in question in which case the answer is evident).

Yes, that is what happens. I parse the spam, it comes from one of the above. I send the report and anywhere from a few minutes to an hour later, I'll get one to five more from the same source.

Here's three more that do the same:

[at]surnet.ru

[at]online.kz

[at]rosprint.net

I have also noticed a "loop" pattern, in that the spam reported can also come from one of the above, then "travel down" a list and repeats (like stuff from vt.ru is reported, next one comes from rt.ru, third from mtu.ru, then the cycle repeats).

I have ran this experiment/test for about 5 days and it is extremely repeatable.

I have checked the home pages of the domain addresses listed with LinkScanner and SiteAdvisor, none have an evident/known exploit, most of them have an "OK" from SiteAdvisor. I've looked at most of them in the SenderBase stats and can see no unusual activity. None of which means much, except to eliminate some lines of approach.

They just showed up here. Maybe new? They don't seem to be running out of domains :-\

Cheers!

[Geek]

I've peen poking around WHOIS and perhaps the ISP's are legit and there's one heckuva Russian botnet-trojan that's been recently unleashed?

[Farelf]

I've peen poking around WHOIS and perhaps the ISP's are legit and there's one heckuva Russian botnet-trojan that's been recently unleashed?

Yes, I think they're legitimate and the behavior is not typical botnet (why would a botnet retaliate at all and why use the same address blocks from which to do it?). The unknowing hosts of zombied machines are hardly likely to attack the person who alerts them to the problem.

You haven't confirmed whether you are munging your reports (ie, if your address is "X" in the repprts you send). If not, you might try switching your user preference to this option and see what happens. In any event, please post a Tracking URL for a case which resulted in retaliation (you go back in your reporting history up to 90 days) and preferably one of the resulting/matching spams received in 'payback'.

[C2H5OH]

Yes, I think they're legitimate and the behavior is not typical botnet (why would a botnet retaliate at all and why use the same address blocks from which to do it?). The unknowing hosts of zombied machines are hardly likely to attack the person who alerts them to the problem.

You haven't confirmed whether you are munging your reports (ie, if your address is "X" in the repprts you send). If not, you might try switching your user preference to this option and see what happens. In any event, please post a Tracking URL for a case which resulted in retaliation (you go back in your reporting history up to 90 days) and preferably one of the resulting/matching spams received in 'payback'.

This is a very intriguing thread. I too have suffered floods of russian "undeliverable bounce" spam - from those same domains amongst others. My SpamCop reports are always sent munged (xxxx as domain) but that doesn't prevent sender address harvesting from encrypted email body of course. What had changed for me was that I'd started sending reports via Coldrain too. I thought that their "unsubscribe me" option might have been what triggered the reponses. I've since turned that option off in Coldrain's control panel. For the past week I have also set my ISP's email server to drop all DSN emails (to stop the flood to my inbox). I'll try re-enabling them to see whether the flood has now abated. (Except my ISP's email service is down - again - at the moment).

[Farelf]

This is a very intriguing thread. I too have suffered floods of russian "undeliverable bounce" spam - from those same domains amongst others. ...

Thanks C₂H₅OH - certainly seems a bit out of the ordinary and supporting observations are most welcome.

[Geek]

Ok, I'm having problems replying... posts end up out of order, then disappear

Here's the jist of what it was

Todays batch of "origins":

[at]telros.net

[at]ru.net

[at]ptc.spbu.ru

[at]iwan.ru

[at]mtu-intel.ru

[at]post.mos.ru

[at]mos.ru

[at]tel.ru

[at]ncc.primorye.ru

[at]prim.dsv.ru

[at]su29.ru

[at]iasnet.ru

[at]ccl.ru

Normally I get 5-10 spams/day. Since these Russian's showed up, I've been getting 40+, growing at about 5 per day. Still a far cry from the 4,000/wk I used to get before I started reporting...

I'm keeping track of case numbers, as suggested now.

Are their THAT many providers in Russia?

[Wazoo]

Ok, I'm having problems replying... posts end up out of order, then disappear

If you are talking about this Forum, I need a better explanation. No one has (yet) moved this Topic or any posts. If you do not provide a Tracking URL (or a few of them) sometime soon, this will be moved to the Lounge.

Here's the jist of what it was

Todays batch of "origins":

[at]telros.net

[at]ru.net

[at]ptc.spbu.ru

<snip>

I am actually still a bit lost on your story. "Origin" of spam is normally the IP Address of the server involved, but you seem to be listing partial e-mail addresses. Looking at some of the data from your initial posts, Domains were seen that (allegedly) dated back to 1997 (one that I recall looking up) A couple that I looked up had no 'abuse' address, and the identified addresses left me wondering a bit .. my preferences would have been to do a CC: to an upstream in a manual report. What no one here yet knows is just what addresses you are seeing (and unselecting you say) for whatever spam you're submitting for parsing. Again, waiting for some Tracking URLs to provide some actual data to talk about.

