I got a live one! - Spam source

Could you elaborate on what constitutes correct swip information?

Sure, you just opened the door to my opinions on this :)

-- WRONG --

OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US

Found a referral to rwhois.fortressitx.com:4443.

Timeout.
-- -----------------
The argument that whois information should not be made public is ridiculous.
I hear people saying that they don't publish whois information because they
don't want the emails made public. Okay, at least the registered company
name, or individual who presented the ID should be there.

-- WRONG --

OrgName: Peer 1 Dedicated Hosting
OrgID: P1DH-1
Address: 101 Marietta Street
Address: Suite 500
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19

hmmm - odd that the 2 you chose to show as wrong, both feature highly
in my postfix reject_clients map.....

Dysfunctional rwhois servers sounds more like general brokenness than
malice. The other interesting (!) characteristic of this sort of bulk
mailer discussed in this thread is that the netblock is most likely
swipped / rwhois'd to a brand new shell company LLC, headquartered in
what looks like a UPS store maildrop.

In the instances he quoted, I infer, at best, a wish not to know about
what is spewing from their address space.

Without delving too far into this: there is no point whatsoever in attempting
to conceal or obfuscate email addresses --not any more. It is an obsolete,
"cargo cult" practice that many are still engaged in without grasping that
it was quite thoroughly defeated by spammers and their associates years ago.

That said, I concur in full with your opinions in re whois data and
the need to assign it properly. I've long since stopped trying to
deal with missing information and have adopted the rule that if the
neighborhood looks sufficiently bad, I just block a /24 worth. That
may sound arbitrary, but in practice it works extremely well.

---Rsk

Not to keep endlessly on this thread, but again with reference to good whois
record keeping and bad..

64.21.87.136: mx2.yvzus.com
64.21.87.141: mx3.xmabs.com
64.21.87.168: mx5.zgows.com
64.21.87.170: mx5.zntas.com

<GOOD> We know the activity is probably limited to:

Found a referral to whois.nac.net:43.

NAC-Rwhoisd32 Server Ready - [hydrogen/43] Rwhoisd32 - 1.0.76

Private (NET-40155780-26)
   1000 Elliott Ave W
   Seattle, WA 98119
   US

OrgID : NAC-40612
Netname : NET-40155780-26
Netblock: 64.21.87.128/26
NetUse : additional loopback ips for 66.246.252.57

Coordinator:
   Whitaker, Claude washwhitaker@aol.com
   Phone: 206-407-3201

67.229.101.206: hikmvo.leadingsolutionlinks.com
67.229.101.207: noqo.leadingsolutionlinks.com
67.229.101.208: rqecf.leadingsolutionlinks.com

<GOOD> We know that the activity is probably limited to:

VPLS Inc. d/b/a Krypt Technologies VPLSNET (NET-67-229-0-0-1)
                                  67.229.0.0 - 67.229.255.255
Roy Diaz ROY (NET-67-229-96-0-1)
                                  67.229.96.0 - 67.229.111.255

(Other than VPLS/Krypt seems to really like this type of customer)

70.97.119.58: mail1.ugallshwomange.com
70.97.119.59: mail1.ugouricarali.com
70.97.119.60: mail1.utanonesiana.com
70.97.119.61: mail1.vatetricarkose.com
70.97.119.62: mail1.venesiandsgu.com
70.97.119.63: mail1.viandslahass.com
70.97.119.64: mail1.vientianarica.com
70.97.119.65: mail1.vientuckyan.com

<BAD>

Integra Telecom, Inc. ELI-NETWORK-ELIX (NET-70-96-0-0-1)
                                  70.96.0.0 - 70.99.255.255
Syptec ITCM-70-97-118-0-23 (NET-70-97-118-0-1)
                                  70.97.118.0 - 70.97.119.255

This is a /23 but with Syptec's record... They sure like opening ranges to
email marketers first :) Unless Syptec is operating those machines
themselves.. but in that class C all the IPs don't appear to start on a
normal boundary, .35-.65 with all the rest of the IPs having no reverse DNS.
Does this client of theirs have control over the whole /23 or just a part?

205.251.11.130: loneas41.instantcasheasynow.com
205.251.11.163: lon69.instantcasheasynow.com
205.251.11.70: lon83.instantcasheasynow.com
205.251.7.144: click37.fallcreditcash.com
205.251.7.204: track42.fallcreditcash.com
205.251.7.253: click14.fallcreditcash.com
205.251.7.99: track4.fallcreditcash.com

<BAD>

InfoRelay Online Systems, Inc. INFORELAY-EST-02 (NET-205-251-0-0-1)
                                  205.251.0.0 - 205.251.127.255
Reaction54 REACT54-03 (NET-205-251-8-0-1)
                                  205.251.8.0 - 205.251.15.255

Is this two different clients on Reaction54, or is this Reaction54 themselves?
I think you have to assume the latter based on this whois information..
Especially when you see that the whole class C has the same naming patterns.

216.52.246.253: host6.chemistryearth.com
216.52.246.254: host6.consecutiveworld.com

<GOOD>

Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1)
                                  216.52.0.0 - 216.52.255.255
Aurora Networking INAP-LAX-AURORA-34937 (NET-216-52-246-0-1)
                                  216.52.246.0 - 216.52.246.255

More companies on Internap, but at least we know exactly what range is owned
by this company.. We can just look at the one class 'C'.

And of course we can see that this is quite typical right across the range..

218.213.228.76: ad-a11.pointdnshere.com
218.213.228.92: ns193.pointdnshere.com

<BAD>

Ummm.. we can't say the same operator is using all of these can we?

inetnum: 218.213.0.0 - 218.213.255.255
netname: HKNET-HK
descr: HKNet Company Limited
descr: 15/F, Tower 2, Ever Gain Plaza,
descr: 88 Container Port Road, Kwai Chung, N.T.
country: HK

And if we guessed, and said the same behavior was across the board, we would
be hurting the poor guy on that class C in the top of the range..

(Oh, yeah.. I know.. I threw that last example to show that this isn't just a
North American problem)
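The scope check the post above does by hand, written out as an added example (not code from anyone in this thread): it parses ARIN summary lines in the format quoted above, finds the most specific reassignment covering every observed sender, and reports how much of that registered range was never seen sending. The record text is a constructed sample in the thread's format; `assess` and `enclosing_cidr` are names chosen here.

```python
import ipaddress
import re

# Constructed sample: ARIN summary records in the format quoted in the thread.
ARIN_SUMMARY = """\
Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1)
                                  216.52.0.0 - 216.52.255.255
Aurora Networking INAP-LAX-AURORA-34937 (NET-216-52-246-0-1)
                                  216.52.246.0 - 216.52.246.255
Integra Telecom, Inc. ELI-NETWORK-ELIX (NET-70-96-0-0-1)
                                  70.96.0.0 - 70.99.255.255
Syptec ITCM-70-97-118-0-23 (NET-70-97-118-0-1)
                                  70.97.118.0 - 70.97.119.255
"""

# One record = org/handle line followed by an indented "first - last" line.
RECORD_RE = re.compile(
    r"^(?P<org>.+?) \((?P<handle>NET-[\w-]+)\)\n\s*(?P<first>[\d.]+) - (?P<last>[\d.]+)$",
    re.MULTILINE)

def parse_summary(text):
    """Return (org, handle, first_addr, last_addr) tuples, one per record."""
    return [(m["org"], m["handle"], ipaddress.IPv4Address(m["first"]),
             ipaddress.IPv4Address(m["last"])) for m in RECORD_RE.finditer(text)]

def enclosing_cidr(addrs):
    """Smallest single CIDR that holds every observed source address."""
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:
        net = net.supernet()
    return net

def assess(ips, records):
    """Find the most specific record covering all of ips and compare its size
    with the cluster actually seen sending.  Returns None if no record matches."""
    addrs = sorted(ipaddress.IPv4Address(i) for i in ips)
    covering = [r for r in records if r[2] <= addrs[0] and addrs[-1] <= r[3]]
    if not covering:
        return None
    rec = min(covering, key=lambda r: int(r[3]) - int(r[2]))
    registered = list(ipaddress.summarize_address_range(rec[2], rec[3]))
    observed = enclosing_cidr(addrs)
    return {
        "org": rec[0], "handle": rec[1],
        "registered": [str(n) for n in registered],   # what the SWIP says is theirs
        "observed": str(observed),                    # what was actually seen sending
        "reassigned": len(covering) > 1,              # False: only the parent block matched
        "unseen_hosts": sum(n.num_addresses for n in registered) - observed.num_addresses,
    }
```

A large `unseen_hosts` with `reassigned` False is the HKNet situation: nothing in whois narrows the range, so any block wider than the observed cluster lands on unrelated customers.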