ColoCrossing, Quick to Get Large IP Blocks Issued and Faster to Soil Them

drmike

100% Tier-1 Gogent
Back in December ColoCrossing was issued by ARIN a /14 of IP space:

http://www.spamhaus.org/sbl/query/SBL214220


NetRange: 107.172.0.0 - 107.175.255.255
CIDR: 107.172.0.0/14
OriginAS: AS36352
NetName: CC-17
NetHandle: NET-107-172-0-0-1
Parent: NET-107-0-0-0-0
NetType: Direct Allocation
RegDate: 2013-12-27
Updated: 2013-12-27

SpamHaus just yesterday lopped off a /16 of the range for bad behavior / use of IPs for "Snowshoe spam operation":

Code:
SBL214220 107.172.0.0/16 velocity-servers.net

25-Feb-2014 10:39 GMT snowshoe range
 

mtwiscool

New Member
And to be fair, I was told around 4PM :)

[3:52:51 PM] :: http://www.spamhaus.org/sbl/query/SBL214220

Though I'm not surprised. A ton of their blocks are listed. Lots of spam, DDoS, housing illegal Iranian clients, and just general shit on their network.
i hate spamhaus.

they have been known for blackmailing.

what is counted as spam is very complex.

i know in the UK it's not illegal to host people from iran and i think it's the same in the US.

i have had honest emails blocked by Hotmail because of these fuckers; if one person spams on the ip block the whole block gets black listed for 3 weeks.

spamhaus is in breach of laws as they are affecting honest business.

they think they do not need to follow trade laws.

rant over.
 

peterw

New Member
i have had honest emails blocked by Hotmail because of these fuckers; if one person spams on the ip block the whole block gets black listed for 3 weeks.
Everyone will ignore them if they do not put this pressure on the ip owners.
 

Navyn

New Member
Verified Provider
The most important thing is when one or two IPs are involved in Spamhaus, it lists the whole subnet as spam sending and tries to put pressure on the IP owner to justify the reason for the spam, which is not possible in every situation.
 

mtwiscool

New Member
The most important thing is when one or two IPs are involved in Spamhaus, it lists the whole subnet as spam sending and tries to put pressure on the IP owner to justify the reason for the spam, which is not possible in every situation.
because hosts need to investigate.

spamhaus act like judges and think everything is one sided.
 

mojeda

New Member
because hosts need to investigate.

spamhaus act like judges and think everything is one sided.
Then maybe ColoCrossing needs to do a better job of dealing with customers abusing IPs, but then again I don't think they really care with as many IPs as they have...
 

DomainBop

Dormant VPSB Pathogen
The most important thing is when one or two IPs are involved in Spamhaus, it lists the whole subnet as spam sending and tries to put pressure on the IP owner to justify the reason for the spam, which is not possible in every situation.
If it's an IP owner like ColoCrossing that A. is spammer friendly and B. has invalid SWIP info (see below) on many of its IPs then Spamhaus should ban all of their IPs permanently.

SBL on a /27 received yesterday: http://www.spamhaus.org/sbl/query/SBL214228

SWIP info for that /27:

OrgName:        Warfront Cafe LLC
OrgId:          WCL-94
Address:        23 Walnut St
City:           Wilkes-Barre
StateProv:      PA
PostalCode:     18702
Country:        US
RegDate:        2012-12-10
Updated:        2012-12-10
Ref:            http://whois.arin.net/rest/org/WCL-94

All of these ColoCrossing IP ranges also have invalid SWIP info that incorrectly lists Warfront Cafe LLC as the contact, and Alex Vial has been aware for a few months that the contact info is incorrect since it was pointed out to him on the LET UGVPS/Crystal thread and he has stupidly chosen to do nothing about the incorrect info.

HaitiBrother

New Member
Well, SPAM is easy to send today, with all these "low end" vpses costing less than like $5 per month, it's just easy to use clean ips to spam.

Plus, spamhaus is more for publicity, personally I don't give a shit about spamhaus, if I want to send spam all it will cost me is $5 basically for a server somewhere, 5 minutes to upload files, 30 seconds to hit the send button to this 30M email list sitting here, spam isn't complex, it's just mass mail, but they put this SPAM label on it, trying to make it seem bad, but for example, if ColoCrossing did a mass email saying to their customers they were going to close (if only this was true), that would be considered spam also, yet it's for a legitimate reason.
 

DomainBop

Dormant VPSB Pathogen
spam isn't complex, it's just mass mail, but they put this SPAM label on it, trying to make it seem bad,
It is bad because if you're a business the loss of time and productivity from having to deal with incoming spam (plus the cost of any SPAM prevention measures you implement) adds up to some serious $$$ per year even for small businesses.

http://www.cudamail.com/spam-cost-calculator/default.aspx

if ColoCrossing did a mass email saying to their customers they were going to close (if only this was true), that would be considered spam
Emailing service change notices to customers isn't SPAM.
 

staticsafe

New Member
Well, SPAM is easy to send today, with all these "low end" vpses costing less than like $5 per month, it's just easy to use clean ips to spam.

Plus, spamhaus is more for publicity, personally I don't give a shit about spamhaus, if I want to send spam all it will cost me is $5 basically for a server somewhere, 5 minutes to upload files, 30 seconds to hit the send button to this 30M email list sitting here, spam isn't complex, it's just mass mail, but they put this SPAM label on it, trying to make it seem bad, but for example, if ColoCrossing did a mass email saying to their customers they were going to close (if only this was true), that would be considered spam also, yet it's for a legitimate reason.
An electronic message is "spam" if (A) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (B) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.
-- http://www.spamhaus.org/consumer/definition/

Bolded the key part of the definition. The spam apologists in here are amusing.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
because hosts need to investigate.

spamhaus act like judges and think everything is one sided.
Well, people aren't required to use Spamhaus, so maybe you should complain to the people who do. Publishing lists of IPs associated with possible spam operations is protected speech.
 

Francisco

Company Lube
Verified Provider
For what it's worth spamhaus doesn't just ban a huge range like that on a hunch.

They ban it because they either have an informant or because they have enough proof to justify it (be it actual spam or obvious RDNS patterns).

CC has a bad policy when it comes to spammers and SWIP entries. They're now getting punished with minimum /24 bans because they've constantly had large subnets listed for spam. RDNS scans show that the whole subnet was used for such.

I'm talking full, massive, /20's at a time all with the same RDNS pattern and zero SWIP/RWHOIS.

We've had minimal issues with spamhaus. Whenever we've had complaints they inform us, Aldryic unzips, and the problem is resolved (with delisting) within a matter of a couple hours. They've been very reasonable with us and I honestly have zero complaints about them.

Francisco
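
An added example, not part of the post above and not anything Spamhaus publishes: one way a host's abuse desk could check its own ranges for the two signals mentioned there, a single rDNS pattern across a subnet and no SWIP/RWHOIS reassignments. The function names, thresholds and sample records are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

def rdns_template(ptr):
    """Reduce a PTR name to its shape: every digit run becomes '#'."""
    return re.sub(r"\d+", "#", ptr.rstrip(".").lower())

def profile_range(cidr, ptr_records, reassignments, min_share=0.8, min_ptrs=16):
    """Summarise rDNS uniformity and SWIP coverage for one range.

    ptr_records: {ip: ptr_name}; reassignments: CIDRs that carry a
    SWIP/RWHOIS record. Thresholds are illustrative assumptions.
    """
    net = ipaddress.ip_network(cidr)
    inside = [name for ip, name in ptr_records.items()
              if ipaddress.ip_address(ip) in net]
    templates = Counter(rdns_template(n) for n in inside)
    top, count = templates.most_common(1)[0] if templates else (None, 0)
    share = count / len(inside) if inside else 0.0
    # Merge overlapping reassignments so addresses are not counted twice.
    documented = ipaddress.collapse_addresses(
        s for s in map(ipaddress.ip_network, reassignments) if s.subnet_of(net))
    swip_cov = sum(s.num_addresses for s in documented) / net.num_addresses
    return {
        "ptr_count": len(inside),
        "top_template": top,
        "top_share": round(share, 2),
        "swip_coverage": round(swip_cov, 2),
        # A triage flag for an abuse desk, not a verdict on the customer.
        "review": share >= min_share and len(inside) >= min_ptrs and swip_cov == 0,
    }

# Constructed sample data in documentation address space, not real scan output.
UNIFORM = {f"203.0.113.{i}": f"mta{i}.example.net" for i in range(1, 65)}
MIXED = {
    "198.51.100.10": "www.shop.example.org",
    "198.51.100.11": "mail.example.com",
    "198.51.100.77": "ns1.example.net",
    "198.51.100.130": "vps42.example.org",
}

if __name__ == "__main__":
    print(profile_range("203.0.113.0/24", UNIFORM, []))
    print(profile_range("198.51.100.0/24", MIXED,
                        ["198.51.100.0/25", "198.51.100.128/26"]))
```

Generic rDNS on an access network has the same shape, so the flag only queues a range for a human to look at.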
 

GVH-Jon

Banned
We're pushing for ColoCrossing to get this resolved ASAP .. it's affecting one of our customers as well and we aren't even spammer-friendly.
 