RIPE Bulgaria, what is going on?

Posted on August 11, 2015 by MagicMail

While we all see occasional false information used by spammers to get hosting IP Space, in an age where IPv4 addresses are scarce you always wonder when large swathes of brand new IP space are used for spamming.

And in this case, this is something we have seen over the last few months, but we see the same operator getting more and more IP(s), which is the surprising part.

They call themselves “Wireless Network Solutions Ltd.” and as of four days ago, it seems they received another 6 Class C’s, and within four days they started abusing the internet quite quickly with spam.

Today, two of those Class C’s fired up, triggering alerts all across North America.

94.156.33.236 : essexsilverlinewest.owenbathrooms.com
94.156.33.237 : hcmcorp-com.websterbathrooms.com
94.156.33.239 : hhgregg.wolfmodernbath.com
94.156.35.120 : inspire-productions.macdonaldcopdfacts.com
94.156.35.121 : dwyerproductions.leblanccopdfacts.com
94.156.35.122 : crewof4.lestercopdsource.com
94.156.35.123 : newkirkpainting.josephcopdsource.com
94.156.35.124 : daltoncarpetone.bowmancomsystems.com
94.156.35.125 : plasm.marshcomsystems.com
94.156.35.126 : cartridgehq.boonebusinessnet.com
94.156.35.127 : bon2-net.maddenbusinessnet.com
94.156.35.128 : mingomedia.craiggetaways.com
94.156.35.129 : maggieumc.mooneyvacations.com
94.156.35.130 : cynthiayoung.sweeneyvacations.com
94.156.35.131 : mlewisdental.webstergetaways.com

This is the same pattern they used in the last block of IP(s) they got, throw away domain names, used to spam at a very high rate.

(A couple of other Class C’s fired up as well)

The obvious question, what kind of a company is this? Doesn’t sound like a wireless company..

212.117.52.160 : footbridgemedia.summerspainhelp.com
212.117.52.161 : nycwebstudio.frenchpainhelp.com
212.117.52.162 : micnguyen.clinepainhelp.com
212.117.52.164 : centralcoastis.delgadopainmanagement.com
212.117.52.209 : gginb.heathcruiselines.com
212.117.52.210 : gildeallc.rubiocruiselines.com
212.117.52.211 : grasslandgranite.mosleytravelpartners.com
212.117.52.213 : barr-02.bryantravelpartners.com
212.117.52.249 : littleturtleknits.davenportbizdegrees.com
212.117.52.251 : mlcplus.burchmbadegrees.com
212.117.52.77 : vldedgsrv1.barberbillingeducation.com
212.117.52.78 : goldiegroup.bartonbillingeducation.com
212.117.52.79 : justplainannies.averybillingeducation.com
212.117.52.80 : magicmini.murillomedcoding.com
212.117.52.81 : dougekos.georgemedcoding.com

212.117.55.150 : multicolors.reportsecurcheckinform.com
212.117.55.151 : momulti.yearadditionreportsinform.com
212.117.55.152 : allsc-net.itemlistinformchecks.com
212.117.55.153 : apsops.checkreturnreportexam.com

85.239.147.100 : lytal.pettyonlinelearning.com
85.239.147.96 : kirkconstruction.armstrongdegreechoice.com
85.239.147.97 : ideastudiosinc.durhamdegreechoice.com
85.239.147.98 : jaegerinteractive.mcclureonlinelearning.com
85.239.147.99 : garanww.hollandonlinelearning.com

85.239.150.121 : dancinwithpam.hermantravelupgrades.com
85.239.150.141 : betasproxy.hodgenetworksolutions.com

And on and on and on..

This entry was posted in Informative and tagged , , , , . Bookmark the permalink.

Leave a Reply