Spamhaus Delisting

13

Comments

  • Alyx Member, Host Rep

    Worth noting, Spamhaus is not only looking at IPs that are the source of sent emails.
    If spam is sent from different sources, but references you regularly (hosting phishing sites, C2 stuff, and so on) this counts as well.

    Thanked by 2sillycat Murv
  • sillycat Member

    The Spamhaus listing seems to mostly be related to you hosting snowcore.io, an imo bulletproof hosting company.

    2 of your LIR clients, AS199639 (Matej Vallo) and AS199428 (Alvaro Navas) both have abuse contacts ending in *@abusemanagement.xyz. Both are personal ASNs that somehow only have a /24 and a /44, not very typical of hobby ASNs.

    You're also listed as mnt- on their IPs, so I'm guessing you at least know about them. Based on the upstreams, I'm also assuming they're your dedicated servers customer in AMS. So clearly not just a one off VPS client that did something shady without you knowing.

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    The FDNS records also say plentiful. All of this on IPs you're listed on, and on ASNs you're listed on, and on your dedis.

    https://bgp.tools/prefix/87.121.79.0/24#dns
    https://bgp.tools/prefix/194.48.251.0/24#dns

    I'm starting to see where Spamhaus is coming from...

    Also, the /24 currently announced by Alvaro Navas was once announced by AS213725 (03AI LTD - now on Spamhaus ASN drop list, probably why they moved to new ASN), and by AS216078 before that, your upstream in AMS.

    I don't know what weird shady German Telegram chat you've gotten yourself in, but this isn't looking too good.

  • rpqu Member

    @sillycat said:
    The Spamhaus listing seems to mostly be related to you hosting snowcore.io, an imo bulletproof hosting company.

    2 of your LIR clients, AS199639 (Matej Vallo) and AS199428 (Alvaro Navas) both have abuse contacts ending in *@abusemanagement.xyz. Both are personal ASNs that somehow only have a /24 and a /44, not very typical of hobby ASNs.

    You're also listed as mnt- on their IPs, so I'm guessing you at least know about them. Based on the upstreams, I'm also assuming they're your dedicated servers customer in AMS. So clearly not just a one off VPS client that did something shady without you knowing.

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    The FDNS records also say plentiful. All of this on IPs you're listed on, and on ASNs you're listed on, and on your dedis.

    https://bgp.tools/prefix/87.121.79.0/24#dns
    https://bgp.tools/prefix/194.48.251.0/24#dns

    I'm starting to see where Spamhaus is coming from...

    Also, the /24 currently announced by Alvaro Navas was once announced by AS213725 (03AI LTD - now on Spamhaus ASN drop list, probably why they moved to new ASN), and by AS216078 before that, your upstream in AMS.

    I don't know what weird shady German Telegram chat you've gotten yourself in, but this isn't looking too good.

    Thank you sillycat detective agency

  • Levi Member

    Fully infested ASN and he still has the audacity to whine…

  • aluy Member, Patron Provider

    @sillycat said:
    The Spamhaus listing seems to mostly be related to you hosting snowcore.io, an imo bulletproof hosting company.

    2 of your LIR clients, AS199639 (Matej Vallo) and AS199428 (Alvaro Navas) both have abuse contacts ending in *@abusemanagement.xyz. Both are personal ASNs that somehow only have a /24 and a /44, not very typical of hobby ASNs.

    You're also listed as mnt- on their IPs, so I'm guessing you at least know about them. Based on the upstreams, I'm also assuming they're your dedicated servers customer in AMS. So clearly not just a one off VPS client that did something shady without you knowing.

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    The FDNS records also say plentiful. All of this on IPs you're listed on, and on ASNs you're listed on, and on your dedis.

    https://bgp.tools/prefix/87.121.79.0/24#dns
    https://bgp.tools/prefix/194.48.251.0/24#dns

    I'm starting to see where Spamhaus is coming from...

    Also, the /24 currently announced by Alvaro Navas was once announced by AS213725 (03AI LTD - now on Spamhaus ASN drop list, probably why they moved to new ASN), and by AS216078 before that, your upstream in AMS.

    I don't know what weird shady German Telegram chat you've gotten yourself in, but this isn't looking too good.

    they are both ID verified but ill have a look. the IP spaces were purchased by liam who rents them out and if ripe details dont work then they would send me an email. snowcore i am aware. i dont see them as a bulletproof host but if they are ill tell liam. he downstreams them not me. the mnt is set bc liam shares the lir with me. he is invited.

    ill stop sponsoring the two asns tho and will contact liam to stop.

    if that is a reason i will stop any business with them. the ids were verified by ripe but you never know.

    i understand the accusations and new asns will now have a double kyc by me (via veriff) AND ripe (via idenfy). this should stop ANYONE

  • @sillycat said:

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    I'm entertained by the claimed trust pilot profile that does classify them as web hosting company instead of something like telecommunications service provider 😄

  • Mynymbox Member, Host Rep
    edited June 18

    @aluy said:
    So a few months ago Spamhaus listed some subnets of mine and ive never had received an abuse report by them at that time. I only then realized that i had to actually check for IPs that get listed via their lists without any reports. So i quickly asked for all the IPs which i received and suspended. After my response they said issue was not resolved and that I was lying. I tried my best to cooperate and received no further IPs by them. They just said that I was lying and no further IPs were given. So I stopped trying for some time. I started blocking Mail Ports by default because I had no way anymore to check if the IPs got listed newly again since well they were all listed and I couldnt check if they were listed newly. At some point even AFTER i had enabled the blocking of all mail ports by default they then listed my whole ASN in ASNDrop. I tried to contact regarding this and got no response anymore. After a few months I now requested it again and received no response after a few days. They were quite fast with responses before.

    Now my question is: Has anyone experienced this before? And what can I even do now?

    I am at a loss, im trying to cooperate and get nothing in return anymore.

    We experienced nearly the same. We had an uncountable number of tickets open with Spamhaus.
    The thing is you really have to check EVERYTHING. Every domain you have registered for you or your customers, every IP etc. Spamhaus will not give you a single hint, they want you to do the work.
    There is also this site which you should check:

    https://www.spamhaus.org/reputation-statistics/registrars/spam/

    Check every tab, if you are listed check why and monitor if it gets better. If you see improvement you could try to contact them again and tell them that you have the situation under control, they see it when they check the reputation-statistics etc.

    Thanked by 1aluy
  • swissguy Member

    Your network seems like a theme park of phishing and malware, the droplists is right where AS211507 belongs, good call on spamhaus' end, hopefully more will follow.

    Spamhaus probably stopped caring to reply to you because every time you suspend one customer, a few dozen more appear. At some point it's hard to keep pretending that you have legitimate clientele.

    And of course, that Max Verstappen crypto site sitting right on your IPs must be legit, right? By Max Verstappen himself, I'm sure. http://185.132.53.161/

  • layer7 Member, Host Rep, LIR

    Hi,

    putting your name into a search engine delivers results like:

    https://fraudguard.io/isp/julian-achter

    According to them, you have had a lot of fun in the past fraud wise.

    "Peak daily attacks from this ISP
    276"

    And if i can get this information with a simple search engine call and delivers this on 1. place then i assume spamhaus has access to much more information regarding this.

    Place 10 is by the way:

    https://fraudguard.io/asn/AS211507

    So you are mentioned by your private name and your ASN.


    From my humble perspective you have been active in this field of hosting this kind of stuff spamhaus tries to filter.

    And, based on what i read here in the thread i assume that spamhaus assumes that this is simply your business model.

    As consequence, they do now what they do.

    Changing the AS / Name / what ever to hide might help at first but will fastly fire back as your ASN and networks WILL be on special monitoring list. And things will just get worse.

    If you changed in the meanwhile your business model, then just keep this up and make sure spamhaus has no reason to believe that you follow your old business model.

    And at some point they will start to trust and give another chance.


    I had ~ 15 years ago also an encounter with them. Blocking a /18 and /19 network because they wanted to pressure me to disable some customer who was operating in a /24 network.

    Recently i leased a /24 network to a customer who turned out to be a problem. They listed the network. The customer ( german company ) handled the issue with them and they delisted it, just to list it again after 1 week or so. Obviously he also continued to do something they dont like.

    The end of the story: Customer gone. IP network listed for ~3-6 months or so ( didnt count it ) with spamhaus ( even i contacted them and told them the customer is gone ).

    ================

    Summary:

    If they catch you, make sure to solve the problem finally
    If you fail to solve it ( they dont care why ) then be prepared for some longer listing.

    -- And at least for our customer he was not listed with any public available website. Nor his ASN. Nor his Name.

    Good luck!

    Thanked by 3kait aluy RCVmedia
  • aluy Member, Patron Provider

    @swissguy said:
    Your network seems like a theme park of phishing and malware, the droplists is right where AS211507 belongs, good call on spamhaus' end, hopefully more will follow.

    Spamhaus probably stopped caring to reply to you because every time you suspend one customer, a few dozen more appear. At some point it's hard to keep pretending that you have legitimate clientele.

    And of course, that Max Verstappen crypto site sitting right on your IPs must be legit, right? By Max Verstappen himself, I'm sure. http://185.132.53.161/

    http://185.132.53.161/ no abuse report received at ALL, now suspended

    if you find more feel free to send an abuse report

  • aluy Member, Patron Provider

    @layer7 said:
    Hi,

    putting your name into a search engine delivers results like:

    https://fraudguard.io/isp/julian-achter

    According to them, you have had a lot of fun in the past fraud wise.

    "Peak daily attacks from this ISP
    276"

    And if i can get this information with a simple search engine call and delivers this on 1. place then i assume spamhaus has access to much more information regarding this.

    Place 10 is by the way:

    https://fraudguard.io/asn/AS211507

    So you are mentioned by your private name and your ASN.


    From my humble perspective you have been active in this field of hosting this kind of stuff spamhaus tries to filter.

    And, based on what i read here in the thread i assume that spamhaus assumes that this is simply your business model.

    As consequence, they do now what they do.

    Changing the AS / Name / what ever to hide might help at first but will fastly fire back as your ASN and networks WILL be on special monitoring list. And things will just get worse.

    If you changed in the meanwhile your business model, then just keep this up and make sure spamhaus has no reason to believe that you follow your old business model.

    And at some point they will start to trust and give another chance.


    I had ~ 15 years ago also an encounter with them. Blocking a /18 and /19 network because they wanted to pressure me to disable some customer who was operating in a /24 network.

    Recently i leased a /24 network to a customer who turned out to be a problem. They listed the network. The customer ( german company ) handled the issue with them and they delisted it, just to list it again after 1 week or so. Obviously he also continued to do something they dont like.

    The end of the story: Customer gone. IP network listed for ~3-6 months or so ( didnt count it ) with spamhaus ( even i contacted them and told them the customer is gone ).

    ================

    Summary:

    If they catch you, make sure to solve the problem finally
    If you fail to solve it ( they dont care why ) then be prepared for some longer listing.

    -- And at least for our customer he was not listed with any public available website. Nor his ASN. Nor his Name.

    Good luck!

    very good response but the site

    IP address Threat Last seen
    45.133.73.14 anonymous_tracker 2025-12-14

    doesnt seem very active? i think youre on an old page by them. site doesnt look like this anymore. example your most recent ip on the page "https://fraudguard.io/iplookup-v2?ip=45.133.73.14"

  • layer7 Member, Host Rep, LIR

    @aluy said:

    very good response but the site

    IP address Threat Last seen
    45.133.73.14 anonymous_tracker 2025-12-14

    doesnt seem very active? i think youre on an old page by them. site doesnt look like this anymore. example your most recent ip on the page "https://fraudguard.io/iplookup-v2?ip=45.133.73.14"

    Hi,

    i was not judging or do what ever and also mentioned that "you have had" <-- past
    according to this information.

    I just tried to show why spamhaus might not like you and call you liar or what ever.

    Anyway, the goal is now to prove to spamhaus if you changed your business model.

    So just try to avoid providing customers that will let your IPs / ASN / Name appear in public databases. Worst enough that there are historic entries.

    If you can manage to keep things clean ( or at least not found ) then they will delist you for sure. Its then just a matter of time. There is unfortunately no known safe shortcut.

    Thanked by 1totally_not_banned
  • aluy Member, Patron Provider

    @layer7 said:

    @aluy said:

    very good response but the site

    IP address Threat Last seen
    45.133.73.14 anonymous_tracker 2025-12-14

    doesnt seem very active? i think youre on an old page by them. site doesnt look like this anymore. example your most recent ip on the page "https://fraudguard.io/iplookup-v2?ip=45.133.73.14"

    Hi,

    i was not judging or do what ever and also mentioned that "you have had" <-- past
    according to this information.

    I just tried to show why spamhaus might not like you and call you liar or what ever.

    Anyway, the goal is now to prove to spamhaus if you changed your business model.

    So just try to avoid providing customers that will let your IPs / ASN / Name appear in public databases. Worst enough that there are historic entries.

    If you can manage to keep things clean ( or at least not found ) then they will delist you for sure. Its then just a matter of time. There is unfortunately no known safe shortcut.

    i see my apologies, ill make sure to only have stuff now that im 100% sure is legit. thanks. now going back to watching world cup

    abuse system is automatic for anyone who wants to report while i sleep after

    thread can legit be closed, i got my info lol

  • barbaros Member

    @aluy said:

    @layer7 said:

    @aluy said:

    very good response but the site

    IP address Threat Last seen
    45.133.73.14 anonymous_tracker 2025-12-14

    doesnt seem very active? i think youre on an old page by them. site doesnt look like this anymore. example your most recent ip on the page "https://fraudguard.io/iplookup-v2?ip=45.133.73.14"

    Hi,

    i was not judging or do what ever and also mentioned that "you have had" <-- past
    according to this information.

    I just tried to show why spamhaus might not like you and call you liar or what ever.

    Anyway, the goal is now to prove to spamhaus if you changed your business model.

    So just try to avoid providing customers that will let your IPs / ASN / Name appear in public databases. Worst enough that there are historic entries.

    If you can manage to keep things clean ( or at least not found ) then they will delist you for sure. Its then just a matter of time. There is unfortunately no known safe shortcut.

    i see my apologies, ill make sure to only have stuff now that im 100% sure is legit. thanks. now going back to watching world cup

    abuse system is automatic for anyone who wants to report while i sleep after

    thread can legit be closed, i got my info lol

    I would like to report abuse done by @emgh

    Thanked by 1emgh
  • edited June 18

    Well, "no abuse report received" is all fine and dandy but when someone is surprised to get drop listed by spamhaus while being tied to stuff like "binance-giveaway" or " 86374coinbase" it's all a little weird.

    Sure, there might be no reports but lets be real such domains basically have to be some sketchy garbage and while i'm certainly no big fan of preemptive enforcement having stuff like that around in a want-to-get-off-drop situation is very obviously counter productive.

    If you want to stay clean make sure this stuff disappears or if that's not possible make sure there's nothing linking it to you in any way. Employ some monitoring and put the non-intervention absolutism aside for a minute. Nobody outside of actual scammers is going to view you negatively for dropping obvious scams.

  • gremeyer Member
    edited June 18

    @sillycat said:
    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    This, in particular, is interesting because Novogara, another well-known bulletproof host, used similar wording on their site. It's possible that snowcore.io paraphrased it from Novogara.

  • edited June 18

    @gremeyer said:

    @rpqu said:

    @sillycat said:
    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    This, in particular, is interesting because Novogara, another well-known bulletproof host, used similar wording on their site. It's possible that snowcore.io paraphrased it from Novogara.

    Nice find! Seems those snowcore guys are quickly becoming more and more of a hot potato :D

  • gremeyer Member

    @aluy said:

    @sillycat said:
    The Spamhaus listing seems to mostly be related to you hosting snowcore.io, an imo bulletproof hosting company.

    2 of your LIR clients, AS199639 (Matej Vallo) and AS199428 (Alvaro Navas) both have abuse contacts ending in *@abusemanagement.xyz. Both are personal ASNs that somehow only have a /24 and a /44, not very typical of hobby ASNs.

    You're also listed as mnt- on their IPs, so I'm guessing you at least know about them. Based on the upstreams, I'm also assuming they're your dedicated servers customer in AMS. So clearly not just a one off VPS client that did something shady without you knowing.

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    The FDNS records also say plentiful. All of this on IPs you're listed on, and on ASNs you're listed on, and on your dedis.

    https://bgp.tools/prefix/87.121.79.0/24#dns
    https://bgp.tools/prefix/194.48.251.0/24#dns

    I'm starting to see where Spamhaus is coming from...

    Also, the /24 currently announced by Alvaro Navas was once announced by AS213725 (03AI LTD - now on Spamhaus ASN drop list, probably why they moved to new ASN), and by AS216078 before that, your upstream in AMS.

    I don't know what weird shady German Telegram chat you've gotten yourself in, but this isn't looking too good.

    the ids were verified by ripe but you never know.

    It's easy to create fake and believable IDs in the current AI era. ID is becoming unreliable for online verification.

  • aluy Member, Patron Provider

    @totally_not_banned said:
    Well, "no abuse report received" is all fine and dandy but when someone is surprised to get drop listed by spamhaus while being tied to stuff like "binance-giveaway" or " 86374coinbase" it's all a little weird.

    Sure, there might be no reports but lets be real such a domain basically has to be some sketchy garbage and while i'm certainly no big fan of preemptive enforcement having stuff like that around in a want-to-get-off-drop situation is very obviously counter productive.

    If you want to stay clean make sure this stuff disappears or if that's not possible make sure there's nothing linking it to you. Employ some monitoring and put the non-intervention absolutism aside for a minute. Nobody outside of actual scammers is going to view you negatively for dropping obvious scams.

    well im not sure how i would implement checking of this without having to pay a lot for the apis, i mean rdns is already checked frequently and these sites are usually not up for long and i do receive reports for them. phishing is usually very quick. if someone finds domains that for some reason are still active and linking per dns to me i will suspend. forward dns is just imo not as easy to check as rdns or fcrdns

  • aluy Member, Patron Provider

    @gremeyer said:

    @aluy said:

    @sillycat said:
    The Spamhaus listing seems to mostly be related to you hosting snowcore.io, an imo bulletproof hosting company.

    2 of your LIR clients, AS199639 (Matej Vallo) and AS199428 (Alvaro Navas) both have abuse contacts ending in *@abusemanagement.xyz. Both are personal ASNs that somehow only have a /24 and a /44, not very typical of hobby ASNs.

    You're also listed as mnt- on their IPs, so I'm guessing you at least know about them. Based on the upstreams, I'm also assuming they're your dedicated servers customer in AMS. So clearly not just a one off VPS client that did something shady without you knowing.

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    The FDNS records also say plentiful. All of this on IPs you're listed on, and on ASNs you're listed on, and on your dedis.

    https://bgp.tools/prefix/87.121.79.0/24#dns
    https://bgp.tools/prefix/194.48.251.0/24#dns

    I'm starting to see where Spamhaus is coming from...

    Also, the /24 currently announced by Alvaro Navas was once announced by AS213725 (03AI LTD - now on Spamhaus ASN drop list, probably why they moved to new ASN), and by AS216078 before that, your upstream in AMS.

    I don't know what weird shady German Telegram chat you've gotten yourself in, but this isn't looking too good.

    the ids were verified by ripe but you never know.

    It's easy to create fake and believable IDs in the current AI era. ID is becoming unreliable for online verification.

    ripe uses idenfy which is a third party that shouldnt work with this. but since it might be i also added veriff on my side now.

  • edited June 18

    @gremeyer said:

    @aluy said:

    @sillycat said:
    The Spamhaus listing seems to mostly be related to you hosting snowcore.io, an imo bulletproof hosting company.

    2 of your LIR clients, AS199639 (Matej Vallo) and AS199428 (Alvaro Navas) both have abuse contacts ending in *@abusemanagement.xyz. Both are personal ASNs that somehow only have a /24 and a /44, not very typical of hobby ASNs.

    You're also listed as mnt- on their IPs, so I'm guessing you at least know about them. Based on the upstreams, I'm also assuming they're your dedicated servers customer in AMS. So clearly not just a one off VPS client that did something shady without you knowing.

    abusemanagement.xyz is on serverHold, and has the same Cloudflare NS pair as snowcore.io.

    snowcore.io is, in my opinion, and probably also Spamhaus's, a bulletproof hoster. I don't believe any legitimate hosting provider needs to have this listed...

    They're so legitimate and care about abuse reports that they can't even receive them because their contact domain is suspended... I also don't think it needs to be said that no hosting provider needs 2 different personal ASNs for their operations.

    The FDNS records also say plentiful. All of this on IPs you're listed on, and on ASNs you're listed on, and on your dedis.

    https://bgp.tools/prefix/87.121.79.0/24#dns
    https://bgp.tools/prefix/194.48.251.0/24#dns

    I'm starting to see where Spamhaus is coming from...

    Also, the /24 currently announced by Alvaro Navas was once announced by AS213725 (03AI LTD - now on Spamhaus ASN drop list, probably why they moved to new ASN), and by AS216078 before that, your upstream in AMS.

    I don't know what weird shady German Telegram chat you've gotten yourself in, but this isn't looking too good.

    the ids were verified by ripe but you never know.

    It's easy to create fake and believable IDs in the current AI era. ID is becoming unreliable for online verification.

    To be honest i don't really see what's the big deal of having IDs verified or not. There's a bunch of quite obvious turds in those networks. If those are run by some known guy or a random identity thief is kinda secondary as far as the overall reputation is concerned.

  • edited June 18

    @aluy said:

    @totally_not_banned said:
    Well, "no abuse report received" is all fine and dandy but when someone is surprised to get drop listed by spamhaus while being tied to stuff like "binance-giveaway" or " 86374coinbase" it's all a little weird.

    Sure, there might be no reports but lets be real such a domain basically has to be some sketchy garbage and while i'm certainly no big fan of preemptive enforcement having stuff like that around in a want-to-get-off-drop situation is very obviously counter productive.

    If you want to stay clean make sure this stuff disappears or if that's not possible make sure there's nothing linking it to you. Employ some monitoring and put the non-intervention absolutism aside for a minute. Nobody outside of actual scammers is going to view you negatively for dropping obvious scams.

    well im not sure how i would implement checking of this without having to pay a lot for the apis, i mean rdns is already checked frequently and these sites are usually not up for long and i do receive reports for them. phishing is usually very quick. if someone finds domains that for some reason are still active and linking per dns to me i will suspend. forward dns is just imo not as easy to check as rdns or fcrdns

    Well, then proceed to stage 2: Why does this nonsense regularly reappear? Ask questions and if there's no sufficient answers/results it's time to pull a couple plugs. If i remember correctly @MannDude for example filters domain registrations to catch at least the worst bullshit before it happens. If you are a little creative patterns will be found.

    Maybe start with monitoring https://nerd.cesnet.cz/. A /24 isn't a whole lot and bigger providers somehow manage to not rack up a single negative scoring over X /24s (for TOR exits this will obviously be kinda impossible but that doesn't seem to be the problem here anyways). If your downstreams can't manage to achieve that even for a single /24 chances are they need a bit of an incentive.

    Well, if downstream actually equals those snowcore guys (apologies i didn't really care to look into it too deeply), which seemingly felt the need to copy Novogara you can probably save wasting your time and just drop them but if you truly believe that they aren't blackhats i guess you'll have to put a bit of effort into watching them or deal with the consequences.

    Thanked by 1luckypenguin
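
The forward-DNS monitoring discussed in the posts above, sketched as an added example that is not from any participant in the thread: it filters forward-DNS records down to the operator's own prefixes and queues brand-lure hostnames (the "binance-giveaway" / "86374coinbase" kind) for review. The prefixes, brand list, lure words and sample records are constructed assumptions; where the FDNS feed comes from is left open.

```python
import ipaddress
import re
from collections import Counter

# Assumption: prefixes the operator answers for (documentation ranges, not from the thread).
MY_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8::/44")]

# Assumption: brand keyword -> the brand's real domain, which must never be flagged.
BRANDS = {"binance": "binance.com", "coinbase": "coinbase.com"}

# Assumption: words that commonly accompany a brand name in scam hostnames.
LURE_WORDS = ("giveaway", "airdrop", "login", "verify", "claim", "bonus", "wallet")

# Undo simple digit-for-letter swaps (c0inbase -> coinbase) before matching.
LEET = str.maketrans("013457", "oieast")

# Constructed sample: tab-separated forward-DNS records (name, type, value).
SAMPLE_FDNS = (
    "binance-giveaway.example.net\tA\t198.51.100.23\n"
    "86374coinbase.example.org\tA\t198.51.100.77\n"
    "c0inbase-login.example.com\tA\t198.51.100.77\n"
    "mail.customer-shop.example\tA\t198.51.100.10\n"
    "binance-giveaway.example.net\tA\t203.0.113.5\n"      # not our address space
    "www.coinbase.com\tA\t198.51.100.99\n"                # the brand's own domain
    "static.example.net\tCNAME\tcdn.example.net\n"        # not an address record
    "v6.binance-airdrop.example\tAAAA\t2001:db8:0:1::10\n"
)


def in_scope(ip_text):
    """True if the address parses and falls inside one of MY_PREFIXES."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in MY_PREFIXES)


def score_hostname(host):
    """Return the reasons a hostname looks like brand impersonation ([] if none)."""
    host = host.lower().rstrip(".")
    reasons = []
    for brand, official in BRANDS.items():
        if host == official or host.endswith("." + official):
            continue  # the genuine brand domain and its subdomains
        for label in host.split("."):
            plain = label.translate(LEET)
            if brand in label or brand in plain:
                reasons.append("brand:" + brand)
                if any(word in plain for word in LURE_WORDS):
                    reasons.append("lure-word")
                if re.search(r"\d{4,}", label):
                    reasons.append("digit-run")
                break
    return reasons


def review_queue(fdns_text):
    """Parse FDNS lines and return (ip, host, reasons) for in-scope suspicious names."""
    seen, queue = set(), []
    for line in fdns_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[1] not in ("A", "AAAA"):
            continue
        host, _, value = parts
        if not in_scope(value):
            continue
        ip = str(ipaddress.ip_address(value))
        if (ip, host) in seen:  # FDNS dumps repeat records
            continue
        seen.add((ip, host))
        reasons = score_hostname(host)
        if reasons:
            queue.append((ip, host, reasons))
    # Most reasons first, then stable order by address and name.
    return sorted(queue, key=lambda item: (-len(item[2]), item[0], item[1]))


def hits_per_ip(queue):
    """Count flagged hostnames per address to surface repeat locations."""
    return Counter(ip for ip, _, _ in queue)


if __name__ == "__main__":
    queue = review_queue(SAMPLE_FDNS)
    for ip, host, reasons in queue:
        print(f"{ip:20} {host:35} {', '.join(reasons)}")
    print(dict(hits_per_ip(queue)))
```

A hit is a prompt for manual review, not proof of abuse; substring matching on short brand names will produce false positives.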
  • swissguyswissguy Member

    @aluy said:

    @swissguy said:
    Your network seems like a theme park of phishing and malware, the droplists is right where AS211507 belongs, good call on spamhaus' end, hopefully more will follow.

    Spamhaus probably stopped caring to reply to you because every time you suspend one customer, a few dozen more appear. At some point it's hard to keep pretending that you have legitimate clientele.

    And of course, that Max Verstappen crypto site sitting right on your IPs must be legit, right? By Max Verstappen himself, I'm sure. http://185.132.53.161/

    http://185.132.53.161/ no abuse report received at ALL, now suspended

    if you find more feel free to send an abuse report

    I would expect abuse within your own network to be identified and handled internally, rather than being pointed out by third parties on public forums. Given the pattern, you may want to consider leaning into it and operating yet again as a bulletproof host, as that appears to be the type of clientele you are consistently attracting.

  • yoursunnyyoursunny Member, IPv6 Advocate

    @aluy said:

    @yoursunny said:
    SpamHaus is a mafia.
    Since you have blocked the mail ports and won't send mail, you can ignore them altogether.
    Your ASN will remain up in their blocklists, but it won't affect you because you don't send mail.

    i just dont wanna be listed. it looks bad

    Mentally strong people ignore irrelevant blocklists that don't actually cause packet loss.

  • rpqurpqu Member

    @aluy. Might as well get another AS for squeaky clean stuff.

  • nikionikio Member

    @Alyx said:
    Worth noting, Spamhaus is not only looking at IPs that are the source of send emails.
    If spam is send from different sources, but reference you regularly (hosting phishing sites, C2 stuff, and so on) this counts as well.

    That's reguarded. So you take someone's cat picture image board, reference it in your spam emails /C2 scripts and get the site nuked. We really need a better system - I propose we call it IDGAF™. Surely between AI and hordes of compsci graduates we can keep the internet safe without blacklists that yoursunny rightly says should be ignored by mentally strong people.

  • kaitkait Member

    @nikio said:

    @Alyx said:
    Worth noting, Spamhaus is not only looking at IPs that are the source of send emails.
    If spam is send from different sources, but reference you regularly (hosting phishing sites, C2 stuff, and so on) this counts as well.

    That's reguarded. So you take someone's cat picture image board, reference it in your spam emails /C2 scripts and get the site nuked. We really need a better system - I propose we call it IDGAF™. Surely between AI and hordes of compsci graduates we can keep the internet safe without blacklists that yoursunny rightly says should be ignored by mentally strong people.

    Ah yes, let's let people host malware and botnet without consequences.

  • @kait said:

    @nikio said:

    @Alyx said:
    Worth noting, Spamhaus is not only looking at IPs that are the source of send emails.
    If spam is send from different sources, but reference you regularly (hosting phishing sites, C2 stuff, and so on) this counts as well.

    That's reguarded. So you take someone's cat picture image board, reference it in your spam emails /C2 scripts and get the site nuked. We really need a better system - I propose we call it IDGAF™. Surely between AI and hordes of compsci graduates we can keep the internet safe without blacklists that yoursunny rightly says should be ignored by mentally strong people.

    Ah yes, let's let people host malware and botnet without consequences.

    There were consequences for that? Which alternate timeline are we in right now? lol

    Thanked by 2nikio forest
  • kaitkait Member

    @Mainfrezzer said:

    @kait said:

    @nikio said:

    @Alyx said:
    Worth noting, Spamhaus is not only looking at IPs that are the source of send emails.
    If spam is send from different sources, but reference you regularly (hosting phishing sites, C2 stuff, and so on) this counts as well.

    That's reguarded. So you take someone's cat picture image board, reference it in your spam emails /C2 scripts and get the site nuked. We really need a better system - I propose we call it IDGAF™. Surely between AI and hordes of compsci graduates we can keep the internet safe without blacklists that yoursunny rightly says should be ignored by mentally strong people.

    Ah yes, let's let people host malware and botnet without consequences.

    There were consequences for that? Which alternate timeline are we in right now? lol

    Hosting malware/c2/phishing gets you blacklisted on spamhaus.

  • @kait said:

    @Mainfrezzer said:

    @kait said:

    @nikio said:

    @Alyx said:
    Worth noting, Spamhaus is not only looking at IPs that are the source of send emails.
    If spam is send from different sources, but reference you regularly (hosting phishing sites, C2 stuff, and so on) this counts as well.

    That's reguarded. So you take someone's cat picture image board, reference it in your spam emails /C2 scripts and get the site nuked. We really need a better system - I propose we call it IDGAF™. Surely between AI and hordes of compsci graduates we can keep the internet safe without blacklists that yoursunny rightly says should be ignored by mentally strong people.

    Ah yes, let's let people host malware and botnet without consequences.

    There were consequences for that? Which alternate timeline are we in right now? lol

    Hosting malware/c2/phishing gets you blacklisted on spamhaus.

    I'm sure the state-sponsored groups are scared. Surely they stopped doing that.

    Thanked by 1nikio