spam originating from volumedrive.com


I am wondering about what happens with all the reports I send in that reference "volumedrive.com" as the abuse reporting address. For some reason, the IPs reported (they jump around but all are in volumedrive.com's netblocks) don't make it onto SpamCop's own BL but they do show up occasionally on Barracuda and Spamhaus.

The spam is clearly originating from one spammer (they have a consistent "style" to their emails). We get about 2 - 4 a day and who knows how many may get dumped via SpamAssassin at the server level. Yet this spammer is allowed to continue to operate by what appears to be a spam-friendly host.

Here's a recent example:

http://www.spamcop.net/sc?id=z5498280528zf...33c670f9b97310z


199.19.110.232 hasn't met our listing criteria. Maybe soon.

I guess this particular host has been successful at keeping their spammer protected. It's the same spammer over and over. Just sending from different IPs within the volumedrive.com space.


199.19.110.232 listed right now (but not far off ageing off again) so we can just now see from http://spamcop.net/w3m?action=checkblock&ip=199.19.110.232

"Other hosts in this "neighborhood" with spam reports

199.19.110.20 199.19.110.170 199.19.110.171 199.19.110.175 199.19.110.183 199.19.110.185 199.19.110.186 199.19.110.187 199.19.110.190 199.19.110.191 199.19.110.207 199.19.110.211 199.19.110.213 199.19.110.214 199.19.110.215 199.19.110.216 199.19.110.217 199.19.110.218 199.19.110.219 199.19.110.220 199.19.110.221 199.19.110.222 199.19.110.223 199.19.110.224 199.19.110.225 199.19.110.226 199.19.110.227 199.19.110.228 199.19.110.229 199.19.110.230 199.19.110.231 199.19.110.234 199.19.110.235 199.19.110.236 199.19.111.230"

I don't know that VolumeDrive (199.19.104.0 - 199.19.111.255 by ARIN) are necessarily complicit in the spam out of their network. Stupidity is very often the best explanation (Occam's razor). Or perhaps, to be charitable, the "language barrier" (administered from Turkey which seems passingly apposite).

Many of those above are in the CBL ("compromised" servers) - but not 199.19.110.232 yet - as can be seen when you look up 199.19.110.232 on http://www.senderbase.org/ and VolumeDrive's observed functional network IP addresses are also shown, 50 to a page. Then you can access comments for those shown by SenderBase as CBL listed, like

IP Address 199.19.110.220 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2013-05-01 13:00 GMT (+/- 30 minutes), approximately 10 hours, 30 minutes ago.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

Seems spammers "simply" have control of their network - doesn't seem like a good business model to operate in such a way deliberately.

Then you can access comments for those shown by SenderBase as CBL listed, like ...

Seems spammers "simply" have control of their network - doesn't seem like a good business model to operate in such a way deliberately.

Thanks Farelf! That's really helpful info.


Have to point out that previous posts in this very topic indicate that the assertion "Reporting volumedrive spam has no effect." is factually incorrect - you mean, I think, that it doesn't have the effect you want it to have, which you might like to discuss further to clarify.

As a starting point - a realistic aim for spam control is to keep it out of your Inbox. If it is already being classified as Junk/spam and diverted to the appropriate folder, that should be enough? If it is not doing that, additional handling will depend on your mail client and the filters/filtering methods available. What client are you thinking of and what are you wanting to achieve? You will need to deploy MailWasher or something like that to take advantage of the SCbl (bl.spamcop.net) on (for instance) a "residential" POP mail account though it will take more than the SCbl to keep that stuff out, especially if people stop reporting (but other lists can/might be added to catch more of it).

Apart from that, taking my main client (SeaMonkey) as an example, that allows the creation of new filters and one (or more) of those can be run either before or after "Junk Classification" and can (apparently) include the Received header and strings within that. I suppose the filter could be set to the condition "Includes" and to look for an IP address or part of one or anything else that might uniquely identify volumedrive servers and it would probably take many such filters for many partial IP addresses (for instance) to reliably include some of the (present) volumedrive range to either delete or divert to the Junk folder.

I think you can see that the innocent question leads to lots of potential rabbit holes - some further specification/refinement might be fruitful. Frankly I wouldn't bother, just keep reporting even if it doesn't have any immediate effect (most would say SC reporting is largely "altruistic" due to the nature of the SCbl), but your needs are somewhat different of course.


Let me reword: "Reporting volumedrive spam has no effect that I can notice."

Let me restate what I wrote: the spam from volumedrive is making it to my thunderbird client and I am already using spam filters. Using spamcop's SCbl is ineffective because these IP addresses are not on spamcop's block list. spamcop blocks one of volumedrive's IP addresses and then the spammer just moves to another IP address spamcop is not blocking.

And as I stated, I can not just ignore volumedrive spam because I am being overloaded. I need some method of filtering out all traffic from volumedrive that does not involve using spamcop's block list, because spamcop's block list is ineffective.

A reason why spamcop is ineffective is that if a spammer can find a spam-friendly host, like volumedrive, he can keep sending spam for multiple years by just changing IP addresses under the control of that host. (At least one IP address under the control of volumedrive has been on a block list for years.)


Try filtering on Received lines and IP addresses within them. If that can be done in SeaMonkey it should also be possible in ThunderBird (but I don't know). Add Received, use Includes and specify the value 199.19. for instance with diversion to Junk folder. That is a greater IP address range than is allocated for volumedrive (199.19.104.0 - 199.19.111.255 by ARIN, as said) so you will need to watch for false positives. Once/if you are confident you could change to delete instead of divert. Otherwise substitute more filters for 199.19.104. , 199.19.105. through to 199.19.111. - and volumedrive may have additional ranges.

Or have a look at http://www.mailwasher.net/ - MailWasher Free. There will be members here who are users and may be able to advise specifically on filtering for that application and there is the MW forum (http://forum.firetrust.com/viewforum.php?f=50) with lots of tips to be found in topics already addressed.

I believe you can include DNSbl lookups within the MW filters (but are you already filtering by bl.spamcop.net somehow?) - anyway, look at a multi RBL checking site like http://multirbl.valli.org/dnsbl-lookup/ for volumedrive IP addresses to see if you can come up with a suitable suite of DNSbl/RBLs which might catch those in MailWasher. You can even continue to SC report through the MW system "for the greater good" (hey, this is a SC forum, you didn't expect to get away that easily, did you? :P )

But don't use the notorious MW "bounce" feature, not on e-mail addresses anyway. That will just make you a (kind of) spammer.

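The Received-header test suggested in the two replies above, done with the exact ARIN range (199.19.104.0 - 199.19.111.255, which is the single CIDR block 199.19.104.0/21) rather than the "199.19." string prefix, as an added example that is not code from this thread or from any mail client. The sample message, hop host names and function names are constructed; the DNSBL helper only builds the bl.spamcop.net query name and performs no lookup.

```python
# Added example (not from the forum thread). Classify a message by the IPv4
# addresses in its Received headers. Matching on the CIDR block instead of the
# "199.19." prefix avoids the false positives the post warns about.
import email
import ipaddress
import re

# ARIN range quoted in the thread: 199.19.104.0 - 199.19.111.255 == /21
VOLUMEDRIVE_NET = ipaddress.ip_network("199.19.104.0/21")
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_ips(raw_message: str):
    """Return the IPv4 addresses found in every Received header, top to bottom."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(header):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # e.g. a version string that merely looks like an address
    return ips


def prefix_match(ip, prefix="199.19."):
    """The string test a mail-client 'Includes' filter performs (over-broad)."""
    return str(ip).startswith(prefix)


def in_range(ip, net=VOLUMEDRIVE_NET):
    """The exact test: is the address inside the allocated block?"""
    return ip in net


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the octets to form the name a DNSBL lookup would resolve."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def classify(raw_message: str):
    """'divert' if any Received hop is inside the range, else 'keep'."""
    return "divert" if any(in_range(ip) for ip in received_ips(raw_message)) else "keep"


# Constructed sample: the first hop is a made-up address that shares the
# "199.19." prefix but lies outside the /21; the second is one from the thread.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [199.19.50.7])
\tby mail.example.org with ESMTP; Wed, 1 May 2013 13:00:00 +0000
Received: from unknown (HELO host) [199.19.110.232]
\tby mx.example.net with SMTP; Wed, 1 May 2013 12:59:30 +0000
Subject: test

body
"""
```

The made-up 199.19.50.7 hop shows the difference: the prefix filter would divert it, the range check would not.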

But don't use the notorious MW "bounce" feature, not on e-mail addresses anyway. That will just make you a (kind of) spammer.

Nicely said. Pretty much the same thing can be said about a similar feature I once saw on the Incredimail client. It's one of those things which has a certain superficial appeal, but which shouldn't be used indiscriminately, if at all.


Yeah Volumedrive keeps on spamming here too. Their IPs show in Barracuda but not in the SCBL.

199.19.110.222 - 5954885819, 5954885820

199.19.110.233 - 5954885846, 5954885847

199.19.110.218 - 5954886002, 5954886001

All of their IPs are botnet infected

http://cbl.abuseat.org/lookup.cgi?ip=199.19.110.222

see

http://www.senderbase.org/senderbase_queri...=199.19.110.222

It may pay to submit your spam to spam[at]uce.gov. Note that all spam should be forwarded as an attachment. Mention they are running a BOTNET! They must know it though? I even tried their webpage. Might pay to go to the registrar to deactivate the account as they are deliberately running BOTNETs

Domain Name: VOLUMEDRIVE.COM

Registrar: NETWORK SOLUTIONS, LLC.

Whois Server: whois.networksolutions.com

Referral URL: http://www.networksolutions.com/en_US/

Name Server: DNS3.VOLUMEDRIVE.COM

Name Server: DNS4.VOLUMEDRIVE.COM

Status: clientTransferProhibited

Updated Date: 31-oct-2011

Creation Date: 06-jan-2006

Expiration Date: 06-jan-2014

Years ago I had a good Windows program that automated complaints to registrars

http://www.complainterator.com/

INCLUDE THE SpamCop TRACKING URL; your reporting IDs can only be seen by you

http://forum.spamcop.net/scwik/TrackingURL


Archived

This topic is now archived and is closed to further replies.
