
LunaNode being booted from SingleHop

MannDude

Just a dude
vpsBoard Founder
Moderator
[Luna Node] Important notice regarding all services

SpamHaus Project Ltd., a company registered in London which maintains a spammer blacklist, has threatened our service provider, SingleHop LLC, that SpamHaus will blacklist all IP ranges assigned to SingleHop LLC unless our (Luna Node) services with SingleHop LLC are terminated. As such, SingleHop LLC has informed us that, unless this issue is resolved, they will be closing our account on December 31st, 2013. We have contacted SpamHaus Project Ltd., however they are now ignoring our communications and refusing to work with us. We are still in the process of discussing the issue with SpamHaus, but if this is unsuccessful, we will be migrating all services to BurstNET's Scranton, PA datacenter.

On December 4th, 2013, a spammer began registering multiple accounts on our billing system. We received reports of spam activity through SBL listings and other sources, and terminated each account found to be conducting spamming activities within a few hours after each report. By December 15th, 2013, we had found the linkage between the accounts and blocked the common IP subnet from which the orders originated. A few days later, we also adjusted our policies and began conducting manual screenings on all new clients to curb spamming activity on our network.

However, at the same time, due to the multiple blacklistings, SpamHaus apparently incorrectly came to the conclusion that we were providing the same spammer with an IP address each time we received a blacklist. As stated above, they began illegally blackmailing our service provider and pressuring SingleHop LLC to terminate our services. We immediately responded with clarification of the policy changes that we were implementing, including the manual screening of new customers (by validating residential IP address, physical address, phone number, and other provided data) and the considering of blocking outgoing connections to port 25 by default on newly provisioned virtual machines. Yet, after December 18, 2013 we have received no response from SpamHaus and they appear to be ignoring our emails; again, we are still attempting to communicate with them at this time. They have additionally started listing arbitrary ranges assigned to Luna Node, including our web server (which does not send any mail).

Due to the possibility that SpamHaus will continue to ignore our communications, we are sending this notification and also preparing a backup plan involving migration to new servers with Luna Node in Scranton. You have the following options:

* Continue with the migration to our servers in Scranton, PA. This will involve a change of IP address assignment.
* Pro rata refund for active services

The first option will be taken as default. If you would like a refund, please open a ticket from the client area.

We have researched this antispam group and have found that they have similarly affected other businesses, and that their actions are in fact illegal by both EU and US laws. For more information, see the links below:

* http://www.quackpotwatch.org/opinionpieces/spamhausspewsaffidavit.htm
* http://www.techweekeurope.co.uk/news/dutch-isp-hits-spamhaus-with-police-complaints-42302
* http://www.a2b-internet.com/spamhaus/

We have thus notified the appropriate agencies, including the United States Federal Trade Commission and the Federal Bureau of Investigation, by filing a complaint through the Internet Crime Complaint Center (ic3.gov).

If you have any questions, please open a support ticket. We apologize for the impact to your services; we have spent considerable effort so far to no avail to deal with SpamHaus' illegal actions, both by attempting to cooperate with them and informing law enforcement agencies.

Best,
Jason Lee
Luna Node

That's too bad. I like SingleHop and it's nice having a solid Chicago alternative to the rest.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Then again I think they were doing like 14 IP VPSes for $7/mo~... so I guess it's not a big surprise they may have attracted some not-so-good clients. Too bad.
 

lunanode

New Member
Verified Provider
We are migrating our clients who choose to remain with us to the BurstNET PA Scranton facility, where we will own our own hardware and be able to service our own equipment as opposed to leasing from SingleHop.

We have been a client of SingleHop for three years and never had a problem with spam until we started offering low-end VPS products, and although we complied with the abuse reports and immediately suspended the clients who allegedly have been sending bulk unsolicited emails, we are still being forced to have our account terminated.

Having done the research on SpamHaus, in theory I agree with what they are trying to do, but their practice of illegally blackmailing ISP to terminate client's accounts, when the client is also a service provider is simply unacceptable. Especially when we have done our part to the best of our abilities by manually screening new accounts and considering blocking of all outgoing traffic on port 25 by default. Too bad at this point in time there is not any legal measure that can be taken to prevent this from happening.

With all that said, we see this as an opportunity and experiences like these will continue to add to our experience and help us to assist our clients better in the future.
 

drmike

100% Tier-1 Gogent
What 14 IPs in a package?  Why would anyone....

Lunanode is a member here... Hoping they say something.  Cause the letter calling SpamHaus illegal and all that jazz, wow, yeah, wrong bubba.  That might fly with newbie users.  Rest of us know SpamHaus has issues but illegal, ahh no. 

Burst is certainly a downgrade.
 

perennate

New Member
Verified Provider
Then again I think they were doing like 14 IP VPSes for $7/mo~... so I guess it's not a big surprise they may have attracted some not-so-good clients. Too bad.
The additional IP addresses are in a /29 or /28 block, which I think isn't useful for spammers anyway. Almost all of the abuse came from clients with /30 (one useable IP) and /29 blocks. We already dealt with the issues and have instituted manual screening of new customers; yet SpamHaus is refusing to acknowledge any of our communications, despite us reiterating that we are willing to work with them.
 

perennate

New Member
Verified Provider
Lunanode is a member here... Hoping they say something.  Cause the letter calling SpamHaus illegal and all that jazz, wow, yeah, wrong bubba.  That might fly with newbie users.  Rest of us know SpamHaus has issues but illegal, ahh no.
See http://www.quackpotwatch.org/opinionpieces/spamhausspewsaffidavit.htm for an explanation of which laws SpamHaus has repeatedly violated. Also note that E360 won a lawsuit against SpamHaus in 2011, although the legal fees ended up being more than the penalty SpamHaus was forced to pay. SpamHaus mostly targets small companies like us, and we don't have the money to pay for a lawsuit.

Edit: corrected A2B Internet -> E360. See http://en.wikipedia.org/wiki/The_Spamhaus_Project#e360_Lawsuit

The penalty was dropped from $11 million, to $27,000, and then to $3 on appeal.

Edit2: also I'd think it'd be the newbie users who don't understand the shady things SpamHaus does.

Edit3: and the reason the penalty was dropped was not because they didn't think SpamHaus did illegal things, but because E360 couldn't demonstrate that they had actually suffered as much of a loss to their revenue as what they claimed.
 

drmike

100% Tier-1 Gogent
"blackmailing ISP to terminate client's accounts, when the client is also a service provider is simply unacceptable"

How do they do that?  Threaten to list larger IP blocks / all of the provider's ranges?  Sounds effective to me :)  Don't want companies playing whack-a-mole with the migrating spammers.

When stuff like this happens I think of other plagued networks with spam. CC anyone?   They all seem to survive and inevitably accounts are shuttered and some folks shown the door... or their new IP ranges.

Sad that providers don't have better integration with their upstream.  Applies to SPAM issues as well as the often used DDoS issue.
 

perennate

New Member
Verified Provider
Sad that providers don't have better integration with their upstream.  Applies to SPAM issues as well as the often used DDoS issue.
We communicated with SingleHop and with SpamHaus, but SpamHaus refused to delist the IP ranges despite our resolution of all issues and institution of manual screening of new customer data.

How many clients caused this issue?
Primarily a single client who registered eight accounts from different IP addresses. We terminated all of the accounts and blocked the common subnet, as stated in the email.

Were you able to identify the clients?  Were their accounts and payments valid?
The client was identified and we have not had further issues after blocking his subnet and disabling automatic provisioning for new clients. The names, addresses, and other information were most likely faked, although appeared legitimate. There is no indication that the payments were not "valid".

How do they do that?  Threaten to list larger IP blocks / all of the provider's ranges?  Sounds effective to me :)  Don't want companies playing whack-a-mole with the migrating spammers.
We already curbed abuse with manual screening. We contacted SpamHaus and informed them we would also be willing to make further adjustments if they found the other policy changes insufficient. They are ignoring all of our communications.
 

jarland

The ocean is digital
The spammer must have really been successful for it to come to this. Heavy handed as SpamHaus may be, they would be working toward their own irrelevance if a little spam caused them to start blacklisting such large subnets every day. After a while they would just be a list of subnets that, if subscribed to, would cripple the internet entirely. So I hope LunaNode has learned a lesson about policing outbound e-mail, as a provider you just have to monitor for high traffic of certain types and you have to open a dialogue, followed by port blocks if they don't respond soon, and eventual termination if they don't respond at all. Privacy and all that jazz is nice, but no one wants the kind of privacy that comes as "Your e-mails will be so private that they won't even reach anyone's inbox."

Best of luck to the guys.
 

perennate

New Member
Verified Provider
We have suspended all virtual machines where reports were received about spam within a few hours after receiving the report.
 

drmike

100% Tier-1 Gogent
Oy vey!

You lads are getting spanked by one user's actions.  This is very unfortunate.

I agree with @jarland, sounds like a good heavy load of spam was involved here.

I ask about the subscribers because when/if stuff like this happens, there should be a provider database for these users and to shame / block their future attempts.

Would be nice to see the garbage they were sending out.
 

perennate

New Member
Verified Provider
Spam can go on for weeks before reports. Monitor port 25 and open a ticket at x number of simultaneous connections. It's worth it.
We'll try to work on that as an alternative to blocking outgoing traffic to port 25 by default. However SpamHaus doesn't seem to care either way, it's easier for them to just shut down small companies.

Either way, the same situation won't happen again with the disabled automatic provisioning for new clients.
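
An added example (not part of the thread or any poster's code): one way to implement the port-25 monitoring suggested above, counting live outbound SMTP connections per VM from lines in the text layout of `conntrack -L`. The sample entries, addresses and the `max_conns` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Original-direction tuple of a TCP entry as printed by `conntrack -L`.
ENTRY = re.compile(
    r"^tcp\s+6\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=\d+\s+dport=(?P<dport>\d+)"
)
LIVE_STATES = {"SYN_SENT", "ESTABLISHED"}  # closing states are not "simultaneous"

def flag_sources(lines, max_conns=5, port=25):
    """Return [(src_ip, live_conns, distinct_dests)] for sources above max_conns."""
    conns = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or m["state"] not in LIVE_STATES or int(m["dport"]) != port:
            continue
        conns[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    hits = [(s, n, len(dests[s])) for s, n in conns.items() if n > max_conns]
    # Busiest source first, ties broken by address for stable output.
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def _entry(state, src, dst, sport, dport):
    # Builds one constructed line in conntrack's text layout.
    return (f"tcp      6 300 {state} src={src} dst={dst} sport={sport} dport={dport} "
            f"src={dst} dst={src} sport={dport} dport={sport} [ASSURED] mark=0 use=1")

# Constructed sample (documentation address ranges only):
#   192.0.2.10  eight live SMTP sessions to eight different hosts
#   192.0.2.20  two live SMTP sessions plus ten in TIME_WAIT (not counted)
#   192.0.2.30  eleven HTTPS sessions (wrong port, not counted)
SAMPLE = (
    [_entry("ESTABLISHED", "192.0.2.10", f"198.51.100.{i}", 40000 + i, 25)
     for i in range(1, 9)]
    + [_entry("ESTABLISHED", "192.0.2.20", "203.0.113.5", 41000, 25),
       _entry("SYN_SENT", "192.0.2.20", "203.0.113.6", 41001, 25)]
    + [_entry("TIME_WAIT", "192.0.2.20", f"203.0.113.{i}", 42000 + i, 25)
       for i in range(10, 20)]
    + [_entry("ESTABLISHED", "192.0.2.30", f"198.51.100.{i}", 43000 + i, 443)
       for i in range(1, 12)]
)

if __name__ == "__main__":
    for src, n, d in flag_sources(SAMPLE):
        print(f"open ticket: {src} has {n} live SMTP connections to {d} hosts")
```

Counting distinct destinations alongside the connection total helps separate a VM relaying to one smarthost from one fanning out to many mail exchangers.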
 

DomainBop

Dormant VPSB Pathogen
Are you positive that moving to BurstNet will solve your problems with Spamhaus?  If you don't convince them that you're innocent they'll probably blacklist any IP you move to since they've labeled you a "spam hosters / operation".

SBL207665 184.154.99.0/27 singlehop.com 15-Dec-2013 07:21 GMT lunanode.com spam hosters / operation  

SBL207663 173.236.82.176/28 singlehop.com 15-Dec-2013 07:09 GMT LunaNode sapm block  

SBL207344 108.163.229.224/28 singlehop.com 12-Dec-2013 05:07 GMT LunaNode spa block  

SBL206962 69.175.68.128/28 singlehop.com 08-Dec-2013 22:43 GMT LunaNode spam block  

SBL206907 173.236.14.32/28 singlehop.com 08-Dec-2013 19:25 GMT LunaNode spam block  

SBL206845 173.236.15.240/28 singlehop.com 08-Dec-2013 06:50 GMT LunaNode spam block  
 

perennate

New Member
Verified Provider
The five records are related to the customer who registered multiple accounts. The first record is our web server, which doesn't send any email (we have a dedicated mail server outside of SingleHop LLC's network). We're not positive of anything since SpamHaus Project Ltd. is ignoring our communications, but presumably they won't blacklist our IP address blocks with BurstNET if no spam is sent.
 

lunanode

New Member
Verified Provider
Not certain, but that is a possibility that what you mentioned could happen. I discussed this with perennate, and if it does come to that, despite the preventative measures that we will take, as well as continuing to try to establish communication with SpamHaus, we might just need to go with a new name : /
 