dmspac Posted April 2, 2015

Hello: I don't know lots about networks, and here is my problem:

Since February I am receiving tons of spam. The messages have a link like:

http://zzzzz.standida.com/c.php?aid=xxx&lid=yyyy

where x, y, z are message-specific numbers (zzzzz seems to identify the target email). The link redirects to another link like

http://xtremehealthfit.com/jajbua71u/WWWW/?e=mail[at]something.com&s=XXXXXX

And finally, it takes you to an offending site (porn, scam, dating....)

Spammers are using lots of different domains, but they all point to an IP in AS36263. The most used IP is 126.96.36.199. But other addresses are used, and it seems hackers control several entire subnetworks in this AS, since all IPs are in netblocks assigned to "Forona":

Subnet 188.8.131.52/20 184.108.40.206 220.127.116.11 Proxy route for FORONA by MZIMA
Subnet 18.104.22.168/20 22.214.171.124 126.96.36.199 Forona Technologies
Subnet 188.8.131.52/20 184.108.40.206 220.127.116.11 Proxy route for forona technologies by mzima
Subnet 18.104.22.168/20 22.214.171.124 126.96.36.199 Forona Technologies
Subnet 188.8.131.52/20 184.108.40.206 220.127.116.11 Forona technologies

[Full info here: http://ipinfo.io/AS36263]

Now, if you check routing tables for this AS you will find something like:

show ip bgp 18.104.22.168
3277 39710 9002 3356 3361 36263
286 3356 3361 36263
7018 2828 3361 36263

Which means that all routes have to pass through AS3361 before reaching the "backbone".

Now, if you make a trace you will find that the last hops look like this: (Info from http://ipduh.com/ip/traceroute/)

22.214.171.124 126.96.36.199 AS3356 (Level3 com)
[*] [*] [*] [*] [*] [*]
unused-216-168-56-242.forest.net. 188.8.131.52 AS11739
184.108.40.206 220.127.116.11 AS36263

I expected to find AS3361 between AS3356 and AS36263, but I found AS11739 (registered to Digital Forest, dfcolo.com), which according to ipinfo.io does not have IP addresses.

However, AS3361 does have IP addresses, and AS3361 is registered to Spectrum Networks / Digital Fortress (dfcolo.com, which also is listed in AS36263).

So we have here a zombie network, used for SPAMMING. And it looks exactly like the case of "McColo" (Sounds like DFColo!! ) which involved grave cybercrime (See https://en.wikipedia.org/wiki/Brian_Krebs ).

As I stated, I am not a network expert. I would like to ask for your help in ending this possible cybercrime. I sent information to ICANN / ARIN but it seems I was ignored. Maybe I could contact Brian Krebs, but I would like to have other options. Do you think it would work contacting level3.com?

Thanks.
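The post infers from three `show ip bgp` lines that every route to the prefix passes through AS3361. Below is an added example (not the poster's code, and not from any tool the post mentions) that checks such a claim mechanically instead of by eye: it parses the AS-path column of a looking-glass output, reports the origin AS, the ASNs common to every path, and which ASN sits directly upstream of the origin in each path. The input text is the three AS paths quoted in the post; everything else (function names, the assumption that paths are whitespace-separated with the origin right-most) is my own.

```python
"""Find the upstream ASNs that every observed BGP path to a prefix traverses.

Added example, not from the original forum post. The AS paths below are the
three lines quoted in the post's `show ip bgp` output. Knowing the single
mandatory transit AS tells a defender which upstream provider's abuse desk
is in a position to act on a spam-hosting customer.
"""
from collections import Counter

# Constructed input: the AS-path column of the post's `show ip bgp` output,
# one path per line. Left-most ASN is nearest the looking glass, right-most
# is the origin AS announcing the prefix.
BGP_PATHS_TEXT = """\
3277 39710 9002 3356 3361 36263
286 3356 3361 36263
7018 2828 3361 36263
"""


def parse_as_paths(text):
    """Parse whitespace-separated AS paths into lists of ints, skipping blank lines."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        paths.append([int(asn) for asn in line.split()])
    return paths


def origin_asns(paths):
    """The origin AS of each path is its right-most ASN (normally a single value)."""
    return {path[-1] for path in paths}


def mandatory_transits(paths):
    """ASNs present in every observed path, excluding the origin itself.

    These are the upstreams that every route must traverse; an empty set
    means the origin is reachable through disjoint transits.
    """
    if not paths:
        return set()
    common = set(paths[0])
    for path in paths[1:]:
        common &= set(path)
    return common - origin_asns(paths)


def upstream_of_origin(paths):
    """Count which ASN appears immediately before the origin in each path.

    A single key with a count equal to the number of paths means the origin
    has only one visible upstream (the post's claim about AS3361).
    """
    counts = Counter()
    for path in paths:
        # A path with only the origin has no upstream hop to report.
        if len(path) >= 2:
            counts[path[-2]] += 1
    return counts


if __name__ == "__main__":
    observed = parse_as_paths(BGP_PATHS_TEXT)
    print("origin AS(es):      ", sorted(origin_asns(observed)))
    print("mandatory transits: ", sorted(mandatory_transits(observed)))
    print("upstream of origin: ", dict(upstream_of_origin(observed)))
```

Feeding the post's three paths to `mandatory_transits` yields `{3361}` and `upstream_of_origin` yields `{3361: 3}`, which is the post's observation in checkable form. Note that a single visible upstream only says who provides transit; whether the traceroute's AS11739 hop belongs to the same operator is a registry question (whois/RDAP), not something an AS path can settle.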