sehh
Posted May 8, 2014

Hello,

Over the past several months, we've received thousands of spam, originating from IP addresses owned by a provider called SingleHop, which in turn advertise sites hosted by another provider called Blacklotus.

What we found interesting is that once we block their IP network range, a few months later they change to another network, again owned by SingleHop. SpamCop as well seems not to have them blacklisted (at least not their current range of IPs, which is 108.178.0.0/18).

SpamCop sends reports to abuse[at]singlehop.com and to abuse[at]blacklotus.net, but of course that makes no difference.

Does the above imply that these two "businesses" are in bed together, or owned by the same person(s)? Since any spam sent from SingleHop always points to Blacklotus sites.

Farelf
Posted May 9, 2014

Hi sehh,

Don't see any obvious evidence of connection between singlehop.com and blacklotus.net other than, if you're seeing it, client-provider - but blacklotus.net is 'interesting'. They have a substantial network of their own (192.184.8.0/21) yet their mail exchange is through Google provision - aspmx.l.google.com, aspmx2.googlemail.com, alt1.aspmx.l.google.com and alt2.aspmx.l.google.com - and now you're saying their actual 'marketing campaigns' are going through singlehop.com? You really need to provide a Tracking URL or two so people can see what you're seeing.

Seems like they're just trying every which way to keep their mission-sensitive network operations sanitised from their marketing. That ought to be telling them something, so you're right, they already know they're spamming. But as to whether or not your reports do any good? The SURBL takes feed from SC and you should check to see if those websites are being included in the SURBL.

Just keep reporting is my advice. Maybe you can incorporate the SURBL into your filtering if those websites are cropping up there. Divert and report.

Steve

Sven Golly
Posted May 10, 2014

I'm seeing the same spam here -- singlehop / black lotus. I also saw a crossover spam from serverhub.com that was spamvertising a black lotus site.

Right now 75% of my spam is from serverhub.com but they STILL haven't made it to the SpamCop's own RBL. Which is why I'm getting more and more disappointed with SpamCop.

turetzsr
Posted May 20, 2014

<snip> Right now 75% of my spam is from serverhub.com but they STILL haven't made it to the SpamCop's own RBL. Which is why I'm getting more and more disappointed with SpamCop.

...Well, you might have reason to be if SpamCop determined whether to place servers of domains on the blacklist in the way it seems that you're suggesting; it doesn't: see the SpamCop FAQ article labeled "What is on the list?" for more detail, especially the section labeled "How the SCBL Works" and, for even more technical detail, the section labeled "SCBL Rules."

astroguard
Posted September 22, 2014

More than 90% of the spam I've received over the past two months contains links from a Blacklotus server, for example this morning:

Finding links in message body
Resolving link obfuscation
http://end.fastcarsavings.com
http://reservenow.fastcarsavings.com
Host reservenow.fastcarsavings.com (checking ip) = 192.31.186.4
Resolves to 192.31.186.4
Cached whois for 192.31.186.4 : noc[at]blacklotus.net
routeid: 72768102 192.31.184.0 - 192.31.187.255 to: noc[at]blacklotus.net

... and this is just one of about a dozen.

[edit] thanks for data but live links broken - please don't do the spammers' jobs for them

gdeputy
Posted October 8, 2014

Are there any filtering tools / plugins that can parse urls like spamcop and allow server admins to block/score emails based on the hosting of the urls? 90% of the spam I'm seeing contains links hosted by blacklotus, and I'd like to be able to use that criteria.
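
One way to do what gdeputy asks, as an added example that is not part of the original thread and is not SpamCop's code: pull the link hosts out of a message body, resolve them, and flag any that land in the Black Lotus ranges quoted in this thread. The hostname `offer.example.net`, the sample body and the function names are constructed for illustration; the IP 192.31.186.4 is the one from astroguard's post.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Black Lotus ranges quoted in this thread (whois output and posters' notes).
WATCHED_NETS = ("192.31.184.0/22",   # 192.31.184.0 - 192.31.187.255
                "192.184.8.0/21", "199.59.160.0/21")
AUTHORITY_RE = re.compile(r"https?://([^\s/?#<>\"']+)", re.IGNORECASE)

def dns_resolve(host):
    """Live lookup: every address the host resolves to, [] on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except (socket.gaierror, UnicodeError):
        return []

def covering_net(ip, nets=WATCHED_NETS):
    """Return the watched CIDR that contains ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((c for c in nets if addr in ipaddress.ip_network(c)), None)

def hosting_hits(body, resolver=dns_resolve):
    """Return sorted (host, ip, cidr) for links hosted inside a watched range."""
    hits = set()
    for authority in AUTHORITY_RE.findall(body):
        try:  # hostname strips userinfo and port, and lower-cases the name
            host = (urlsplit("//" + authority).hostname or "").rstrip(".,;:)")
        except ValueError:  # malformed bracketed IPv6 literal
            continue
        # An IP-literal link needs no lookup; a name goes to the resolver.
        ips = [host] if covering_net(host) else (resolver(host) if host else [])
        for ip in ips:
            cidr = covering_net(ip)
            if cidr:
                hits.add((host, ip, cidr))
    return sorted(hits)

# Constructed sample: a made-up host on the IP from the post above, plus a benign link.
SAMPLE_DNS = {"offer.example.net": ["192.31.186.4"],
              "www.example.org": ["203.0.113.10"]}
SAMPLE_BODY = ("Book now: http://offer.example.net/x?id=1\n"
               "Unsubscribe: https://www.example.org/u")

if __name__ == "__main__":
    for hit in hosting_hits(SAMPLE_BODY, lambda h: SAMPLE_DNS.get(h, [])):
        print("link hosted in watched range:", hit)
```

In a mail filter the returned list would feed a score or a quarantine rule; lookups should be cached and time-limited so a slow name server cannot stall delivery.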

msealey
Posted October 9, 2014

Most of the spam I get comes from Black Lotus - and/or its 'customers'. Reporting to abuse[at]blacklotus.net isn't stemming the flood at all; if anything, it's getting worse.

Anyone any experience, ideas or suggestions, please? They're surely not a legitimate company, are they?

TIA!

turetzsr
Posted October 9, 2014

Hi, Mark,

Please see the conversation above (note to others: Mark raised this as a separate topic and I merged it here).

msealey
Posted October 9, 2014

Thanks, Steve,

Yes. Is there any point, though, in continuing to report BlackLotus? I've filed three reports with local and state D/A's…

turetzsr
Posted October 9, 2014

<snip> Is there any point, though, in continuing to report BlackLotus? <snip>

The general answer that we here give to such questions (with respect to reporting to SpamCop) is: yes, please continue if you are so inclined, as it feeds the statistics that SpamCop uses to decide whether to list an IP address from which the spam is coming in its blacklist, which is used by many ISPs and e-mail admins to block or filter suspected spam.

msealey
Posted October 9, 2014

Steve,

That makes good sense. I am certainly so inclined. My reservation comes from the probably erroneous sense that spam from Black Lotus has increased since I started to report. Given that SC munges my address, that's just not possible, is it?

turetzsr
Posted October 9, 2014

<snip> My reservation comes from the probably erroneous sense that spam from Black Lotus has increased since I started to report. Given that SC munges my address, that's just not possible, is it?

Well, no, SC tries to munge your address everywhere it can "see" it but some claim that it doesn't always succeed and there are also other ways for spammers to tell to whom they sent a particular message if whoever reads the SpamCop report forwards it to (or is) the spammer. On the other hand, spammers probably have better things to do than to carefully inspect all two or three SpamCop spam reports they might receive in a year and add the reporter's e-mail address to some list that doesn't already have your e-mail address on it for use by other spammers who go through Black Lotus (the spammer already has your address, after all!). <g>

msealey
Posted October 13, 2014

Thanks, Steve!

Since I don't expect to understand the way spammers work and think even if I live to be 100 (why they do what they do and how they can possibly make a living, let alone make any money), I assume… revenge

turetzsr
Posted October 13, 2014

My guess would be that your e-mail address somehow found its way onto a spammer's list and has since been propagated to other spammers or a batch of different Black Lotus machines that have been captured by a spammer and your address is on the spammer's list multiple times. If it's UCE, it could even be a single spammer selling "get rich quick sending e-mails" kits to the naive.
msealey Posted October 13, 2014 Share Posted October 13, 2014 Thanks again, Steve! I've now taken it up with the state and local BBB and state (CA) D/A. Worth ten minutes of my time, I suppose. Good luck! Link to comment Share on other sites More sharing options...

msealey
Posted October 15, 2014

black lotus seems to have transformed themselves into namecheaphosting now. Is there a known connection: the muck is the same only the headers have been changed to protect the criminals :-(

msealey
Posted November 6, 2014

For a few weeks in September, 90% of the spam I was receiving came to promote spamvertised sites hosted by blacklotus. All reported. It suddenly stopped.

A few days later I started to receive floods of similar-looking material for spamvertised sites hosted by namecheap/namecheaphosting. Also all reported. Continued.

Am I right in concluding (from the below) that namecheap's upstream provider is blacklotus, please? If so, what are the implications (and what can I do about it)?

nslookup namecheap.com
Name: namecheap.com
Address: 199.59.161.100

then this whois query returns:

Net Range 199.59.160.0 - 199.59.167.255
CIDR 199.59.160.0/21
Name BLACK-LOTUS-COMMUNICATIONS

Thanks!

This topic is now archived and is closed to further replies.