Sven Golly Posted April 30, 2014 Posted April 30, 2014 Not sure why SpamCop doesn't just DevNull everything going to [at]serverhub.com. Nothing over the last month has even remotely slowed down the amount of spam I get through them. http://www.spamcop.net/sc?id=z5885335158z1...b926158ec7d300z Quote
turetzsr Posted April 30, 2014 Posted April 30, 2014 ...That wouldn't necessarily be a reason to devnull. They seem to do that mostly when reports to the abuse address bounce or when the admin asks them to not send reports. Quote
Sven Golly Posted April 30, 2014 Author Posted April 30, 2014 ...That wouldn't necessarily be a reason to devnull. They seem to do that mostly when reports to the abuse address bounce or when the admin asks them to not send reports. My comment was semi-tongue-in-cheek. ;-) I suspect serverhub.com devnulls SpamCop reports. Just in the last hour I got 2 more spams originating from serverhub.com. Quote
Sven Golly Posted May 8, 2014 Author Posted May 8, 2014 (edited) serverhub's IP space is still sending major amounts of spam. Some 60 reports later and they STILL don't even show up on SpamCop's own RBL! I'm really beginning to think SpamCop itself is becoming irrelevant. Edited May 8, 2014 by Sven Golly Quote
turetzsr Posted May 8, 2014 Posted May 8, 2014 ...But the absolute volume of spam is not used in SpamCop's algorithm that determines whether an IP address is included in the SCBL -- see SpamCop FAQ article labeled "What is on the list?" Quote
Farelf Posted May 9, 2014 Posted May 9, 2014 (edited) Yes, http://www.spamcop.net/fom-serve/cache/297.html shows how it works in general, reputation points help approximate a ham:spam ratio determination which in turn helps ensure a few bad eggs don't drag down any massive, mostly non-spamming assets to the great detriment of the innocent public. You can then look at data presentations from the SC Stats pages to put your 'problem' networks in context. Regarding the instance of 107.158.214.212 - from http://www.spamcop.net/spamstats.shtml thence http://www.spamcop.net/w3m?action=map;mask...ratio;sort=spam we can see that 107.158.214.0/24 doesn't get a look in for spam ratio (/200) and is ranked down at 47/200 in spam count - http://www.spamcop.net/w3m?action=map;net=...35;sort=spamcnt Current metrics: 107.158.214.0/24 No.s Total email volume 1314 Total spam reports 39789 spam reports vs. email volume 30.28 Number of hosts sending email 90 Number of hosts reported for spam 76 Hosts reported vs. hosts sending 0.73 Average volume per host sending 14.6 There are presently three servers from that 107.158.214.0/24 allocation listed in the SCbl according to http://www.senderbase.org/senderbase_queri....158.214.0%2F24 No doubt if more people were reporting there would be more of them (so don't despair, certainly keep reporting them yourself) but, as you can see for 107.158.214.212 in that display, the network operations for that service spread the load (that specific IP address is currently having a bit of a holiday). An unkind observer might say they 'snowshoe' a little. [edit - fixed links etc.) Edited May 9, 2014 by Farelf Quote
Sven Golly Posted May 10, 2014 Author Posted May 10, 2014 Well it would seem to me that because serverhub has setup a special abuse address just for Spamcop (spamcop[at]serverhub.com) and since they allow this spammer to continue (we get about 10 - 20 per day on one address alone), the special spamcop address is simply being ignored. So assuming there's a special arrangement for between SC and Serverhub to support that address, why does SC continue to do so? All it looks like to me is a way for them to monitor how much spam they can crank out before running afoul of the SCBL. Am I missing something? These are all sample Serverhub spams reported to SC. I don't report every single one I get. http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851586 http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851514 http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851673 http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851511 http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851508 http://www.spamcop.net/mcgi?action=gettrac...rtid=6129851507 http://www.spamcop.net/mcgi?action=gettrac...rtid=6129632531 <- Black Lotus + Serverhub http://www.spamcop.net/mcgi?action=gettrac...rtid=6129632544 <- Black Lotus + Serverhub Quote
Farelf Posted May 11, 2014 Posted May 11, 2014 ...So assuming there's a special arrangement for between SC and Serverhub to support that address, why does SC continue to do so? All it looks like to me is a way for them to monitor how much spam they can crank out before running afoul of the SCBL. Am I missing something?... Yes, certainly looks like your initial 'tongue-in-cheek' supposition might not have been far off the mark. 'Follow the money,' as they say, that might be all there is to it, a profitable commercial arrangement for both parties. And illegal in terms of the current US legislation, one imagines, if the service provider is aware of 'marketing' by the client in contravention of the anti-spam provisions (which point might be a touch hard to prove). Those are NOT Tracking URLs by the way - but I'm sure Don will be interested in them. Clearly there is no 'list-washing' going on, which would be the principal SC concern, I suppose, but maybe there's some other form of 'gaming' going on to carefully monitor the (apparent) snowshoe operation, as you suggest. All-in-all, some thin lines involved and many thanks for highlighting the situation! If they're cunning enough to snowshoe without tripping the dedicated component of the Spamhaus SBL (http://www.spamhaus.org/css/) then they're certainly a problem for the internet community. No single RBL or anti-spam tool can ever catch all spam. Quote
