priruss Posted September 5, 2008

I have been getting hammered with spam, as many as 20 per day, from the 67.159.193.* and 74.55.187.* netblocks for the past 90 days. These blocks belong to Forona Technologies, Swiftco, and are downstream from Yipes. I carefully report each and every one via Spamcop, but these netblocks never seem to end up on any kind of blocklist and the spam continues to flow.

Am I spinning my wheels by reporting these netblocks? Are they protected or special somehow? Spamcop assures me that LARTs are being dispatched to abuse[at]yipes.com (forona's and swift's contact email addresses bounce). Is Spamcop simply dev nulling these reports? What can I do to put these spam complaints into the hands of somebody who can actually do something about the Forona/Swift/Yipes spam?

Thanks for letting me rant.
Farelf Posted September 5, 2008

> ...Thanks for letting me rant.

Yet, if you give some more data, some useful insights may emerge. I suggest you provide some tracking links so 'we' can see what is actually happening with one or two actual IP addresses without too much guesswork and basic research.

Generally it takes more than a few member reports to get an IP address on to the SCbl and, even when a number of other reporters are seeing the same spam, the senders may keep off the blocklist by rotating the addresses. It sounds like this could be the case with 'your' spam. Yes, it seems a little different from the 'run of the mill' spam churned out in huge numbers through botnets. If so, there may be other actions indicated that people 'here' might be able to suggest (and maybe more direct than SC reporting, maybe not).

Just looking for the netblocks you name, in Worst /24 blocks based on total spam count (Stats pages) it is evident they're not appearing on the 'radar' as a major source. That's one datum.
priruss (Author) Posted September 5, 2008

> Yet, if you give some more data, some useful insights may emerge. I suggest you provide some tracking links so 'we' can see what is actually happening with one or two actual IP addresses without too much guesswork and basic research.

Thanks for the reply. Here are several tracking links for the Forona/Swift/Yipes spam. I had to let my mouse cool off because you only get 10 or so reports on each page, so I only went back a couple of weeks (but there are many more of these things, all within the IP ranges I mentioned in the OP).

Today:
http://www.spamcop.net/sc?id=z2219220239z4...e10106d570ba93z 67.159.193.66
http://www.spamcop.net/sc?id=z2219219557z8...e0ab6ad3226174z 67.159.193.119

September 1
http://www.spamcop.net/sc?id=z2205556976z0...292b89aba7b53fz 67.159.193.229

August 28
http://www.spamcop.net/sc?id=z2194538236zd...f82671c09d9255z 67.159.193.243

August 22
http://www.spamcop.net/sc?id=z2181187541z0...8e4308e43f3377z 67.159.203.150

August 16
http://www.spamcop.net/sc?id=z2159727747z4...be25e05bb4dee9z 67.159.193.228

I think you called it correctly that Forona/Swift/Yipes might be "snowshoe spamming" (rotating through the large number of IPs within their range) - there are a few exact IP number matches, but not that many.

> Generally it takes more than a few member reports to get an IP address on to the SCbl and, even when a number of other reporters are seeing the same spam, the senders may keep off the blocklist by rotating the addresses. It sounds like this could be the case with 'your' spam. Yes, it seems a little different from the 'run of the mill' spam churned out in huge numbers through botnets. If so, there may be other actions indicated that people 'here' might be able to suggest (and maybe more direct than SC reporting, maybe not).
>
> Just looking for the netblocks you name, in Worst /24 blocks based on total spam count (Stats pages) it is evident they're not appearing on the 'radar' as a major source. That's one datum.

That information increases my pessimism that anything can be done about these unrepentant repeat spammers. I guess it IS just me, so shut up and eat your spam.

Thanks again. Rant off.
StevenUnderwood Posted September 5, 2008

> I think you called it correctly that Forona/Swift/Yipes might be "snowshoe spamming" (rotating through the large number of IPs within their range) - there are a few exact IP number matches, but not that many.

Seems like it... I looked at only the first IP you listed... only 10 reports over the last week and a very low (actually 0.0) SenderBase volume. In fact the whole range appears to have only a few that have as high as a 1.0 monthly volume (~10 messages seen).

This type of scenario works around spamcop's strong point of catching active spam runs. This configuration would need another type of list.
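An added example, not part of the thread and not SpamCop's own logic: it shows why addresses rotated within a block stay under a per-address count while a per-/24 tally still surfaces them. The 67.159.x.x addresses are the ones from the tracking links above; the 192.0.2.10 reports and all thresholds are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Source addresses from the tracking links posted earlier in the thread.
THREAD_IPS = ["67.159.193.66", "67.159.193.119", "67.159.193.229",
              "67.159.193.243", "67.159.203.150", "67.159.193.228"]
# Constructed contrast case: one host (documentation range) reported four times.
CONSTRUCTED_IPS = ["192.0.2.10"] * 4

# Assumed thresholds for illustration; not SpamCop's real listing criteria.
PER_IP_THRESHOLD = 3
BLOCK_MIN_REPORTS = 4
BLOCK_MIN_DISTINCT = 4


def per_ip_hits(ips, threshold=PER_IP_THRESHOLD):
    """Addresses that individually reach the report threshold."""
    counts = Counter(ips)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def snowshoe_blocks(ips, prefix=24, min_reports=BLOCK_MIN_REPORTS,
                    min_distinct=BLOCK_MIN_DISTINCT):
    """Blocks where reports are spread thinly over many distinct addresses."""
    by_block = defaultdict(list)
    for ip in ips:
        # strict=False masks the host bits so the address maps to its block.
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_block[str(net)].append(ip)
    flagged = {}
    for net, members in by_block.items():
        distinct = len(set(members))
        if len(members) >= min_reports and distinct >= min_distinct:
            flagged[net] = {"reports": len(members), "distinct_ips": distinct}
    return flagged


if __name__ == "__main__":
    reports = THREAD_IPS + CONSTRUCTED_IPS
    print("per-IP hits:  ", per_ip_hits(reports))
    print("snowshoe /24s:", snowshoe_blocks(reports))
```

The distinct-address condition is what separates the two cases: the single noisy host trips only the per-IP count, while the rotated block trips only the per-block one.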
Farelf Posted September 6, 2008

Well that is all plain depressing. That is the old-style spam we all used to complain about and seemed unstoppable due to low volumes, but why should there be trouble enforcing CAN-SPAM non-compliance against the 'originators' (of the actual mails)? The cheesy domains are traceable to the registrars at least. Isn't that enough? I don't know. And those same email and web-hosting service providers are coming up time and again.

For some reason I can't drag up the topic from http://zeta.cesmail.net/pipermail/old-spamcop-list/ but I note the subject of this net has arisen before - RandallW's post about mail and spamvertizement hosting and Mike Easter's reply

From nobody at spamcop.net Sun Jun 4 01:02:40 2006
From: nobody at spamcop.net (RandallW)
Date: Sun Jun 4 03:05:07 2006
Subject: [SpamCop-List] Yipes, Forona, and Swiftco
Message-ID: <e5u0ib$3qi$1[at]news.spamcop.net>

I receive a small daily splurge of spam from an affiliate of Consumerpromotioncenter.com; the SC parser determines that Yipes.com, Forona.com, and Swiftco.net host both the e-mail server and webspace where the spamvertised url is hosted.

Any opinions on these companies' spam policies?

( One SC report I recently sent ):
http://www.spamcop.net/sc?id=z962880152zdb49d2168b8d19ae53246f5044d29c95z

From MikeE at ster.invalid Sun Jun 4 03:57:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jun 4 06:00:07 2006
Subject: [SpamCop-List] Re: Yipes, Forona, and Swiftco
References: <e5u0ib$3qi$1[at]news.spamcop.net>
Message-ID: <e5uapj$9i0$1[at]news.spamcop.net>

RandallW wrote:
> I receive a small daily splurge of spam from an affiliate of
> Consumerpromotioncenter.com; the SC parser determines that Yipes.com,
> Forona.com, and Swiftco.net host both the e-mail server and webspace
> where the spamvertised url is hosted.

> Any opinions on these companies' spam policies?

spammer -- spamsource spamvertiser unresponsive spamhaused /22

> ( One SC report I recently sent ):
> www.spamcop.net/sc?id=z962880152zdb49d2168b8d19ae53246f5044d29c95z

source 204.15.231.227 no rDNS
From: airline-surplus-online.com = MX 204.15.231.225
spamvertiser airline-surplus-online.com

straightup unresponsive spammer/spamvertiser provider spamhaused all over the place

whois -h whois.arin.net 204.15.231.227
...
SWIFT VENTURES Inc 204.15.224.0 - 204.15.231.255
OrgTechEmail: abuse[at]swiftco.net
Forona Technologies, 204.15.230.0 - 204.15.231.255
OrgTechEmail: domains[at]forona.com

Forona spamhaused as the /22

204.15.228.0/22 is listed on the Spamhaus Block List
Ref: SBL41952

Spamhaus shows much evidence including spamcop's and also shows the forona/swift structure for this block and others, and shows that the AS36263 for forona has the upstream AS6517 YIPESCOM

Spamhaus has numerous other listings for the swiftco/forona, 9 SBLs, including a ROKSO -- blocks of numerous sizes /22s, /23, /24s etc

The abuse.net reg'd contacts are forona, swiftco, & yipes, which is how spamcop notifies for source and spamvertiser, so yipes is being informed of the unresponsiveness of their downstream

--
Mike Easter
kibitzer, not SC admin

(found by Googling). Note they are/were ROKSO listed so, 'Vaster than empires, and more slow' the evidence against them builds but I guess there are worse to deal with first. But note the date of those NG items - Sunday 6 June 2006 f'Pete's sake!

Well, alternative strategies have come and gone, many now think outside of the SC 'box', I'm just wondering whether others 'here' might have some suggestions? What about the KnujOn users, f'rinstance? Any point in reporting this stuff there? FTC reporting? Links at http://forum.spamcop.net/forums/index.php?showtopic=2238#ASS might suggest other avenues.
Wazoo Posted September 6, 2008

> For some reason I can't drag up the topic from http://zeta.cesmail.net/pipermail/old-spamcop-list/ but I note the subject of this net has arisen before - RandallW's post about mail and spamvertizement hosting and Mike Easter's reply ..... (found by Googling).

Off-Topic .. perhaps to be split out and moved if further discussion is needed.

The same text/archive file exists on both the old and current servers. However, the zeta-server file has not been archived by Google. Perhaps adding http://zeta.cesmail.net/pipermail/old-spam...t/2006-June.txt here might help ???? No idea if it's a 'duplicate content' issue or simply that this path has not been crawled yet. How many other files/archives might be in the same state????

Once again, the request goes out for the www.spamcop.net help pages to be updated and change the newsgroup archive links to the current location (the zeta server) .. When this happens, the old/ancient archives on the 'news' server can be hidden/removed so this kind of stuff won't happen. (Of course, that also means that I'll have to find the time, energy, and desire to edit all those HTML files that were simply copied over from the old server to the new, in order to make the links point to the right place. Gads what a pain. Yeah, yeah, I know some of you are thinking that a bit of awk and sed would do the trick, but .... the actual problem is that some of those files no longer actually exist .. deleted to make space available on the 'disk full' hard-drive. I believe most of you know that I don't like doing things only as a partial fix.)

In addition, having to note that June 2006 was the timeframe of the 'disk full' condition that stopped the newsgroup archiving. I'm having to assume that this (disk full condition) is why the threaded list of posts doesn't match the 'full text' listing for this month's/year's Archives. Not really sure how to fix that problem .. the last time I was 'smart' on this tool was a couple of years back, when I got it running on this server.
Devilwolf Posted December 16, 2008

I've found that a lot of their spam seems to get nailed by filters. Almost all the email in my yahoo webmail spam folder is from Forona - all the basic chicken bone stuff Viagra, $500 Gift Cards, etc. They seem to be marketing to the last few million people who don't have any spam filters.
theUg Posted March 23, 2009

I get quite a few spam through them as well. Forona.com has an actual website, but the phone number given (1-866 number) gets to the automatic response system, which gives extension numbers to sales, support, etc., except support extension “doesn’t exist”, and sales gets you to the rep’s voice mail, but the “message box is full”. So I don’t think it’s a legit ISP even.
Farelf Posted March 23, 2009

> ...I don't think it's a legit ISP even.

Interesting. Network owner Forona Technologies has a lot of IP addresses, hosts a lot of domains - but without even the pretense of sales or support to the public? E-mail addresses (support, abuse, etc.) are valid but whether or not they are operated ...? Well, their SC reports are disabled and even the Chinese have parts of their network blacklisted. Presumably their registrar, Enom, is not interested in the goings-on; ARIN, the State of Washington and the FTC likewise. Remarkable how blatant the breaches of service agreements and the actual laws can be without timely response from the aggrieved regulators and authorities. Guess they're all busy doing something important.
A.J.Mechelynck Posted April 28, 2009

abuse#forona.com[at]devnull.spamcop.net
abuse#swiftco.net[at]devnull.spamcop.net
abuse[at]yipes.com

In recent times (I'm talking a month or two) I've been seeing the above reporting addresses on a substantial percentage of my spam. They are always together (usually as both the "origin" of spam and the only "spamvertised link"), and spam coming out of there never corresponds to any known open relay. Anyone else seen them?

--
Admins: I have a kind of hunch that this thread would fit better in some other forum than the Lounge, but I cannot decide which one. If you can, go ahead and move it.
Farelf Posted April 29, 2009

> ...Admins: I have a kind of hunch that this thread would fit better in some other forum than the Lounge, but I cannot decide which one. If you can, go ahead and move it.

Hi Tony - perhaps the "Reporting Help" forum but I'm thinking this one might take advantage of the previous discussions, merging your new topic within the Lounge accordingly.

> abuse#forona.com[at]devnull.spamcop.net
> abuse#swiftco.net[at]devnull.spamcop.net
> abuse[at]yipes.com
>
> In recent times (I'm talking a month or two) I've been seeing the above reporting addresses on a substantial percentage of my spam. They are always together (usually as both the "origin" of spam and the only "spamvertised link"), and spam coming out of there never corresponds to any known open relay. Anyone else seen them?

To bring the query to the 'top of the stack'.
Miss Betsy Posted April 29, 2009

How did they convince Global Crossing and Hurricane Electric to shut down McColo? Seems as though whoever did the convincing should now turn to Yipes and have them shut down Forona. According to the Wikipedia article it was Brian Krebs who turned the tide though it was well known for quite some time.

I don't know very much about the costs of bandwidth, etc. but it seems to me that someone legitimate would lose a lot of money if 85% of email traffic disappeared - not to mention all the anti-spam products being sold.

When is public opinion going to tip the scales so that those who can clean up a lot of the spam mess will do so? Considering that it was someone from the Washington Post who tipped the balance with McColo, that seems to be the only thing that works.

Miss Betsy
A.J.Mechelynck Posted April 30, 2009

AFAICT, slightly more than half of my spam comes from Swiftco, Forona & Yipes. Looks like they're indeed the latest "black hat kid on the block" and that I'm indeed not alone in being seriously bothered by this new source of spam. Let's hope that we'll see some action faster than for Korean spam ;-)
Archived
This topic is now archived and is closed to further replies.