What does a spam network look like? How do I tell if a host is a spam operation?

jar Provider

Often a spam network will have a front that looks to be something legitimate. Not always, but often. I've found a great example of how spam networks can be hiding in plain sight, and wanted to share: https://xsserver.eu/

What you see here, XSServer GmbH, is in fact a completely spam network. Don't be fooled into thinking this is just a host with a spam problem. Were that true, there might be some good traffic coming from the network.

Take a look at some of these:

https://bgp.he.net/net/85.209.121.0/24#_dns
https://bgp.he.net/net/185.225.24.0/24#_dns
https://bgp.he.net/net/185.240.226.0/24#_dns
https://bgp.he.net/net/45.142.182.0/24#_dns

Some of them look more questionable like this one:

https://bgp.he.net/net/195.62.32.0/24#_dns

But even that /24 is entirely spam, zero legitimate email going out of it.

When you're looking at a network to see if it's somewhere you might want to host, the DNS tabs at bgp.he.net are very revealing. Look for huge lines of PTR records with "mail" or "mta" in the subdomain, and look for a lot of newer/cheap TLDs like .xyz, .online, and .casa.

The next time you're looking at a new hosting provider, keep this in mind. Be sure to not accidentally support a spam operation.
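
The check described in the post above (PTR records with "mail" or "mta" in the subdomain, plus many newer/cheap TLDs), as an added example that is not part of the original post. The input format (one `IP hostname` pair per line, as copied from a reverse-DNS listing), the `min_records` and `threshold` cut-offs, and the sample hostnames are assumptions constructed for illustration.

```python
import re
from collections import Counter

CHEAP_TLDS = {"xyz", "online", "casa"}   # the TLDs named in the post
MAIL_LABEL = re.compile(r"mail|mta")     # the substrings named in the post

def parse_ptr(text):
    """Return [(ip, hostname)] from 'IP hostname' lines; malformed lines are skipped."""
    rows = (line.split() for line in text.splitlines())
    return [(r[0], r[1].rstrip(".").lower()) for r in rows if len(r) == 2]

def score_prefix(text, min_records=8, threshold=0.6):
    """Score one prefix's PTR listing; min_records/threshold are assumed cut-offs."""
    records = parse_ptr(text)
    n = len(records)
    mail = cheap = 0
    domains = Counter()
    for _ip, host in records:
        labels = host.split(".")
        # Naive split: last two labels = registered domain, the rest = subdomain.
        if any(MAIL_LABEL.search(label) for label in labels[:-2]):
            mail += 1
        if labels[-1] in CHEAP_TLDS:
            cheap += 1
        domains[".".join(labels[-2:])] += 1
    mail_ratio = mail / n if n else 0.0
    cheap_ratio = cheap / n if n else 0.0
    return {
        "records": n,
        "mail_ratio": round(mail_ratio, 2),
        "cheap_tld_ratio": round(cheap_ratio, 2),
        "distinct_domains": len(domains),
        # A thin sample says nothing either way, so it is never flagged.
        "suspicious": n >= min_records and mail_ratio >= threshold
                      and cheap_ratio >= threshold,
    }

# Constructed samples: documentation IP ranges and made-up hostnames.
SPAMMY = "\n".join(
    f"192.0.2.{i} {p}{i}.constructed-offer-{i % 4}.{t}"
    for i, (p, t) in enumerate(
        [("mta", "xyz"), ("mail", "online"), ("mta", "casa")] * 4, 1))
MIXED = "\n".join(f"198.51.100.{i} {h}" for i, h in enumerate(
    ["www.example.com", "mail.example.org", "vps3.example.net", "ns1.example.com",
     "static-5.example.net", "db.example.org", "mta1.constructed-shop.xyz",
     "gw.example.com"], 1))

if __name__ == "__main__":
    for name, sample in (("spammy", SPAMMY), ("mixed", MIXED)):
        print(name, score_prefix(sample))
```

A single mail host or one cheap-TLD customer in an otherwise varied /24 stays below the cut-offs; the flag fires only when both signals dominate the listing.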

Comments

  • databoss Member

    It would be easier if you had one thread with companies that @jar thinks suck today

  • jar Provider

    @databoss said:
    It would be easier if you had one thread with companies that @jar thinks suck today

    Give a man a fish and you feed him for a day. Teach him how to catch a fish and he'll be fed for life.

    Thanked by 2: pike, JeDaYoshi
  • LTniger Member

    Isn't it that spam operators are aware of what they are doing and adapt to the blockades? Xss seems a very passive provider which doesn't care about such problems. Their subnets are almost all blacklisted to death.

    Spam operators would change IPs frequently and usually are involved in some BGP hijacking.

  • jar Provider
    edited July 15

    @LTniger said:
    Isn't it that spam operators are aware of what they are doing and adapt to the blockades? Xss seems a very passive provider which doesn't care about such problems. Their subnets are almost all blacklisted to death.

    Spam operators would change IPs frequently and usually are involved in some BGP hijacking.

    After I listed their ranges they announced another and the spam started right away. They're a spam operation. At best facilitating and ignoring, which is equivalent in every way that matters.

  • LTniger Member

    @jar said:

    @LTniger said:
    Isn't it that spam operators are aware of what they are doing and adapt to the blockades? Xss seems a very passive provider which doesn't care about such problems. Their subnets are almost all blacklisted to death.

    Spam operators would change IPs frequently and usually are involved in some BGP hijacking.

    After I listed their ranges they announced another and the spam started right away. They're a spam operation.

    No doubt. I would say that they are an illegal streaming service operator more than spammers. But hey, why not both :)

    Thanked by 1: jar
  • jackb Member, Provider
    edited July 15

    https://krebsonsecurity.com/wp-content/uploads/2016/08/Spamhaus-2013-DDoS-chat-log1.txt

    He's definitely got the connections, but seems to have the self-awareness about legal consequences. I'd have thought he might have pivoted into something else not spam-related after what went down in 2013, but rDNS says otherwise.

    He is marceledler in the log, referenced at the very start only.

    Thanked by 1: jar
  • raindog308 Administrator

    @jar said: Give a man a fish and you feed him for a day. Teach him how to catch a fish and he'll be fed for life.

    Make a man a fire, he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.

  • pike Member
    edited July 15

    Marcel Edler. Interesting. He is related to that datacenter in Eygelshoven that @GameTownProjects use. I think he stopped doing spam quite some time ago and invested the money in cryptomining.

    Thanked by 1: jar
  • yoursunny Member, IPv6 Advocate

    "We were treated like royalty. I was amazed at the quality of MXroute Spam Plan. MXroute Spam Plan has got everything I need. It's incredible." - Wojciech .

    "I will refer everyone I know. Needless to say we are extremely satisfied with the results. MXroute Spam Plan is worth much more than I paid. MXroute Spam Plan saved my business." - Maia S.

    "Needless to say we are extremely satisfied with the results. Not able to tell you how happy I am with MXroute Spam Plan. Since I invested in MXroute Spam Plan I made over 100,000 dollars profits." - Fredelia A.

    Thanked by 2: jar, chocolateshirt
  • jar Provider

    Black Friday ruined!

  • raindog308 Administrator

    @yoursunny said: "Needless to say we are extremely satisfied with the results. Not able to tell you how happy I am with MXroute Spam Plan. Since I invested in MXroute Spam Plan I made over 100,000 dollars profits." - Fredelia A.

    I completely believed these were legitimate testimonials until I came to the name "Fredelia".

  • databoss Member

    Fredo's sister? perhaps?

  • raindog308 Administrator

    @databoss said: Fredo's sister? perhaps?

    Damn @cociu gets in every thread.

    Thanked by 1: databoss
  • @jar said:
    At best facilitating and ignoring, which is equivalent in every way that matters.

    Quoted for truth
