# Dear Spamhaus, why can't you group providers right?



## drmike (Apr 14, 2014)

Dear Spamhaus,

Why can't you group providers right?

Spamhaus is a site all the company owners around here are likely familiar with.  Lists bad behaving networks with spam activity.  Groups of dirty IPs.

http://www.spamhaus.org/sbl/listings/velocity-servers.net

That shows, 18 current entries.

http://www.spamhaus.org/sbl/listings/chicagovps.net

That shows, 9 current entries.

The problem is, ChicagoVPS is 100% ColoCrossing through and through.  Same IPs, same ownership, even share same fricking offices.

ChicagoVPS isn't very quick or caring about their soiled IPs.  Oldest entry goes all the way back to September 9, 2013.  The most recent active entry is March 30, 2014. Of the 9 entries 5 have the distinction of big yellow boxes and red triangles with exclamation points for being ROKSO gang spammers.

I want Spamhaus to combine these entries and shove them under ColoCrossing/Velocity-servers, the owner of the IPs.

What does everyone else think?


----------



## Virtovo (Apr 14, 2014)

Although I can see how their close ties may make cycling IPs easier and obscuring abuse; however as it stands they are separate entities and there has been no proof to say otherwise.


----------



## drmike (Apr 14, 2014)

Yeah but every other provider - well all I've checked on CC's network, get bundled under Velocity.  Not broken out like CVPS.  Something rather strange with this one.


----------



## drmike (Apr 14, 2014)

To this point, on Velocity's listings:

SBL219336 23.249.160.24/32 velocity-servers.net
12-Apr-2014 11:13 GMT Snowshoe spam source - VPS ACE

SBL219280 192.227.182.155/32 velocity-servers.net
11-Apr-2014 20:48 GMT Snowshoe spam source - Cloud Shards

SBL219250 172.245.240.36/32 velocity-servers.net
11-Apr-2014 13:46 GMT Snowshoe spam source - Hudson Valley Host

SBL219191 23.94.101.128/25 velocity-servers.net
11-Apr-2014 08:44 GMT Repeatedly hosting snowshoers - ElectricByte

*SBL218094 192.227.172.192/26 velocity-servers.net
31-Mar-2014 22:08 GMT Spam source - ChicagoVPS*

Lookie there.... Even CVPS once in a while gets included...

Strange.


----------



## AlexBarakov (Apr 14, 2014)

Isn't there another thread about that already?

On the other side, I am still waiting on Spamhaus to respond on request for removal of a block, that is not on CC's network.


----------



## Francisco (Apr 14, 2014)

Alex_LiquidHost said:


> Isn't there another thread about that already?
> 
> On the other side, I am still waiting on Spamhaus to respond on request for removal of a block, that is not on CC's network.


In your case you'll likely need to get your ISP to handle it.

They don't really like dealing with customers of the networks much as it could lead to the customer

trying to slip under the radar if the network owner is oblivious of the listings.

Senderbase gives you a really solid outlook into what's going on in Buffalo. There's countless IP's at

senderbase that are still alive and well....pushing mountains of spam and haven't been delisted.

Spamhaus doesn't take "other" BL's into consideration for listings, though, and that just means said

spammers have a spamhaus free mailing list to go off.

Francisco


----------



## AlexBarakov (Apr 14, 2014)

Francisco said:


> In your case you'll likely need to get your ISP to handle it.
> 
> 
> They don't really like dealing with customers of the networks much as it could lead to the customer
> ...


Well, that's quite unreasonable  . A huge load of the EU businesses get their PI IP space from their LIRs. Why would I have to get my provider deal with them, when I am operating with those IPs and are SWIPd udner my company's name?

I'll wait a little bit longer, though, will see if I get a proper response from them, on my emails.


----------



## Francisco (Apr 14, 2014)

RIPE is nothing like ARIN when it comes to allocations.

There is no local state LIR's that provide local allocations, it's all ARIN.

When IP's get spam'listed they usually get pushed to the direct subnet and if that doesn't work, to the

LIR. If *that* fails, they will mark it to RIPE and you best find new space.