Sven Golly Posted May 12, 2014 Author Posted May 12, 2014 Yeah I didn't save the tracking URLs for those -- so I just went to Recent Reports to snag what I could. Would be nice if SC presented the tracking URL in Recent Reports. Anyway here are two of today's serverhub.com spams by tracking URL. http://www.spamcop.net/sc?id=z5888418267z5...1b97b6d3fc9bbbz http://www.spamcop.net/sc?id=z5888418191z6...11bde60310273bz These spams are just goofy with weird keywords. I don't know if they are to get past spam filters or if they are a form of reverse tracking. Report the spam and they know you did because they see what was reported and can track it back to the reporter / recipient. All serverhub.com spam gets copied to spam[at]uce.gov and knujon. Quote
Farelf Posted May 12, 2014 Posted May 12, 2014 Yeah I didn't save the tracking URLs for those -- so I just went to Recent Reports to snag what I could. Would be nice if SC presented the tracking URL in Recent Reports. Anyway here are two of today's serverhub.com spams by tracking URL.Nice is our middle name: FAQ Entry: Getting a Tracking URL from a Report ID But don't worry about retrieving - SC staff can use the Report IDs you provided earlier, if they want to investigate. ... These spams are just goofy with weird keywords. I don't know if they are to get past spam filters or if they are a form of reverse tracking. Report the spam and they know you did because they see what was reported and can track it back to the reporter / recipient. All serverhub.com spam gets copied to spam[at]uce.gov and knujon. Yes, unusually pointless-seeming but one imagines it has some point, since it is presumably costing "Rendering Partner" or someone something to send it. Anyway thanks for the alert - maybe someone 'here' can shed some light and maybe it will interest SC too. This really looks like a snowshoe operation to me, very low volume detected by SenderScore but SenderBase seems to be seeing short intense bursts of activity - about as high as volumes for individual servers ever get (5.1 and 5.3 magnitude for those last two IP addresses) which is a liability on the resources of the internet and on the patience of its users, if all of it is spam (or even one tenth of it). Curious ... Quote
Sven Golly Posted May 12, 2014 Author Posted May 12, 2014 Thanks for the info on getting the tracking link. I had never noticed the "Parse" link at the top. The FAQ is kind of arcane in many ways. I have dealt with whoever is behind the serverhub spam in the past since I recognize the writing / subject line style and what they usually promote. The spammer is active for anywhere from 1 month to as long as a year, eventually gets shut down, then starts all over again from a new spam-friendly ISP. Serverhub is going on 3 months now I think. Quote
Sven Golly Posted May 12, 2014 Author Posted May 12, 2014 And here's a relatively rare serverhub.com spam that links to a site HOSTED by serverhub. Usually the links go elsewhere. http://www.spamcop.net/sc?id=z5888647343zf...2e24c8e93d1b92z Quote
SpamCopAdmin Posted May 12, 2014 Posted May 12, 2014 We're not going to stop sending reports to spamcop[at]serverhub.com. We've sent 184,926 reports to that address since it was created in March of 2013. - Don D'Minion - SpamCop Admin - - Service[at]Admin.SpamCop.net - Quote
Sven Golly Posted May 13, 2014 Author Posted May 13, 2014 We're not going to stop sending reports to spamcop[at]serverhub.com. We've sent 184,926 reports to that address since it was created in March of 2013. - Don D'Minion - SpamCop Admin - - Service[at]Admin.SpamCop.net - Has it accomplished anything other than make it "look like" an ISP might be doing something? Quote
lisati Posted May 13, 2014 Posted May 13, 2014 Has it accomplished anything other than make it "look like" an ISP might be doing something? If nothing else, continuing to report emails with a serverhub.com connection will help keep them in sight of the processes which feed the SCBL. Quote
Farelf Posted May 13, 2014 Posted May 13, 2014 Yep, and denies them wriggle room should they subsequently try to profess ignorance, should the question ever arise with any enforcement agency. Quote
Sven Golly Posted May 13, 2014 Author Posted May 13, 2014 Yep, and denies them wriggle room should they subsequently try to profess ignorance, should the question ever arise with any enforcement agency. Interesting logic I guess. But they still never make it onto the SCBL. They are good at the snowshoe tapdance. Quote
djporter Posted May 13, 2014 Posted May 13, 2014 Shouldn't we also cc to "support[at]serverhub.com? That is where their spam Policy asks for reports to be made: "If you have additional questions regarding this policy or wish to report this type of activity with included headers to us please feel free to contact us(support[at]serverhub.com)." Quote
spinner Posted January 24, 2015 Posted January 24, 2015 I've just received a dozen emails from serverhub along the lines - ==================================================== This email concerns your recent ticket: [spamCop (http://clickhere.dedicatdd.com/rt/bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to the site! (1446) As part of our commitment to improving your customer support experience, we would like to know how you think we are doing.Please take a moment to complete a short survey consisting of just a few multiple-choice questions. ================================================== I was strongly tempted to report them as spam but I suspect it might be "report denial justification" technique. Quote
Sven Golly Posted December 5, 2020 Author Posted December 5, 2020 WARNING: NECRO POST REVIVAL Just when you thought it was safe to go in the water, the ServerHub spam support machine has cranked back up again. I continue to report them via SpamCop (some are such bad spam that the reports get flagged as outgoing spam by my mail provider). They continue to auto-reply with BS that makes it sound like they are doing something. But they aren't. Example: SpamCop.net Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.