According to the Spamhaus Top 10 Network Offenders listing on its Spamhaus Block List (SBL) advisory, the ISP AS3352 TELEFONICA-DATA-ESPANA has the most SBL listings as of January 17th, 2010. Based on Spamhaus’ research, this ISP is considered the current “World’s Worst Network.” At the time of this post, there are 95 SBLs belonging to Telefonica.es.
Spamhaus: The 10 Worst Spam Support ISPs
As at 17 January 2010 the ISPs with the poorest abuse control of spammers are:
Rank / SBL # ISP domain / ASN / URL
1. 95 telefonica.es AS3352 / http://www.telefonica.es/
2. 64 ovh.net AS16276 / http://ovh.net/
3. 59 telefonica.com.ar AS22185 / http://www.telefonica.com.ar/
4. 46 tiscali.it AS3257 / http://www.tiscali.it/
5. 44 xo.com AS2828 / http://www.xo.com/
6. 38 integratelecom.com AS7385 / http://integratelecom.com/
7. 38 charter.com AS20115 / http://www.charter.com/
8. 38 ono.com AS6739 / http://www.ono.es/
9. 35 verizon.com AS19262 / http://www.verizon.com/
10. 34 telecom.com.ar AS7303 / http://www.telecom.com.ar/
Many of the SBLs for telefonica.es (Telefonica de Espana, AS3352, netname: RIMA) are /32 (single IP address) listings, and many of them are ROKSO “Canadian Pharmacy” listings. Many of the Telefonica.es SBLs were added between October and December 2009. ROKSO (Register of Known Spam Operations) is the list compiled by Spamhaus of the worst spamming organizations.
While second-ranked OVH’s listings are /32 as well, fewer of its current SBLs belong to ROKSO spammers. OVH.net offers both dedicated and shared hosting; unfortunately, spammers are attracted to both. OVH.net was noted as the worst offending ISP on this blog back in December 2009. The good news about OVH is that its admins appear to be working on ridding the network of spammers. Telefonica.com.ar, in 3rd place with 59 SBLs, has larger blocklistings, including numerous /24 listings of 256 IP addresses each. The ROKSO spammer listed on tiscali.it is Fabio Petta – Jnternet.
One thing to note about this top 10 list is the number of Spanish-speaking ISPs. For example, telefonica.es and ono.com / ono.es are located in Spain, while Argentina is represented by telefonica.com.ar and telecom.com.ar. Telefónica explains on its website that it is one of the largest telecommunications companies in its markets (Spain, Europe and Latin America).
The 2 other European-based ISPs are OVH of France and Tiscali.it of Italy. The 4 US-based providers on the Spamhaus Block List are XO, Charter, Integra Telecom and Verizon. XO.com is a large Tier-2 NSP (network service provider), Integra Telecom is a regional ISP in the midwestern and western US states, and Charter is a regional ISP. Verizon (made up of Baby Bell companies) offers ISP service in most US markets and is also a leading wireless cell phone provider.
Spamhaus’ SBL ranking is based on Spamhaus’ own research of spam, so the list has its own limitations. Among the reasons: ISPs have to contact Spamhaus to get their SBLs removed, so maintaining the SBL list is a manual process, not automated like the CBL.
If a researcher wants to know more about spam volumes by ISP, other online tools are available, such as Spamcop’s list by hostname / IP. Though much smaller in scope than Spamcop, German Powerweb’s DNSBL.de has a top 20 providers list on its main page, ranked by spam volume per ASN (Autonomous System Number), the number the Internet address registries assign to identify a network.
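As an added illustration (not code from the original post, from Spamhaus or from any of the tools named above), here is a small Python helper for the kind of blocklist check these rankings are built from: it forms the reversed-octet DNSBL query name for an IP and decodes the answer codes Spamhaus documents for its combined ZEN zone (SBL, CSS, XBL, PBL, plus the 127.255.255.x codes that mean the query was refused rather than the IP listed). The `resolve` parameter, the stub lookups and the 192.0.2.x/198.51.100.x sample addresses are assumptions of this example so it can run offline; pass no resolver to do a live lookup.

```python
import ipaddress
import socket

# Answer codes published by Spamhaus for the ZEN combined zone. CSS is the
# automated snowshoe list mentioned elsewhere on this blog.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# These answers mean "query not accepted", not "IP listed"; a checker that
# treats them as listings will block everything once it is rate-limited.
ERROR_CODES = {
    "127.255.255.252": "query error: typo in DNSBL name",
    "127.255.255.254": "query refused: anonymous query via a public resolver",
    "127.255.255.255": "query refused: excessive query volume",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _resolve_a(name):
    """Default resolver: every A record for name, or [] when it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_lookup(ip, zone="zen.spamhaus.org", resolve=_resolve_a):
    """Describe the listing status of ip in zone.

    resolve is injectable (an assumption of this example) so the decoding
    logic can be exercised with a stub instead of live DNS. listed=None
    means the zone refused the query and nothing can be concluded.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        return {"ip": ip, "listed": None, "lists": [], "errors": errors}
    lists = sorted({ZEN_CODES.get(a, f"unknown({a})") for a in answers})
    return {"ip": ip, "listed": bool(lists), "lists": lists, "errors": []}


def summarize(ips, resolve=_resolve_a):
    """Count how many of a batch of IPs hit each Spamhaus list (the same
    counting a per-ISP 'number of SBLs' ranking is built on)."""
    counts = {}
    for ip in ips:
        for name in dnsbl_lookup(ip, resolve=resolve)["lists"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed stub: pretend 192.0.2.10 is SBL+CSS listed and the rest clean.
    fake = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.3"]}
    stub = lambda name: fake.get(name, [])
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(dnsbl_lookup(ip, resolve=stub))
```

The reversed-octet form is the same for every DNSBL (Spamcop, CBL, DNSBL.de), so only the code table changes per zone; the error-code handling matters for anyone automating lookups through a shared or public resolver.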
Filed under: blacklist, blocklist, cybercrime, malware, phishing, rogue networks, spam | Leave a Comment
Tags: rogue networks, spam, blocklist, spamhaus, ROKSO, SBL, blacklist, spamming, RBL, AS3257, blocklisting, AS16276, telefonica.es, xo.com, AS2828, tiscali.it, USA, Colombia, OVH.net, Argentina, France, telefonica.com.ar, Fabio Petta - Jnternet, AS3352, AS22185, Spain, Telefonica, network
In December 2009, Spamhaus added a new entry to its ROKSO database called Tactara (ROKSO: Register of Known Spam Operations). A persistent spamming group is given this title when it is determined that the spamming operation has been removed (services terminated) from at least 3 ISPs. The first blogger to note this update to the Spamhaus ROKSO entry was Ed Falk of The Spam Diaries. Usually Spamhaus names such groups based on the identities the spammers have given themselves. Some ROKSO entries are under individual names, while others are under company names the spammers have used in the past or present.
Where is Tactara located?
Spamhaus indicates this Tactara operation is run out of Wyoming in the United States. These groups have set up shell companies in Wyoming, Nevada, and some other US states. Another name Tactara has used is Webzero, the company name it created in Wyoming in 2006. Tactara has engaged in various forms of snowshoe spamming, which is spamming from many IPs and netblocks in order to evade blacklists. As is typical with snowshoe spamming operations, Tactara has used many anonymized domains for spam emitting, spamvertizing and nameservers. Based on the ARIN allocations from 11/2009 in the ROKSO listing, the Tactara group has operated out of colocated data centers in the Los Angeles, California area. Tactara’s website says its offices are in Los Angeles.
Below is a partial ARIN record for Tactara that was active as of December 2009. Note the ASN, AS18687, which is listed under MPower Communications.
CustName: Tactara
Address: 550 S Hope St. Suite 2825
City: LOS ANGELES
StateProv: CA
PostalCode: 90017
Country: US
RegDate: 2009-09-11
Updated: 2009-09-11

NetRange: 208.57.149.224 - 208.57.149.231
CIDR: 208.57.149.224/29
OriginAS: AS18687
NetName: TACTARA
NetHandle: NET-208-57-149-224-1
Parent: NET-208-57-0-0-1
NetType: Reassigned
Comment:
RegDate: 2009-09-11
Updated: 2009-09-11
RTechHandle: ZM147-ARIN
RTechName: MPOWER COMMUNICATIONS CORP
RTechPhone: +1-702-310-4578
RTechEmail: ip-mgmt@mpowercom.net
OrgAbuseHandle: MIAA-ARIN
OrgAbuseName: Mpower IP Abuse Administrator
OrgAbusePhone: +1-877-642-4375
OrgAbuseEmail: ip-abuse@mpowercom.net
OrgTechHandle: MITA-ARIN
OrgTechName: Mpower IP Technical Administrator
OrgTechPhone: +1-702-310-4578
OrgTechEmail: ip-mgmt@mpowercom.net
# ARIN WHOIS database, last updated 2009-12-11 20:
According to Spamhaus, this group pretends to be an ISP broker: it leases space from colocation providers and then leases it out to customers, mostly in /24 blocks. The addresses of these numerous shell companies are usually mail drop boxes at UPS stores located in Wyoming or Delaware. Most of the IPs within these Tactara blocks then host a landing page with a simple unsubscribe form on it.
Snowshoe and Spamhaus CSS
In October 2009, Spamhaus launched its CSS service to ferret out snowshoe spamming operations in an automated manner. As Spamhaus mentioned specifically in its recent blog entry from 12/09, many ISPs are taking immediate action on the resulting SBLs by terminating snowshoe spamming accounts.
Tactara and a Patent
As already noted by The Spam Diaries, Tactara LLC even applied for a patent for its particular type of snowshoe spamming. On its website, Tactara also makes an apparently false claim to be a member of MAAWG (Messaging Anti-Abuse Working Group).
Filed under: blacklist, blocklist, cybercrime, registrars, rogue networks, spam | Leave a Comment
Tags: anonymous WHOIS, AS18687, ASN, colo, colocated, inboxrevenge, Los Angeles, MAAWG, MPower, patent, redirects, registrars, ROKSO, SBL, shell, snowshoe, spam, spamhaus, spamming, spamvertizing, tactara, The Spam Diaries, Traffix, USA, Webzero, Wyoming
Since around August 2009 or so, French provider OVH.net (AS16276) has been the top offender by current SBLs on Spamhaus.
Here is a screenshot of that list on Spamhaus as of December 5th, 2009.
The list below is as of 12/5/09.
1. ovh.net AS16276 = 77 SBLs
2. telefonica.es AS3352 = 59 SBLs
3. xo.com AS2828 = 48 SBLs
4. tiscali.it AS3257 = 43 SBLs
5. mzima.net AS46562 = 38 SBLs
6. internap.com AS11855 = 37 SBLs
7. telefonica.com.ar AS22927 = 37 SBLs
8. ttnet.net.tr AS9121 = 34 SBLs
9. ono.com AS6739 = 33 SBLs
10. interbusiness.it = 29 SBLs
Filed under: blacklist, blocklist, phishing, rogue networks, spam | Leave a Comment
Tags: AS16276, AS2828, AS3257, AS46562, AS7315, block list, blocklist, mzima.net, rogue network, SBL, spam, spamblock, spamhaus, spamming, telefonica.es, tiscali.it, xo.com
InBoxRevenge Under Attack Again
This is the third attack on the InBoxRevenge antispam forums within one month. The first DDoS attack which was posted below was on October 28, 2009.
Since about 10:45 Eastern Time on Monday, November 16th, 2009, IBR’s forums are once again offline.
We will give you more details as they become available. It seems that spammers are definitely still very angry with the content posted on IBR.
We will continue to spread information online via various twitter accounts, blogs, and other websites about collecting information which leads to shutting down illegal spammer operations. Attacks such as this one and others do not stop our efforts as we continue to report spamming operations.
As a reminder, check out our other websites online for updates:
Twitter: http://twitter.com/inboxrevenge
Other blogs:
http://garwarner.blogspot.com/
http://inboxrevenge.blogspot.com
http://inboxrevenge.spaces.live.com
Wiki:
Please note that SiL also has his two blogs, which also accept moderated comments:
http://ikillspammers.blogspot.com
Filed under: blacklist, blocklist, cybercrime, malware, phishing, rogue networks, scareware, spam, trojan, virus | 1 Comment
Tags: attack, blacklist, botnet, cybercrime, DDoS, Denial of Service Attack, IBR, Inbound DOS, inboxrevenge, offline, spam, spammers, Syn Flood, website outage
A phishing URL spoofing the Italian banking site CartaSi is live on a compromised host: phone.codmanacademy.org – IP: 69.38.149.93, which is on AS19406 (Towerstream.com).
Munged URL:
hxxp://phone.codmanacademy.org/home/polycom/.redirecting.titolari.cartasi.it.portal.server.pt.acceso.reg.recupero.gateway.nome.utente.o.password.se.hai.dimenticato/
The URL has already been reported to Netcraft and Phishtank.
Filed under: blacklist, cybercrime, malware, phishing, spam | Leave a Comment
Tags: banking spoof, phishing, spam
As of October 31st, 2009, the attackers were DDoSing the InBoxRevenge website again. This is where the IBR anti-spam forum is hosted; the content is definitely offline at this time.
Early on the morning of 11/1/09, Twitter user @themarkgiles reported that IBR was under a flood attack from 750 bot IPs at a rate of 50 per second. Source IP countries: TH (Thailand), IN (India), BD (Bangladesh), RU (Russia), BR (Brazil), PH (the Philippines), etc.
The spammers are hitting the IBR website from compromised IPs under the control of a botnet. Obviously some spammer is not happy with our reporting of cybercriminal activities.
We will continue to post more information as it becomes available.
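To show what the "750 bot IPs at 50 per second" pattern looks like from the receiving end, here is an added Python example (not code from IBR, from @themarkgiles or from this blog) that buckets web-server log lines per second, flags seconds over a request threshold and tells a distributed flood (many distinct sources, one request each) apart from a single abusive client. The log lines are constructed in the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, and the thresholds are assumptions chosen for the example.

```python
import re
from datetime import datetime

# Common log format: source IP first, timestamp in square brackets.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def build_sample():
    """Constructed common-log-format lines (not real IBR logs): a quiet second
    with three visitors, then a second in which 75 distinct addresses from
    203.0.113.0/24 each send one request, plus one malformed line."""
    lines = [f'198.51.100.{i} - - [01/Nov/2009:06:00:00 +0000] "GET / HTTP/1.1" 200 512'
             for i in range(1, 4)]
    lines += [f'203.0.113.{i} - - [01/Nov/2009:06:00:01 +0000] "GET / HTTP/1.1" 503 0'
              for i in range(1, 76)]
    lines.append("truncated line with no timestamp")  # exercises the skip path
    return lines


def parse_line(line):
    """Return (source_ip, second) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), stamp.strftime("%Y-%m-%dT%H:%M:%S")


def per_second_stats(lines):
    """Aggregate request count and the set of distinct sources for each second."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # unparseable lines are skipped, not fatal
        ip, second = parsed
        bucket = stats.setdefault(second, {"requests": 0, "sources": set()})
        bucket["requests"] += 1
        bucket["sources"].add(ip)
    return stats


def flag_flood(stats, req_threshold=50, src_threshold=20):
    """Flag seconds with at least req_threshold requests. Both thresholds are
    assumptions for this example; 50/s echoes the rate reported in the post."""
    flags = []
    for second in sorted(stats):
        bucket = stats[second]
        if bucket["requests"] < req_threshold:
            continue
        distinct = len(bucket["sources"])
        flags.append({
            "second": second,
            "requests": bucket["requests"],
            "distinct_sources": distinct,
            # many sources, few requests each: botnet; one source: single client
            "pattern": "distributed" if distinct >= src_threshold else "single-source",
        })
    return flags


def flood_sources(stats, flags):
    """Sorted addresses seen in flagged seconds, e.g. for a temporary block
    list or for abuse reports to the networks that own them."""
    ips = set()
    for f in flags:
        ips |= stats[f["second"]]["sources"]
    return sorted(ips)


if __name__ == "__main__":
    s = per_second_stats(build_sample())
    for f in flag_flood(s):
        print(f)
```

Per-second request counts alone cannot separate a flash crowd from a botnet; the distinct-source ratio is what makes the distributed case stand out, and the source list is the input to the spamcop.net / abuse-desk reporting the post recommends.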
UPDATE on 11/1/09
Taken from the most recent IBR Blogspot entry:
Good news — DDoS attacks not over
Members may have noticed another recent outage for several hours. It was another confirmed DDoS, via a method called “syn flood.” In the past, these sorts of attacks have gone on for weeks. We just roll with it.
Why is it good news? It lets us know our efforts are worthwhile, because making internet crime less profitable is exactly what we’re trying to accomplish. If we weren’t making criminals want to attack us, we’d have to wonder what we were doing wrong. We never expect to achieve the amazing level of spammer ire that Blue Security suffered in its famous 2006 attack, but then we aren’t planning to try to keep the site on line during the attacks. We just fall back to the alternate methods of spreading information. If our attackers would like to try to simultaneously take down Google, Microsoft, Twitter, WordPress, and all the other sites we’ve established a presence on, they’ll get themselves a lot more law enforcement attention than they’re currently planning on.
Comments are open for this blog, though they have to be approved by a moderator. And if you have a comment that seems to merit its own “thread,” we can repaste it as a blog post that can get its own comments.
Remember that SiL also has his two blogs, which also accept moderated comments:
http://ikillspammers.blogspot.com
http://spamitmustfall.blogspot.com
And we have our other sites for announcements:
http://twitter.com/inboxrevenge
http://inboxrevenge.webs.com
http://inboxrevenge.blogspot.com
http://spamtrackers.org
http://inboxrevenge.spaces.live.com
As always, the best response to retaliation is to continue to do the reporting you were doing before — but to do more of it. At the time of this post update, the IBR website loads as a 403 error as of 18:00 GMT on 11/1/09.
Filed under: blacklist, blocklist, cybercrime, malware, rogue networks, spam, trojan, virus | Leave a Comment
Tags: anti-spam, blacklist, blocklist, botnet, DDoS, Denial of Service, IBR, Inbound attack, inboxrevenge, InBoxRevenge DDoS, InBoxrevenge.com, IP, spam, spammers, Syn Flood
InBoxRevenge.com Under DDoS
Inboxrevenge.com, the little forum that creates big headaches for internet criminals, is under another distributed denial of service (DDoS) attack. That means hundreds or thousands of zombie computers — computers like yours that have been infected by malware and put under the control of criminals — are all trying to access the site simultaneously. Websites can only handle a certain amount of traffic, so having so many requests going on continuously shuts out legitimate visitors.
Frankly, we were wondering what took them so long. We’ve been through this before. We’ve got lots of backup means for forum admins and mods to communicate with each other and with the other members. We are prepared to just let the site be off line while these guys spend their money attacking. We’ll just chill and spend the extra time reporting their domains and bots. The difference is they don’t get to read about it.
What the rest of our members can do is take extra time reporting. Report your spam emails to spamcop.net, so more of their IPs are blocklisted and more of their bots are disinfected. Fire up Complainterator and report domains and their nameservers to registrars. We are not some discrete target that can be shut down with a DDoS. We are our members, all over the world, and we’re in it for the long term.
Check out our other websites online for updates:
http://twitter.com/inboxrevenge
http://inboxrevenge.webs.com
http://inboxrevenge.blogspot.com
http://spamtrackers.org
http://inboxrevenge.spaces.live.com
Filed under: blacklist, cybercrime, rogue networks, spam, virus | Leave a Comment
Tags: attack, botnet, cyberattack, DDoS, Denial of Service, IBR, Inbound, InBoxrevenge.com, IP, spam, spammers
According to Spamcop’s Top 200 targets of spam reports, many of China Telecom’s IPs are top spam senders. Andrzej Filip posts these stats on a daily basis to the Usenet newsgroup NANAE (news.admin.net-abuse.email), as noted here. I am posting a bit of his post below, but not the entire entry:
Top 200 targets of spamcop.net spam reports
For *the week* ending Sun Oct 11 07:04:14 2009 UTC
----------------------------------------------------
Total spamcop.net spam reports volume: 149533216
Top200 share of all spamcop.net spam reports: 1.36% (2035629/149533216)
The worst country: 39.5% CN [CHINA]
The worst ASN: 19.0% AS4134 (CN)
The worst prefix: 16.0% 125.104.0.0/13 (CN AS4134)
The worst IP: 125.110.99.59 (CN AS4134 125.104.0.0/13)

*Top 5 IP Addresses (The Dirtiest Dozen)*
# IP; ASN; prefix; spamcop.net spam reports; age; duration; Country; reverse DNS
1 125.110.99.59 AS4134 125.104.0.0/13 80833 3.4 d 4.0 d CN
2 125.110.99.211 AS4134 125.104.0.0/13 80358 3.4 d 4.0 d CN
3 125.110.114.61 AS4134 125.104.0.0/13 56616 3.4 d 3.9 d CN
4 125.110.102.112 AS4134 125.104.0.0/13 55744 3.0 h 3.1 d CN
5 125.110.99.152 AS4134 125.104.0.0/13 45731 3.4 d 3.9 d CN
As you can see above, this netblock owner is a very large spam origin offender and has been for quite some time (spamming for several years now). The top 5 spamming IPs are within the 125.104.0.0/13 range.
The WHOIS information on this China Telecom netblock is:
inetnum: 125.110.0.0 - 125.110.255.255
netname: CHINANET-ZJ-WZ
country: CN
descr: CHINANET-ZJ Wenzhou node network
descr: Zhejiang Telecom
admin-c: CZ4-AP
tech-c: CW27-AP
status: ALLOCATED NON-PORTABLE
changed: auto-dbm@dcb.hz.zj.cn 20061031
mnt-by: MAINT-CHINANET-ZJ
mnt-lower: MAINT-CN-CHINANET-ZJ-WZ
source: APNIC

role: CHINANET ZHEJIANG
address: No.378 Yan'an Road,Hangzhou,Zhejiang.310006
country: CN
phone: +86-571-87080702
fax-no: +86-571-87027816
e-mail: antispam@dcb.hz.zj.cn
trouble: send spam reports to antispam@dcb.hz.zj.cn
trouble: and abuse reports to antispam@dcb.hz.zj.cn
trouble: Please include detailed information and times in UTC
admin-c: CZ61-AP
tech-c: CZ61-AP
nic-hdl: CZ4-AP
remarks: http://www.zjtelecom.com.cn
mnt-by: MAINT-CHINANET-ZJ
changed: hjh@dcb.hz.zj.cn 20050914
source: APNIC

role: CHINANET-ZJ Wenzhou
address: No.2-1 Huancheng Road(East),Wenzhou,Zhejiang.325000
country: CN
phone: +86-577-88818629
fax-no: +86-577-88818635
e-mail: anti_spam@wz.zj.cn
trouble: send spam reports to anti_spam@wz.zj.cn
trouble: and abuse reports to anti_spam@wz.zj.cn
trouble: Please include detailed information and times in UTC
admin-c: CH117-AP
tech-c: CH117-AP
nic-hdl: CW27-AP
mnt-by: MAINT-CHINANET-ZJ
changed: master@dcb.hz.zj.cn 20031204
source: APNIC
According to FixedOrbit, this provider, AS4134, has over 70 million IP addresses, so it is definitely one of the largest of all Internet networks. The CIDR report on AS4134 shows its IP ranges, and quite a few are listed. At the Internet Storm Center, where users can voluntarily submit log files from their firewalls, AS4134 has a lot of malicious activity reported.
Another blog worth reading about the “Spam Crisis in China” is that of Gary Warner’s.
Filed under: spam | Leave a Comment
Tags: 125.104.0.0/13, AS4134, blacklisted, blocklisted, China Telecom, CHINANET-BACKBONE, CN, IP, ISC, spam, Spam Crisis in China, Spamcop
Rogue Network Rankings – GigeNET
The website FIRE (FInding RoguE Networks) tracks rogue networks based on malicious activity such as phishing, botnet activity and exploited servers. At the time of this post on September 19th, 2009, the Canada-based provider AS23522 IPNAP-ES – GigeNET was the top offender on MaliciousNetworks.org. One can also track this host using Google’s Safe Browsing diagnostic page for AS23522. Further research on the Malware IRC Network activity chart shows that this provider, IPNAP, shows up quite frequently as hosting IRC bots.
Filed under: blocklist, cybercrime, malware, phishing, rogue networks, trojan | Leave a Comment
Tags: AS23522, ASN, botnets, FIRE, GigeNET, IPNAP, malware, phishing, rogue networks

On September 6th, 2009, Spamhaus blocked a /16, which is 65,536 IPs (1 Class B), on its SBL. This listing is filed under SBL68517. The IP range being blocked is 132.240.0.0/16. One can view the ASN information for 132.240.0.0 at robtex. According to robtex, the upstream for this range is AS3257, which is Tinet (formerly Tiscali). There are 3 current SBLs related to this large blocking: SBL68517, SBL78348 (207.86.112.0/21 of XO.com) and SBL78350 (38.97.224.0/24 of Cogentco).
If one is rusty on subnetting (how many IPs a /N listing covers), one can check the CIDR entry on the wiki. Having over 65,000 IPs blocked by Spamhaus is generally a big deal to ISPs and webhosts. Spamhaus, in its diligent research of the worst spam organisations, has determined that this IP range, which is owned by Oracle (AS794), is hijacked. Spamhaus classifies such activity under ROKSO as Zombies. Nearly all Spamhaus’ ROKSO (Register of Known Spam Operations) entries are names of companies, people or similar which are known to engage in large-scale spamming activities. Spamhaus lists such groups on ROKSO if their spamming operations have been terminated by at least 3 different ISPs. Zombies (the activity of hijacking networks of IP ranges) get their own entry.
The problem of zombies (hijacked netblocks) is an issue in fighting spam and blocking various rogue networks. Spamhaus maintains a DROP (Don’t Route Or Peer) list of such networks (hijacked netblocks or zombies) on its website for network administrators to use to block unwanted traffic at their routers, firewalls or webservers.
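As an added example (not code from Spamhaus or from this blog), the Python below does the subnet arithmetic the previous paragraphs lean on and then applies a DROP-style list the way an administrator would: it computes how many addresses a /16, /21 or /24 covers, parses lines in the "CIDR ; SBL id" layout of the published DROP text file, tests whether a given IP falls inside any listed netblock, and renders the corresponding drop rules. The three entries are constructed from the SBL ids and ranges named in the post; everything else (file contents, the iptables rendering, the test addresses) is an assumption of this example.

```python
import ipaddress

# Constructed excerpt in the DROP file layout ("CIDR ; SBL id"), built from the
# three listings named in the post. Assumption: the real list is fetched from
# Spamhaus separately; this text stands in for it so the example runs offline.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed excerpt for this example)
132.240.0.0/16 ; SBL68517
207.86.112.0/21 ; SBL78348
38.97.224.0/24 ; SBL78350
"""


def address_count(cidr):
    """Number of IPv4 addresses a prefix covers: 2 ** (32 - prefix length)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def parse_drop(text):
    """Parse DROP-format lines into (network, sbl_id) pairs.

    Lines beginning with ';' are comments; blank lines are ignored. strict=False
    tolerates a host bit being set in a hand-typed entry.
    """
    entries = []
    for line in text.splitlines():
        cidr, _, sbl = line.partition(";")
        cidr, sbl = cidr.strip(), sbl.strip()
        if not cidr:
            continue
        entries.append((ipaddress.ip_network(cidr, strict=False), sbl))
    return entries


def total_addresses(entries):
    """How much address space the list covers in total."""
    return sum(net.num_addresses for net, _ in entries)


def match_ip(ip, entries):
    """Return the SBL id whose netblock contains ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, sbl in entries:
        if addr in net:
            return sbl
    return None


def firewall_rules(entries):
    """Render one iptables-style rule per entry (illustrative text, not run)."""
    return [f"iptables -A INPUT -s {net} -j DROP  # {sbl}" for net, sbl in entries]


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for net, sbl in drop:
        print(f"{sbl}: {net} covers {net.num_addresses} addresses")
    print("total:", total_addresses(drop))
    for ip in ("132.240.17.5", "207.86.119.9", "198.51.100.1"):
        print(ip, "->", match_ip(ip, drop))
    print("\n".join(firewall_rules(drop)))
```

A /16 is 2**16 = 65,536 addresses, a /21 is 2,048 and a /24 is 256, so these three listings alone cover 67,840 addresses; because DROP entries are whole hijacked netblocks rather than individual spam sources, the list is meant to be applied at the network edge, not as a mail-time lookup.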
It would seem that the Regional Internet Registries (RIRs: LACNIC, ARIN, RIPE, AfriNIC, and APNIC) should be more proactive in preventing hijacking from happening in the first place. The RIRs allocate IPs to different organizations, mainly ISPs and large corporations. Perhaps IANA (Internet Assigned Numbers Authority), which oversees the allocation of IP addresses, should take some action as well to minimize the stealing of netblocks on the Internet by spammers. But then again, anyone who watches the issue of fraudulent domain name purchases knows that ICANN does not often take direct action to minimize falsified domains purchased by spammers, often using stolen credit cards. These fraudulent domains are then used in many spamming activities, including fast-flux DNS on botnets.
Filed under: blocklist, cybercrime, malware, phishing, registrars, rogue networks, spam, trojan, virus | Leave a Comment
Tags: AfriNIC, APNIC, arin, blacklist, blocklist, CIDR, cogentco, firewalls, hijacked, IP, LACNIC, netblock, Oracle, RIPE, RIR, ROKSO, SBL, spam, spamhaus, XO, zombies