What does a spam network look like? How do I tell if a host is a spam operation?
Often a spam network will have a front that looks to be something legitimate. Not always, but often. I've found a great example of how spam networks can be hiding in plain sight, and wanted to share: https://xsserver.eu/
What you see here, XSServer GmbH, is in fact a completely spam network. Don't be fooled into thinking this is just a host with a spam problem. Were that true, there might be some good traffic coming from the network.
Take a look at some of these:
https://bgp.he.net/net/85.209.121.0/24#_dns
https://bgp.he.net/net/185.225.24.0/24#_dns
https://bgp.he.net/net/185.240.226.0/24#_dns
https://bgp.he.net/net/45.142.182.0/24#_dns
Some of them look more questionable like this one:
https://bgp.he.net/net/195.62.32.0/24#_dns
But even that /24 is entirely spam, zero legitimate email going out of it.
When you're looking at a network to see if it's somewhere you might want to host, the DNS tabs at bgp.he.net are very revealing. Look for huge lines of PTR records with "mail" or "mta" in the subdomain, and look for a lot of newer/cheap TLDs like .xyz, .online, and .casa.
The next time you're looking at a new hosting provider, keep this in mind. Be sure to not accidentally support a spam operation.
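As an added, defender-side example that is not part of the original post: a small Python script applying the PTR heuristics described above (a /24 full of "mail"/"mta" hostnames and cheap TLDs) to a reverse-DNS dump. It uses a constructed sample for TEST-NET 192.0.2.0/24 rather than any real range; the extra label patterns, extra TLDs and the 50% threshold are assumptions, not anything the post states.

```python
import re
from collections import Counter
from ipaddress import IPv4Network

# Label patterns and TLDs the post calls out ("mail", "mta", .xyz, .online, .casa);
# the remaining entries and the threshold are assumptions for this example.
MAIL_LABEL = re.compile(r"^(mail|mta|mx|smtp)\d*$")
CHEAP_TLDS = {"xyz", "online", "casa", "site", "top"}
FLAG_SHARE = 0.5  # assumed: more than half the block matching is a red flag


def assess_ptrs(ptrs):
    """Summarise a netblock's PTR records. ptrs maps IP string -> PTR hostname."""
    total = len(ptrs)
    mail_hosts = cheap_tld_hosts = 0
    domains = Counter()
    for name in ptrs.values():
        labels = name.rstrip(".").lower().split(".")
        if len(labels) < 2:  # bare or empty name: nothing to classify
            continue
        if MAIL_LABEL.match(labels[0]):
            mail_hosts += 1
        if labels[-1] in CHEAP_TLDS:
            cheap_tld_hosts += 1
        domains[".".join(labels[-2:])] += 1

    def share(n):
        return n / total if total else 0.0

    return {
        "total": total,
        "mail_hosts": mail_hosts,
        "cheap_tld_hosts": cheap_tld_hosts,
        "distinct_domains": len(domains),
        "flagged": share(mail_hosts) > FLAG_SHARE or share(cheap_tld_hosts) > FLAG_SHARE,
    }


def constructed_sample():
    """Constructed PTR set for TEST-NET 192.0.2.0/24 (not real data): 200 'mta*.xyz'
    names, 30 'mail*.online' names and 24 ordinary customer VM names."""
    ptrs = {}
    for i, ip in enumerate(IPv4Network("192.0.2.0/24").hosts()):  # 254 hosts
        if i < 200:
            ptrs[str(ip)] = f"mta{i}.example-offers{i % 40}.xyz"
        elif i < 230:
            ptrs[str(ip)] = f"mail{i}.example-deals{i % 10}.online"
        else:
            ptrs[str(ip)] = f"vm{i}.customer.example-hosting.net"
    return ptrs


if __name__ == "__main__":
    for key, value in assess_ptrs(constructed_sample()).items():
        print(f"{key}: {value}")
```

To use it on a real block, feed `assess_ptrs` a dict built from the PTR names shown on the bgp.he.net DNS tab (or from your own reverse lookups).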
Comments
It would be easier if you had one thread with companies that @jar thinks suck today
Give a man a fish and you feed him for a day. Teach him how to catch a fish and he'll be fed for life.
Isn't it that spam operators are aware of what they are doing and adapting to the blockades? Xss seems a very passive provider which doesn't care about such problems. Their subnets are almost all blacklisted to death.
Spam operators would change IPs frequently and are usually involved in some BGP hijacking.
After I listed their ranges they announced another and the spam started right away. They're a spam operation. At best facilitating and ignoring, which is equivalent in every way that matters.
No doubt. I would say that they are an illegal streaming service operator more than spammers. But hey, why not both.
https://krebsonsecurity.com/wp-content/uploads/2016/08/Spamhaus-2013-DDoS-chat-log1.txt
He's definitely got the connections, but seems to have the self-awareness about legal consequences. I'd have thought he might have pivoted into something else not spam-related after what went down in 2013, but rDNS says otherwise.
He is marceledler in the log, referenced at the very start only.
Make a man a fire, he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
Marcel Edler. Interesting. He is related to that datacenter in Eygelshoven that @GameTownProjects use. I think he stopped doing spam quite some time ago and invested the money in cryptomining.
"We were treated like royalty. I was amazed at the quality of MXroute Spam Plan. MXroute Spam Plan has got everything I need. It's incredible." - Wojciech.
"I will refer everyone I know. Needless to say we are extremely satisfied with the results. MXroute Spam Plan is worth much more than I paid. MXroute Spam Plan saved my business." - Maia S.
"Needless to say we are extremely satisfied with the results. Not able to tell you how happy I am with MXroute Spam Plan. Since I invested in MXroute Spam Plan I made over 100,000 dollars profits." - Fredelia A.
Black Friday ruined!
I completely believed these were legitimate testimonials until I came to the name "Fredelia".
Fredo's sister? perhaps?
Damn @cociu gets in every thread.
Quoted for truth