Best way to with persistent spammers and pink ISPs (Nuvox)


acdha

I've been receiving spam from a Nuvox.net customer for several years. I've never received a response from Nuvox's abuse department and - more interestingly - they've never been added to the SpamCop blacklist, despite the fact that this is blatant spam sent directly from their network:

Received: from mhi-inc.com (unknown [66.148.201.62])
    by mx.example.edu (Postfix) with ESMTP id BFCD474113
    for <me[at]example.edu>; Wed, 2 May 2007 05:49:44 -0700 (PDT)
Received: from BM2 [10.0.0.20]
    by mhi-inc.com [10.0.0.2]
    with SMTP (MDaemon.PRO.v5.0.4.R)
    for <me[at]example.edu>; Tue, 01 May 2007 18:06:11 -0400

I'm apparently not alone in receiving their spam:

http://www.highprogrammer.com/alan/spammer...al-mhi-mxi.html

http://zippy.physics.niu.edu/

http://www.trustedsource.org/query.php?q=66.148.201.62

This leads to two questions:

1) What's the best way to make sure they end up on the BL?

2) Is there a good way to motivate rogue ISPs like Nuvox who are apparently unconcerned about spam from their customers? I've filed reports with the upstreams at various times and the only change is that they appear to have stopped using above.net (all other spam before and after came through gblx.net).

Link to comment
Share on other sites
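
An added example, not part of the original thread: how the reportable source address is picked out of the Received chain quoted in the post above, and how the matching SCBL query name is built. The header strings are constructed from the post, `trusted_mx` and the function names are assumptions for illustration, and `bl.spamcop.net` is the SCBL's DNS zone.

```python
import ipaddress
import re
import socket

# Constructed sample: the two Received headers quoted in the post, unfolded.
SAMPLE_HEADERS = [
    "from mhi-inc.com (unknown [66.148.201.62]) by mx.example.edu (Postfix) "
    "with ESMTP id BFCD474113 for <me[at]example.edu>; Wed, 2 May 2007 05:49:44 -0700 (PDT)",
    "from BM2 [10.0.0.20] by mhi-inc.com [10.0.0.2] with SMTP (MDaemon.PRO.v5.0.4.R) "
    "for <me[at]example.edu>; Tue, 01 May 2007 18:06:11 -0400",
]

# "from <helo> (<rdns> [<ip>]) by <host>" (Postfix) or "from <helo> [<ip>] by <host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+(?:\(\S+\s+)?\[(?P<ip>[0-9.]+)\]\)?\s+by\s+(?P<by>\S+)", re.I)

def parse_hop(header):
    """Return helo, peer IP and recording host for one Received header, or None."""
    m = HOP_RE.search(header)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:          # e.g. a forged header with an impossible address
        return None
    return {"helo": m["helo"], "ip": ip, "by": m["by"].lower()}

def source_ip(headers, trusted_mx):
    """First public peer IP recorded by one of our own MX hosts (newest header first).
    Hops written by the sender's side, like the 10.0.0.x one, are not trusted."""
    for header in headers:
        hop = parse_hop(header)
        if hop and hop["by"] in trusted_mx and hop["ip"].is_global:
            return hop["ip"]
    return None

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def is_listed(ip, zone="bl.spamcop.net"):
    """True if the DNSBL answers for this IP (needs DNS; any lookup failure counts as not listed)."""
    try:
        socket.gethostbyname(dnsbl_name(ip, zone))
        return True
    except socket.gaierror:
        return False
```

Only the hop written by the recipient's own server is used; the lower header is supplied by the sending side and carries private addresses that no blocklist can act on.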

1) What's the best way to make sure they end up on the BL?

Let's start the answer there by pointing out just how hard everyone has tried to hide that data ....

Wiki - What is the SpamCop Blocking List (SCBL)?

SpamCop FAQ links at the top of this page

SpamCop Blocking List Service

How do I configure my mailserver to reject mail based on the blocklist?

What is on the list?

^^^^^^^^^^^^

Original FAQ - SpamCop Blocking List information

How do I configure my mailserver to reject mail based on the blocklist?

How can I use the blocklist without mailserver configuration?

What is the SpamCop Blocking List (SCBL)?

^^^^^^^^^^^^^^^^^^^^^^^^^^^

The bad/reported traffic from the IP address in question has to meet the formula involved for a listing / de-listing

Note: there are many other BLs in use, all with different rules, requirements .. the SpamCopDNSBL is unique

2) Is there a good way to motivate rogue ISPs like Nuvox who are apparently unconcerned about spam from their customers? I've filed reports with the upstreams at various times and the only change is that they appear to have stopped using above.net (all other spam before and after came through gblx.net).

Honesty .. if there was an 'effective' way that had 100% positive results, wouldn't you guess that the issue would have been resolved years ago?

Reality ... check the tons of other Topics around here with numerous ways to make your complaints mean something, other tools available for various other actions, be it other complaints, additional filtering/handling of incoming e-mail, etc.

Link to comment
Share on other sites

The SCBL is a blunt tool when dealing with this sort of situation.

Report on IP address: 66.148.201.62

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       4.7         27042%
Last 30 days   3.5         1541%
Average        2.3

Other information about this IP address

Sender Category: -
Network Owner: NuVox Communications
Domain: mhi-inc.com
Date of first message seen from this address: 2007-03-22
CIDR range: 66.148.192.0/19
# of domains controlled by this network owner: 2843

No address list shown since no email was detected from mhi-inc.com.

So, the spew on that IP address is effectively shielded by the great size of NuVox [can only assume that little of it hits other SC reporters else the Deputies really should be looking at the reputation score part of the listing equation in this instance]. mhi-inc.com doesn't have its own registered abuse address. You've tried upstream, maybe you should try downstream? DNS Report for mhi-inc.com confirms a valid abuse[at]mhi-inc.com address [1] (but not, of course, confirming that anyone looks at such mail). Looking at NuVox, where the abuse reports currently go:

Report on network owner: NuVox Communications

Volume Statistics for this Network Owner

               Magnitude   Vol Change vs. Average
Last day       6.8         -72%
Last 30 days   6.8         -70%
Average        7.3

Which totally masks what is happening at the lower level. So - different tools for different purposes (to paraphrase Wazoo). A list of spam databases at http://www.dnsstuff.com/tools/ip4r.ch?ip=66.148.201.62 shows just 2 with that IP address listed - one of which is also shown in the first SenderBase lookup, above, and which has the IP repeatedly sinbinned for relaying.

[1] Actually, I think there are problems with that address, maybe it just diverts to abuse[at]mhi-inc.com, but try that one instead. They may not have the access to do anything directly (and again they may not even see anything sent there) but they seem perfectly straight and probably concerned about their bandwidth and reputation. Other than that, maybe try the contact form on their website.

Edited by Farelf
Link to comment
Share on other sites

Let's start the answer there by pointing out just how hard everyone has tried to hide that data ....

What is the SpamCop Blocking List (SCBL)?

^^^^^^^^^^^^^^^^^^^^^^^^^^^

The bad/reported traffic from the IP address in question has to meet the formula involved for a listing / de-listing

I had actually read that - but it doesn't answer the question I actually asked: what might account for the BL failing in this specific case with repeated spam from the same netblock, frequently even the same IP? I've been using Spamcop for something like 8 years by now - normally reported IPs get listed quickly; in this case they've never been listed despite years of spamming from the same unresponsive ISP.

Farelf's response was nice both for not assuming that I was a complete idiot and confirming that there really isn't much to do with a small-scale, targeted spam operation.

Honesty .. if there was an 'effective' way that had 100% positive results, wouldn't you guess that the issue would have been resolved years ago?

Interestingly, actually reading my post might confirm that I didn't ask for a 100% effective approach or tips on filtering my email. I was interested in learning whether there was a better strategy for contacting Nuvox, given that volume makes it harder for complaints about small-scale spammers to stand out from the torrent of abuse reports most ISPs receive.

So, the spew on that IP address is effectively shielded by the great size of NuVox [can only assume that little of it hits other SC reporters else the Deputies really should be looking at the reputation score part of the listing equation in this instance]. mhi-inc.com doesn't have its own registered abuse address. You've tried upstream, maybe you should try downstream?

Thanks - I have sent various replies to MHI's contacts (both the ones listed on their website and the address used to send spam) and never received a response, so I'm just going to leave them in my personal blacklist since they're far too small scale for any legal strategy.

Link to comment
Share on other sites

I had actually read that - but it doesn't answer the question I actually asked: what might account for the BL failing in this specific case with repeated spam from the same netblock, frequently even the same IP? I've been using Spamcop for something like 8 years by now - normally reported IPs get listed quickly; in this case they've never been listed despite years of spamming from the same unresponsive ISP.

On the referenced pages are descriptions of a formula involved. Three primary variables are identified, e-mail traffic 'seen' .... reported spam/spamtrap hits ... and the IP address ..... the nebulous variable of 'reputation points' is included in the description.

http://www.senderbase.org/search?searchBy=...g=66.148.201.62

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       0.0         -100%
Last 30 days   3.5         1588%
Average        2.3

Let's ignore the 'last day = zero' issue for right now, rather looking at the flow when it was in real spew mode.

SenderBase's "Magnitude" Explained suggests that a magnitude of 3.5 is approximately 8,000 e-mails a day.

Report History: the last 90 days

------------------------------------------------------
Submitted: Wednesday, May 02, 2007 11:36:17 AM -0500:
Robust Hot Air Tools
2271080165 ( http://www.bayzi.com/ ) To: abuse[at]crystaltech.com
2271080148 ( http://www.bayzi.com/ ) To: abuse-nonverbose[at]qwest.net
2271080122 ( http://www.mhi-inc.com/ ) To: spamcop[at]nuvox.net
2271080119 ( 66.148.201.62 ) To: spamcop[at]nuvox.net
-----------------------------------------------------
Submitted: Friday, April 20, 2007 12:26:06 PM -0500:
MHI Microheaters
2254625661 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse[at]crystaltech.com
2254625660 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse-nonverbose[at]qwest.net
2254625659 ( http://www.mhi-inc.com/ ) To: spamcop[at]nuvox.net
2254625658 ( 66.148.201.62 ) To: spamcop[at]nuvox.net
--------------------------------------------------------
Submitted: Tuesday, March 27, 2007 6:41:33 PM -0500:
High Temperature Lab Furnaces
2218142295 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse[at]crystaltech.com
2218142294 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse-nonverbose[at]qwest.net
2218142292 ( http://www.mhi-inc.com/ ) To: spamcop[at]nuvox.net
2218142291 ( 66.148.201.62 ) To: spamcop[at]nuvox.net

Would you care to try to do the math and make the result translate into meeting a "listed" condition?

One reported spam a month as leveraged against 8,000 e-mails a day?

Farelf's response was nice both for not assuming that I was a complete idiot and confirming that there really isn't much to do with a small-scale, targeted spam operation.

I made no assumptions when I posted my first reply. The response to that referenced FAQ data does tend to lead to some judgements though ...

Link to comment
Share on other sites
