Rogue Networks and Spamhaus

12Jun09

Some more recent Twitters on @InBoxRevenge

AS35415 / 194.187.96.0/22 WEBAZILLA? ExtendedHost .com – spam, scam, cybercrime hosting SBL Spamhaus SBL60306 http://bit.ly/gQZQo #blocklist

AS42775 / 91.209.48.0/27 CAMEA-NET Canadian Pharmacy ROKSO upstream AS3267/RUNNET SBL Spamhaus SBL76405 http://bit.ly/Ulo6Z #blocklist

The two networks above, blocklisted by Spamhaus on 6/11/09, could easily be called rogue because they are infested with websites up to no good. Both of these networks in the Spamhaus SBL listings are filled with bad clients. Either the entire network supports cybercrime, or it is a large infestation with a few smaller innocent clients. I tend to think in this case that it is the former. After doing diligent research, some of us spam investigators typically call such netblocks “rogue networks.” The second SBL, for Camea.net, appears to be Russian-based.

I am guessing Webazilla.com (a Netherlands-based webhosting provider) is within that netblock (194.187.96.0/22), based on my own research, which is independent of Spamhaus’. To see some current malware websites within the Webazilla block, check out Google’s Safe Browsing diagnostic for AS35415 (Webazilla). One can also see more malware domains on this network at the Malware Domain List. The contents of the Spamhaus listing focus more on Extendedhost.com. Here is ExtendedHost’s information in the CIDR Report, as referenced by Spamhaus in the SBL. It is not recommended to view these websites in a browser unless you are certain you know how to protect yourself.

For now we are watching to see how long these SBLs remain active. Both SBLs block whole netblocks rather than single addresses, and both were posted by Spamhaus volunteers on 6/11/09. Lots of malicious activity is originating from these IPs, which is why Spamhaus listed them.

Look at the IP ranges: 194.187.96.0/22 and 91.209.48.0/27. Note the prefix length after the slash: a /22 covers 1024 addresses (1022 usable hosts), while a /27 is much smaller at 32 addresses (30 usable hosts). The first one, SBL60306, is listed under RIPE (the registry holding the allocation) because Spamhaus is not exactly sure which network is assigned that IP range. With over a thousand hosts blocked, I wonder how long either of them will stay blocked.
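As an added example (not part of the original post, and not Spamhaus’ own code), the Python below does the arithmetic a mail admin would do with the two listings: it parses notice lines in the same "ASnnnn / CIDR ... SBLnnnnn" shape as the tweets above, works out the size of each block, checks whether a given address falls inside a listing, and builds the reversed-octet name a mail server would resolve against the SBL zone. The notice text is constructed from the tweets, the address 91.209.48.17 is the one in the capture quoted further down, and no DNS query is actually sent.

```python
import ipaddress
import re

# Constructed sample input modelled on the two tweets quoted above
# (typed in for this example, not fetched from Spamhaus or Twitter).
SBL_NOTICES = [
    "AS35415 / 194.187.96.0/22 WEBAZILLA? ExtendedHost .com - spam, scam, cybercrime hosting SBL Spamhaus SBL60306",
    "AS42775 / 91.209.48.0/27 CAMEA-NET Canadian Pharmacy ROKSO upstream AS3267/RUNNET SBL Spamhaus SBL76405",
]

# "ASnnnn / a.b.c.d/len <free text> SBLnnnnn": origin AS, the listed CIDR,
# and the SBL case number somewhere after it.
NOTICE_RE = re.compile(
    r"^(?P<asn>AS\d+)\s*/\s*(?P<cidr>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b"
    r".*?\b(?P<sbl>SBL\d+)\b"
)


def parse_notice(line):
    """Turn one notice line into a dict holding a parsed ip_network."""
    m = NOTICE_RE.match(line)
    if m is None:
        raise ValueError("not an SBL notice: %r" % line)
    # strict=True rejects a prefix with host bits set (e.g. 194.187.97.0/22),
    # which would mean a typo in the notice rather than a real block.
    net = ipaddress.ip_network(m.group("cidr"), strict=True)
    return {"asn": m.group("asn"), "sbl": m.group("sbl"), "network": net}


def block_size(net):
    """Total addresses in the prefix and the conventional usable-host count."""
    total = net.num_addresses
    # Network and broadcast addresses are not assignable on /30 and larger blocks.
    usable = total - 2 if net.prefixlen <= 30 else total
    return total, usable


def find_listing(ip, listings):
    """Return the most specific listing covering ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    hits = [l for l in listings if addr in l["network"]]
    if not hits:
        return None
    return max(hits, key=lambda l: l["network"].prefixlen)


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Build the reversed-octet name a mail server resolves to check the SBL.

    Only the name is constructed here; no DNS lookup is performed.
    """
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    listings = [parse_notice(n) for n in SBL_NOTICES]
    for l in listings:
        total, usable = block_size(l["network"])
        print(l["sbl"], l["network"], "addresses:", total, "usable:", usable)
    hit = find_listing("91.209.48.17", listings)
    print("91.209.48.17 ->", hit["sbl"] if hit else "not listed")
    print("query name:", dnsbl_query_name("91.209.48.17"))
```

Running it prints 1024/1022 for the /22 and 32/30 for the /27, reports that 91.209.48.17 falls under SBL76405, and shows the query name 17.48.209.91.sbl.spamhaus.org; an address one past the end of the /27 (91.209.48.32) is correctly reported as not listed.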

The second listing above by Spamhaus (SBL76405) is associated with Canadian Pharmacy, a spam group that is one of the most prolific in the volume of spam it sends. One can read more about Canadian Pharmacy on the Spamwiki. Canadian Pharmacy likes to run its websites on a Linux webserver running nginx, as the capture below shows. Taken from Spamhaus’ listing SBL76405:

* Connected to 91.209.48.17
: GET /privacy.php HTTP/1.1
: Host: my-order-status.info

: HTTP/1.1 200 OK
: Server: nginx/0.6.34
: [title]Support Center[/title]
: … to set up a Canadian Pharmacy account.
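The capture above is the kind of evidence an investigator uses to fingerprint a hosting operation from the outside. As an added example that is not from the original post or from Spamhaus, the Python below parses a constructed HTTP response modelled on that capture, pulls out the status, the Server banner and the page title, and reports which indicators matched. The FINGERPRINT indicators (the nginx banner prefix and the phrase "Canadian Pharmacy") are an assumption made for illustration, not a published signature.

```python
import re

# Constructed sample modelled on the capture quoted from SBL76405 above;
# these are not the actual bytes Spamhaus recorded.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.6.34\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Support Center</title></head>"
    "<body>... to set up a Canadian Pharmacy account.</body></html>"
)

# Assumed indicators for this example only (not a Spamhaus signature).
FINGERPRINT = {
    "server_prefix": "nginx/",
    "body_phrases": ["Canadian Pharmacy"],
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into status code, headers and body.

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers, "body": body}


def page_title(body):
    """Return the <title> text of an HTML body, or None if there is none."""
    m = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else None


def matches_fingerprint(resp, fp=FINGERPRINT):
    """List the indicators that matched; an empty list means no match."""
    matched = []
    server = resp["headers"].get("server", "")
    if server.startswith(fp["server_prefix"]):
        matched.append("server:" + server)
    lowered = resp["body"].lower()
    for phrase in fp["body_phrases"]:
        if phrase.lower() in lowered:
            matched.append("body:" + phrase)
    return matched


if __name__ == "__main__":
    resp = parse_response(SAMPLE_RESPONSE)
    print("status:", resp["status"], "title:", page_title(resp["body"]))
    print("matched:", matches_fingerprint(resp))
```

A banner alone is weak evidence, since nginx is common; the body phrase is what ties this host to the operation, which is why the function reports each indicator separately rather than a single yes/no.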

Spamhaus’ information is primarily used by ISPs and mail server admins. If the host is proactive and has a policy against internet abuse, it will try to get itself delisted from Spamhaus. Often the provider has to terminate the client entirely, not merely move it to another portion of its network.

If you are not aware, Spamhaus also keeps profiles of the largest known spamming groups in its ROKSO (Register of Known Spam Operations) database. A lot of research is done by Spamhaus volunteers to build these profiles. Many of the spam operations originate from different countries, just as their activity is spread across different places online. As Spamhaus states on its website, some of its collected information is shared with law enforcement worldwide.

Researching these operations is very tedious and takes a lot of time. Many people who do not understand this process get very angry when they see Spamhaus blocking the IP address they send their mail from. Some will even write to Spamhaus themselves to get their IP unblocked, when this should be done at the ISP level.

Final Note: as the status on these blocklistings changes, we plan to update this post.