Francisco


----------



## AlexBarakov (Apr 14, 2014)

Francisco said:


> RIPE is nothing like ARIN when it comes to allocations.
> 
> 
> There is no local state LIR's that provide local allocations, it's all ARIN.
> ...


Not exactly sure what I've read, however do you mean that there are no local RIPE LIR's, or? Cause I am quite sure that my IPs are from a RIPE LIR.


----------



## Mun (Apr 14, 2014)

http://www.senderbase.org/static/spam/#tab=2

@colocrossing in #2 for worst IP in the whole world.

@crisis Solutions #4


----------



## Kruno (Apr 14, 2014)

Alex_LiquidHost said:


> Not exactly sure what I've read, however do you mean that there are no local RIPE LIR's, or? Cause I am quite sure that my IPs are from a RIPE LIR.


Spamhaus goes after ASN owner. If you have RIPE PI or swip'd PA(at least /24) you may be able to arrange something with spamhaus directly and they will contact you directly in the future. Speaking from experience. Of course, there may be some exceptions here and there.


----------



## AlexBarakov (Apr 14, 2014)

Kruno said:


> Spamhaus goes after ASN owner. If you have RIPE PI or swip'd PA(at least /24) you may be able to arrange something with spamhaus directly and they will contact you directly in the future. Speaking from experience. Of course, there may be some exceptions here and there.


Just had the listings removed, an hour ago 

Something I didn't take in consideration - saturday and sunday are not workdays and they operate on US timezones. So yeah.


----------



## mtwiscool (Apr 15, 2014)

some of the listings are a joke like:



> SBL218995
> 23.94.42.123/32  velocity-servers.net
> 09-Apr-2014 16:28 GMT
> indian spammer?





> SBL213950
> 198.46.157.41/32  chicagovps.net
> 21-Feb-2014 19:53 GMT
> indian spammer?


----------



## ryanarp (Apr 15, 2014)

Love not being on that list, hard work usually pays off.


----------



## mtwiscool (Apr 15, 2014)

ryanarp said:


> Love not being on that list, hard work usually pays off.


you do know spamhaus lists people with no warnings?

Its a stupid case of punishment with no proof as it blocks you from sending emails to mail server owned by people like Hotmail and gmail.

INCERO your actions prove your scared of them, and this is proved by your actions.

Spamhaus treat webmasters like trash.


----------



## ryanarp (Apr 15, 2014)

mtwiscool said:


> you do know spamhaus lists people with no warnings?
> 
> Its a stupid case of punishment with no proof as it blocks you from sending emails to mail server owned by people like Hotmail and gmail.
> 
> Spamhaus treat webmasters like trash.


I do know this, I was talking about the list that @Mun pointed out, not the website as a whole. 

I have never known a IP to get blacklisted without proof. Last I checked there wasn't a random drawing to determine what IP will get blacklisted today. 

Generally I haven't had a issue with Spamhaus, granted everyone has a different approach on SPAM.


----------



## drmike (Apr 15, 2014)

Mun said:


> http://www.senderbase.org/static/spam/#tab=2
> 
> @colocrossing in #2 for worst IP in the whole world.
> 
> @crisis Solutions #4


I can't replicate your findings   Guess these change on live or daily basis.

ColoCrossing is ~ 4th right now.

But they are first if you sort by domains... More domains spamming than anyone else.

ColoCrossing    7.8    52.8% ↑    271 domains

This domains part is defined as:

"Number of Domains


Number of email sending domains associated with the network owner."


----------



## drmike (Apr 15, 2014)

Also interesting is place #11 when sorting by domains:

B2 Net Solutions

6.9

-31.3% 47

B2 Net Solutions is a ColoCrossing customer, uses CC's Sheridan Road address as their own, uses CC's Buffalo datacenter address as their own, uses CC's IPs, engages in mass IP hoarding also...  and are literally best friends with Jon Biloh - plus are local to CC HQ's / Biloh's backyard.

