marc1 Posted April 27, 2010

It seems that no one is getting these spam reports. Consequently, I keep getting spam from this IP. Any help/suggestions?

Cached whois for 67.14.182.70 : admin[at]hostmetro.net
Using abuse net on admin[at]hostmetro.net
No abuse net record for hostmetro.net
Using default postmaster contacts postmaster[at]hostmetro.net
postmaster[at]hostmetro.net bounces (6 sent : 6 bounces)
SpamCop 98 Posted April 27, 2010

Well now, that's one wonky little /19. The IP is pingable and reverses to pw70.people-who.com, but people-who.com is unreachable and the details of all the players are, of course, using privacy services for whois. The best advice is to keep reporting them until someone notices!

UPDATE: I believe you should send a manual complaint to the abuse address shown here, attaching spam from hostmetro.net and perhaps adding hostmetro.net in the subject line. KCNAP seems to be who they get their connection from, although the BGP routes aren't advertised TTBOMK.
SpamCopAdmin Posted April 27, 2010

I remapped "Postmaster" to go to admin[at]hostmetro.net, which appears to be accepting mail.

- Don D'Minion - SpamCop Admin -
marc1 Posted May 1, 2010

Thanks for the update on the contact info. I have been using SpamCop for many years. Once I report abuse to the correct contact, spam typically stops from that source. In this case, I keep getting spam from hostmetro. In fact, it has increased in the past few days. Is it possible these reports are ending up in the wrong hands? Maybe even in the hands of the spammers?
Wazoo Posted May 2, 2010

> In this case, I keep getting spam from hostmetro. In fact, it has increased in the past few days. Is it possible these reports are ending up in the wrong hands? Maybe even in the hands of the spammers?

Looking at the tool provided at http://www.senderbase.org/senderbase_queries/main ... the Domain in question doesn't show much. However, as you are the one receiving the spam, you have the IP Addresses involved. Try looking a few of them up and see what things look like.
marc1 Posted May 6, 2010

> Looking at the tool provided at http://www.senderbase.org/senderbase_queries/main ... the Domain in question doesn't show much. However, as you are the one receiving the spam, you have the IP Addresses involved. Try looking a few of them up and see what things look like.

It is interesting. They are pretty clean. 67.14.175.191 is another one that was used recently.
Farelf Posted May 6, 2010

67.14.175.17 is another.

Well, that is interesting - looks like all of 67.14.175.0/24 has the same rDNS (which is not kosher), SenderBase shows most addresses 'seen' have a similar up and down sending pattern ± ~400% which would make the whole thing a snowshoe operation or something indistinguishable from one. Terribly hard to nail in that case.

AFAIK only spamhaus specifically looks out for these - see http://forum.spamcop.net/forums/index.php?showtopic=10622 - and evidently it takes a while before that facility on sbl.spamhaus.org lookups will trigger (and they have to 'see' submissions first). Not sure why the 'policy' blocks (including SORBS, notoriously) haven't picked up on sending from 'dynamic' address space but I guess they will, eventually (that's their purpose). SpamCop is never going to amass enough hits unless a spamtrap gets onto the distribution lists (which are possibly more tightly controlled than most).

They send spam yet don't register on a single one of the 224 RBLs checked by http://multirbl.valli.org/dnsbl-lookup/ - I guess the only thing giving them away is their impossible 'cleanliness'. I have yet to see a regular address that is as untainted as any and all of those in the 67.14.175.0/24 seem to be.

I guess the only thing from which comfort could be taken is that it must be costing an arm and a leg to run that operation, logically there is no way spam could pay for it and accordingly they should be quite alert to spam in their network. Or maybe the wages of sin are higher than we thought.
marc1 Posted May 6, 2010

Thanks for the reply. This is all new to me, so not sure I understand what can be done. It goes beyond 67.14.175.*; 67.14.174.7 and 67.14.182.70 are sending spam. 173.244.45.239 is also from the same source. Can I report this one level higher? Who is providing them access? It is unclear to me who is the bad guy here... Hostmetro?
Farelf Posted May 6, 2010

> ...Can I report this one level higher? Who is providing them access? It is unclear to me who is the bad guy here... Hostmetro?

Upstreams are a bit of a mystery to me too but SpamCop 98 seems to have a handle on it and made a suggestion in the post linked which takes all of those 67.14.160.0/19 addresses (67.14.160.0 - 67.14.191.255) into account.
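
Added example, not part of the original thread: a small Python check that sorts the source addresses quoted above into those covered by the 67.14.160.0/19 complaint and those needing their own lookup, and flags any /24 where several addresses share one rDNS name, the pattern Farelf describes. The PTR names are constructed placeholders, except pw70.people-who.com, which SpamCop 98 reported for 67.14.182.70.

```python
import ipaddress
from collections import defaultdict

# Range named in the thread (67.14.160.0 - 67.14.191.255).
REPORTED_BLOCK = ipaddress.ip_network("67.14.160.0/19")

# Source IPs quoted in the thread. PTR names are constructed placeholders,
# except pw70.people-who.com, which SpamCop 98 reported for 67.14.182.70.
OBSERVATIONS = [
    ("67.14.175.191", "shared.example.net"),
    ("67.14.175.17", "shared.example.net"),
    ("67.14.174.7", "host7.example.net"),
    ("67.14.182.70", "pw70.people-who.com"),
    ("173.244.45.239", "other.example.org"),
]

def split_by_block(observations, block=REPORTED_BLOCK):
    """Separate sources covered by the reported block from the rest."""
    inside, outside = [], []
    for ip, _ptr in observations:
        (inside if ipaddress.ip_address(ip) in block else outside).append(ip)
    return inside, outside

def shared_ptr_subnets(observations, min_hosts=2):
    """Return /24s where min_hosts or more distinct IPs share one PTR name."""
    by_subnet = defaultdict(lambda: defaultdict(set))
    for ip, ptr in observations:
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        # Normalise case and the trailing root dot before comparing names.
        by_subnet[subnet][ptr.lower().rstrip(".")].add(ip)
    flagged = {}
    for subnet, ptrs in by_subnet.items():
        for ptr, ips in ptrs.items():
            if len(ips) >= min_hosts:
                flagged[str(subnet)] = (ptr, sorted(ips, key=ipaddress.ip_address))
    return flagged

if __name__ == "__main__":
    inside, outside = split_by_block(OBSERVATIONS)
    print("covered by", REPORTED_BLOCK, ":", inside)
    print("needs a separate whois/upstream lookup:", outside)
    print("shared-PTR /24s:", shared_ptr_subnets(OBSERVATIONS))
```
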
marc1 Posted May 6, 2010

> Upstreams are a bit of a mystery to me too but SpamCop 98 seems to have a handle on it and made a suggestion in the post linked which takes all of those 67.14.160.0/19 addresses (67.14.160.0 - 67.14.191.255) into account.

Yes, indeed I missed SpamCop 98's suggestion. I have notified the upstream provider. Although it is unclear how SpamCop 98 got KCNAP as the upstream provider. I would like to notify the upstream of 173.244.45.239 as well. How can I do that?
This topic is now archived and is closed to further replies.