Jump to content

Forona/Swift/Yipes spam - Are They Somehow Special?


priruss
 Share

Recommended Posts

I have been getting hammered with spam, as many as 20 per day, from the 67.159.193.* and 74.55.187.* netblocks for the past 90 days. These blocks belong to Forona Technologies, Swiftco, and are downstream from Yipes. I carefully report each and every one via Spamcop, but these netblocks never seem to end up on any kind of blocklist and the spam continues to flow.

Am I spinning my wheels by reporting these netblocks? Are they protected or special somehow? Spamcop assures me that LARTs are being dispatched to abuse[at]yipes.com (forona's and swift's contact email addresses bounce). Is Spamcop simply dev nulling these reports? What can I do to put these spam complaints into the hands of somebody who can actually do something about the Forona/Swift/Yipes spam?

Thanks for letting me rant.

Link to comment
Share on other sites

...Thanks for letting me rant.
Yet, if you give some more data, some useful insights may emerge. I suggest you provide some tracking links so 'we' can see what is actually happening with one or two actual IP addresses without too much guesswork and basic research.

Generally it takes more than a few member reports to get an IP address on to the SCbl and, even when a number of other reporters are seeing the same spam, the senders may keep off the blocklist by rotating the addresses. It sounds like this could be the case with 'your' spam. Yes, it seems a little different from the 'run of the mill' spam churned out in huge numbers through botnets. If so, there may be other actions indicated that people 'here' might be able to suggest (and maybe more direct than SC reporting, maybe not).

Just looking for the netblocks you name, in Worst /24 blocks based on total spam count (Stats pages) it is evident they're not appearing on the 'radar' as a major source. That's one datum.

Link to comment
Share on other sites

Yet, if you give some more data, some useful insights may emerge. I suggest you provide some tracking links so 'we' can see what is actually happening with one or two actual IP addresses without too much guesswork and basic research.

Thanks for the reply. Here are several tracking links for the Forona/Swift/Yipes spam. I had to let my mouse cool off because you only get 10 or so reports on each page, so I only went back a couple of weeks (but there are many more of these things, all within the IP ranges I mentioned in the OP).

Today:

http://www.spamcop.net/sc?id=z2219220239z4...e10106d570ba93z

67.159.193.66

http://www.spamcop.net/sc?id=z2219219557z8...e0ab6ad3226174z

67.159.193.119

September 1

http://www.spamcop.net/sc?id=z2205556976z0...292b89aba7b53fz

67.159.193.229

August 28

http://www.spamcop.net/sc?id=z2194538236zd...f82671c09d9255z

67.159.193.243

August 22

http://www.spamcop.net/sc?id=z2181187541z0...8e4308e43f3377z

67.159.203.150

August 16

http://www.spamcop.net/sc?id=z2159727747z4...be25e05bb4dee9z

67.159.193.228

I think you called it correctly that Forona/Swift/Yipes might be "snowshoe spamming" (rotating through the large number of IPs within their range) - there are a few exact IP number matches, but not that many.

Generally it takes more than a few member reports to get an IP address on to the SCbl and, even when a number of other reporters are seeing the same spam, the senders may keep off the blocklist by rotating the addresses. It sounds like this could be the case with 'your' spam. Yes, it seems a little different from the 'run of the mill' spam churned out in huge numbers through botnets. If so, there may be other actions indicated that people 'here' might be able to suggest (and maybe more direct than SC reporting, maybe not).

Just looking for the netblocks you name, in Worst /24 blocks based on total spam count (Stats pages) it is evident they're not appearing on the 'radar' as a major source. That's one datum.

That information increases my pessimism that anything can be done about these unrepentant repeat spammers. I guess it IS just me, so shut up and eat your spam.

Thanks again. Rant off.

Link to comment
Share on other sites

I think you called it correctly that Forona/Swift/Yipes might be "snowshoe spamming" (rotating through the large number of IPs within their range) - there are a few exact IP number matches, but not that many.

Seems like it... I looked at only the first IP you listed... only 10 reports over the last week and a very low (actually 0.0) SenderBase volume. In fact the whole range appears to have only a few that have as high as a 1.0 monthly volume (~10 messages seen). This type of scenario works around spamcop's strong point of catching active spam runs. This configuration would need another type of list.

