Jump to content

Same Email body from 15 different countries?


johnstac
 Share

Recommended Posts

I am getting spam from someone trying to push their stock picks down my throat. Daily I will get 20-40 spam emails with the same content on each email but the ip is coming from different countries. Poland, China, Russia, USA, France, Germany, Greece and several others. How can this happen? How can one person have access to so many ip networks and is it a futile battle? Can it ever be controlled? I have been diligently working to report each spam and block each ip range through my server firewall but I have seen no decrease in the amount of spam. Particularly from this one individual. Do I keep on trying? Is there any way that these guys can fake the ip number?

Link to comment
Share on other sites

What they are using are usually virus infected machines which they have control of. They send out a single command with the data they want sent and this army of infected PC's start sending the message.

Hoping it's okay to post this header. While your theory of multiple computers makes sense, would you mind looking at this header and seeing if anything pops out that may indicate that the ip here really isn't the ip that it's being sent from?

....on second thought, if I post the header, then my email will be exposed to everyone as well.......sigh....I just can't believe that someone could have so much control across the globe.....I'd rather believe that the ip is being spoofed or something

Link to comment
Share on other sites

It is very nearly impossible to spoof IPs, though not entirely so. Almost every backbone provider across the planet checks all traffic getting on and off of their networks to make sure that the IP address fall within the ranges allocated to those providers. Also, the vast majority of last mile ISPs do this same kind of on-ramp filtering.

On the other hand, there are literally millions of computers around the globe infected with various viruses that give their creators varying levels of control over them. Anything from being a straight out open proxy to being a SMTP spam engine.

Do a quick search on "botnet" and "zombie computers" in Google, you should get about a million hits with good information.

Link to comment
Share on other sites

What I had been doing was getting the ip from SpamCop and then entering that ip in a tool that would give me the entire network range. Then I was entering that range into my server firewall. Sounds though by what you are saying, it would be unlikely that a spammer would have control over an entire ip range.

Nevertheless, someone gave me a excellent resource http://www.ipdeny.com/ipblocks/ that gives the ip ranges of all countries. And it's free. I am now not going to waste any more time entering them line by line. I am just going to ban smtp on the countries that are offending the most. There does seem to be about 10 countries that most of the spam originates from. Since those countries have no bearing on my business, I am going to take them out.

I just had an email come through and ran it through spamcop. I took the ip and ran it through another tool and it says that the ip is invalid. Here is the spamcop file:

http://www.spamcop.net/sc?id=z1151258541z5...b9cf1da92daed1z

Let me know what you think?

Link to comment
Share on other sites

What I had been doing was getting the ip from SpamCop and then entering that ip in a tool that would give me the entire network range.

...

I just had an email come through and ran it through spamcop. I took the ip and ran it through another tool and it says that the ip is invalid. Here is the spamcop file:

First, I don't know what tool you are using to determine network ranges. Are the ranges intended to show all the IP's owned by the same group? Or are you simply getting the class A, B, or C for whatever IP you are looking at?

With a large enough mask, 192.117.18.60 would end up in the same range as 192.168.x.x which is set aside for private networks and is invalid on the internet. I can certainly ping and tracert to that IP address from my location so it is valid.

As far as spoofing IP addresses to send email, that is practically impossible because SMTP is 2 way communication. If machine A is spoofing machine B's address trying to contact machine C, machine C would be replying back to machine B during the process and not get the correct response, closing the session.

Link to comment
Share on other sites

...I took the ip and ran it through another tool and it says that the ip is invalid. ...
Depends what you mean by that. What tool? Certainly there is some variability in the results for abuse reporting of IP address 192.117.18.60. This is not unusual when the "regular" address is unresponsive but I don't know about this case - the "Routing" newsgroup was originally set up for reporters to help out the Deputies in what over-rides might be justified and it seems to still work that way. I think the reporting is a separate issue to whether "the IP is invalid".

Reporting leads that I see

whois for 192.117.18.60 currently says (twice) abuse[at]012.net.il and "For abuse issues, email abuse.net.il"

abuse.net says abuse[at]012.net.il (for 012.net.il)

SpamCop currently says Cached whois for 192.117.18.60 : abuse[at]attglobal.net admin[at]att.net.il hostmaster[at]att.net.il

Using abuse net on abuse[at]attglobal.net

abuse net attglobal.net = abuse[at]attglobal.net, abuse[at]att.net

Using abuse net on admin[at]att.net.il

abuse net att.net.il = postmaster[at]att.net.il, hank[at]att.net.il, admin[at]att.net.il

Using best contacts postmaster[at]att.net.il hank[at]att.net.il abuse[at]attglobal.net admin[at]att.net.il abuse[at]att.net

SenderBase says

Network Owner Golden Lines International Communication Services

Domain 012.net.il

Another 24 domains are associated with the network owner.

403 Network Owners use 012.net.il hostnames - and notes "further assignment" (10308 addresses in 012.net.il used to send email)

I guess only a Deputy would know whether the SC nomination is kosher. And maybe one or two folk in the "Routing" newsgroup.

