WHO'S SPAMMING YOU? Top 60 Proxy-Hijacker-Friendly Nets 2003-08-06

What follows below is a volume-ranked list of the most prolific /24
IP address blocks with respect to open proxy hijacking activity over
the past 2 days. These rankings are based on data collected by my
extensive open proxy honeypot network for the 48 hour period from
5 PM Pacific Daylight Time, August 4th, 2003 through 5 PM Pacific
Daylight Time August 6th, 2003.

Some brief commentary material follows the list. If you or someone
you know owns or operates any of the networks listed below, please
contact me off-list so that we may arrange for the timely cremation
of the relevant criminal spammers and open proxy hijackers, and
the scattering of their ashes in some suitable garbage dump. (Note
that mass open proxy hijacking of the kind being originated from
all of the /24 blocks listed below is quite clearly a criminal act
within these United States. The criminals doing this stuff are
violating the federal Computer Fraud and Abuse Act in so many
different ways it isn't even funny.)

** NOTICE ** I will provide the specific IP addresses that are actually
engaged in the proxy hijacking activities within each of these blocks
upon request. What I positively WILL NOT DO is to provide detailed
log files from my proxy honeypot machines to any party, PERIOD. (DON'T
EVEN ASK unless you enjoy being verbally abused.) Doing so would
only tend to give the spammers info that they could use to deduce the
locations of my honeypot machines, which they would then carefully
avoid. I will provide date/time stamps to relevant network
administrators, but ONLY in cases involving clearly dynamic IP addresses.

1. 38.112.197 cogentco.com - daicahosting.com/daica.com (Tampa, FL)
2. 66.44.228 savanti.net (Tucson, AZ)
3. 202.177.23 kdd.net.hk (Hong Kong)
4. 66.205.223 cetnetworks.com - smartmailhosting.com (New Orleans, LA)
5. 38.114.11 cogentco.com - tailoredservers.com (Frisco, TX)
6. 66.44.231 savanti.net (Tucson, AZ)
7. 209.50.253 servint.com (McLean, VA)
8. 66.111.39 unitedcolo.com aka sagonet.com (San Francisco, CA)
9. 38.114.3 cogentco.com - tailoredservers.com (Frisco, TX)
10. 66.250.125 cogentco.com - applicationx.net (Alpha, NJ)
11. 166.90.206 level3.com - ?Alan Ralsky? (Detroit area, MI)
12. 206.47.187 bell.ca - "Datatech Communications" (Windsor, ON, CA)
13. 38.112.199 cogentco.com - daicahosting.com/daica.com (Tampa, FL)
14. 38.118.143 cogentco.com - infinology.com (Goleta, CA)
15. 216.99.99 nutnbut.net (Hazelwood, MO)
16. 63.246.136 unitedcolo.com aka sagonet.com (San Francisco, CA)
17. 66.118.189 sagonet.com (Tampa, FL)
18. 64.5.51 theplanet.com (Dallas, TX)
19. 66.118.187 sagonet.com (Tampa, FL)
20. 69.33.1 megapath.net (Pleasanton, CA)
21. 62.219.50 bezeqint.net (Petach Tikva, Israel)
22. 146.82.135 gblx.net - archercomms.com (Minneapolis, MN)
23. 66.205.219 cetnetworks.com (Redwood City, CA)
24. 207.164.251 jet2.net (Windsor, ON, CA)
25. 63.246.135 unitedcolo.com aka sagonet.com (San Francisco, CA)
26. 216.81.218 lh.net (Des Moines, IA)
27. 66.118.142 sagonet.com - argobroadcast.com (Tampa, FL)
28. 64.180.125 telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
29. 216.8.169 mnsi.net (Windsor, ON, CA)
30. 66.230.228 level3.com - city-guide.com/neucom.com/candidhosting.net (Tampa)
31. 64.228.134 bell.ca/sympatico.ca (Montreal, QB, CA)
32. 66.111.40 unitedcolo.com aka sagonet.com (San Francisco, CA)
33. 207.101.233 algx.net (Dallas, TX)
34. 216.54.223 twtelecom.net - ozline.net (Clearwater, FL)
35. 63.247.65 gnax.net/dv2.net - burtonhosting.com (North Yorkshire, GB)
36. 66.135.15 broadbandip.net (Baton Rouge, LA)
37. 67.8.179 cfl.rr.com (RR - Florida)
38. 38.117.14 cogentco.com - sagonet.com (Tampa, FL)
39. 64.23.55 affinity.com - skynetweb.com (Baltimore, MD)
40. 64.70.45 exodus.net - nrsoftware.com (Santa Monica, CA)
41. 64.159.76 level3.com - city-guide.com/neucom.com/candidhosting.net (Tampa)
42. 216.58.92 igs.net (Kanata, ON, CA)
43. 66.118.180 sagonet.com (Tampa, FL)
44. 63.246.131 unitedcolo.com aka sagonet.com (San Francisco, CA)
45. 69.0.240 dialtone.com/dialtoneinternet.net (Davie, FL)
46. 203.98.177 newworldtel.com (Hong Kong)
47. 203.98.164 newworldtel.com (Hong Kong)
48. 66.176.226 attbb.net (Chelmsford, MA)
49. 64.237.34 mfnx.net - netlabs.net - "AdultBouncer" (Hazlet, NJ)
50. 69.28.206 peer1.net (Vancouver, BC, CA)
51. 202.181.236 hkcix.com (Hong Kong)
52. 66.70.114 datapipe.com (Hoboken, NJ)
52. 216.128.72 band-x.com - sxpress.com (Hackensack, NJ)
53. 162.42.131 cybertrails.com - atjeu.com (Phoenix, AZ)
54. 216.67.251 pwebtech.com (Parsippany, NJ)
55. 207.180.3 ici.net (Tulsa, OK)
56. 216.232.165 telus.net - "Consumer ADSL" (New Westminster, BC, CA)
57. 66.36.98 burlee.com (Toronto, ON, CA)
58. 65.34.198 attbb.net (Chelmsford, MA)
59. 38.114.4 cogentco.com - 800hosting.com (Dallas, TX)
60. 62.205.161 corbina.net (Moscow, RU)

