# Colocrossing spam happy network



## drmike (Oct 1, 2013)

[source: http://www.webhostingtalk.com/showthread.php?t=1308803 ]



> For a very long time we received much spam from vuvunews.com / vuvuplaza.com, unsubscribed while never subscribed in the first place and reported such spam, but colocrossing.com doesn't seem to care and even spamcop eventually devnulled spam reports to colocrossing.


and later from another poster



> Vuvu spamming dating back more than one or two years but colocrossing NEVER acted on so many spamcop spam reports. No wonder that even spamcop eventually devnulled colocrossing.com reports because it seems useless to get anywhere with them.
> 
> abuse#[email protected]
> 
> ...



----------------------------------------------------------------------------------------------------------------------------------------------------------

When you head over to Spamhaus there are 5 IP ranges belonging to Velocity/Colocrossing still listed.  One IP range is a massive /18:

http://www.spamhaus.org/sbl/listings/velocity-servers.net

And, they have one IP range that is labeled hijacked... The company who was issued the range has forgotten/abandoned the IPs, but spamming has gone on within their range:


```
SBL181088		204.86.16.0/20	velocity-servers.net

09-Apr-2013 13:02 GMT		zombies
 possible hijack - Hoffman Engineering
```


----------



## MannDude (Oct 1, 2013)

Couldn't this mean that just a customer of CC is hosting these?

While it's shitty, it's not uncommon for the low end industry to be full of this crap. Low price points attract some of the worst clients.


----------



## drmike (Oct 1, 2013)

That's just the tip of the iceberg...

http://www.malwareurl.com/ns_listing.php?as=AS36352

^--- Look at all those scam/fraud sites...

https://cleantalk.org/blacklists/AS36352



> | # | ASN, Organization name | Country | Detected IP addresses | Spam active IP addresses | Spam rate |
> |---|---|---|---|---|---|
> | 1 | AS36352 ColoCrossing | | 1 343 | 454 | 33.80% |


^--- interesting rooting through info there too.


----------



## serverian (Oct 1, 2013)

http://www.malwareurl.com/ns_listing.php?as=AS36351


----------



## Francisco (Oct 1, 2013)

Yikes.

I know when BlueVM was in the midst of their move to CC they were given some subnets that were completely dirty. I'm not sure if they rotated out of it or just had to wait on CC to contact spamhaus.

Francisco


----------



## manacit (Oct 1, 2013)

serverian said:


> http://www.malwareurl.com/ns_listing.php?as=AS36351



SOFTLAYER SPAM HAPPY NETWORK


----------



## drmike (Oct 1, 2013)

MannDude said:


> Couldn't this mean that just a customer of CC is hosting these?


No doubt.  You will notice "house" brands though at CC among the ranges spamming (i.e. ChicagoVPS).   You'd think they'd be much tighter on closing people down for spamming.



manacit said:


> SOFTLAYER SPAM HAPPY NETWORK


No doubt, dog pile worth there too.  I suspect Softlayer is massive in comparison of actual customers.  



Francisco said:


> BlueVM was in the midst of their move to CC they were given some subnets that were completely dirty.


Someone from BlueVM care to comment?  I remember hearing of the incident -- pre-soiled spam used IPs....


----------



## Francisco (Oct 1, 2013)

The incident was documented by... Justin? on LEB I think it was. I do know that whoever runs the 'BlueVM' social accounts was the one that mentioned it.

Francisco


----------



## jarland (Oct 1, 2013)

manacit said:


> SOFTLAYER SPAM HAPPY NETWORK


Relativity is important. If I make tires and distribute 40, 25 of which blow out in a week and you make tires and distribute 4000, 150 of which blow out in a week, which one of us fails more at making quality tires?


----------



## Aldryic C'boas (Oct 1, 2013)

Issues like this are why I pushed for QC when it came to accepting new signups.


----------



## Magiobiwan (Oct 1, 2013)

I remember us having gotten a dirty block when we moved to CC, but I can't remember if we cleaned it ourselves, if we waited for CC, or if we got a fresh block.


----------



## drmike (Oct 1, 2013)

Aldryic C said:


> Issues like this are why I pushed for QC when it came to accepting new signups.


Speaking of scrutinizing new customers, right?


----------



## Aldryic C'boas (Oct 1, 2013)

buffalooed said:


> Speaking of scrutinizing new customers, right?


My stance was always about preventing repeat offense.  New clients get the benefit of the doubt;  one of my primary goals was preventing someone that had been terminated for.. spam, for example, to stay on topic.. from just opening a new account and going at it again.  Our SBLs were a bit of a mess as well back in the pre-BuyVM days - I spent a lot of time cleaning up when I took over billing.  Both SBLs and internally.

Aye, people did cry about strict signups with us - but now we only have _maybe_ 2-3 actual SBLs a year.  And any we do have I get taken care of and de-listed within 24 hours - which means we don't have entire _ranges_ getting listed and screwing things up for clients just minding their own business.


----------



## Francisco (Oct 1, 2013)

You know, I was reading this over while out getting some food and it hit me.

How the *fuck* did someone get a BGP session/ prefix announcement for a *stolen* IP allocation before 2 of their customers got approved for BGP sessions?

@SkylarM must be spinning like a top right now.

Francisco


----------



## drmike (Oct 1, 2013)

Aldryic C said:


> Aye, people did cry about strict signups with us - but now we only have _maybe_ 2-3 actual SBLs a year.  And any we do have I get taken care of and de-listed within 24 hours - which means we don't have entire _ranges_ getting listed and screwing things up for clients just minding their own business.


Even though your policies have gotten waa-waa from some buyers over policies, I like them.  Think your approach is mainly on target.  Have to be strict or you end up with a network and IP space like we see with the mentioned company.  

Obviously, I suspect they've cleaned up quite a bit... I saw a good 4 plus other IP ranges being put out by Spamhaus earlier this week.   Others in the past.  Revolving door of sorts.  Suspect they might care a tad more if they weren't swimming in IP allocation


----------



## drmike (Oct 1, 2013)

@Skylar,

Fran is referring to this IP range I believe:


```
SBL181088 204.86.16.0/20	velocity-servers.net

09-Apr-2013 13:02 GMT zombies
possible hijack - Hoffman Engineering
```

The IP range appears here also:

http://www.turkhackteam.net/bilgisayar-guvenligi/10036-tum-dunyanin-ip-adresleri-buyrun.html

"Turk Hack Team"....

That post was allllll the way back in 2006

"204.86.16.0-204.86.115.255"


----------



## Francisco (Oct 1, 2013)

It has to be a pre-ARIN subnet, otherwise the owner would have stopped paying their dues to ARIN.

That, or ARIN would have direct contact with the owner.

Francisco


----------



## drmike (Oct 1, 2013)

The IP allocation to Hoffman was circa 1994 I believe.

Odd though since Hoffman is a subsidiary of a very large multi billion dollar international company with several well known subsidiaries.


----------



## serverian (Oct 2, 2013)

buffalooed said:


> @Skylar,
> 
> Fran is referring to this IP range I believe:
> 
> ...


That post lists all IPv4 ranges...


----------



## wlanboy (Oct 3, 2013)

There are plenty of networks that should be just dropped:


```
142.0.32.0/20 VolumeDrive
200.85.48/20 Telecel S.A.
108.171.240.0/20 Psychz Networks
204.188.192.0/18 SHARKTECH
```


----------
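Added example, not part of any post in this thread: one way to turn a hand-written drop list like the one above into something a filter can evaluate. It expands the shorthand `200.85.48/20`, which Python's `ipaddress` module rejects as written, and converts a dash-style range such as the `204.86.16.0-204.86.115.255` quoted earlier in the thread into CIDR blocks. The function names and the test addresses are constructed for illustration.

```python
import ipaddress

# The four entries from the post above, copied verbatim (shorthand included).
DROP_LIST = """\
142.0.32.0/20 VolumeDrive
200.85.48/20 Telecel S.A.
108.171.240.0/20 Psychz Networks
204.188.192.0/18 SHARKTECH
"""

def normalize_cidr(text):
    """Pad shorthand such as '200.85.48/20' to four octets, then parse strictly."""
    addr, sep, plen = text.strip().partition("/")
    octets = addr.split(".")
    if not sep or not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 CIDR prefix: {text!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=True raises if host bits are set, catching typos like 10.0.0.1/20.
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=True)

def parse_drop_list(text):
    """Return [(network, owner), ...], skipping blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            prefix, _, owner = line.partition(" ")
            entries.append((normalize_cidr(prefix), owner.strip()))
    return entries

def lookup(ip, entries):
    """Owner label of the most specific listed prefix covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, owner) for net, owner in entries if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def range_to_cidrs(first, last):
    """Convert an inclusive 'first-last' range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

if __name__ == "__main__":
    entries = parse_drop_list(DROP_LIST)
    for ip in ("204.188.200.7", "200.85.50.1", "8.8.8.8"):  # constructed test addresses
        print(ip, "->", lookup(ip, entries) or "not listed")
    # The dash-style range quoted earlier in the thread, as CIDR blocks.
    print([str(n) for n in range_to_cidrs("204.86.16.0", "204.86.115.255")])
```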