Link to comment
Share on other sites

First, let me say that I am very new to this so I don't begin to think that I have the experience you guys do. I began using spamcop not so much for the reporting aspect but for the ip clarification. I had to sit there for some time evaluating the header. Now I can have spamcop do it in a fraction of the time. I do report the spam as well but I also take that ip and go to http://software77.net/cgi-bin/ip-country/geo-ip.pl

Once there, I put the ip in that second box down on the right called Ip Address - Octets/Numeric. After I submit it, it will provide the country, starting and ending ip addresses of that network and the CIDR block. I realize that in most cases the CIDR block is going to be the entire internet ip range of the internet provider. Truthfully, I just don't have the time to mess with individual ips. If the offending ip came from outside of the USA, I will likely ban the entire range. Inside the USA, I have just been banning the specific ip. Again, that was until today, when I decided to ban entire countries to port 25.

I have a great deal of respect for you guys. How you can do this day in and day out is beyond me. I have only been working on this a short time and am already highly frustrated, hence the banning of countries.

Link to comment
Share on other sites

This only seems to barely touch anything resembling an issue with the Reporting system, so was almost ready to move this to the Lounge. However, the last few posts did bring up a Reporting issue ...

johnstac says that a server is involved and access to that server/firewall is available. Not stated was what tools may be in use, what OS, etc. So I'll also point out that the use of various BLs wasn't mentioned either. There are numerous BLs out that there that in fact focus on country of origin, most of those are kept up to date ... thing being that someone else is doing a lot of the work you are attempting to do, one IP address at a time ... use one of those BLs and it's done a country at a time ...

The issue of zombie/botnet crap has been pointed out already. Not noted (as not being seen) is that you posted with an IP address associated with one of the most problematic ISPs in the U.S. associated with compromised computers on their network. The humour involved with complaints to their Abuse department being rejected because the (last recalled number) 1.67Gig InBox was "full" just can't be appreciated enough by those of us tryng to work that side of the street. This has happened more than once, I might add ....

Results seen in your example Tracking URL .... when I pulled it up, I did not see anything about an "invalid IP" ... However, I did see the same data questioned for reporting addresses;

Tracking message source: 192.117.18.60:

Routing details for 192.117.18.60

[refresh/show] Cached whois for 192.117.18.60 : abuse[at]attglobal.net admin[at]att.net.il hostmaster[at]att.net.il

Using abuse net on abuse[at]attglobal.net

abuse net attglobal.net = abuse[at]attglobal.net, abuse[at]att.net

Using abuse net on admin[at]att.net.il

abuse net att.net.il = postmaster[at]att.net.il, hank[at]att.net.il, admin[at]att.net.il

Using best contacts postmaster[at]att.net.il hank[at]att.net.il abuse[at]attglobal.net admin[at]att.net.il abuse[at]att.net

clicked on routing detail to see where those results came from;

Reports routes for 192.117.18.60:

routeid:9138519 192.117.0.0 - 192.117.63.255 to:admin[at]att.net.il

Administrator found from whois records

routeid:9138520 192.117.0.0 - 192.117.63.255 to:hostmaster[at]att.net.il

Administrator found from whois records

routeid:9138521 192.117.0.0 - 192.117.63.255 to:abuse[at]attglobal.net

Administrator found from whois records

Nothing there about any override actions taken ...

For giggles, then hit the Refresh button ....

Removing old cache entries.

Tracking details

Display data:

"whois 192.117.18.60[at]whois.arin.net" (Getting contact from whois.arin.net )

Redirect to ripe

Display data:

"whois 192.117.18.60[at]whois.ripe.net" (Getting contact from whois.ripe.net)

Abuse address in remarks/descr field: abuse[at]012.net.il

whois.ripe.net found abuse contacts for 192.117.18.60 = abuse[at]012.net.il

whois: 192.117.18.0 - 192.117.18.255 = abuse[at]012.net.il

Routing details for 192.117.18.60

Using abuse net on abuse[at]012.net.il

abuse net 012.net.il = abuse[at]012.net.il

Using best contacts abuse[at]012.net.il

go back and re-trigger the Parse via your Tracking URL;

Parse results now show;

Tracking message source: 192.117.18.60:

Routing details for 192.117.18.60

[refresh/show] Cached whois for 192.117.18.60 : abuse[at]012.net.il

Using abuse net on abuse[at]012.net.il

abuse net 012.net.il = abuse[at]012.net.il

Using best contacts abuse[at]012.net.il

Message is 3 hours old

192.117.18.60 not listed in dnsbl.njabl.org

192.117.18.60 not listed in dnsbl.njabl.org

192.117.18.60 not listed in cbl.abuseat.org

192.117.18.60 not listed in dnsbl.sorbs.net

192.117.18.60 not listed in relays.ordb.org.

192.117.18.60 not listed in accredit.habeas.com

192.117.18.60 not listed in plus.bondedsender.org

192.117.18.60 not listed in iadb.isipp.com

making the dialog a bit lower seem very strange now;

Reports regarding this spam have already been sent:

Re: 192.117.18.60 (Administrator of network where email originates)

Reportid: 2043069251 To: abuse[at]att.net

Reportid: 2043069318 To: admin[at]att.net.il

Reportid: 2043069374 To: abuse[at]attglobal.net

Reportid: 2043069442 To: hank[at]att.net.il

Reportid: 2043069488 To: postmaster[at]att.net.il

Reportid: 2043069539 To: spamcop[at]imaphost.com

So, results apparently based on a bad set of cached data ..... thus taking 'us' back to the need for human supervivion over the process of selecting targets for these reports .... and unfortunately, in cases like this, knowing enough to at least suspect that something isn't quite right about the results.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...