Normally I get 5-10 spams/day. Since these Russian's showed up, I've been getting 40+, growing at about 5 per day. Still a far cry from the 4,000/wk I used to get before I started reporting...

Not sure what that's actually supposed to mean, as referenced against your Topic starting post.

The newsgroup archive/list is being 'attacked' by crap that is written in "charset=ISO-2022-JP" .. using alleged .jp e-mail addresses, but the actual source IP Addresses are from all around the world. One Yahoo account sees a lot of .pl garbage. On and on ....

I'm still looking for something beyond the accusations made thus far, noting that several questions asked thus far haven't been answered either.

[Farelf]

Ok, I'm having problems replying... posts end up out of order, then disappear

I had something like that once (or twice) - turned out to be my firewall objecting to something in the topic/thread. Solution was to allow exception for the forum server (or turn that blocking firewall function off temporarily). Don't see anything "here" that would trigger such action but there will be a cause (even 'operator error', which is almost undiagnosable from this side). Stay with it because there's not enough to figure out what's happening on either front yet - ref

If you are talking about this Forum, I need a better explanation. No one has (yet) moved this Topic or any posts. If you do not provide a Tracking URL (or a few of them) sometime soon, this will be moved to the Lounge.

Which will be fair indication we see nothing that we think could be laid before the Deputies yet in terms of your original posting, if in fact there is something requiring their action, which is what you were requesting. We're just trying to help with that.

[Geek]

I had something like that once (or twice) - turned out to be my firewall objecting to something in the topic/thread.

Yes, I discovered it was on my end. I restarted my browser and all was OK

Stay with it because there's not enough to figure out what's happening on either front yet - refWhich will be fair indication we see nothing that we think could be laid before the Deputies yet in terms of your original posting, if in fact there is something requiring their action, which is what you were requesting. We're just trying to help with that.

OK, I'm logging the report ID's sent and keeping track of any other patterns that seem to appear, like reporting then getting more spam.

I'm not even sure yet of what's happening, just thought I'd throw it all out into the open to see if anyone else may have found something similar (which there seems to be one person).

I should have put (?) after the post topic. I admit I've phased things horribly

Hi Wazoo,

I am actually still a bit lost on your story. "Origin" of spam is normally the IP Address of the server involved, but you seem to be listing partial e-mail addresses.

These are the domains to where the reports would be sent to.

I'm still looking for something beyond the accusations made thus far, noting that several questions asked thus far haven't been answered either.

Sorry about that, as I explained to Farelf above, I've worded things badly. Will do better.

The newsgroup archive/list is being 'attacked' by crap that is written in "charset=ISO-2022-JP" .. using alleged .jp e-mail addresses, but the actual source IP Addresses are from all around the world. One Yahoo account sees a lot of .pl garbage. On and on ....

There's tons of those on the alt.binaries groups right now

Using the killfile is useless since the "originator" alsways seems random >.<

Cheers guys!

[Geek]

Just to update...

They've been fairly quiet other than a couple of repeat offenders the last couple days and it looks like the Trustee's are on the job, as some have been tossed into /dev/null.

This is good, since the file I was using with all my notes got corrupted

If no one has objections, maybe this can be tagged "Resolved" ?

Cheers!

[axxx007]

I have received a lot of spam in the last few months from these Russion ISP's to my hotmail account. A lot of this spam has been a spam where the spammer has inserted my email address in the headers to make it appear that I have sent spam out to myself.

There is a thread in the lounge on this a few pages back that covers this problem a bit, titled :" My email address in senders properties " ....maybe that will give you some information as well.

Most of the spam I am getting going through these Russian ISP's now is pharmacy spam.

[C2H5OH]

SNIP

For the past week I have also set my ISP's email server to drop all DSN emails (to stop the flood to my inbox). I'll try re-enabling them to see whether the flood has now abated. (Except my ISP's email service is down - again - at the moment).

Re-enabled DSNs midday Saturday. Just one or two undeliverable notifications on Sunday, then overnight Sunday-Monday received 198 misdirected bounces, most from Russia or its satellites. I am still opted out of the unsubscribe option with Coldrain.

For comparison/interest, here are the 105 unique source domains from those 198 bounces...

