
Gobs of spam via cogentco.com


James Merrill


I have received a quite large amount of spam that was not held by SpamCop with abuse[at]cogentco.com as the proper reporting party. It has been going on for quite a while.

It seems to be the case that there are a lot of different cogentco "sub-customers" involved, but from what I've seen, there has been enough that their entire block could easily have been blacklisted.

I just looked into some of the messages I had to report manually (because they weren't held). One of them was one of 8 messages today; maybe this sender will get blocked before long. Another was from a block with reporting address abuse[at]esnet.com that "refuses spamcop reports" but if reported today, it would go to cogentco.com.

Is cogentco.com really doing enough anti-spam work that they deserve not to have all their clients blocked? Or have they threatened to sue or something?


What information????

What are you talking about???

28628[/snapback]

Merlyn, it was a joke...translates to:

Spamcop's publishing truthful information about their company and its practices...

The original question was whether the IPs were not being listed because of a lawsuit, which is not true.


Additions to the SCBL are by individual IP Address, not by ISP or reporting address.  For more info on the transgressions of Cogent and its customers, please see their listings at Spamhaus.

28623[/snapback]

From what I see, it's almost as though Cogentco is complicit with the spammers. They seem to shuffle IP addresses and domain names around. Do people think they're really "in cahoots" (a true black hat) or are they just dealing with "clever" spammers as customers? For example, these excerpts from reports:

airsam.com [66.250.17.131]

airsam.com [66.250.17.193]

airsam.com [66.250.17.77]

airrs.com [66.250.17.164]

airlead.com [66.250.18.193]

airiv.com [66.250.17.138]

airera.com [66.250.18.123]

warmglobe.com [66.250.17.81]

wareglobe.com [66.250.18.182]

truckmatrix.com [66.250.17.147]

truckdreams.com [66.250.18.117]

truckdreams.com [66.250.18.162]

truckcoop.com [66.250.17.63]

talkycard.com [66.250.18.176]

stockmacro.com [66.250.17.141]

squarecash.com [66.250.18.126]

(all since 13May05) seem to be quite a pattern if cogentco.com isn't involved.

Oh well, on we go.


Do people think they're really "in cahoots" (a true black hat) ...

28686[/snapback]

Yes James, I do. The Spamhaus record leaves little/no doubt. As for shuffling IP addresses - Senderbase at http://www.senderbase.org/?sb=1&searchBy=o...0Communications tells us they have 194,616 to play with of which they are using something like 525. We can look forward to much more.


From what I see, it's almost as though Cogentco is complicit with the spammers.  They seem to shuffle IP addresses and domain names around.  Do people think they're really "in cahoots" (a true black hat) or are they just dealing with "clever" spammers as customers?  For example, these excerpts from reports:

(all since 13May05) seem to be quite a pattern if cogentco.com isn't involved.

Oh well, on we go.

28686[/snapback]

You don't mention any other research that you may have done. Just a bit of a quick data look-up:

Domain Name: stockmacro.com

Created on..............: 01 Apr 2005 23:53:34

Domain Name: warmglobe.com

Created on..............: 01 Apr 2005 23:53:39

Domain Name: truckdreams.com

Created on..............: 01 Apr 2005 23:53:37

Domain Name: airsam.com

Created on..............: 17 May 2005 07:57:22

All having the common data:

Registrant Info:

Ingenuity Sphere

Technical Contact

11501 Dublin Blvd

Dublin, CA 94568

US

Phone: +1.9255582794

Fax..: +.

Email: hostmaster[at]ingenuitysphere.com

Domain servers in listed order:

ns1.ingenuitysphere.com

ns2.ingenuitysphere.com

Again, I just looked up a few of your samples, but it appears to me that there's yet another party involved with the spew ..????


Again, I just looked up a few of your samples, but it appears to me that there's yet another party involved with the spew ..????

28697[/snapback]

I'd guess that's true; cogentco.com seems to be making it easier for their spammer customers to run their businesses unfettered by block lists by (apparently) moving domain names around among IP addresses on a regular basis. I'm not smart enough or persistent enough to be certain of this, but for example the IP 66.250.18.213 was used to send spam (to me) that said it was from airsnow.com, but airsnow.com is now 66.250.16.213 and 66.250.18.213 now produces this from SpamCop:

host 66.250.18.213 (getting name) no name

host 66.250.18.213 = m20.wareglobe.com (old cache)

Could a spammer get off a blocklist by saying "but I just got this IP yesterday; any older abuse by my predecessor isn't my fault"? Who knows. Sigh.


Archived

This topic is now archived and is closed to further replies.
