Jump to content

Blocking lists ... etc.


Petr

Recommended Posts

Posted

Several times I have noticed recently that notoriously spamming ZBYD Technology has bounces on weekend at bbn.cn (not surprising), however their IP 210.14.128.112 per Spamcop Statistics shows "not listed" in any of BL. I wonder why - ZBYD is very known for being extremely spam-friendly.

Posted

Perhaps they don't spam on the weekend either? the scbl is an automatic list. If there is no spam coming from an IP address, the IP address ages off. It also depends on reports from reporters and spam traps, not reputation. That's why most server admins use it in conjunction with other lists that do list on reputation.

Miss Betsy

Posted
Several times I have noticed recently that notoriously spamming ZBYD Technology has bounces on weekend at bbn.cn (not surprising), however their IP 210.14.128.112 per Spamcop Statistics shows "not listed" in any of BL. I wonder why - ZBYD is very known for being extremely spam-friendly.

Unless I am mistaken, these folks do not use this ZBYD address for sending spam. This is the behavior that triggers an SBCL listing. Simply hosting websites doesn't do it (for SpamCop, anyway). LIke most spammers, the folks who use the ZBYD hosting use a completely different set of addresses (likely a botnet) for distributing their mail.

-- rick

Posted
Unless I am mistaken, these folks do not use this ZBYD address for sending spam. This is the behavior that triggers an SBCL listing. Simply hosting websites doesn't do it (for SpamCop, anyway). LIke most spammers, the folks who use the ZBYD hosting use a completely different set of addresses (likely a botnet) for distributing their mail.

Well ... funny is if I run 210.14.128.112 via APNIC, it shows it is Zbyd's registered IP address. Certainly the spammer is not using their e-mail address / they are hiding beyond fake e-mails for sure, but using their network. Or I am missing the point somewhere :-)

Posted
...Well ... funny is if I run 210.14.128.112 via APNIC, it shows it is Zbyd's registered IP address. Certainly the spammer is not using their e-mail address / they are hiding beyond fake e-mails for sure, but using their network. Or I am missing the point somewhere :-)
They are certainly reputed to spam from their own network but, as you have seen, there is little actual evidence of it.

If you use http://www.senderbase.org/senderbase_queri...ology+Co.%2CLtd you will see 37 of their IP addresses used to send messages, as detected by SenderBase (Lord knows what their total volume might be), including your quite busy 210.14.128.112. Yet only Spamhaus consistently lists them. There's a solitary SORBS listing in there right now, against 210.14.128.10, relating to a single instance of spam receipt.

Check the hall of shame - http://www.spamcop.net/w3m?action=hoshame#domsum - you won't find them. Look for their 210.14.128.0/24 through http://www.spamcop.net/spamstats.shtml on either total volume or spam ratio and you won't find it.

Conclusion - their own addresses show a considerable volume but very little of it is reacted to as spam. If they are spammers then they use other addresses (perhaps a botnet) as has been suggested. If they are spammers then spam is clearly not the whole story of their internet activity. SpamHaus will undoubtedly have some interesting reading on their supposed/observed activities.

But they have to spam SC users or SC spamtraps in some volume1, using their own IP addresses before they get listed on the SCbl.

1Though noting the SenderBase reputation is "Poor" for some of their IPs which ones should, accordingly, list on the SpamCop Blocking List fairly easily.

Posted
Well ... funny is if I run 210.14.128.112 via APNIC, it shows it is Zbyd's registered IP address. Certainly the spammer is not using their e-mail address / they are hiding beyond fake e-mails for sure, but using their network. Or I am missing the point somewhere :-)
I am afraid you have misunderstood my post. You are also laboring under the assumption that ZBYD are the spammers. It is far more likely that ZBYD is simply one of the services used by this very active spam gang. It is not necessary for spammers (nor anyone else) to send their mail from the same services they use to host their websites.

This outfit is very typical of many in that the websites are set up on one block with a complaisant or corrupt provider (ZBYD in this case), while the mail is sent from somewhere else (usually a diffuse and untraceable botnet). It's done this way on purpose, I suspect that the spammers do not want to "poison" their web hosting block since it is hard to replace once lost. If the mailing is done correctly, then most complaints against the hosting service can be avoided or shunted aside.

I have received hundreds of messages recently that fit this pattern (botnet distributed mail promoting links in ZBYD net block, mainly for penis pills).

-- rick

Posted
I am afraid you have misunderstood my post. You are also laboring under the assumption that ZBYD are the spammers. It is far more likely that ZBYD is simply one of the services used by this very active spam gang. It is not necessary for spammers (nor anyone else) to send their mail from the same services they use to host their websites.

This outfit is very typical of many in that the websites are set up on one block with a complaisant or corrupt provider (ZBYD in this case), while the mail is sent from somewhere else (usually a diffuse and untraceable botnet). It's done this way on purpose, I suspect that the spammers do not want to "poison" their web hosting block since it is hard to replace once lost. If the mailing is done correctly, then most complaints against the hosting service can be avoided or shunted aside.

I have received hundreds of messages recently that fit this pattern (botnet distributed mail promoting links in ZBYD net block, mainly for penis pills).

Right, Rick. This seems exactly the case. By the way, I've checked your web and my sincere compliments. This is such an information resource I've not seen so far on the net.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...