Link to comment
Share on other sites

Well that is all plain depressing. That is the old-style spam we all used to complain about and seemed unstoppabe due to low volumes, but why should there be trouble enforcing CAN-SPAМ non-compliance against the 'originators' (of the actual mails)? The cheesy domains are traceable to the registrars at least. Isn't that enough? I don't know. And those same email and web-hosting service providers are coming up time and again. For some reason I can't drag up the topic from http://zeta.cesmail.net/pipermail/old-spamcop-list/ but I note the subject of this net has arisen before - RandallW's post about mail and spamvertizement hosting and Mike Easter's reply

From nobody at spamcop.net  Sun Jun  4 01:02:40 2006
From: nobody at spamcop.net (RandallW)
Date: Sun Jun  4 03:05:07 2006
Subject: [SpamCop-List] Yipes, Forona, and Swiftco
Message-ID: <e5u0ib$3qi$1[at]news.spamcop.net>

I receive a small daily splurge of spam from an affiliate of 
Consumerpromotioncenter.com; the SC parser determines that Yipes.com, 
Forona.com, and Swiftco.net host both the e-mail server and webspace where 
the spamvertised url is hosted.
Any opinions on these companies' spam policies?

( One SC report I recently sent ):

[url="http://www.spamcop.net/sc?id=z962880152zdb49d2168b8d19ae53246f5044d29c95z"]http://www.spamcop.net/sc?id=z962880152zdb...246f5044d29c95z[/url] 


From MikeE at ster.invalid  Sun Jun  4 03:57:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jun  4 06:00:07 2006
Subject: [SpamCop-List] Re: Yipes, Forona, and Swiftco
References: <e5u0ib$3qi$1[at]news.spamcop.net>
Message-ID: <e5uapj$9i0$1[at]news.spamcop.net>

RandallW wrote:
> I receive a small daily splurge of spam from an affiliate of
> Consumerpromotioncenter.com; the SC parser determines that Yipes.com,
> Forona.com, and Swiftco.net host both the e-mail server and webspace
> where the spamvertised url is hosted.
> Any opinions on these companies' spam policies?

spammer -- spamsource spamvertiser unresponsive spamhaused /22

> ( One SC report I recently sent ):
>
www.spamcop.net/sc?id=z962880152zdb49d2168b8d19ae53246f5044d29c95z

source 204.15.231.227 no rDNS
From: airline-surplus-online.com = MX 204.15.231.225
spamvertiser airline-surplus-online.com
straightup unresponsive spammer/spamvertiser
provider spamhaused all over the place

whois -h whois.arin.net 204.15.231.227 ...
SWIFT VENTURES Inc   204.15.224.0 - 204.15.231.255
   OrgTechEmail:  abuse[at]swiftco.net
Forona Technologies,  204.15.230.0 - 204.15.231.255
   OrgTechEmail:  domains[at]forona.com

Forona spamhaused as the /22
204.15.228.0/22 is listed on the Spamhaus Block List
Ref: SBL41952

Spamhaus shows much evidence including spamcop's and also shows the
forona/swift structure for this block and others, and shows that the
AS36263 for forona has the upstream AS6517 YIPESCOM    Spamhaus has
numerous other listings for the swiftco/forona, 9 SBLs, including a
ROKSO -- blocks of numerous sizes /22s, /23, /24s etc

The abuse.net reg'd contacts are forona, swiftco, & yipes, which is how
spamcop notifies for source and spamvertiser, so yipes is being informed
of the unresponsiveness of their downstream


-- 
Mike Easter
kibitzer, not SC admin

(found by Googling). Note they are/were ROKSO listed so, 'Vaster than empires, and more slow' the evidence against them builds but I guess there are worse to deal with first. But note the date of those NG items - Sunday 6 June 2006 f'Pete's sake!

Well, alternative strategies have come and gone, many now think outside of the SC 'box', I'm just wondering whether others 'here' might have some suggestions? What about the KnujOn users, f'rinstance? Any point in reporting this stuff there? FTC reporting? Links at http://forum.spamcop.net/forums/index.php?showtopic=2238#ASS might suggest other avenues.

Edited by Farelf
Link to comment
Share on other sites

For some reason I can't drag up the topic from http://zeta.cesmail.net/pipermail/old-spamcop-list/ but I note the subject of this net has arisen before - RandallW's post about mail and spamvertizement hosting and Mike Easter's reply ..... (found by Googling).

Off-Topic .. perhaps to be split out and moved if further discussion is needed.

The same text/archive file exists on both the old and current servers. However, the zeta-server file has not been archived by Google. Perhaps adding http://zeta.cesmail.net/pipermail/old-spam...t/2006-June.txt here might help ???? No idea if it's a 'duplicate content' issue or simply that this path has not been crawled yet. How many other files/archives might be in the same state????

