[Dshield] New spammer tactic...

Jon R. Kibler Jon.Kibler at aset.com
Fri Mar 14 00:17:17 GMT 2003


Thanks for the heads-up. 

However, you have to be VERY careful when you read some of these "who's blacklisted" pages. If you will check the actual information in each of the links below, you will see that our IPs are NOT really in ANY list.

We VERY closely monitor ALL mail activity, and we would know within minutes if our mail system was the object of abuse or if any of our customers were using it to spam. I assure you that all our systems are very secure.

The problem is that some of the DNSBLs will give a high level hit on ANY IP -- simply based upon the ISP that owns the netblock's having any customer that is a well-known spammer.

See comments about each link below.

Again, thanks for the feedback.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA


Chateauneuf wrote:
> 
> At 04:29 PM 3/13/2003 -0500, Jon R. Kibler authored the following:
> >Greetings:
> You might want to start contacting:
> 
> (127.0.0.7) 207.2.232.139 is DNSbl listed. by
> blackholes.five-ten-sg.com <http://www.five-ten-sg.com/blackhole.php?ip=207.2.232.139>

"IP address 207.2.232.139 is listed here as cw.net spam-support. Please note that the following comments apply to cw.net since 207.2.232.139 seems to be owned or controlled by them." The site goes on to list several CW netblocks associated with spammers, one of which is 207.0.0.0/14, the top-level CW netblock this IP belongs to. In other words, because CW owns the netblock, and this site considers CW to be "bad", all CW customers give hits on this site.

These sites are the ones listed here:
> added 2002-09-28; spam support - transit for AS15331 which is
> 64.57.192.0/19 jtel
> added 2002-09-08; spam support - transit for AS10721 which is 64.251.0.0/19
> infolink
> added 2003-03-08; spam support - transit for AS11938 which is
> wholesalebandwidth.com
> added 2002-11-05; spam support - transit for AS13488 which is
> 216.242.0.0/16 ciberlynx
> added 2002-09-28; spam support - hosting
> http://www.handbagmonster.com on 63.137.154.149
The above link is to a spammer's site.

> added 2002-06-14; spam support - hosting imatcher.org - see
> http://spews.org/html/S355.html
The above link is for spews' blocklist for imatcher.org -- a VERY bad spammer.

> added 2002-06-07; spam support - dns server at 209.27.198.228 supporting
> stop.direct2you.bz - see
> http://www.spews.org/html/S685.html
The above link is for spews' blocklist for direct2you.biz -- another well-known spammer.

> added 2002-12-14; spam support - hosting
> http://www.dhghost.net on 64.70.23.243
The above link is to a spammer's site.

Again, none of this directly has anything to do with our IPs.

By the way, you can "manually" check any DNSBL by reversing the IP address and adding it as a prefix to the DNSBL name.

For example:
   To check 207.2.232.139 on ORDB, you would:
	nslookup 139.232.2.207.relays.ordb.org

Hope this was informative!

Jon Kibler
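
The manual check described in the message above, written out as an added example (not part of the original post): it builds the reversed query name and classifies the answer, using the usual DNSBL convention that an A record in 127.0.0.0/8 means "listed" and a nonexistent name means "not listed". The function names, the injectable `resolve` parameter and the sample answers in the demo are assumptions made for illustration; the sketch also extends the IPv4 case in the message to IPv6 nibble-format names.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Reverse the address and prepend it to the DNSBL zone name."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 lists use one label per hex nibble, in reverse order.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A record as a string, or None if the lookup fails.

    A resolver error is indistinguishable from NXDOMAIN here, so a
    production check should retry before trusting a None result.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (status, return_code) for one address on one list."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return ("not listed", None)
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        # The last octet is list-specific; read the list's own policy page
        # to learn whether it means the IP itself or its whole netblock.
        return ("listed", answer)
    # A non-loopback answer is not a DNSBL reply (wildcard or parked zone).
    return ("invalid answer", answer)


if __name__ == "__main__":
    # Constructed answers stand in for live DNS so the demo runs offline.
    for fake in ("127.0.0.7", None, "203.0.113.10"):
        print(dnsbl_query_name("207.2.232.139", "relays.ordb.org"),
              check_dnsbl("207.2.232.139", "relays.ordb.org",
                          resolve=lambda name, a=fake: a))
```
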