What's the random chance of this happening naturally without a concerted effort to appeal to and sell to spammers? ZERO.


----------



## Mun (Apr 16, 2014)

It changes by day.


----------



## Francisco (Apr 16, 2014)

They're #1 right now.

See, the bad part is that there's historical showing it hasn't improved at all. Infact it has increased 50% in the past 24 hours, if you take senderbase as truth.

I dunno, you can scan over the RDNS entries they show and it's so obviously spam that you can tell

that CC's either straight up "Need some IP's?" or not doing their part in monitoring

their own network.

B2's on the way down so it's possible they're cleaning up their act but I dunno...

Francisco


----------



## DomainBop (May 3, 2014)

Dear Spamhaus,

/15 #2!

Thank you! Thank you! Thank you!

Sincerely,

D. Bop


----------



## Francisco (May 3, 2014)

DomainBop said:


> Dear Spamhaus,
> 
> /15 #2!
> 
> ...


Like I said on WHT, yikes.

That 192 /17 is going to go soon as well if they're not careful.

Francisco


----------



## MannDude (May 3, 2014)

DomainBop said:


> Dear Spamhaus,
> 
> /15 #2!
> 
> ...


I rarely, "LOL", but I did laugh out loud when I saw this thread on WHT today: https://www.webhostingtalk.com/showthread.php?t=1372238


----------



## DomainBop (May 3, 2014)

They've increased their number of IPs by about 50% in the past few months: 720,896 now.

Today's blacklisting of the 23.94.0.0/15 is going to hurt a lot of hosts and end users.  A quick search shows CloudShards, FTPIT, HudsonValleyHost, SSDVPS, LiquidSolutions, McMyHost,GVH, CVPS all have IPs in that range.

LEB/LET's mx records are in that range too... http://mxtoolbox.com/SuperTool.aspx?action=mx%3alowendbox.com&run=toolpage


----------



## AlexBarakov (May 3, 2014)

DomainBop said:


> They've increased their number of IPs by about 50% in the past few months: 720,896 now.
> 
> Today's blacklisting of the 23.94.0.0/15 is going to hurt a lot of hosts and end users.  A quick search shows CloudShards, FTPIT, HudsonValleyHost, SSDVPS, LiquidSolutions, McMyHost,GVH, CVPS all have IPs in that range.
> 
> LEB/LET's mx records are in that range too... http://mxtoolbox.com/SuperTool.aspx?action=mx%3alowendbox.com&run=toolpage


Not exactly sure how you've done your search, however Liquid does not have any ranges in this block. Neither does CloudShards have a range in use from the 23.94.0.0/15 block.


----------



## DomainBop (May 3, 2014)

Alex_LiquidHost said:


> Not exactly sure how you've done your search, however Liquid does not have any ranges in this block. Neither does CloudShards have a range in use from the 23.94.0.0/15 block.


My listing of CloudShards was based on a current Spamhaus SBL and the ARIN SWIP info for the IP:

http://www.spamhaus.org/sbl/query/SBL221229 23.94.69.18/31

http://whois.arin.net/rest/net/NET-23-94-69-0-1/pft

a total of 5 IP ranges in that /15 are currently SWIPed to CloudShards http://whois.arin.net/rest/org/CS-285/nets

ColoCrossing has a habit of never updating SWIP info though.  There were still IPs SWIPed to End of Reality a year after they left


----------



## AlexBarakov (May 4, 2014)

DomainBop said:


> My listing of CloudShards was based on a current Spamhaus SBL and the ARIN SWIP info for the IP:
> 
> http://www.spamhaus.org/sbl/query/SBL221229 23.94.69.18/31
> 
> ...


I stand corrected here. My mistake 

However I am certain that Liquid currently does not have anything in that range.


----------



## DomainBop (May 6, 2014)

Fabozo the Clown must have joined his former employer's affiliate program... 