Before getting into the commentary, I should perhaps mention that all
of the above /24 blocks, as well as the companies that provide connectivity
to them are now subject to the new listing criteria for the Monkeys.Com
Unsecured Proxies List:


(Please see criteria #2, which was just recently added.)


Note: I have already been posting `Top 40' lists of the worst and most
proxy-hijacker friendly networks to news.admin.net-abuse.email and SPAM-L
for about two weeks now. Some of you may have seen those prior lists
and thus may be all too familiar with many of the networks listed above,
especially in the topmost few positions. My comments about specific
networks follow:

cogentco.com: What can I say? The facts speak for themselves. This is
now the #1 most criminal-friendly network on the Internet. They have
been hosting the criminal open proxy hijackers that are attached to the
net via the following downstream customers for a long while now, and they
know exactly what's going on here, because I told them, several times.
I can only infer that they prefer to keep on accepting money from criminals:

  daicahosting.com/daica.com (previously thrown off 2 other networks)
  tailoredservers.com (totally unreachable & bullet-proof)
  applicationx.net (caught red-handed with a web page full of proxies)
  sagonet.com (Has some blocks suspiciously SWIPed to Cogentco.)

Cogent's `tailoredservers.com' customer is THE perfect false front for
spamming activities. No phone numbers on the web site. False/disconnected
phone number in their WHOIS, and no need for them to ever take any call
from any disgruntled folks whose servers they (or their customers) have

Level3: These people have been hosting a ``mystery'' major-league criminal
proxy hijacker in their 166.90.206/24 block for MONTHS, and if they don't
know that then it is only because they don't want to know. (I've already
told them myself, several times.) And they were informed that this criminal
activity was going on from their network all the way back as far as March:


Note that the criminal in question is located someplace in the Detroit
area and has been rumored to most likely be none other than Alan Ralsky,
known mega-spammer who bragged in this article:


that he's got 20 spam pumping machines in his basement going 24/7. And
the evidence suggests that he does, and that they are all busy hijacking
other people's poorly secured proxies, all courtesy of the kind folks at
Level3. Note: The SpamHaus Project describes Ralsky as a "convicted
fraudster" and has an extensive file on him:


Oh! And lest I forget, Level3 also continues to provide bandwidth to
the criminal open proxy hijackers that are working out of the notorious
spam-friendly outfit called `CandidHosting'.

sagonet.com: Sagonet.com and its west coast subsidiary, unitedcolo, seem
to have more criminal open proxy hijackers per square inch than any other
network or company on the net. A few days ago, they had no fewer than
9 different /24s listed in my Top 60 list of open proxy hijacking
origination points. I've seen some signs in the past 24 hours that they may
perhaps finally be getting their act together, but then again, maybe not.
Time will tell. (I have been told that the owner is just plain greedy,
and that he does really understand why spam is bad.)

savanti.net: Finally got kicked off sterlingnetwork.net within the past
24 hours. Will be looking for a new home, I'm sure. BE ON THE LOOKOUT
FOR THESE GUYS as they wander around, in search of new connectivity.
(This is at least the second strike for them, or so I'm told. They
were kicked off another network before sterlingnetwork.net.)

kdd.net.hk: Seems to be approaching the density of lead. No response
whatsoever to hijacking reports. The lights are on but nobody's home.
Does anybody know anybody who can explain to these people what proxy
hijacking is and why it's bad?

servint.com: Sounds familiar. These guys have been in trouble before,
haven't they?

nutnbut.net: Could be renamed to Nothin' But /dev/null

P.S. My special thanks to verio.net, rr.com, algx.net, and jet2.net, all
of whom seem to be able to kill these blasted proxy hijackers just about
as fast as I can report them.