Maybe it just is not being used for the right purposes..
Last night we looked at our logs and tracking and noticed a new prolific spammer.
Those of us in the industry to realize that there has been a very large increase of Brazilian spam sources, out to make money by spamming, most of it on legitimate hosting companies, and often located right here in North American data centers. Not to pick on the Brazilians, even emerging countries are getting into this simple way to make money by spamming.
And while it is up to the hosting companies to monitor their own networks, when you see a large block of IPv4 space all of a sudden being used to spam the Internet you have to wonder, how did they get that space, when more ‘legitimate’ companies have trouble getting some.
Today, we are looking at a full /19 that should be on all spam auditors radar. That is over 8000 IP(s) that could be used to attack your customers in-boxes.
inetnum: 179.61.224/19 status: reallocated owner: HOST1PLUS hosting services. Brazil. ownerid: BR-HHSB-LACNIC responsible: Felipe Ernst address: Alameda Araguaia, 3641, Barueri address: 06455-000 - Tambor� Barueri - SP country: BR phone: +56 226 382322  owner-c: VIG28 tech-c: VIG28 abuse-c: VIG28 inetrev: 179.61.224/22 nserver: RDNS1.ALPHAVPS.BG nsstat: 20160626 AA nslastaa: 20160626 nserver: RDNS2.ALPHAVPS.BG nsstat: 20160626 AA nslastaa: 20160626 created: 20140207 changed: 20140207 inetnum-up: 179.61.128/17
It looks like they managed to get it from Chilean provider, and there is some further re-allocation, to ‘alphavps.bg’.
Let’s quickly look at some of the naming conventions, that are on that network.
220.127.116.11.in-addr.arpa domain name pointer atl21.digitiform.com. 18.104.22.168.in-addr.arpa domain name pointer diocess.com. 22.214.171.124.in-addr.arpa domain name pointer atl31.diocess.com. 126.96.36.199.in-addr.arpa domain name pointer emailer.diocess.com. 188.8.131.52.in-addr.arpa domain name pointer emailer1-103.diocess.com. 240.225.61.179.in-addr.arpa domain name pointer emailer12-15.diocess.com. 241.225.61.179.in-addr.arpa domain name pointer emailer112-16.diocess.com. 242.225.61.179.in-addr.arpa domain name pointer exchange.diocess.com. 243.225.61.179.in-addr.arpa domain name pointer exchange122.diocess.com. 244.225.61.179.in-addr.arpa domain name pointer discalceated.com. 245.225.61.179.in-addr.arpa domain name pointer msgin.discalceated.com. 246.225.61.179.in-addr.arpa domain name pointer alt2aspmx.discalceated.com.
Actually, the whole Class C, as well as the other ones above it, all have these throwaway domains, and naming conventions.. So, does that mean they are bad by itself?
184.108.40.206 16 aborsive.com 220.127.116.11 13 alt1.aborsive.com 18.104.22.168 13 alt2.aborsive.com 22.214.171.124 12 alt4.aborsive.com 126.96.36.199 15 am0.aborsive.com 188.8.131.52 14 asmpx.aborsive.com 184.108.40.206 15 connect.aborsive.com 220.127.116.11 13 exchange.aborsive.com 18.104.22.168 13 acanthuses.com 22.214.171.124 13 imap.acanthuses.com 126.96.36.199 15 mail.acanthuses.com 188.8.131.52 13 mail-merge.acanthuses.com 184.108.40.206 13 mail2web.acanthuses.com 220.127.116.11 14 mailin.acanthuses.com 18.104.22.168 14 mailin-05.acanthuses.com 22.214.171.124 13 mailin-08.acanthuses.com 126.96.36.199 14 acinetiform.com 188.8.131.52 15 msgin.acinetiform.com 184.108.40.206 15 mta.acinetiform.com 220.127.116.11 13 mta5.acinetiform.com 18.104.22.168 12 mta9.acinetiform.com 22.214.171.124 14 mx4s.acinetiform.com 126.96.36.199 14 mx6.acinetiform.com 188.8.131.52 13 mx8.acinetiform.com 184.108.40.206 11 acouchy.com 220.127.116.11 15 optin.acouchy.com 18.104.22.168 15 pop.acouchy.com
Ah.. yes.. Seems lots of ISP’s reported being under attack by this range last night. We can assume that if they are using everything from the first IP up, probably the intent is to use the rest of the ranges tomorrow.
Well, actually it isn’t the full /19 but the /22 that is used for this. Was this a case where the provider was ‘fooled’ into renting/delegating this space to this spammer? Or was this a business decision? Or was it simply to prove ‘usage’? If the person who owns the /19 doesn’t have a use for it, should it go back to the pool of available IP addresses?
This of course is a controversial subject, even ARIN is currently discussing how to prevent ‘speculators’ picking up IP Space, without a real need.
In the mean time, this operator can make a lot of money, and be quite disruptive to the internet, in just a short period. And there is a line of spammers who are looking to rent blocks of IP(s) solely for the purpose of spam.
Do we have an answer? No, but of course if that’s what they want to do with the IP Space, us spam auditors can be a lot more aggressive in deciding to simply ‘flag’ that space as dirty.