Pesky Russian Spam Sources Increasing Again?

As you know, I often point out how bad the North American hosting companies can be as spam sources, but of course with most of the hosting companies being in North America, that is only logical. It used to be that Russian spammers operated from poorly secured networks, but that hasn't been as big an issue for the last couple of years, as network operators caught up.

However, the last few days have seen new 'hosting companies', or co-location facilities, either springing up, getting more IP space, or simply being more liberal about who they let operate on their networks.

And the two biggest outbreaks came from:

MosCityLine LLC 93.157.224.0 – 93.157.231.255

And various netblocks belonging to JSC Server WebDC colocation

While most hosting companies normally offer SWIP or rWhois to designate their customers' IP space, neither of these companies does, so it is hard to tell whether the company itself or its clients are the problem.

A simple examination of the IP space using reverse DNS (PTR) queries points out a pattern that looks suspect.

E.g., for MosCityLine:

13.229.157.93.in-addr.arpa domain name pointer sidney.jellystacks.com.
51.229.157.93.in-addr.arpa domain name pointer reft.jellystacks.com.
75.229.157.93.in-addr.arpa domain name pointer wants.cocotugo.com.
77.229.157.93.in-addr.arpa domain name pointer antiferromagnetism.cocotugo.com.
113.229.157.93.in-addr.arpa domain name pointer lateritious.manrenello.com.
144.229.157.93.in-addr.arpa domain name pointer cottage.waytomanigoldo.com.
153.229.157.93.in-addr.arpa domain name pointer rarely.waytomanigoldo.com.
201.229.157.93.in-addr.arpa domain name pointer jejunostomy.cheaperli.com.
210.229.157.93.in-addr.arpa domain name pointer salicaceae.cheaperli.com.
250.229.157.93.in-addr.arpa domain name pointer ensiform.cheaperli.com.
24.230.157.93.in-addr.arpa domain name pointer supplicant.fridgehoster.com.
44.230.157.93.in-addr.arpa domain name pointer sapphist.fridgehoster.com.
61.230.157.93.in-addr.arpa domain name pointer salal.fridgehoster.com.
82.230.157.93.in-addr.arpa domain name pointer centipede.xcoldweb.com.
124.230.157.93.in-addr.arpa domain name pointer caeca.susanmanner.com.
163.230.157.93.in-addr.arpa domain name pointer temperament.benniesite.com.
181.230.157.93.in-addr.arpa domain name pointer broncho.benniesite.com.
204.230.157.93.in-addr.arpa domain name pointer bibliographer.doggystarsr.com.
234.230.157.93.in-addr.arpa domain name pointer gouttes.doggystarsr.com.
10.231.157.93.in-addr.arpa domain name pointer sociobiologic.nomakblack.com.
50.231.157.93.in-addr.arpa domain name pointer latterly.nomakblack.com.
73.231.157.93.in-addr.arpa domain name pointer rigger.trinityblade.com.
101.231.157.93.in-addr.arpa domain name pointer mesopotamia.lukestars.com.
105.231.157.93.in-addr.arpa domain name pointer filler.lukestars.com.
145.231.157.93.in-addr.arpa domain name pointer pervestigation.louispenguin.com.
157.231.157.93.in-addr.arpa domain name pointer tylenchus.louispenguin.com.
195.231.157.93.in-addr.arpa domain name pointer hanging.silvatrainner.com.
221.231.157.93.in-addr.arpa domain name pointer aroused.silvatrainner.com.
241.231.157.93.in-addr.arpa domain name pointer forfend.silvatrainner.com.

It's obvious that these are throw-away domain names: a random dictionary word as the hostname, and a different registered domain every two or three IPs. And all the domain names lead to an 'unsubscribe' page (sic). Aside from this being a terrible waste of limited IP space (they could have done all of this from a single IP), and aside from RIPE not really being in a position to determine what IPs are going to be used for, this type of activity is a serious burden on email operators, and clearly goes against most anti-spam legislation.
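The pattern above can be checked mechanically rather than by eye. The following is an added example (not code from the original post): it parses `host`-style PTR output, groups the IPs by registered domain, counts IPs per /24, and flags the snowshoe signature of many throw-away domains, each covering only a few IPs, with a unique word as every left-most label. The MosCityLine listing is the one from the post; the second, "ordinary" listing is constructed for contrast, and the two-label `base_domain()` rule is a simplifying assumption (a real tool would use the public suffix list).

```python
import re
from collections import defaultdict

# PTR listing for MosCityLine, copied from the post above (output of `host` queries).
MOSCITYLINE_RDNS = """\
13.229.157.93.in-addr.arpa domain name pointer sidney.jellystacks.com.
51.229.157.93.in-addr.arpa domain name pointer reft.jellystacks.com.
75.229.157.93.in-addr.arpa domain name pointer wants.cocotugo.com.
77.229.157.93.in-addr.arpa domain name pointer antiferromagnetism.cocotugo.com.
113.229.157.93.in-addr.arpa domain name pointer lateritious.manrenello.com.
144.229.157.93.in-addr.arpa domain name pointer cottage.waytomanigoldo.com.
153.229.157.93.in-addr.arpa domain name pointer rarely.waytomanigoldo.com.
201.229.157.93.in-addr.arpa domain name pointer jejunostomy.cheaperli.com.
210.229.157.93.in-addr.arpa domain name pointer salicaceae.cheaperli.com.
250.229.157.93.in-addr.arpa domain name pointer ensiform.cheaperli.com.
24.230.157.93.in-addr.arpa domain name pointer supplicant.fridgehoster.com.
44.230.157.93.in-addr.arpa domain name pointer sapphist.fridgehoster.com.
61.230.157.93.in-addr.arpa domain name pointer salal.fridgehoster.com.
82.230.157.93.in-addr.arpa domain name pointer centipede.xcoldweb.com.
124.230.157.93.in-addr.arpa domain name pointer caeca.susanmanner.com.
163.230.157.93.in-addr.arpa domain name pointer temperament.benniesite.com.
181.230.157.93.in-addr.arpa domain name pointer broncho.benniesite.com.
204.230.157.93.in-addr.arpa domain name pointer bibliographer.doggystarsr.com.
234.230.157.93.in-addr.arpa domain name pointer gouttes.doggystarsr.com.
10.231.157.93.in-addr.arpa domain name pointer sociobiologic.nomakblack.com.
50.231.157.93.in-addr.arpa domain name pointer latterly.nomakblack.com.
73.231.157.93.in-addr.arpa domain name pointer rigger.trinityblade.com.
101.231.157.93.in-addr.arpa domain name pointer mesopotamia.lukestars.com.
105.231.157.93.in-addr.arpa domain name pointer filler.lukestars.com.
145.231.157.93.in-addr.arpa domain name pointer pervestigation.louispenguin.com.
157.231.157.93.in-addr.arpa domain name pointer tylenchus.louispenguin.com.
195.231.157.93.in-addr.arpa domain name pointer hanging.silvatrainner.com.
221.231.157.93.in-addr.arpa domain name pointer aroused.silvatrainner.com.
241.231.157.93.in-addr.arpa domain name pointer forfend.silvatrainner.com.
"""
# Constructed contrast case (not from the post): PTRs all under one provider domain.
ORDINARY_RDNS = """\
1.2.0.192.in-addr.arpa domain name pointer srv1.examplehost.net.
2.2.0.192.in-addr.arpa domain name pointer srv2.examplehost.net.
3.2.0.192.in-addr.arpa domain name pointer mail.examplehost.net.
4.2.0.192.in-addr.arpa domain name pointer srv4.examplehost.net.
5.2.0.192.in-addr.arpa domain name pointer srv5.examplehost.net.
"""
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\s+domain name pointer\s+(\S+?)\.?$")

def parse_ptr_line(line):
    """One `host` output line -> (forward IP, hostname); None if it is not a PTR line.
    Tolerates a leading '#' (prompt residue in pasted output)."""
    m = PTR_RE.match(line.strip().lstrip("#").strip())
    if not m:
        return None
    d, c, b, a = m.group(1), m.group(2), m.group(3), m.group(4)  # in-addr.arpa reverses octets
    return f"{a}.{b}.{c}.{d}", m.group(5).lower()

def base_domain(hostname):
    # Assumption: registered domain = last two labels (good enough for .com/.net here).
    return ".".join(hostname.split(".")[-2:])

def profile_listing(text):
    """Return (ip -> hostname, registered domain -> set of IPs) for a PTR listing."""
    ip_to_host, by_domain = {}, defaultdict(set)
    for line in text.splitlines():
        parsed = parse_ptr_line(line)
        if parsed:
            ip, host = parsed
            ip_to_host[ip] = host
            by_domain[base_domain(host)].add(ip)
    return ip_to_host, by_domain

def ips_per_24(text):
    """Count listed IPs per /24, to see how evenly the pattern covers the block."""
    counts = defaultdict(int)
    for ip in profile_listing(text)[0]:
        counts[".".join(ip.split(".")[:3]) + ".0/24"] += 1
    return dict(counts)

def snowshoe_indicators(text, max_ips_per_domain=3, min_domains=5):
    """Flag the snowshoe signature: many domains, each on only a few IPs, and a
    left-most label that never repeats (one random dictionary word per IP)."""
    ip_to_host, by_domain = profile_listing(text)
    n_ips = len(ip_to_host)
    distinct_labels = len({h.split(".")[0] for h in ip_to_host.values()})
    max_per_domain = max((len(v) for v in by_domain.values()), default=0)
    suspect = (len(by_domain) >= min_domains
               and max_per_domain <= max_ips_per_domain
               and n_ips > 0 and distinct_labels == n_ips)
    return {"ips": n_ips, "domains": len(by_domain), "max_ips_per_domain": max_per_domain,
            "distinct_leftmost_labels": distinct_labels, "suspect": suspect}

if __name__ == "__main__":
    for name, listing in (("MosCityLine", MOSCITYLINE_RDNS), ("ordinary", ORDINARY_RDNS)):
        print(name, snowshoe_indicators(listing), ips_per_24(listing))
```

On the MosCityLine listing this reports 29 IPs spread over 15 registered domains, never more than 3 IPs per domain and 29 distinct left-most labels, with the pattern distributed across all three /24s; the constructed single-domain listing is not flagged. The thresholds are deliberately loose heuristics for triage, not a blocklisting criterion on their own.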

I am sure it won’t be long before most of this IP space is on most of the major blacklists.

All messages are OS-generated, DKIM- and DomainKeys-signed, with minimal headers, and topics like:

Records indicate you may be eligible for a Student Forgiveness Plan.
If you are behind on monthly dues, your wages may garnished. Tax
Refund checks issued by April may be withheld. Please call
888-339-7139 to discuss options and complete enrollment.
 
Thanks,

Someone else can take the risk of calling that number.

While, on the other hand …

IP address          count   domain
213.159.208.158     4       the-genuine.com
213.159.208.167     3       bestpharmbargain.com
213.159.208.172     4       bestpharmbargain.com
213.159.208.233     4       nicehills24.com
213.159.208.254     3       quickmeddirect.com

These are from JSC Server WebDC colocation, 213.159.208.0 – 213.159.211.255; ranges like this appear across many different netblocks, with most of the IPs having been allocated within the last three months.

213.159.209.94      3       americanpharmshop.com
213.159.209.173     4       naturalsecuremarts.in
213.159.209.219     4       americanpharmshop.com
213.159.209.254     3       rxbestpharma24.com
213.159.214.17      3       canadian-24h-pharm.com
213.159.214.67      2       nicehills24.com

I don't think that these types of operators are hard for the company to notice; this would take a very blind eye, or someone asleep at the wheel. Maybe they were fooled into renting out a lot of IP space, but it is all across their networks.

83.220.171.120      4       the-genuine.com
83.220.171.177      3       bestpharmbargain.com
83.220.171.210      2       rxbestpharma24.com
83.220.171.216      1       lucky-mens-power.com
83.220.171.243      4       canadian-24h-pharm.com
83.220.171.254      2       nicehills24.com
83.220.172.37       4       onnectionn.com
83.220.172.38       2       nicehills24.com
83.220.172.47       1       naturalsecuremarts.in
83.220.172.53       2       webcanadiasite.com
83.220.172.63       1       bestluckymens24.com

Given the sheer volume, and the 'Canadian pharmacy' references, this should quickly attract the attention of both legal authorities and the RBLs.