54.ru

aaanet.ru

adamant.net

agava.com

agava.net

alkar.net

astel.net

atnet.ru

avtlg.ru

bashnet.ru

caravan.ru

chereda.net

ci.ukrpack.net

colocall.net

comstar.net.ua

comtat.ru

corbina.net

ctcs.ru

dinet.ru

donbass.net

elcom.ru

elpskov.ru

eltel.net

farlep.net

fmcg.ru

freenet.com.ua

globus-telecom.com

harvestr.ru

hc.ru

inc.ru

incoma.ru

infobox.ru

infos.ru

infosport.ru

irlink.ru

irs.ru

itn.ru

kgts.ru

kharkiv.net

kis.ru

kraslan.ru

ktk.ru

lep.lg.ua

liga.net

lsv.kiev.ua

lyceum.usu.ru

makdak.ru

manpower.ru

mark-itt.net

masterhost.ru

mastertel.ru

metrocom.ru

mfist.usi.ru

miee.ru

msu.ru

mtu.ru

nbi.com.ua

netup.ru

nornik.ru

parkline.ru

pbank.dp.ua

pcn.net.ua

peterstar.net

playfon.ru

ptt.spb.ru

radio-msu.net

ras.ru

rbc.ru

redcom.net

rgs.ru

rls.ru

rosnet.ru

rosprint.net

rtcomm.ru

run.net

rusonyx.ru

s42.dcn-asu.ru

samara.net

samtelecom.ru

scat-7.ru

sci.lebedev.ru

snc.ru

solaris.ru

sovam.com

sovintel.ru

spb.edu

ssft.net

stacktelecom.ru

sunet.ru

svwh.net

techno.spb.ru

televic-cs.ru

tsinet.ru

tula.net

uar.net

ukr-com.net

unets.ru

unibel.by

united.net.ua

utk.ru

vado.ru

volia.net

vtt.net

westcall.netadmnsk.ru

wsnet.ru

If only they were all REAL providers and had read;

http://members.spamcop.net/fom-serve/cache/329.html

sigh..

[Farelf]

I have received a lot of spam in the last few months from these Russion ISP's to my hotmail account. A lot of this spam has been a spam where the spammer has inserted my email address in the headers to make it appear that I have sent spam out to myself. ...

Yes, well that's a bit of a catch 22 if you want to send munged reports - "From:" addresses don't get munged (last I knew), even if it is your address. That certainly would be a "neat" way to tag reports if these people were playing those games.

Re-enabled DSNs midday Saturday. Just one or two undeliverable notifications on Sunday, then overnight Sunday-Monday received 198 misdirected bounces, most from Russia or its satellites. I am still opted out of the unsubscribe option with Coldrain. ...If only they were all REAL providers and had read; [edit - switched from members to www for those not logged in]

http://www.spamcop.net/fom-serve/cache/329.html ...

I checked a few of those 105 at random. They may be clueless but they look real enough to me. I'm inclining now to view it all as chronic cluelessness in fact - it seems to explain all that has been said in this topic to date. Maybe that FAQ should get translated into Russian - in the meantime, misdirected bounces are reportable and the more that are reported, the more likely the offending ISPs are to 'get a clue'.

[Merlyn]

If you have your own server block the following IP's

http://www.blackholes.us/zones/country/russia.txt

[Geek]

If you have your own server block the following IP's

http://www.blackholes.us/zones/country/russia.txt

Thanks!

I don't run my own server, but I do know someone who does and is being overrun. Hopefully he'll find the link useful

[Geek]

CRIPES!!!!

I spoke too soon

I sent spam report 2506194430 to "iva[at]mgsn-invest.ru" (now if that isn't a fishy address, I don't know what is) and I got a days allotment of spam in about 20 minutes

Is it possible the jibberish at the bottom contains a code representing my addy (like some Chinese spam URL strings do), because how on earth did the "retalliation" happen?

[Wazoo]

I sent spam report 2506194430 to "iva[at]mgsn-invest.ru" (now if that isn't a fishy address, I don't know what is) and I got a days allotment of spam in about 20 minutes

SpamCop FAQ "here" links at the very top of the page

Jump/scroll down to the section;

Parsing Problems / Issues

How Do I Show Full / Technical Details in a Parse?

"Header incomplete, aborting." and "No source IP address found, cannot proceed."

Causes of "Would send" and "If reported today, reports would be sent to:" messages

SpamCop said "No reports filed." What does it mean?

Steps taken by the parser, general overview

The Link Analysis Process

SpamCop reporting of spamvertized sites - some philosophy

Getting a Tracking URL from a Report ID

^^^^^^^^^^^^^^^^^^^^^^^^^^

Follow this link ....

[Pinebear]

I'm going to add to this discussion. For the past several months, I have been receiving tons of spam in cyrillic.

I use Mailwasher and have been reporting those not already on the SpamCop RBL to both SpamCop and Knujon. The daily quantity seemed to be ever rising.

I then came across this thread a couple weeks ago and decided to stop reporting the SPAMs in cyrillic to SpamCop. Almost immediately, the volume dramatically decreased. In fact, around the middle of last week I was ready to report my experience as part of this thread. But then, about two days ago, I was again bombed with dozens of SPAMs in cyrillic.

I now suspect that some of the ones that are in English, are also being reported to the various *.ru contacts, mainly mtu/spbnit/ptn.ru, which has resulted in this ongoing plethora of spam with virtually 100% have something do do with penile enhancement.

No real proof, just my observation of what I am seeing.