# B2 Net Solutions (ColoCrossing) and ChicagoVPS Spam



## Kris (Jul 30, 2014)

I avoid making new topics. But while Biloh is at WHT spouting bullshit about cleaning up, spam is getting worse.

*When migrating and setting up a new server tonight that had spam issues previously, I had SpamHaus and BarracudaCentral enabled and decided to see what got through if it needed further tweaking.*

First spam to slip through? *The new IP collector AS of ColoCrossing, B2 Net Solutions - now featuring almost 250,000 IPs!*

Guess they had issues getting new IPs on their other ASN. Still collecting, I see them in the ARIN lists for getting new prefixes.

http://bgp.he.net/AS55286#_prefixes

2014-07-30 17:19:49 1XCe64-000471-Cj <= [email protected] H=26.sonnexes.us (amarned.us) [23.229.57.X]:53518 P=esmtp S=3136 [email protected] T="FHA refinance: it may help you save money" for

 

*Guess they're shifting things to the new IP collecting brand & ASN to get off Spamhaus's bad graces under their normal ASN.*

By the way, if you wonder why they don't mind spammers? Not the spam, per se. *They're simply info gathering to justify to ARIN / give customer names. Probably a /29 request for each or more.*

*Hint: They need all the names they can to get more IPs from ARIN, duh.*

Saving time and asking for the client's authorization to simply block both ASN's outright to solve their spam issue.

*Nothing of value resides on that network, it's like avoiding a bad area of Detroit... or Chicago IMO.*

As I was wrapping this post up, take a guess at the second source that slipped through under Spamhaus and Barracuda Networks RBL?

ColoCrossing CC-12 (NET-192-227-128-0-1) 192.227.128.0 - 192.227.255.255

New Wave NetConnect, LLC CC-192-227-244-224-27 (NET-192-227-244-224-1) 192.227.244.224 - 192.227.244.255

*I hate you guys. I really fucking do.*

*Signed,*

*Everyone Not In a Business Relationship With You*
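An added example, not part of the original post: one way to measure what "got through" by reading Exim `<=` arrival lines like the one quoted above and counting accepted messages whose peer IP falls inside a watched prefix. The prefixes, log lines and the `audit` helper are constructed for illustration (RFC 5737 documentation ranges), not data from this thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefixes (RFC 5737 documentation ranges) standing in for the
# provider blocks under discussion.
WATCHLIST = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed Exim mainlog lines in the same "<=" arrival format as the post.
SAMPLE_LOG = """\
2014-07-30 17:19:49 1XCe64-000471-Cj <= a@sender.example H=mx1.sender.example (helo.example) [198.51.100.23]:53518 P=esmtp S=3136 T="FHA refinance" for user@rcpt.example
2014-07-30 17:20:02 1XCe6H-000475-2a <= b@other.example H=([192.0.2.9]) [203.0.113.77]:41000 P=esmtp S=2210 T="hello" for user@rcpt.example
2014-07-30 17:21:10 1XCe7N-00047B-Qx <= c@good.example H=mail.good.example [192.0.2.10]:25001 P=esmtps S=901 for user@rcpt.example
2014-07-30 17:21:11 1XCe7N-00047B-Qx => user <user@rcpt.example> R=localuser T=local_delivery
2014-07-30 17:22:40 1XCe8p-00047F-7k <= d@sender.example H=(x) [203.0.113.200]:4000 P=smtp S=5120 for user@rcpt.example
"""

# The connecting address is the bracketed value that follows the optional
# verified host name and the optional "(HELO)" argument. A HELO given as an
# address literal, e.g. "([192.0.2.9])", is sender-controlled and is skipped.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r".*?\bH=(?:\S+ )?(?:\(.*?\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

def audit(log_text, watchlist):
    """Return (hits, per_prefix) for accepted mail from watched prefixes."""
    hits, per_prefix = [], Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue                      # deliveries, rejects, redacted IPs
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                      # malformed address
        for net in watchlist:
            if ip in net:                 # False when IP versions differ
                per_prefix[str(net)] += 1
                hits.append((m["id"], m["sender"], str(ip), str(net)))
                break
    return hits, per_prefix

if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG, WATCHLIST)
    for msg_id, sender, ip, net in found:
        print(f"{msg_id} {sender} from {ip} (inside {net})")
    print(dict(counts))
```

The last sample line shows why prefix boundaries matter: 203.0.113.200 sits in the other half of the /24 and is not counted against 203.0.113.0/25.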


----------



## SkylarM (Jul 30, 2014)

Mentioned it a few months ago when I saw B2net had a huge collection of IP space. Doesn't really surprise me at all. CC will get away with it for a little bit until Spamhaus catches on.


----------



## D. Strout (Jul 30, 2014)

http://whosspamming.us/


----------



## Kris (Jul 30, 2014)

D. Strout said:


> http://whosspamming.us/


Care to add their subnets for easy APF / CSF blocking?

I'll be getting the most recent, as my managed client literally begged me to block them, as the spam is killing them (and getting their own server a bad rep with gmail, because it forwards the ColoSpamming)


----------



## D. Strout (Jul 30, 2014)

Kris said:


> Care to add their subnets for easy APF / CSF blocking?
> 
> I'll be getting the most recent, as my managed client literally begged me to block them, as the spam is killing them (and getting their own server a bad rep with gmail, because it forwards the ColoSpamming)


I just threw this together real quick - WIP as we speak. I'll set it up to post the full list of subnets ASAP.


----------



## Kris (Jul 30, 2014)

Here's CC as of today : https://gist.github.com/anonymous/b1d8f9ea46c4b273227e/raw 

B2 to come. (just making / using them for my client, so why not help others)


----------



## D. Strout (Jul 30, 2014)

Kris said:


> Here's CC as of today : https://gist.github.com/anonymous/b1d8f9ea46c4b273227e/raw
> 
> B2 to come. (just making / using them for my client, so why not help others)


Link gives a 404.


----------



## Kris (Jul 30, 2014)

Ah, yeah go to : https://gist.github.com/anonymous/b1d8f9ea46c4b273227e and click raw. Seems to block raw access


----------



## Kris (Jul 30, 2014)

Bit cleaner, APF threw up before, CC only : https://gist.github.com/anonymous/09206573c554a97e296e


----------



## D. Strout (Jul 30, 2014)

That's a much longer list than I have! I haven't examined yours closely; is it possible that it's the same ones as SpamHaus, just broken up into smaller chunks?



> Spamhaus records 460,050 dirty IPs under *46* SBLs assigned directly to ColoCrossing


----------



## D. Strout (Jul 30, 2014)

Here's what I have: http://whosspamming.us/fulllist.php


----------



## Kris (Jul 30, 2014)

https://gist.github.com/anonymous/60478145cade9f765592

There definitely are some dupes that are announced in smaller chunks, but I just literally copied bgp.he.net out, threw into APF to stop the spam. I'm sure it could be cleaned up, or even added as a public .txt file, so it could be added to APF or CSF as a custom block list to stay updated.

Hint... You're good at this stuff


----------



## Kris (Jul 30, 2014)

Nearly forgot servermania, cross check with my B2 : https://gist.github.com/anonymous/1b46da450d11f78bc05b


----------



## Kris (Jul 30, 2014)

*BTW, I'm adding *all* of their subnets, not just ones 'reported' dirty.*

Entire thing that pissed me off is these *aren't* blocked by Spamhaus, BarracudaNetworks & got right through.

Nothing of value on the network, so just blocking the full monty.


----------



## D. Strout (Jul 30, 2014)

Ah, well, then our purposes don't fully coincide here. I'm just listing from Spamhaus. Of course, even if I wanted to do the full AS I couldn't - bgp.he.net doesn't allow scraping. Try wget http://bgp.he.net/AS36352 and you'll see. Yeah, I could scrape it by changing the user agent, but if HE doesn't want it, who am I to try and break their system?


----------



## Kris (Jul 30, 2014)

D. Strout said:


> Ah, well, then our purposes don't fully coincide here. I'm just listing from Spamhaus. Of course, even if I wanted to do the full AS I couldn't - bgp.he.net doesn't allow scraping. Try wget http://bgp.he.net/AS36352 and you'll see. Yeah, I could scrape it by changing the user agent, but if HE doesn't want it, who am I to try and break their system?


Good point on the wget. I'll just keep watching for new listings, copy and paste into Excel and paste out. The fact I enabled SpamHaus and BarracudaNetworks and they were still getting through... figured, *block it all*.


----------



## DomainBop (Jul 30, 2014)

My current blocklist is much shorter.  I'll have to add in the missing pieces from your lists.



----------



## D. Strout (Jul 30, 2014)

Kris said:


> Good point on the wget. I'll just keep watching for new listings, copy and paste into Excel and paste out. The fact I enabled SpamHaus and BarracudaNetworks and they were still getting through... figured, *block it all*.


Yeah, Spamhaus unofficially recommends a "full blockade", but the SBLs are still just coming in one by one.


----------



## Kris (Jul 30, 2014)

D. Strout said:


> Yeah, Spamhaus unofficially recommends a "full blockade", but the SBLs are still just coming in one by one.


Honestly, as do I. So many were slipping under SpamHaus / aren't listed.

Wonder how many months until they get a full D.R.O.P listing (will make blocking easier, already included in APF)


----------



## D. Strout (Jul 30, 2014)

D. Strout said:


> Yeah, I could scrape it by changing the user agent, but if HE doesn't want it, who am I to try and break their system?


You know what, never mind that. bgp.he.net has no posted terms of service, and I'm sure the block is to avoid getting hit super hard. Once every two hours (which is how frequently I scrape Spamhaus) is hardly going to bring the site down, so I'm going to see if I can work around it by changing the user agent.


----------



## D. Strout (Jul 31, 2014)

@Kris I see you already noticed, but


----------



## Kris (Jul 31, 2014)

Yeahhh!

*One to spit out the raw prefixes would be great.*

That way, enter ASN:

Get all prefixes (for easy copying into a firewall, per se)


----------



## drmike (Jul 31, 2014)

You guys are on fire!   So glad to see people towing the boat on this.   Glad to have other folks creating tools (I don't code).

I caught the muck on LET earlier today between things and unsure when people on LET went so soft and stupid.  Satan could give it hot and loosely over there for the price of some cheap VPS.

B2Net has been crapping all over CC IPs for the past year or more.  I said it before, when push comes to shove and CC has to stop the nonsense with selling to mass spammers, they'll shift to soiling their "partner" ASNs. B2Net/Servermania will be the first partner experiment since they have a special relationship.


----------



## drmike (Jul 31, 2014)

I am not finding the exact link here - ARIN's site is meh.

But since they issue the blocks, that would be the place to get the IP block allocations from so current (they update quickly after blocks get issued, even if they aren't being used or routed).

http://whois.arin.net/rest/org/VGS-9/nets

Maybe @Francisco has a link or input on how to accurately get CC's allocations there on the ARIN site.


----------



## D. Strout (Jul 31, 2014)

Kris said:


> *One to spit out the raw prefixes would be great.*


 to show how that's possible.


----------



## D. Strout (Jul 31, 2014)

And the final result: http://whosspamming.us/

A single page that can be shown to anyone outlining why ColoCrossing is so evil, the significance of B2 Net getting in bed with them, the numbers of total and dirty IPs of each, links to Spamhaus records, and links to lists of IP blocks for easy blocking. Only thing is it's ugly - any help there would be appreciated.


----------



## drmike (Jul 31, 2014)

@D. Strout

*even though ColoCrossing is a relatively small company with only $12 million in projected revenue*

Their current year sales were a bit north of $6 million.   So they are basically saying they will double their income in one year.  This is why competing with themselves and their own customers and while while circus pushes prices down to unsustainable prices.  As we saw recently:  1. BlueVM hit their price bottom and floating prices up.   2. 123Systems hit their price bottom and floating prices up.  3. The biggest example of price destruction, GVH announced recently a 15% uptick in prices.

CC is going to find 6 million new coins where?  Sell more IPs to spammers, sure.  Sell more IPs on swapped deals with partners, sure.  Start accepting BitCoin and play the collect and speculate game, sure (while ducking taxation).  Acquire some tiny companies, sure, they've been sending out let's talk / merge things since the M&A Robinson fellow came on board.

6 million excuses.

*Server Mania*

It's ServerMania

Good work!!!!!!!!!!!!!!!!!!!


----------



## MannDude (Jul 31, 2014)

Looks like I am the only one who voted 9...

Maybe I'm an optimist, but it could always be _worse_. Don't get me wrong, they need to get their shit together... but I won't give them a 10/10 for being a poor spam-happy network for the same reason I won't give a 10/10 rating for something that I consider _good_, like a good service or good meal. Always room for improvement, or in their case, room to be worse.


----------



## k0nsl (Jul 31, 2014)

Very nice work, Strout! I'm adding this list below to my most important boxes:
http://whosspamming.us/list.php?provider=vs&list=all

Thanks again, very useful.

[edit]

I also HN'd it for more exposure.



D. Strout said:


> And the final result: http://whosspamming.us/
> 
> A single page that can be shown to anyone outlining why ColoCrossing is so evil, the significance of B2 Net getting in bed with them, the numbers of total and dirty IPs of each, links to Spamhaus records, and links to lists of IP blocks for easy blocking. Only thing is it's ugly - any help there would be appreciated.


----------



## D. Strout (Aug 1, 2014)

Fixed a few typos on the site, and also added an option for "raw" output of subnets by adding &nocomments to the end of the URL.

Looking at the list, I noticed that there are some Level 3 IPs on it, along with other companies I don't know about. I'd love to get you guys' thoughts on this version of the list, with the obvious players removed. (Yeah, I added a filter option too, &filter=[semicolon-separated list of items to hide])


----------



## Francisco (Aug 1, 2014)

You could add it as an option but I don't think you should ignore reallocated subnets.

In fact, here's a prime example why - http://www.spamhaus.org/sbl/query/SBL229503

Given it's a reallocated box I'm thinking it was probably compromised.

Francisco


----------



## drmike (Aug 1, 2014)

I used to feel bad for collateral damage to CC's customers. Fact is, I am pretty sure they all have been warned and should have seen 50 different NEGATIVE things about CC by now.

And the head cheese Biloh blames crap on his network on "fact" that there are so many VPS companies under CC and a spammer can be booted out, just to show up at yet another company on the network in 15 seconds.

See all stupidity by design.  Cause really, they could institute something with teeth to slap bad customers.   They could limit SMTP send rates.   They could do many things.   But they don't and it's part of the whoa poor us schtick.

If their downstream VPS companies (that they don't have investment or partner gimmick with) are so g*d damn inept, then they deserve to be beaten, slapped, banned, bankrupted.

Include every IP issued to CC and all those which they get from datacenters and bandwidth upstreams.


----------



## Francisco (Aug 1, 2014)

drmike said:


> I used to feel bad for collateral damage to CC's customers. Fact is, I am pretty sure they all have been warned and should have seen 50 different NEGATIVE things about CC by now.
> 
> And the head cheese Biloh blames crap on his network on "fact" that there are so many VPS companies under CC and a spammer can be booted out, just to show up at yet another company on the network in 15 seconds.
> 
> ...


Brutal.

While they probably don't want to get involved in how their customers operate their nodes, it may be in their best interest to put out a notice requesting hosts install something like nodewatch or something similar just to get things cleaned up.

Once all the VPS/cloud providers are in check you find out which reseller is reselling the most dedicated servers to spammers and boot 'em. It doesn't matter if they have 30 - 50 servers on their account, if they're refusing to keep their nose clean you need to start fining them for the SPAM cleanup or just off them.

The amount of flack they're having to eat day in/day out has to be stressing the hell out of them. It simply can't be worth it to keep dealing with the providers that refuse to do their due diligence.

Francisco


----------



## Mun (Aug 1, 2014)

Where is a good place to get a list of CC ips?


----------



## drmike (Aug 1, 2014)

Mun said:


> Where is a good place to get a list of CC ips?


bgp.he.net has all the ranges... but if they are just issued and perhaps not ASN announced will not show on bgp.he.net.

Somewhere in ARIN's mess of a site you can find all the ranges issued (and neartime since ARIN is the issuer).  But ARIN's site is BLAH!!!!!!

The whosspamming.us site has a list at the bottom - actually various lists.   (easiest route to re-use already done work).


----------



## Mun (Aug 1, 2014)

https://cdn.content-network.net/tools/cc-blocklist/

RAW is just a RAW text file of all their IPS.

cc-blocklist is like my nginx ban list file and can be used to block all cc ips from accessing your nginx based web server.

htaccess is of course for using with apache

iptables is a prebuilt file with all the commands needed to ban the CC ip space.
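An added example, not part of the thread and not Mun's script: a sketch of the cleanup Kris asks for earlier (duplicates and more-specific announcements pasted from a BGP prefix table) followed by rendering into the raw, nginx and iptables formats listed above. The sample input uses constructed RFC 5737 documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input (documentation ranges, not real provider
# prefixes): a pasted list with a more-specific announcement, a duplicate,
# two adjacent /25s, a trailing description column and a junk line.
SAMPLE = """\
# pasted prefix list (constructed)
198.51.100.0/24
198.51.100.128/25
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
192.0.2.64/26   Example Hosting LLC
not-a-prefix
"""

def parse_prefixes(text):
    """Return (networks, rejected_lines) from free-form pasted text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]          # drop trailing description columns
        try:
            # strict=True rejects entries with host bits set (10.0.0.1/8),
            # usually a typo that would block far more than intended.
            nets.append(ipaddress.ip_network(token, strict=True))
        except ValueError:
            rejected.append(raw)
    return nets, rejected

def collapse(nets):
    """Merge duplicates, covered more-specifics and adjacent blocks."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]   # versions cannot be mixed
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))

def render(nets, fmt):
    """Render as raw text, nginx deny rules or iptables commands."""
    if fmt == "raw":
        return [str(n) for n in nets]
    if fmt == "nginx":
        return [f"deny {n};" for n in nets]
    if fmt == "iptables":
        return [f"{'iptables' if n.version == 4 else 'ip6tables'} "
                f"-A INPUT -s {n} -j DROP" for n in nets]
    raise ValueError(f"unknown format: {fmt}")

if __name__ == "__main__":
    parsed, bad = parse_prefixes(SAMPLE)
    merged = collapse(parsed)
    print(f"{len(parsed)} entries -> {len(merged)} collapsed; rejected: {bad}")
    for fmt in ("raw", "nginx", "iptables"):
        print("\n".join(render(merged, fmt)))
```

Collapsing keeps the rule count down, which matters for the file-size problem with large per-address lists mentioned later in the thread.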


----------



## Mun (Aug 1, 2014)

Ohh someone build me a readme file. I'm too busy at the moment. Should update every day just FYI.


----------



## mojeda (Aug 1, 2014)

Mun said:


> Ohh someone build me a readme file. I'm too busy at the moment. Should update every day just FYI.


http://pastebin.com/7YxH9N7K


----------



## Mun (Aug 1, 2014)

mojeda said:


> http://pastebin.com/7YxH9N7K


-.- that trolling


----------



## drmike (Aug 1, 2014)

Mun said:


> https://cdn.content-network.net/tools/cc-blocklist/


AWESOME @Mun  !!!!!


----------



## Mun (Aug 1, 2014)

drmike said:


> AWESOME @Mun  !!!!!


Any suggestions, config files etc?


----------



## drmike (Aug 1, 2014)

Mun said:


> Any suggestions, config files etc?


Does your script your stuff to pull data from whoispamming.us?  Just in case I spend time with the data and find ranges missing or other things to note (still have to do such).

And, how often is it updated?

We are going to need to make a sticky / reference section and include all of this work.  Great stuff!


----------



## Mun (Aug 1, 2014)

drmike said:


> Does your script your stuff to pull data from whoispamming.us?  Just in case I spend time with the data and find ranges missing or other things to note (still have to do such).
> 
> And, how often is it updated?
> 
> We are going to need to make a sticky / reference section and include all of this work.  Great stuff!


No, I don't use the whoisspamming.us I use bgp.he.net, with my own script. I also do not use CC's ASN and instead base it off everything with the name "ColoCrossing". I did this because this is about CC, and though I know bluevm and newwave tech isn't perfect with spam either, they are by all intents and purposes their own entity. This is why you see weird names in his list.

It currently runs a cronjob once a day and builds the list. It should keep it pretty up to date.

If you want other lists made it is very easy and modular for me to do so. Please send me the ASN you want and I'll set it up asap.

I will be making a thread on qwdsa.com for support in the near future for this little applet in case any of you notice an issue, which there should be none.

You may also want to check out NBL which is based off stop forum spam. Please note "DO NOT USE THE htaccess file" as apache will get destroyed by the size of the file. Nginx is the only one suggested.

https://cdn.content-network.net/nbl/

Sorry for my bad grammar.


----------



## DomainBop (Aug 1, 2014)

Mun said:


> No, I don't use the whoisspamming.us I use bgp.he.net, with my own script. I also do not use CC's ASN and instead base it off everything with the name "ColoCrossing". I did this because this is about CC, and though I know bluevm and newwave tech isn't perfect with spam either, they are by all intents and purposes their own entity. This is why you see weird names in his list.


ColoCrossing's Spamhaus SBLs are fairly evenly distributed across 3 groups of IPs: ColoCrossing unswipped, IPs assigned to HudsonValleyHost, and IPs assigned to New Wave Netconnect (CVPS) so NewWave Netconnect should be included too otherwise you're still going to get hit with a large percentage of the CC spam/botnets/crap.


----------



## Mun (Aug 1, 2014)

DomainBop said:


> ColoCrossing's Spamhaus SBLs are fairly evenly distributed across 3 groups of IPs: ColoCrossing unswipped, IPs assigned to HudsonValleyHost, and IPs assigned to New Wave Netconnect (CVPS) so NewWave Netconnect should be included too otherwise you're still going to get hit with a large percentage of the CC spam/botnets/crap.


Separate files or combined?


----------



## DomainBop (Aug 1, 2014)

I'd combine the files


----------



## Mun (Aug 1, 2014)

I'll make a new thread when I get home to discuss what the possibilities are.


----------



## Mun (Aug 2, 2014)

NM, I'm too tired. I have some ideas and I will put them into play how I think they should be done.

Can I get some ASNs people would like block lists for? Yes, I am lazy and have no idea on all the block lists you might like. Shoot me anything you like.

Mun

See you in 8 hours.


----------



## Mun (Aug 2, 2014)

Done C=


----------