_Subject: Kohl's is rewarding its customers, today_

_Received-SPF: pass (xxxx: domain of [email protected] designates 198.23.141.220 as permitted sender) client-ip=198.23.141.220;_

We're filtering ColoCrossing IPs and automatically submitting their email SPAM to Spamcop as they arrive.  This is the list from just the past few hours:

Submitted: 06/05/2014 17:16:37 +0200:
Kohl's is rewarding its customers, today

( 198.23.141.220 )

Submitted: 5/6/2014, 6:29:51 AM -0400:
_World's leading married- dating-service for (discreet encounters.)_

( 192.3.42.155 )

Submitted: 5/6/2014, 6:25:08 AM -0400:
_You may Save More with the HARP Refi Program_

_( 192.3.42.151 )_

_Submitted: 5/6/2014, 2:46:06 AM -0400:
#1 Tip To Perfect Skin - REVEALED by Oz Show_

_( 192.3.42.149 )_

_Submitted: 5/6/2014, 2:40:38 AM -0400:
Hi, 50% off Flowers for Mom_

_( 192.3.42.146 )_

I predict some more large blocks being blacklisted by Spamhaus soon... 

The comment spam bot problem from ColoCrossing IPs is also getting worse: http://cleantalk.org/blacklists/AS36352

Congratulations to Jon Biloh and his sidekick Alex Vial for creating the U.S. equivalent of Ecatel.  *spits*


----------



## DomainBop (Jun 10, 2014)

Time for a little update:

As of today, Velocity Servers is now listed on Spamhaus's "The World's Worst ISPs" list at #6 with 45 SBL listings.

http://www.spamhaus.org/statistics/networks/


----------



## nunim (Jun 10, 2014)

DomainBop said:


> Time for a little update:
> 
> As of today, Velocity Servers is now listed on Spamhaus's "The World's Worst ISPs" list at #6 with 45 SBL listings.
> 
> http://www.spamhaus.org/statistics/networks/


CC is the top sender according to SenderBase which I find to be quite accurate:


----------



## coreyman (Jun 18, 2014)

Did anyone see this range on spamhaus of CC?

*107.172.0.0/15*


----------



## drmike (Jun 18, 2014)

DomainBop said:


> Time for a little update:
> 
> As of today, Velocity Servers is now listed on Spamhaus's "The World's Worst ISPs" list at #6 with 45 SBL listings.
> 
> http://www.spamhaus.org/statistics/networks/


Now they are up to #4 on Spamhaus' list


----------



## drmike (Jun 18, 2014)

coreyman said:


> Did anyone see this range on spamhaus of CC?
> 
> *107.172.0.0/15*


Did I see that range listed by Spamhaus?  No.  But my logging only goes back a few months.  March 11th to be exact....

Wait... I see it... I think


----------



## drmike (Jun 18, 2014)

Unsure why the range isn't in my database... Bug in code...

*SBL214220*


*107.172.0.0/15*

*velocity-servers.net*


25-Feb-2014 10:39 GMT


snowshoe range 



Now, this is at least the second /15 listed by Spamhaus since I started logging:

'2014140503-1838' ; 'SBL221319' ; '0' ; '' ; '023.94.0.0/15' ; '023.94.0.0' ; '0' ; '' ; 'OrgName:        ColoCrossing


----------



## drmike (Jun 18, 2014)

... and back to the original idea behind this post.... Spamhaus WAS NOT counting ChicagoVPS and probably some other companies abuse under CC, even though they solely use CC for IPs and network.

Well, been looking recently and the ChicagoVPS items seem to be filed now under CC, properly.

Which has caused CC to go up in abuse totals and rank....

Thanks to whoever at Spamhaus who took notice and cleaned this up


----------



## DomainBop (Jun 19, 2014)

drmike said:


> ... and back to the original idea behind this post.... Spamhaus WAS NOT counting ChicagoVPS and probably some other companies abuse under CC, even though they solely use CC for IPs and network.
> 
> Well, been looking recently and the ChicagoVPS items seem to be filed now under CC, properly.
> 
> ...