Once again, the request goes out for the www.spamcop.net help pages to be update and change the newsgroup archive links to the current location (the zeta server) .. When this happenes, the old/ancient archives on the 'news' server can be hidden/removed so this kind of stuff won't happen. (Of course, that also means that I'll have to find the time, energy, and desire to edit all those HTML files that were simply copied over from the old server to the new, in order to make the links point to the right place. Gads what a pain. Yeah, yeah, I know some of you are thinking that a bit of awk and sed would do the trick, but .... the actual problem is that some of those files no longer actually exist .. deleted to make space available on the 'disk full' hard-drive. I believe most of you know that I don't like doing things only as a partial fix.)

In addition, having to note that June 2006 was the timeframe of the 'disk full' condition that stopped the newsgroup archiving. I'm having to assume that this (disk full condition) is why the threaded list of posts doesn't match the 'full text' listing for this month's/year's Archives. Not really sure how to fix that problem .. the last time I was 'smart' on this tool was a couple of years back, when I got it running on this server.

Link to comment
Share on other sites

  • 3 months later...

I've found that a lot of their spam seems to get nailed by filters. Almost all the email in my yahoo webmail spam folder is from Forona - all the basic chicken bone stuff Viagra, $500 Gift Cards, etc. They seem to be marketing to the last few million people who don't have any spam filters.

Link to comment
Share on other sites

  • 3 months later...

I get quite a few spam through them as well. Forona.com has an actual website, but the phone number given (1-866 number) gets to the automatic response system, which gives extension numbers to sales, support, etc., except support extension “doesn’t existâ€, and sales gets you to the rep’s voice mail, but the “message box is fullâ€. So I don’t think it’s a legit ISP even.

Link to comment
Share on other sites

...I don't think it's a legit ISP even.
Interesting. Network owner Forona Technologies has a lot of IP addresses, hosts a lot of domains - but without even the pretense of sales or support to the public? E-mail addresses (support, abuse, etc.) are valid but whether or not they are operated ...? Well, their SC reports are disabled and even the Chinese have parts of their network blacklisted. Presumably their registrar, Enom, is not interested in the goings-on; ARIN, the State of Washington and the FTC likewise. Remarkable how blatant the breaches of service agreements and the actual laws can be without timely response from the aggrieved regulators and authorities. Guess they're all busy doing something important ;) .
Link to comment
Share on other sites

  • 1 month later...

abuse#forona.com[at]devnull.spamcop.net

abuse#swiftco.net[at]devnull.spamcop.net

abuse[at]yipes.com

In recent times (I'm talking a month or two) I've been seeing the above reporting addresses on a substantial percentage of my spam. They are always together (usually as both the "origin" of spam and the only "spamvertised link"), and spam coming out of there never corresponds to any known open relay.

Anyone else seen them?

--

Admins: I have a kind of hunch that this thread would fit better in some other forum than the Lounge, but I cannot decide which one. If you can, go ahead and move it.

Link to comment
Share on other sites

...Admins: I have a kind of hunch that this thread would fit better in some other forum than the Lounge, but I cannot decide which one. If you can, go ahead and move it.
Hi Tony - perhaps the "Reporting Help" forum but I'm thinking this one might take advantage of the previous discussions, merging your new topic within the Lounge accordingly.
abuse#forona.com[at]devnull.spamcop.net

abuse#swiftco.net[at]devnull.spamcop.net

abuse[at]yipes.com

In recent times (I'm talking a month or two) I've been seeing the above reporting addresses on a substantial percentage of my spam. They are always together (usually as both the "origin" of spam and the only "spamvertised link"), and spam coming out of there never corresponds to any known open relay.

Anyone else seen them?

To bring the query to the 'top of the stack'.
Link to comment
Share on other sites

How did they convince Global Crossing and Hurricane Electric to shut down McColo? Seems as though whoever did the convincing should now turn to Yipes and have them shut down Forona.

According to wikipedia article it was Brian Krebs who turned the tide though it was well known for quite some time.

I don't know very much about the costs of bandwidth, etc. but it seems to me that someone legitimate would lose a lot of money if 85% of email traffic disappeared - not to mention all the anti-spam products being sold. When is public opinion going to tip the scales so that those who can clean up a lot of the spam mess will do so? Considering that it was someone from the Washington Post who tipped the balance with McColo, that seems to be the only thing that works.

Miss Betsy

Link to comment
Share on other sites

AFAICT, slightly more than half of my spam comes from Swiftco, Forona & Yipes. Looks like they're indeed the latest "black hat kid on the block" and that I'm indeed not alone in being seriously bothered by this new source of spam. Let's hope that we'll see some action faster than for Korean spam ;-)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...