Jump to content

Cannot resolve link & unstoppable spam


Sven Golly
 Share

Recommended Posts

Here are two example tracking URLs:

spam from windmillshosting.com 1

spam from windmillshosting.com 2

This spam source is proving particularly troublesome -- I'm getting probably 10-20/day from this one source. Based on how I read the source IP, 69.1.230.69, the block belongs to arbinet.net and upstream from there, Level3. (Someone please check me.) Arbinet.net has not responded to any direct messages and now their abuse[at]arbinet.net has started "auto-blocking" my attached forwards of windmillshosting.com spam

The spammer uses a whole series of odd domains like squareresist.com, honeydescend.com, etc. for these links. However, they never get parsed out by Spamcop. It looks like there's a weird character in the link that may be causing the parser to choke??

Any advice on how to deal with this spammer is greatly appreciated too. Thanks. And if I've done something stupid in my posting of this here, feel free to jump all over me. :)

Link to comment
Share on other sites

Any advice on how to deal with this spammer is greatly appreciated too. Thanks. And if I've done something stupid in my posting of this here, feel free to jump all over me. :)

You can try support[at]windmillhosting.com (from their website) and ask they get a working abuse address?

SenderBase suggest/indicate they may have a compromised computer

Link to comment
Share on other sites

Yes, ARIN whois says Abuse Email: abuse[at]arbinet.net and SC reports to windmillshosting.com (apparently on over-ride) which appears to be the spammer. SenderBase seems to think the address block belongs to Quickenet - http://www.senderbase.org/senderbase_queri...ing=69.1.230.69

The latter of your trackers showed an unfinished report when I looked. You need to either report or cancel.

The parser really gets a workout on those things, they take forever to come up. There seems to be a hex 10 in some of those links. I can't see that in the text but the parser finds/generates it (or some scripting/coding does) so yes, that could be a problem for the parser. Anyway the websites resolve to windmillshosting.com as well (for hosting)

Link to comment
Share on other sites

This spam source is proving particularly troublesome -- I'm getting probably 10-20/day from this one source. Based on how I read the source IP, 69.1.230.69, the block belongs to arbinet.net and upstream from there, Level3. (Someone please check me.)

Yes, and 69.1.230.71 per your links. Their provider is Arbinet.net.

Arbinet.net has not responded to any direct messages and now their abuse[at]arbinet.net has started "auto-blocking" my attached forwards of windmillshosting.com spam

The known IP#s to send mail within 69.1.230.0/24 overwhelmingly have a SenderBase reputation score of "Poor."

I think it's pretty clear that windmillshosting.com is associated with spammers and you'll never get satisfaction by sending them an abuse report. Their domain is currently protected by a privacy service in the Grand Cayman Islands, and I couldn't find a single listing/review of them as an ISP/hoster. This page at ASPEWS listed previous blocks used by them, as well as an address, at the bottom of the page.

The spammer uses a whole series of odd domains like squareresist.com, honeydescend.com, etc. for these links. However, they never get parsed out by Spamcop. It looks like there's a weird character in the link that may be causing the parser to choke?

Usually a spamvertized link is not hosted with the same party, but in this case they are: squareresist.com = 67.218.215.17 and honeydescend.com = 69.1.230.118. The parser is choking because the DNS is so poor (and spammers like it that way, because then sc can't look them up). It is easy to find the owners of those domains though, just google |whois domain.tld| for the link to domaintools.com.

Any advice on how to deal with this spammer is greatly appreciated too. Thanks.

Keep reporting, this kind of SenderBase rep is the first step toward blocking.

Link to comment
Share on other sites

OK thanks all. What I think I'll do is put abuse[at]arbinet.net and abuse[at]level3.net into the public reporting options and deselect the postmaster[at]windmillshosting.com for the reporting. Then when these spams get reported, I'll just send them to arbinet / level3 since tilting at windmills is no doubt hopeless. (Unless someone thinks there's a good reason to continue reporting to them.)

Link to comment
Share on other sites

... What I think I'll do is put abuse[at]arbinet.net and abuse[at]level3.net into the public reporting options and deselect the postmaster[at]windmillshosting.com for the reporting. Then when these spams get reported, I'll just send them to arbinet / level3 since tilting at windmills is no doubt hopeless. ...
OK try that but, if you would, please confirm the reporting system actually lets you deselect the 'prime' reporting address. I just have a vague feeling it doesn't (or didn't, once upon a time). If it insists that windmillshosting.com be included you might try contacting SC Admin (Don) at service[at]admin.spamcop.net and ask him to consider reverting to the arbinet.net address indicated by ARIN. Can't have that fine windmills pun go to waste. :D

Anyway, it would be good to know whether or not you can deselect windmillshosting.

Link to comment
Share on other sites

Anyway, it would be good to know whether or not you can deselect windmillshosting.
Yes I can deselect windmillshosting. Perhaps as long as at least one reporting method is selected?? Anyway I also opened a KnujOn account and will be including them in the cc: list.

You can try support[at]windmillhosting.com (from their website) and ask they get a working abuse address?

SenderBase suggest/indicate they may have a compromised computer

It is pretty clear from the line of business that "windmillshosting.com" is in that they are the spammers. No compromised computer. Their weird domain names like "birthrecline.com" resolve to UpperClassAdvertising.com and there is no actual physical contact information for the "company" at all. In fact their Privacy policy doesn't list a physical address either.
Link to comment
Share on other sites

SpamCop admins have changed the abuse address for windmillshosting.com to arbinet.net which is the upstream. No effect on spam so far and I'm continuing with reports to Level3 (arbinet's upstream) and to KnujOn. Arbinet "seems" like a legit company but if this is their response, they're nothing but scum.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...