XSServer / Taking down a spam friendly provider

Hello

I run a few Wordpress sites here and there, but I'm amazed at the
amount of spam that comes from xsserver.eu's clients. Their abuse
department is non-responsive: they do not even have auto responders to
emails and the offending IP addresses keep spamming weeks after my
email.

I have CC'd my abuse complaints to Hurricane Electric, with no luck
either, so I'm stuck.

Before somebody screams the path of least resistance of "just install
Akismet or (insert spam plugin here)", that type of thinking just
makes spam even worse because we just keep large, possibly stale,
databases of IP addresses that may or may not be active spammers and
does not address the issue.

Does anyone have any recommendations of where to go next? I'm
just limited to doing a whois on the IP address, emailing the abuse
contact and tracerouting.

Examples of the offending IPs are:
109.230.216.225
109.230.220.34
109.230.217.166
109.230.220.95

A prime offender is hellomotow.net, who provides "SEO" services with
automated spamming tools. hellomotow.net has spammed me in the past
from IP addresses like this so I believe XSServer is becoming the new
McColo / AlphaRed / ThePlanet (back in the day, their abuse dept is
very responsive now).

I'm not asking for you to do the footwork for me, unless you want, but
just needed some advice from folks more knowledgeable than myself.

All four addresses are in the Spamhaus sbl-xbl list. It would take ~10
lines of Python in your CGI program to work this out.

Nicolai
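
The lookup described in the message above, as an added example (not code from the thread): a DNSBL query reverses the IPv4 octets, appends the zone, and reads the 127.0.0.x answer. The function names and the stubbed answers are constructed for illustration; the return-code meanings follow Spamhaus's published conventions.

```python
import ipaddress
import socket

ZONE = "sbl-xbl.spamhaus.org"  # combined zone named in the message above

# Spamhaus return codes seen in this zone.
CODES = {"127.0.0.2": "SBL", "127.0.0.3": "CSS",
         "127.0.0.4": "XBL", "127.0.0.5": "XBL",
         "127.0.0.6": "XBL", "127.0.0.7": "XBL"}

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise  # timeouts and server failures are not "clean"

def check(ip, resolve=system_resolver):
    """Return (status, lists): status is 'listed', 'clean' or 'error'."""
    answers = resolve(query_name(ip))
    if not answers:
        return ("clean", [])
    # 127.255.255.x means the query was refused (for example, sent through a
    # public resolver); treating it as a listing would block everyone.
    if any(a.startswith("127.255.255.") for a in answers):
        return ("error", [])
    lists = sorted({CODES[a] for a in answers if a in CODES})
    return ("listed", lists) if lists else ("error", [])

# Constructed answers so the demo runs offline; not real lookup results.
SAMPLE = {"225.216.230.109.sbl-xbl.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
          "1.2.0.192.sbl-xbl.spamhaus.org": ["127.255.255.254"]}

def sample_resolver(name):
    return SAMPLE.get(name, [])

if __name__ == "__main__":
    for ip in ("109.230.216.225", "192.0.2.1", "198.51.100.7"):
        print(ip, check(ip, sample_resolver))
```

Calling `check(ip)` without a second argument uses the system resolver; queries sent through large public resolvers typically come back as the error case rather than a real answer.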

For folks who do not understand, I'm trying to "McColo" XSServer so
their lack of response in regards to abuse is gone rather than the
suggestions of scripting (guess you didn't read the full text of the
email) or you pushing a product on me because you work for the ISP
that the product is hosted on. Everybody remembers McColo going down
and being dropped from uplinks in 2008 then all the spam disappeared,
right?

Chris,

Can't help much - but can say we find ourselves in a similar boat.

As a rule of thumb, we systematically block, log, and report *every*
spam, virus & brute force etc attempt we receive against any of our
devices.

In the past three years, only one company has ever responded to an abuse
request (CampaignMonitor to name & honour them), though there are
definitely some other good guys out there (a large number of them on
this list)!

[We don't apply the above logic for spam sent to email destinations, for
obvious reasons]

G

McColo and Atrivo were disconnected for much larger sins than spamming
someone's wordpress blog.

William

> McColo and Atrivo were disconnected for much larger sins than spamming
> someone's wordpress blog.

Many of you do not understand the scope of "just spamming a Wordpress blog".

This is a huge business. Shady "SEO" companies are charging
individuals at least $250 per month to use their spam tools of choice
to spam forums and Wordpress blogs. I got one of the major players on
the run right now because he cannot seem to keep his "business page"
hosted with a company longer than a few weeks and I keep playing
whack-a-mole with him.

Guess what? Innocent people's websites are being deranked on Google
for hiring these guys with their shady backlink services and their
money is being taken. Yes I know they got what they deserved, but it's
so obvious with these backlink guys using cheap virtual private
servers for a month, getting shut down and getting a new IP address
that something needs to be done.

XSServer could have simply amused me with a default auto reply to make
it look like they are doing something.

> Will your host allow you to block IP ranges?

Not the solution I was looking for because blocking IP ranges and
using scripts / services / etc like Akismet or others is simply
ignoring the problem, not solving it.

For folks who say hosting companies are not helpful: Linode, Amazon,
BurstNET, Ubiquity Servers and others are extremely responsive to
abuse complaints.

> McColo and Atrivo were disconnected for much larger sins than
> spamming someone's wordpress blog.

> Many of you do not understand the scope of "just spamming a Wordpress
> blog".

I do understand the scope of shady SEO companies.

> This is a huge business. Shady "SEO" companies are charging
> individuals at least $250 per month to use their spam tools of choice
> to spam forums and Wordpress blogs. I got one of the major players on
> the run right now because he cannot seem to keep his "business page"
> hosted with a company longer than a few weeks and I keep playing
> whack-a-mole with him.

McColo and Atrivo were not terminated because of spam. If you believe
they are, then you are simply misinformed. Atrivo and McColo were
terminated over their network being used extensively for botnet
control centers.

Really! Not spam!

> Guess what? Innocent people's websites are being deranked on Google
> for hiring these guys with their shady backlink services and their
> money is being taken.

Bummer. Indeed, it sucks to be them. Newsflash: only morons hire
"SEO companies." Perhaps Google is just working on increasing
relevance quality by penalizing them for being morons. I would say it
is a brilliant strategy, myself.

> Yes I know they got what they deserved, but it's so obvious with
> these backlink guys using cheap virtual private servers for a month,
> getting shut down and getting a new IP address that something needs to
> be done.

Ok, and when they go to another budget VPS provider other than
XSServer? I am just wondering if you have a strategy for that
scenario. Will you come and whine on NANOG about that provider too?

> XSServer could have simply amused me with a default auto reply to make
> it look like they are doing something.

Wow, thanks for the pro tip. You're telling me that if I just replace
my abuse@systeminplace.net contact with an autoresponder that most
people will just assume that we are "doing something" and I can go and
spend all my time on hookers and booze instead of terminating spammers?

Shit. Why didn't anyone tell me earlier?

> > Will your host allow you to block IP ranges?

> Not the solution I was looking for because blocking IP ranges and
> using scripts / services / etc like Akismet or others is simply
> ignoring the problem, not solving it.

> For folks who say hosting companies are not helpful: Linode, Amazon,
> BurstNET, Ubiquity Servers and others are extremely responsive to
> abuse complaints.

William

Burstnet is one of the filthiest sewers on the entire Internet. Has been
for many years. They are vehemently pro-spam. See, for example:

  http://groups.google.com/group/news.admin.net-abuse.email/msg/fba14415f70e08c8

They are thus not a good counterexample to use in this case.

---rsk

William,

Atrivo and McColo were terminated _late_.

As an industry, might we not consider finding a reasonable way to do a
more effective job identifying and dealing with shops who can't seem
to keep out the customers who use those facilities to hurt and abuse
the rest of us? If we fail to adequately self-regulate, the courts and
entities like the U.S. Congress will surely find a way to do it for
us. And they won't care nearly as much about the technical constraints
as we do.

I make no judgment about XSServer and offer no solution. I merely
suggest that Chris has posed a legitimate operational problem that our
community may wish to redress while the details of such a
choice are still in our hands.

Regards,
Bill Herrin

See, since I emailed this - RIPE wants feedback and sent me an email
offlist! I'll gladly give them an earful about how RIPE address ranges
are starting to be notorious for abuse due to lack of valid WHOIS
information and lack of response from so-called abuse departments.

I would like to thank Mr. Herrin for his input because he is
completely right now. With the Protect IP Act lurking in Congress,
would you rather have the Dept of Justice mandate URL blocking of DNS
or would you continue to enjoy the freedom we have right now between
companies, professionals and everybody else without the government's
blind mandate on everything? I would rather have all of us call the
shots and work in cooperation than a lobbyist or special interest
buying the vote of a politician to have some Chinese / totalitarian
control of the Internet.

Mr. Pittcock, I was pointing out that I've had providers in the past
automatically respond to abuse complaints but do nothing, and in this
instance, an abuse complaint just goes 100% unnoticed. It was not
meant to be taken literally.

Thanks,
-C

I would agree that at the moment, we exist in what is supposed to be a
"self-policing" community. How long will it stay so, if livelihoods are
jeopardized?

Some are paid to move bits, and consider that their only obligation. Others
are charged with operating services that are impacted by the aforementioned
types of pollution. But each party cannot exist without the other, at the
end of the day; the economic relationship between the two, at some level,
makes this a shared problem.

While bit-movers _may not_ have an explicit and direct business reason to
aid in reducing the pollution in the community, as members of the
community, is it not our collective responsibility to work against those
polluting it?

It is disrespectful, IMHO, to those who worked so hard to make this
communal resource the shared treasure it is, for us to neglect the duty to
protect and care for it.

I understand that not everyone feels that it should be policed. I have
respect for those who feel this way. To me, this is a complicated
ecosystem, and we are its custodians, responsible for its continued health
and function.

Who among you do not have a custodial relationship with some network or
inter-networking? Do none of you feel a responsibility to maintain it for
those who will come after you?

As a part of ensuring the continued function of our ecosystem, in light of
the reality of this pollution, I think ensuring the integrity of our
individual administrative domains, and working with others, in some
capacity, to ensure the health and integrity of their own, is paramount.

I would make a reference to the way we have treated and are treating our
planet, but the analogy is tired. I do fear that some day, the 'way we
treated the internet' will be a similarly tired metaphor.

-k