It probably bears repeating what Spamhaus has said about Velocity Servers Inc / ColoCrossing (#4 on the Spamhaus World's Worst ISPs list) and their ilk:



> The networks listed on this page knowingly provide service to criminal spam gangs and ignore spam reports from anti-spam systems and Internet users. These networks are defacto Spam Havens from where spammers operate freely and with the full knowledge of the network administrators and the executives. In the name of profits, these ten networks turn a blind eye to criminal spam gangs on their networks.
> http://www.spamhaus.org/statistics/networks/


----------



## DomainBop (Jun 19, 2014)

This is worth a read: ChicagoVPS customer (and ROKSO listee) James Carner claims a first amendment right to SPAM 

http://www.spamhaus.org/rokso/evidence/ROK9814/james-carner-ehygienics/claims-a-first-amendment-right-to-send-spam


----------



## coreyman (Jun 19, 2014)

drmike said:


> Unsure why the range isn't in my database... Bug in code...
> 
> *SBL214220* *107.172.0.0/15* *velocity-servers.net* 25-Feb-2014 10:39 GMT snowshoe range
> 
> ...


Wow... that's a ton of addresses! 128,000!!


----------



## mtwiscool (Jun 19, 2014)

read this:

http://www.cyberbunker.com/web/spamhaus.php


----------



## drmike (Jun 19, 2014)

DomainBop said:


> This is worth a read: ChicagoVPS customer (and ROKSO listee) James Carner claims a first amendment right to SPAM
> 
> http://www.spamhaus.org/rokso/evidence/ROK9814/james-carner-ehygienics/claims-a-first-amendment-right-to-send-spam


Wow!  Unsure where Spamhaus sourced this from, but this guy, yeah... Free speech... I love how companies, commerce driven, usually limited liability, intentionally divided from a soul infected human, claim at law and in public courts of opinion the concept that they have "freedom of speech".

James Carner / eHygienics


Evidence Menu:




*

James Carner / eHygienics Index*





Country: *United States*


State: *OR*



​ 

James Carner is a spammer who spams to advertise his harvested email lists and email listwashing service. He claims to be able to remove Spamhaus spamtraps from any list of email addresses. However, this service does not work very well since we catch him spamming all the time. Formerly known as Quickie Marketing.





*James Carner / eHygienics SBL Listings History*




Current SBL Listings




Archived SBL Listings



Claims a First Amendment right to send spam





James Carner says it's his First Amendment right to send spam, among other choice quotes.


TVS Weekly Newsletter - 84,000 Readers & Growing


James Carner - Editor


[email protected]


Two of every three office e-mails are spam AND THIS STAT IS BULLSHIT


Spam Loses Corporations Money


Well wipe my ass with coleslaw


Guess who, it's James Carner. When I see articles like


"Two of every three office e-mails are spam" I tend to wonder how


these numb nuts get their statistics. First of all, the reason


employees gets spam is because they are crappy employees who are


surfing the web instead of doing their freakin jobs. Instead of


blaming spam, let's blame the dill hole who hired that employee and gave


them internet access to buy penis enlargements. Spam is not to blame.


I own two companies and combined I get 1 Christmas tree


of junk direct mail every day. Oh but the time I spend throwing away


all of that mangy stuff is causing a loss of $120 a day. Are we being


serious here? Obviously there must not be enough news to report about


dead Americans on foreign soil or mass corporations supplying the Illuminati


enough money to control the world to focus on such emphasis on unsolicited


emails. Wake up America! The feds say, "Spam away!" because it's


our 1st amendment right of freedom of speech. Yet the States complain


like Britney Spears that they have no time for themselves.


If I had my way,


the spamcop's, spamhaus' and IT geeks would all be placed on their own


little island to complain back and forth to one another. Then


eventually, I would nuke the island and not cry. I am become death...


Back off and let us


put bread on the table and live in a free country you spineless dip-shits!


Instead of complaining about unsolicited emails, why don't you do some good


and plant a tree so that we may cut that down to send you more direct mail.


Fascists!


----------



## drmike (Jun 19, 2014)

CC continues to go up in the ranks 

*3 *​ 

velocity-servers.net

Number of Current Known Spam Issues: *54*


----------

