As you know, I often point out how bad North American hosting companies can be as spam sources, though with most hosting companies being in North America, that is only logical. It used to be that Russian spam came from poorly secured networks, but that hasn’t been as big of an issue for the last couple of years, as network operators caught up.
However, these last few days have seen new ‘hosting companies’ or co-location facilities either springing up, getting more IP space, or simply being more liberal about who they let operate on their networks.
And the two biggest outbreaks came from:
MosCityLine LLC 220.127.116.11 – 18.104.22.168
And Various NetBlocks belonging to JSC Server WebDC colocation
While most hosting companies normally offer SWIP or rWhois to designate their customers’ IP space, neither of these companies does, so it is hard to tell whether it is the company itself or its clients that are the problem.
A simple examination of the IP space using reverse DNS queries points out a pattern that appears suspect.
E.g., for MosCityLine:
#22.214.171.124.in-addr.arpa domain name pointer sidney.jellystacks.com.
#126.96.36.199.in-addr.arpa domain name pointer reft.jellystacks.com.
#188.8.131.52.in-addr.arpa domain name pointer wants.cocotugo.com.
#184.108.40.206.in-addr.arpa domain name pointer antiferromagnetism.cocotugo.com.
#220.127.116.11.in-addr.arpa domain name pointer lateritious.manrenello.com.
#18.104.22.168.in-addr.arpa domain name pointer cottage.waytomanigoldo.com.
#22.214.171.124.in-addr.arpa domain name pointer rarely.waytomanigoldo.com.
#126.96.36.199.in-addr.arpa domain name pointer jejunostomy.cheaperli.com.
#188.8.131.52.in-addr.arpa domain name pointer salicaceae.cheaperli.com.
#250.229.157.93.in-addr.arpa domain name pointer ensiform.cheaperli.com.
#184.108.40.206.in-addr.arpa domain name pointer supplicant.fridgehoster.com.
#220.127.116.11.in-addr.arpa domain name pointer sapphist.fridgehoster.com.
#18.104.22.168.in-addr.arpa domain name pointer salal.fridgehoster.com.
#22.214.171.124.in-addr.arpa domain name pointer centipede.xcoldweb.com.
#126.96.36.199.in-addr.arpa domain name pointer caeca.susanmanner.com.
#188.8.131.52.in-addr.arpa domain name pointer temperament.benniesite.com.
#184.108.40.206.in-addr.arpa domain name pointer broncho.benniesite.com.
#220.127.116.11.in-addr.arpa domain name pointer bibliographer.doggystarsr.com.
#18.104.22.168.in-addr.arpa domain name pointer gouttes.doggystarsr.com.
#10.231.157.93.in-addr.arpa domain name pointer sociobiologic.nomakblack.com.
#22.214.171.124.in-addr.arpa domain name pointer latterly.nomakblack.com.
#126.96.36.199.in-addr.arpa domain name pointer rigger.trinityblade.com.
#188.8.131.52.in-addr.arpa domain name pointer mesopotamia.lukestars.com.
#184.108.40.206.in-addr.arpa domain name pointer filler.lukestars.com.
#220.127.116.11.in-addr.arpa domain name pointer pervestigation.louispenguin.com.
#18.104.22.168.in-addr.arpa domain name pointer tylenchus.louispenguin.com.
#22.214.171.124.in-addr.arpa domain name pointer hanging.silvatrainner.com.
#126.96.36.199.in-addr.arpa domain name pointer aroused.silvatrainner.com.
#241.231.157.93.in-addr.arpa domain name pointer forfend.silvatrainner.com.
It’s obvious that these are throw-away domain names, and all of them lead to an ‘unsubscribe’ page <sic>. Aside from this being a terrible waste of limited IP space (they could have done all of this from a single IP), and aside from RIPE not really being in a position to determine what IP(s) are going to be used for, this type of activity is a serious burden on email operators and clearly goes against most anti-spam legislation.
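The pattern the post points out above (a whole block of PTR records spread over many short-lived domains with dictionary-word hostnames, instead of one hosting domain covering the block) is easy to check mechanically. The following is an added example, not code from the post: it parses `host`-style reverse-lookup output, groups the results per /24, and flags blocks where the PTRs fan out over many distinct registrable domains. The sample output, the 203.0.113.0/24 and 198.51.100.0/24 blocks (RFC 5737 test ranges) and the `.test` domain names are all constructed for the example; the thresholds in `flag_blocks` are assumptions to be tuned against your own data.

```python
import re
from collections import defaultdict

# Matches lines such as:
#   #10.113.0.203.in-addr.arpa domain name pointer sidney.word-a.test.
# A leading '#' (with optional whitespace), as in the post's listing, is tolerated.
PTR_RE = re.compile(
    r"^#?\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa domain name pointer (\S+?)\.?$"
)


def parse_ptr_line(line):
    """Return (ip, hostname) for a PTR result line, or None for anything else.

    in-addr.arpa names list the octets in reverse, so they are flipped back here.
    """
    m = PTR_RE.match(line.strip())
    if not m:
        return None  # NXDOMAIN lines, blank lines, etc.
    d, c, b, a = m.group(1), m.group(2), m.group(3), m.group(4)
    ip = f"{a}.{b}.{c}.{d}"
    hostname = m.group(5).lower().rstrip(".")
    return ip, hostname


def registrable_domain(hostname):
    """Naive second-level domain (enough for .com/.test style names used here)."""
    parts = hostname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname


def summarize(lines):
    """Group PTR results per /24: which IPs answered, and which domains they map to."""
    by_block = defaultdict(lambda: {"ips": set(), "domains": defaultdict(set)})
    for line in lines:
        parsed = parse_ptr_line(line)
        if parsed is None:
            continue
        ip, host = parsed
        block = ".".join(ip.split(".")[:3]) + ".0/24"
        by_block[block]["ips"].add(ip)
        by_block[block]["domains"][registrable_domain(host)].add(ip)
    return by_block


def flag_blocks(summary, min_ips=4, max_ips_per_domain=3):
    """Flag /24s where PTRs are spread thinly over many domains.

    A normal hosting block tends to put many IPs under one hosting domain;
    a block averaging only a few IPs per domain looks like throw-away names.
    Thresholds are assumed defaults for this example.
    """
    flagged = {}
    for block, entry in summary.items():
        n_ips = len(entry["ips"])
        n_domains = len(entry["domains"])
        if n_ips >= min_ips and n_ips / n_domains <= max_ips_per_domain:
            flagged[block] = sorted(entry["domains"])
    return flagged


# Constructed sample output in the style of `host` reverse lookups (not real data).
SAMPLE_PTR_OUTPUT = """\
#10.113.0.203.in-addr.arpa domain name pointer sidney.word-a.test.
#11.113.0.203.in-addr.arpa domain name pointer reft.word-a.test.
#12.113.0.203.in-addr.arpa domain name pointer wants.word-b.test.
# 13.113.0.203.in-addr.arpa domain name pointer antiferro.word-b.test.
#14.113.0.203.in-addr.arpa domain name pointer lateritious.word-c.test.
#15.113.0.203.in-addr.arpa domain name pointer cottage.word-d.test.
#16.113.0.203.in-addr.arpa domain name pointer rarely.word-d.test.
#17.113.0.203.in-addr.arpa domain name pointer jejunostomy.word-d.test.
#18.113.0.203.in-addr.arpa domain name pointer salicaceae.word-e.test.
#20.100.51.198.in-addr.arpa domain name pointer host-20.hosting-example.test.
#21.100.51.198.in-addr.arpa domain name pointer host-21.hosting-example.test.
#22.100.51.198.in-addr.arpa domain name pointer host-22.hosting-example.test.
#23.100.51.198.in-addr.arpa domain name pointer host-23.hosting-example.test.
Host 24.100.51.198.in-addr.arpa not found: 3(NXDOMAIN)
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_PTR_OUTPUT.splitlines())
    for block, domains in flag_blocks(summary).items():
        print(f"{block}: {len(summary[block]['ips'])} IPs over {len(domains)} domains")
        for domain in domains:
            print(f"  {domain}: {sorted(summary[block]['domains'][domain])}")
```

Run against real `host` output (e.g. the saved result of looping `host` over a range), the flagged-block list is what you would hand to whoever maintains your local blocklist or feeds your RBL; the NXDOMAIN and comment lines are skipped rather than treated as errors, so the script tolerates the mixed output a loop over a range produces.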
I am sure it won’t be long before most of this IP space is on most of the major blacklists.
All messages are OS generated, DKIM and DomainKeys signed, with minimal headers, and topics like:
Records indicate you may be eligible for a Student Forgiveness Plan. If you are behind on monthly dues, your wages may garnished. Tax Refund checks issued by April may be withheld. Please call 888-339-7139 to discuss options and complete enrollment. Thanks,
Someone else can take the risk of calling that number.
While, on the other hand …
188.8.131.52 4 the-genuine.com
184.108.40.206 3 bestpharmbargain.com
220.127.116.11 4 bestpharmbargain.com
18.104.22.168 4 nicehills24.com
22.214.171.124 3 quickmeddirect.com
JSC Server WebDC colocation 126.96.36.199 – 188.8.131.52: these types of ranges are spread all across many different blocks, with most of the IP(s) having been allocated within the last three months.
184.108.40.206 3 americanpharmshop.com
220.127.116.11 4 naturalsecuremarts.in
18.104.22.168 4 americanpharmshop.com
22.214.171.124 3 rxbestpharma24.com
126.96.36.199 3 canadian-24h-pharm.com
188.8.131.52 2 nicehills24.com
I don’t think that these types of operators are hard for the company to notice; it would take a very blind eye, or someone asleep at the wheel. Maybe they were fooled into renting out a lot of IP space, but it is all across their networks.
184.108.40.206 4 the-genuine.com
220.127.116.11 3 bestpharmbargain.com
18.104.22.168 2 rxbestpharma24.com
22.214.171.124 1 lucky-mens-power.com
126.96.36.199 4 canadian-24h-pharm.com
188.8.131.52 2 nicehills24.com
184.108.40.206 4 onnectionn.com
220.127.116.11 2 nicehills24.com
18.104.22.168 1 naturalsecuremarts.in
22.214.171.124 2 webcanadiasite.com
126.96.36.199 1 bestluckymens24.com
Given the huge volume, and the references to Canadian pharma, this should quickly attract the attention of both legal authorities and RBLs.