WHO'S SPAMMING YOU? Top 60 Proxy-Hijacker-Friendly Nets 2003-08-06

Ronald F. Guilmette rfg at monkeys.com
Thu Aug 7 02:44:58 UTC 2003



What follows below is a volume-ranked list of the most prolific /24
IP address blocks with respect to open proxy hijacking activity over
the past 2 days.  These rankings are based on data collected by my
extensive open proxy honeypot network for the 48 hour period from
5 PM Pacific Daylight Time, August 4th, 2003 through 5 PM Pacific
Daylight Time August 6th, 2003.

Some brief commentary material follows the list.  If you or someone
you know owns or operates any of the networks listed below, please
contact me off-list so that we may arrange for the timely cremation
of the relevant criminal spammers and open proxy hijackers, and
the scattering of their ashes in some suitable garbage dump.  (Note
that mass open proxy hijacking of the kind being originated from
all of the /24 blocks listed below is quite clearly a criminal act
within these United States.  The criminals doing this stuff are
violating the federal Computer Fraud and Abuse Act in so many different
ways it isn't even funny.)

** NOTICE ** I will provide the specific IP addresses that are actually
engaged in the proxy hijacking activities within each of these blocks
upon request.  What I positively WILL NOT DO is to provide detailed
log files from my proxy honeypot machines to any party, PERIOD.  (DON'T
EVEN ASK unless you enjoy being verbally abused.)  Doing so would
only tend to give the spammers info that they could use to deduce the
locations of my honeypot machines, which they would then carefully
avoid.  I will provide date/time stamps to relevant network
administrators, but ONLY in cases involving clearly dynamic IP addresses.

 1. 38.112.197	cogentco.com - daicahosting.com/daica.com (Tampa, FL)
 2. 66.44.228	savanti.net (Tucson, AZ)
 3. 202.177.23	kdd.net.hk (Hong Kong)
 4. 66.205.223	cetnetworks.com - smartmailhosting.com (New Orleans, LA)
 5. 38.114.11	cogentco.com - tailoredservers.com (Frisco, TX)
 6. 66.44.231	savanti.net (Tucson, AZ)
 7. 209.50.253	servint.com (McLean, VA)
 8. 66.111.39	unitedcolo.com aka sagonet.com (San Francisco, CA)
 9. 38.114.3	cogentco.com - tailoredservers.com (Frisco, TX)
10. 66.250.125	cogentco.com - applicationx.net (Alpha, NJ)
11. 166.90.206	level3.com - ?Alan Ralsky? (Detroit area, MI)
12. 206.47.187	bell.ca - "Datatech Communications" (Windsor, ON, CA)
13. 38.112.199	cogentco.com - daicahosting.com/daica.com (Tampa, FL)
14. 38.118.143	cogentco.com - infinology.com (Goleta, CA)
15. 216.99.99	nutnbut.net (Hazelwood, MO)
16. 63.246.136	unitedcolo.com aka sagonet.com (San Francisco, CA)
17. 66.118.189	sagonet.com (Tampa, FL)
18. 64.5.51	theplanet.com (Dallas, TX)
19. 66.118.187	sagonet.com (Tampa, FL)
20. 69.33.1	megapath.net (Pleasanton, CA)
21. 62.219.50	bezeqint.net (Petach Tikva, Israel)
22. 146.82.135	gblx.net - archercomms.com (Minneapolis, MN)
23. 66.205.219	cetnetworks.com (Redwood City, CA)
24. 207.164.251	jet2.net (Windsor, ON, CA)
25. 63.246.135	unitedcolo.com aka sagonet.com (San Francisco, CA)
26. 216.81.218	lh.net (Des Moines, IA)
27. 66.118.142	sagonet.com - argobroadcast.com (Tampa, FL)
28. 64.180.125	telus.net - "Trinity Prof-Soho" (Vancouver, BC, CA)
29. 216.8.169	mnsi.net (Windsor, ON, CA)
30. 66.230.228	level3.com - city-guide.com/neucom.com/candidhosting.net (Tampa)
31. 64.228.134	bell.ca/sympatico.ca (Montreal, QB, CA)
32. 66.111.40	unitedcolo.com aka sagonet.com (San Francisco, CA)
33. 207.101.233	algx.net (Dallas, TX)
34. 216.54.223	twtelecom.net - ozline.net (Clearwater, FL)
35. 63.247.65	gnax.net/dv2.net - burtonhosting.com (North Yorkshire, GB)
36. 66.135.15	broadbandip.net (Baton Rouge, LA)
37. 67.8.179	cfl.rr.com (RR - Florida)
38. 38.117.14	cogentco.com - sagonet.com (Tampa, FL)
39. 64.23.55	affinity.com - skynetweb.com (Baltimore, MD)
40. 64.70.45	exodus.net - nrsoftware.com (Santa Monica, CA)
41. 64.159.76	level3.com - city-guide.com/neucom.com/candidhosting.net (Tampa)
42. 216.58.92	igs.net (Kanata, ON, CA)
43. 66.118.180	sagonet.com (Tampa, FL)
44. 63.246.131	unitedcolo.com aka sagonet.com (San Francisco, CA)
45. 69.0.240	dialtone.com/dialtoneinternet.net (Davie, FL)
46. 203.98.177	newworldtel.com (Hong Kong)
47. 203.98.164	newworldtel.com (Hong Kong)
48. 66.176.226	attbb.net (Chelmsford, MA)
49. 64.237.34	mfnx.net - netlabs.net - "AdultBouncer" (Hazlet, NJ)
50. 69.28.206	peer1.net (Vancouver, BC, CA)
51. 202.181.236	hkcix.com (Hong Kong)
52. 66.70.114	datapipe.com (Hoboken, NJ)
52. 216.128.72	band-x.com - sxpress.com (Hackensack, NJ)
53. 162.42.131	cybertrails.com - atjeu.com (Phoenix, AZ)
54. 216.67.251	pwebtech.com (Parsippany, NJ)
55. 207.180.3	ici.net (Tulsa, OK)
56. 216.232.165	telus.net - "Consumer ADSL" (New Westminster, BC, CA)
57. 66.36.98	burlee.com (Toronto, ON, CA)
58. 65.34.198	attbb.net (Chelmsford, MA)
59. 38.114.4	cogentco.com - 800hosting.com (Dallas, TX)
60. 62.205.161	corbina.net (Moscow, RU)


Before getting into the commentary, I should perhaps mention that all
of the above /24 blocks, as well as the companies that provide connectivity
to them are now subject to the new listing criteria for the Monkeys.Com
Unsecured Proxies List:

    http://www.monkeys.com/upl/listing-policy.html

(Please see criteria #2, which was just recently added.)

** COMMENTARY FOLLOWS **
** PERSONAL OPINIONS ONLY **
** USE AT YOUR OWN RISC **

Note:  I have already been posting `Top 40' lists of the worst and most
proxy-hijacker friendly networks to news.admin.net-abuse.email and SPAM-L
for about two weeks now.  Some of you may have seen those prior lists
and thus may be all too familiar with many of the networks listed above,
especially in the topmost few positions.  My comments about specific
networks follow:

cogentco.com:  What can I say?  The facts speak for themselves.  This is
now the #1 most criminal-friendly network on the Internet.  They have
been hosting the criminal open proxy hijackers that are attached to the
net via the following downstream customers for a long while now, and they
know exactly what's going on here, because I told them, several times.
I can only infer that they prefer to keep on accepting money from criminals:

	daicahosting.com/daica.com (previously throw off 2 other networks)
	tailoredservers.com (totally unreachable & bullet-proof)
	applicationx.net (caught red-handed with a web page full of proxies)
	infinology.com
	sagonet.com  (Has some blocks suspiciously SWIPed to Cogentco.)

Cogent's `tailoredservers.com' customer is THE perfect false front for
spamming activities.  No phone numbers on the web site.  False/disconnected
phone number in their WHOIS, and no need for them to ever take any call
from any disgruntled folks whose servers they (or their customers) have
hijacked.

Level3:  These people have been hosting a ``mystery'' major-league criminal
proxy hijacker in their 166.90.206/24 block for MONTHS, and if they don't
know that then it is only because they don't want to know.  (I've already
told them myself, several times.) And they were informed that this criminal
activity was going on from their network all the way back as far as March:

   http://news.spamcop.net/pipermail/spamcop-help/2003-March/028053.html

Note that the criminal in question is located someplace in the Detroit
area and has been rumored to most likely be none other than Alan Ralsky,
known mega-spammer who bragged in this article:

    http://www.freep.com/money/tech/mwend22_20021122.htm

that he's got 20 spam pumping machines in his basement going 24/7.  And
the evidence suggests that he does, and that they are all busy hijacking
other people's poorly secured proxies, all courtesy of the kind folks at
Level3.  Note: The SpamHaus Project describes Ralsky as a "convicted
fraudster" and has an extensive file on him:

    http://www.spamhaus.org/rokso/search.lasso?evidencefile=1290

Oh!  And lest I forget, Level3 also continues to provide bandwidth to
the criminal open proxy hijackers that are working out of the notorious
spam-friendly outfit called `CandidHosting'.

sagonet.com:  Sagonet.com and its west coast subsidiary, unitedcolo, seem
to have more criminal open proxy hijackers per square inch than any other
network or company on the net.  A few days ago, they had no fewer than
9 different /24s listed in my Top 60 list of open proxy hijacking origination
points.  I've seen some signs in the past 24 hours that they may
perhaps finally be getting their act together, but then again, maybe not.
Time will tell.  (I have been told that the owner is just plain greedy,
and that he does really understand why spam is bad.)

savanti.net:  Finally got kicked off sterlingnetwork.net within the past
24 hours.  Will be looking for a new home, I'm sure.  BE ON THE LOOKOUT
FOR THESE GUYS as they wander around, in search of new connectivity.
(This is at least the second strike for them, or so I'm told.  They
were kicked off another network before sterlingnetwork.net.)

kdd.net.hk:  Seems to be approaching the density of lead.  No response
whatsoever to hijacking reports.  The lights are on but nobody's home.
Does anybody know anybody who can explain to these people what proxy
hijacking is and why it's bad?

servint.com:  Sounds familiar.  These guys have been in trouble before,
haven't they?

nutnbut.net:  Could be renamed to Nothin' But /dev/null


P.S.  My special thanks to verio.net, rr.com, algx.net, and jet2.net, all
of whom seem to be able to kill these blasted proxy hijackers just about
as fast as I can report them.
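The post's ranking method (count honeypot hits inside a fixed 48-hour window, collapse each source to its /24, rank by volume) can be reproduced on any honeypot log. The script below is an added example and is not Guilmette's code; the log lines, the field layout and the function names are constructed for illustration, and the window is the post's 5 PM PDT Aug 4 to 5 PM PDT Aug 6 expressed in UTC.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample honeypot records (not from the post): "timestamp source_ip",
# one proxy-hijack attempt per line, timestamps in UTC.
SAMPLE_LOG = """\
2003-08-04T23:59:00Z 38.112.197.10
2003-08-05T01:10:00Z 38.112.197.10
2003-08-05T02:15:00Z 38.112.197.44
2003-08-05T09:00:00Z 66.44.228.7
2003-08-06T12:30:00Z 38.112.197.10
2003-08-06T13:00:00Z 202.177.23.9
2003-08-06T13:05:00Z 66.44.228.7
2003-08-07T00:00:00Z 66.44.228.7
"""

# 5 PM PDT (UTC-7) on Aug 4, 2003 is 00:00 UTC on Aug 5; the window runs 48 hours.
WINDOW_START = datetime(2003, 8, 5, 0, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=48)

def parse_line(line):
    """Split one record into an aware UTC timestamp and an IP address object."""
    ts_text, ip_text = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ipaddress.ip_address(ip_text)

def rank_slash24(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return [(prefix, hits, distinct_sources)] for hits in [start, end), busiest /24 first."""
    hits = Counter()
    sources = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip = parse_line(line)
        if not (start <= ts < end):          # drop records outside the window
            continue
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        hits[block] += 1
        sources.setdefault(block, set()).add(ip)   # kept for per-request disclosure
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], int(kv[0].network_address)))
    return [(str(block.network_address).rsplit(".", 1)[0], count, len(sources[block]))
            for block, count in ranked]

def format_report(ranked):
    """Render the ranking in the same 'N. a.b.c' layout the post uses."""
    return [f"{i:2d}. {prefix}" for i, (prefix, _, _) in enumerate(ranked, 1)]
```

The first and last sample records fall outside the half-open window and are excluded, which is why 38.112.197 scores 3 rather than 4; the distinct-source count is what lets an operator hand a network admin the specific addresses without releasing the raw log.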
