B2 Net Solutions (ColoCrossing) and ChicagoVPS Spam

Kris

New Member
I avoid making new topics. But while Biloh is at WHT spouting bullshit about cleaning up, spam is getting worse.

When migrating and setting up a new server tonight that had spam issues previously, I had SpamHaus and BarracudaCentral enabled and decided to see what got through if it needed further tweaking. 

First spam to slip through? The new IP collector AS of ColoCrossing, B2 Net Solutions - now featuring almost 250,000 IPs!

Guess they had issues getting new IPs on their other ASN  ;)  Still collecting, I see them in the ARIN lists for getting new prefixes.

http://bgp.he.net/AS55286#_prefixes

2014-07-30 17:19:49 1XCe64-000471-Cj <= [email protected] H=26.sonnexes.us (amarned.us) [23.229.57.X]:53518 P=esmtp S=3136 [email protected] T="FHA refinance: it may help you save money" for

 

Guess they're shifting things to the new IP collecting brand & ASN to get off Spamhaus's bad graces under their normal ASN.

 

By the way, if you wonder why they don't mind spammers? Not the spam, per se. They're simply info gathering to justify to ARIN / give customer names. Probably a /29 request for each or more.  :popcorn: 

 

Hint: They need all the names they can to get more IPs from ARIN, duh. 

 

Leslie%20Nielsen%20Nothing%20to%20See%20Here.gif

 

 

Saving time and asking for the client's authorization to simply block both ASN's outright to solve their spam issue.

 

Nothing of value resides on that network, it's like avoiding a bad area of Detroit... or Chicago IMO. 

 

 

As I was wrapping this post up, take a guess at the second source that slipped through under Spamhaus and Barracuda Networks RBL? 

 


 

ColoCrossing CC-12 (NET-192-227-128-0-1) 192.227.128.0 - 192.227.255.255

New Wave NetConnect, LLC CC-192-227-244-224-27 (NET-192-227-244-224-1) 192.227.244.224 - 192.227.244.255

 

 

I hate you guys. I really fucking do.

 

 

Signed,

Everyone Not In a Business Relationship With You
 

SkylarM

Well-Known Member
Verified Provider
Mentioned it a few months ago when I saw B2net had a huge collection of IP space. Doesn't really surprise me at all. CC will get away with it for a little bit until Spamhaus catches on.
 
Last edited by a moderator:

D. Strout

Resident IPv6 Proponent
Care to add their subnets for easy APF / CSF blocking?

I'll be getting the recent most as my managed client literally begged me block them, as the spam is killing them (and getting their own server a bad rep with gmail, because it forwards the ColoSpamming) 
I just threw this together real quick - WIP as we speak. I'll set it up to post the full list of subnets ASAP.
 

D. Strout

Resident IPv6 Proponent
That's a much longer list than I have! I haven't examined your closely, is is possible that it's the same ones as SpamHaus, just broken up in to smaller chunks?

Spamhaus records 460,050 dirty IPs under 46 SBLs assigned directly to ColoCrossing
 
Last edited by a moderator:

Kris

New Member
https://gist.github.com/anonymous/60478145cade9f765592

They definitely are some dupes that are announced in smaller chunks, but I just literally copied bgp.he.net out, threw into APF to stop the spam. I'm sure it could be cleaned up, or even added as a public .txt file, so it could be added to APF or CSF as a custom block list to stay updated. 

Hint... You're good at this stuff   :D
 

Kris

New Member
BTW, I'm adding *all* of their subnets, not just ones 'reported' dirty.

Entire thing that pissed me off is these aren't blocked by Spamhaus, BarracudaNetworks & got right through.

Nothing of value on the network, so just blocking the full monty. 
 

D. Strout

Resident IPv6 Proponent
Ah, well, then our purposes don't fully coincide here. I'm just listing from Spamhaus. Of course, even if I wanted to do the full AS I couldn't - bgp.he.net doesn't allow scraping. Try wget http://bgp.he.net/AS36352 and you'll see. Yeah, I could scrape it by changing the user agent, but if HE doesn't want it, who am I to try and break their system?
 

Kris

New Member
Ah, well, then our purposes don't fully coincide here. I'm just listing from Spamhaus. Of course, even if I wanted to do the full AS I couldn't - bgp.he.net doesn't allow scraping. Try wget http://bgp.he.net/AS36352 and you'll see. Yeah, I could scrape it by changing the user agent, but if HE doesn't want it, who am I to try and break their system?
Good point on the wget. I'll just keep watching for new listings, copy and paste into Excel and paste out. The fact I enabled SpamHaus and BarracudaNetworks and they were still getting through... figured, block it all
 

DomainBop

Dormant VPSB Pathogen
My current blocklist is much shorter.  I'll have to add in the missing pieces from your lists.

198.23.128.0/17     
192.210.128.0/17
23.94.0.0/15
107.172.0.0/14
192.227.128.0/17
206.217.128.0/20
172.245.56.0/21
162.221.180.0/23
107.161.144.0/20
192.3.0.0/16
23.254.0.0/17
198.12.64.0/18
96.8.112.0/20
138.128.112.0/20
108.174.48.0/20
162.218.88.0/21
162.221.178.0/23
 

D. Strout

Resident IPv6 Proponent
Good point on the wget. I'll just keep watching for new listings, copy and paste into Excel and paste out. The fact I enabled SpamHaus and BarracudaNetworks and they were still getting through... figured, block it all
Yeah, Spamhaus unofficially recommends a "full blockade", but the SBLs are still just coming in one by one.
 

Kris

New Member
Yeah, Spamhaus unofficially recommends a "full blockade", but the SBLs are still just coming in one by one.
Honestly, as do I. So many were slipping under SpamHaus / aren't listed.

Wonder how many months until they get a full D.R.O.P listing (will make blocking easier, already included in APF) 
 
Last edited by a moderator:

D. Strout

Resident IPv6 Proponent
Yeah, I could scrape it by changing the user agent, but if HE doesn't want it, who am I to try and break their system?
You know what, never mind that. bgp.he.net has no posted terms of service, and I'm sure the block is to avoid getting hit super hard. Once every two hours (which is how frequently I scrape Spamhaus) is hardly going to bring the site down, so I'm going to see if I can work around it by changing the user agent.
 
Top