James Merrill Posted May 27, 2005

I have received a quite large amount of spam that was not held by spamcop with abuse[at]cogentco.com as the proper reporting party. It has been going on for quite a while. It seems to be the case that there are a lot of different cogentco "sub-customers" involved, but from what I've seen, there has been enough that their entire block could easily have been blacklisted.

I just looked into some of the messages I had to report manually (because they weren't held). One of them was one of 8 messages today; maybe this sender will get blocked before long. Another was from a block with reporting address abuse[at]esnet.com that "refuses spamcop reports" but if reported today, it would go to cogentco.com.

Is cogentco.com really doing enough anti-spam work that they deserve not to have all their clients blocked? Or have they threatened to sue or something?

Jeff G. Posted May 27, 2005

Additions to the SCBL are by individual IP Address, not by ISP or reporting address. For more info on the transgressions of Cogent and its customers, please see their listings at Spamhaus.

Merlyn Posted May 27, 2005

> Or have they threatened to sue or something?

What could they sue for?

Jank1887 Posted May 27, 2005

> What could they sue for?

Spamcop's failure to withhold truthful information about their company and its practices...

Merlyn Posted May 27, 2005

What information???? What are you talking about???

StevenUnderwood Posted May 27, 2005

> What information???? What are you talking about???

Merlyn, it was a joke...translates to: Spamcop's publishing truthful information about their company and its practices...

The original question was whether the IPs were not being listed because of a lawsuit, which is not true.

Merlyn Posted May 28, 2005

I just wanted to play
This is the lounge ..........

James Merrill Posted May 30, 2005

> Additions to the SCBL are by individual IP Address, not by ISP or reporting address. For more info on the transgressions of Cogent and its customers, please see their listings at Spamhaus.

From what I see, it's almost as though Cogentco is complicit with the spammers. They seem to shuffle IP addresses and domain names around. Do people think they're really "in cahoots" (a true black hat) or are they just dealing with "clever" spammers as customers? For example, these excerpts from reports:

airsam.com [66.250.17.131]
airsam.com [66.250.17.193]
airsam.com [66.250.17.77]
airrs.com [66.250.17.164]
airlead.com [66.250.18.193]
airiv.com [66.250.17.138]
airera.com [66.250.18.123]
warmglobe.com [66.250.17.81]
wareglobe.com [66.250.18.182]
truckmatrix.com [66.250.17.147]
truckdreams.com [66.250.18.117]
truckdreams.com [66.250.18.162]
truckcoop.com [66.250.17.63]
talkycard.com [66.250.18.176]
stockmacro.com [66.250.17.141]
squarecash.com [66.250.18.126]

(all since 13May05) seem to be quite a pattern if cogentco.com isn't involved. Oh well, on we go.

Farelf Posted May 31, 2005

> Do people think they're really "in cahoots" (a true black hat) ...

Yes James, I do. The Spamhaus record leaves little/no doubt. As for shuffling IP addresses - Senderbase at http://www.senderbase.org/?sb=1&searchBy=o...0Communications tells us they have 194,616 to play with of which they are using something like 525. We can look forward to much more.

Wazoo Posted May 31, 2005

> From what I see, it's almost as though Cogentco is complicit with the spammers. They seem to shuffle IP addresses and domain names around. Do people think they're really "in cahoots" (a true black hat) or are they just dealing with "clever" spammers as customers? For example, these excerpts from reports: (all since 13May05) seem to be quite a pattern if cogentco.com isn't involved. Oh well, on we go.

You don't mention any other research that you may have done. Just a bit of a quick data look-up

Domain Name: stockmacro.com
Created on..............: 01 Apr 2005 23:53:34

Domain Name: warmglobe.com
Created on..............: 01 Apr 2005 23:53:39

Domain Name: truckdreams.com
Created on..............: 01 Apr 2005 23:53:37

Domain Name: airsam.com
Created on..............: 17 May 2005 07:57:22

All having the common data;

Registrant Info:
Ingenuity Sphere
Technical Contact
11501 Dublin Blvd
Dublin, CA 94568
US
Phone: +1.9255582794
Fax..: +.
Email: hostmaster[at]ingenuitysphere.com

Domain servers in listed order:
ns1.ingenuitysphere.com
ns2.ingenuitysphere.com

Again, I just looked up a few of your samples, but it appears to me that there's yet another party involved with the spew ..????

James Merrill Posted May 31, 2005

> Again, I just looked up a few of your samples, but it appears to me that there's yet another party involved with the spew ..????

I'd guess that's true; cogentco.com seems to be making it easier for their spammer customers to run their businesses unfettered by block lists by (apparently) moving domain names around among IP addresses on a regular basis. I'm not smart enough or persistent enough to be certain of this, but for example the IP 66.250.18.213 was used to send spam (to me) that said it was from airsnow.com, but airsnow.com is now 66.250.16.213 and 66.250.18.213 now produces this from SpamCop:

host 66.250.18.213 (getting name) no name
host 66.250.18.213 = m20.wareglobe.com (old cache)

Could a spammer get off a blocklist by saying "but I just got this IP yesterday; any older abuse by my predecessor isn't my fault"? Who knows. Sigh.

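The two observations made in this thread (one domain reported from several addresses in the same netblock, and domains registered seconds apart) can be checked mechanically. The following is an added example, not part of any post above; the function names are hypothetical, and the input is a subset of the report excerpts and WHOIS creation times quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# "domain [ip]" report excerpts and WHOIS creation times quoted in the thread (subset).
REPORTS = """airsam.com [66.250.17.131] airsam.com [66.250.17.193] airsam.com [66.250.17.77]
truckdreams.com [66.250.18.117] truckdreams.com [66.250.18.162]
warmglobe.com [66.250.17.81] stockmacro.com [66.250.17.141]"""
WHOIS_CREATED = {
    "stockmacro.com": "01 Apr 2005 23:53:34",
    "warmglobe.com": "01 Apr 2005 23:53:39",
    "truckdreams.com": "01 Apr 2005 23:53:37",
    "airsam.com": "17 May 2005 07:57:22",
}

def parse_reports(text):
    """Return {domain: set of IPs} from 'domain [ip]' pairs."""
    seen = defaultdict(set)
    for domain, ip in re.findall(r"([a-z0-9.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", text, re.I):
        seen[domain.lower()].add(ip)
    return dict(seen)

def rotating_domains(seen):
    """Domains reported from more than one IP, with the IPs sorted as strings."""
    return {d: sorted(ips) for d, ips in seen.items() if len(ips) > 1}

def by_slash24(seen):
    """Return {/24 network: sorted domains} to show how the senders cluster."""
    nets = defaultdict(set)
    for domain, ips in seen.items():
        for ip in ips:
            nets[str(ip_network(f"{ip}/24", strict=False))].add(domain)
    return {n: sorted(ds) for n, ds in nets.items()}

def registration_batches(created, window_seconds=60):
    """Group domains whose creation time is within window_seconds of the previous one."""
    stamped = sorted((datetime.strptime(ts, "%d %b %Y %H:%M:%S"), d) for d, ts in created.items())
    batches, current = [], [stamped[0]]
    for item in stamped[1:]:
        if (item[0] - current[-1][0]).total_seconds() <= window_seconds:
            current.append(item)
        else:
            batches.append(current)
            current = [item]
    batches.append(current)
    return [[d for _, d in b] for b in batches if len(b) > 1]

if __name__ == "__main__":
    seen = parse_reports(REPORTS)
    print(rotating_domains(seen), by_slash24(seen), registration_batches(WHOIS_CREATED))
```

Because the SCBL lists individual IP addresses, a per-domain and per-/24 view like this is what exposes rotation that a per-IP view misses.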
Archived
This topic is now archived and is closed to further replies.