Is IPv4 Space REALLY in short supply? Spammer

Maybe it just is not being used for the right purposes..

Last night we looked at our logs and tracking and noticed a new prolific spammer.

Those of us in the industry have come to realize that there has been a very large increase in Brazilian spam sources, out to make money by spamming, most of it on legitimate hosting companies, and often located right here in North American data centers.  Not to pick on the Brazilians: other emerging countries are getting into this simple way to make money by spamming too.

And while it is up to the hosting companies to monitor their own networks, when you see a large block of IPv4 space suddenly being used to spam the Internet you have to wonder how they got that space, when more ‘legitimate’ companies have trouble getting any.

Today we are looking at a full /19 that should be on every spam auditor’s radar.  That is over 8000 IPs that could be used to attack your customers’ inboxes.

 inetnum: 179.61.224/19
 status: reallocated
 owner: HOST1PLUS hosting services. Brazil.
 ownerid: BR-HHSB-LACNIC
 responsible: Felipe Ernst
 address: Alameda Araguaia, 3641, Barueri
 address: 06455-000 - Tamboré Barueri - SP
 country: BR
 phone: +56 226 382322 []
 owner-c: VIG28
 tech-c: VIG28
 abuse-c: VIG28
 inetrev: 179.61.224/22
 nserver: RDNS1.ALPHAVPS.BG
 nsstat: 20160626 AA
 nslastaa: 20160626
 nserver: RDNS2.ALPHAVPS.BG
 nsstat: 20160626 AA
 nslastaa: 20160626
 created: 20140207
 changed: 20140207
 inetnum-up: 179.61.128/17


It looks like they managed to get it from a Chilean provider, and there is some further re-allocation to ‘alphavps.bg’.

Let’s quickly look at some of the naming conventions on that network.

 235.225.61.179.in-addr.arpa domain name pointer atl21.digitiform.com.
 236.225.61.179.in-addr.arpa domain name pointer diocess.com.
 237.225.61.179.in-addr.arpa domain name pointer atl31.diocess.com.
 238.225.61.179.in-addr.arpa domain name pointer emailer.diocess.com.
 239.225.61.179.in-addr.arpa domain name pointer emailer1-103.diocess.com.
 240.225.61.179.in-addr.arpa domain name pointer emailer12-15.diocess.com.
 241.225.61.179.in-addr.arpa domain name pointer emailer112-16.diocess.com.
 242.225.61.179.in-addr.arpa domain name pointer exchange.diocess.com.
 243.225.61.179.in-addr.arpa domain name pointer exchange122.diocess.com.
 244.225.61.179.in-addr.arpa domain name pointer discalceated.com.
 245.225.61.179.in-addr.arpa domain name pointer msgin.discalceated.com.
 246.225.61.179.in-addr.arpa domain name pointer alt2aspmx.discalceated.com.

Actually, the whole Class C, as well as the ones above it, uses these throwaway domains and naming conventions. So does that alone make them bad?

   179.61.224.3             16   aborsive.com
   179.61.224.4             13   alt1.aborsive.com
   179.61.224.5             13   alt2.aborsive.com
   179.61.224.6             12   alt4.aborsive.com
   179.61.224.7             15   am0.aborsive.com
   179.61.224.8             14   asmpx.aborsive.com
   179.61.224.9             15   connect.aborsive.com
   179.61.224.11            13   exchange.aborsive.com
   179.61.224.12            13   acanthuses.com
   179.61.224.13            13   imap.acanthuses.com
   179.61.224.14            15   mail.acanthuses.com
   179.61.224.15            13   mail-merge.acanthuses.com
   179.61.224.16            13   mail2web.acanthuses.com
   179.61.224.17            14   mailin.acanthuses.com
   179.61.224.18            14   mailin-05.acanthuses.com
   179.61.224.19            13   mailin-08.acanthuses.com
   179.61.224.20            14   acinetiform.com
   179.61.224.21            15   msgin.acinetiform.com
   179.61.224.22            15   mta.acinetiform.com
   179.61.224.23            13   mta5.acinetiform.com
   179.61.224.24            12   mta9.acinetiform.com
   179.61.224.25            14   mx4s.acinetiform.com
   179.61.224.26            14   mx6.acinetiform.com
   179.61.224.27            13   mx8.acinetiform.com
   179.61.224.28            11   acouchy.com
   179.61.224.29            15   optin.acouchy.com
   179.61.224.30            15   pop.acouchy.com

Ah, yes. It seems lots of ISPs reported being under attack by this range last night.  We can assume that if they are using everything from the first IP up, the intent is probably to use the rest of the ranges tomorrow.

Well, actually it isn’t the full /19 but the /22 that is used for this.  Was this a case where the provider was ‘fooled’ into renting/delegating this space to this spammer? Or was this a business decision? Or was it simply to prove ‘usage’? If the person who owns the /19 doesn’t have a use for it, should it go back to the pool of available IP addresses?
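The pattern above (a handful of unrelated domains per /24, each fronted by a few mail-sounding host labels, with the addresses filled in from the bottom of the block and the activity confined to the /22 rather than the whole /19) is something an auditor can score mechanically rather than eyeball. The Python below is an added example, not code from this post: it groups PTR names by /24, counts distinct base domains and mail-like labels, measures how densely the used addresses are packed, and computes the smallest CIDR block that covers every address seen. The PTR names are the ones listed above, assembled by hand into a dictionary (nothing is resolved live); the control /24 in documentation space, the list of mail-like labels and the flagging thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the PTR names the post lists for 179.61.224.0/24 and
# 179.61.225.0/24, plus a made-up control /24 in documentation space
# (198.51.100.0/24) with a single domain. Assembled by hand, not fetched from DNS.
SAMPLE_PTRS = {
    "179.61.224.3": "aborsive.com", "179.61.224.4": "alt1.aborsive.com",
    "179.61.224.5": "alt2.aborsive.com", "179.61.224.6": "alt4.aborsive.com",
    "179.61.224.7": "am0.aborsive.com", "179.61.224.8": "asmpx.aborsive.com",
    "179.61.224.9": "connect.aborsive.com", "179.61.224.11": "exchange.aborsive.com",
    "179.61.224.12": "acanthuses.com", "179.61.224.13": "imap.acanthuses.com",
    "179.61.224.14": "mail.acanthuses.com", "179.61.224.15": "mail-merge.acanthuses.com",
    "179.61.224.16": "mail2web.acanthuses.com", "179.61.224.17": "mailin.acanthuses.com",
    "179.61.224.18": "mailin-05.acanthuses.com", "179.61.224.19": "mailin-08.acanthuses.com",
    "179.61.224.20": "acinetiform.com", "179.61.224.21": "msgin.acinetiform.com",
    "179.61.224.22": "mta.acinetiform.com", "179.61.224.23": "mta5.acinetiform.com",
    "179.61.224.24": "mta9.acinetiform.com", "179.61.224.25": "mx4s.acinetiform.com",
    "179.61.224.26": "mx6.acinetiform.com", "179.61.224.27": "mx8.acinetiform.com",
    "179.61.224.28": "acouchy.com", "179.61.224.29": "optin.acouchy.com",
    "179.61.224.30": "pop.acouchy.com",
    "179.61.225.235": "atl21.digitiform.com", "179.61.225.236": "diocess.com",
    "179.61.225.237": "atl31.diocess.com", "179.61.225.238": "emailer.diocess.com",
    "179.61.225.239": "emailer1-103.diocess.com", "179.61.225.240": "emailer12-15.diocess.com",
    "179.61.225.241": "emailer112-16.diocess.com", "179.61.225.242": "exchange.diocess.com",
    "179.61.225.243": "exchange122.diocess.com", "179.61.225.244": "discalceated.com",
    "179.61.225.245": "msgin.discalceated.com", "179.61.225.246": "alt2aspmx.discalceated.com",
    "198.51.100.10": "mx1.example.net", "198.51.100.11": "mx2.example.net",
    "198.51.100.12": "www.example.net",
}

# Leading labels that read as mail infrastructure. Hypothetical list, tuned to
# the post's data; a production version would be broader.
MAIL_LABEL = re.compile(
    r"^(mta|mx|mail|msgin|emailer|exchange|asmpx|aspmx|smtp|pop|imap|optin|connect|alt|am|atl)",
    re.I,
)


def base_domain(name):
    """Registrable domain, assumed to be the last two labels (no public-suffix list here)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def host_label(name):
    """First label of a hostname, or None when the PTR is a bare domain."""
    parts = name.rstrip(".").split(".")
    return parts[0].lower() if len(parts) > 2 else None


def profile_block(ptrs, prefixlen=24):
    """Group PTRs by /prefixlen and score each group for throwaway-domain naming."""
    groups = defaultdict(dict)
    for ip, name in ptrs.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net][ipaddress.ip_address(ip)] = name
    report = {}
    for net, hosts in groups.items():
        n = len(hosts)
        domains = {base_domain(v) for v in hosts.values()}
        mail_like = 0
        for v in hosts.values():
            lbl = host_label(v)
            if lbl and MAIL_LABEL.match(lbl):
                mail_like += 1
        # Offsets from the network address show whether the block is filled
        # from the bottom up and how tightly the used addresses are packed.
        offsets = sorted(int(ip) - int(net.network_address) for ip in hosts)
        span = offsets[-1] - offsets[0] + 1
        report[str(net)] = {
            "hosts": n,
            "domains": len(domains),
            "mail_like": mail_like,
            "first_offset": offsets[0],
            "density": n / span,
            # Flag: several unrelated domains, each carrying only a handful of
            # mail-looking hosts. Thresholds are assumptions, not a standard.
            "suspect": len(domains) >= 3 and mail_like / n >= 0.5 and n / len(domains) <= 10,
        }
    return report


def covering_prefix(ips):
    """Smallest CIDR block containing every address seen (widens one bit at a time)."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    for block, stats in profile_block(SAMPLE_PTRS).items():
        print(block, stats)
    active = [ip for ip in SAMPLE_PTRS if ip.startswith("179.61.")]
    print("active addresses fit in", covering_prefix(active))
```

Run against the post's data, both 179.61.224.0/24 and 179.61.225.0/24 come out flagged while the single-domain control does not, and the covering prefix of the active addresses is 179.61.224.0/23, which sits inside the /22 from the inetrev line and nowhere near the full /19. The density figure is the part worth watching over time: a block that is filled from its first address with no gaps is the "they will use the rest tomorrow" signal the post describes.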

This is of course a controversial subject; even ARIN is currently discussing how to prevent ‘speculators’ from picking up IP space without a real need.

In the meantime, this operator can make a lot of money, and be quite disruptive to the Internet, in just a short period.  And there is a line of spammers looking to rent blocks of IPs solely for the purpose of spam.

Do we have an answer? No, but of course if that’s what they want to do with the IP space, we spam auditors can be a lot more aggressive in deciding to simply ‘flag’ that space as dirty.
