Noah Vail

Reporting Spam Abuse to webair.com

edit: I later posted this same complaint on webhostingtalk.com, which seemed to be a bit better venue for this sort of issue.

Fifteen minutes after that, the spam-bombing ceased and all is well.

As of this writing, Webair hasn't responded directly, so I can only guess at cause/effect.

NV

OP: Some nitwit on a /24 under Webair is making 900 spam attempts every hour to our mail server.
He's @ 208.96.172.0/24.

I sent a note off to abuse@webair along with a screen cap of our router log.
In case webair isn't all that responsive to my complaint (as others seem to experience) can anyone recommend what a good next step might be?

Thanks.
NV

--
Adopting other people's animosity is The New Stupid.


MxxCon

(i used to work at webair 3 years ago)
they try to handle spam complaints as best as they can, but the volume of complaints and staffing limitations sometimes takes them a while to go through the queue.
also 208.96.172.0/24 is a bit too wide of a range. it looks like it covers a bunch of their shared hosting servers »www.senderbase.org/senderbase_qu···rs=%2F24
--
[Sig removed by Administrator: signature can not exceed 20GB]


Noah Vail
My Webair hosted jackass is back tonight.

said by MxxCon:

(i used to work at webair 3 years ago)
they try to handle spam complaints as best as they can, but the volume of complaints and staffing limitations sometimes takes them a while to go through the queue.

Can I translate that to:
They've so much abusive traffic originating from their network, they can't manage it properly?

I realize they're no McColo, but one would think this much spam traffic (1k attempts/hour - to each victim) would get someone's attention.

said by MxxCon:

also 208.96.172.0/24 is a bit too wide of a range. it looks like it covers a bunch of their shared hosting servers

What do you want to bet all of those domains are all registered by the same guy? They all seem to be registered on the same day. I'm betting that isn't a wild coincidence.
Looks to me like someone bought up the /24.

Thanks for responding. The senderbase link is helpful.

NV
--
Adopting other people's animosity is The New Stupid.


MxxCon

said by Noah Vail:

My Webair hosted jackass is back tonight.

said by MxxCon:

(i used to work at webair 3 years ago)
they try to handle spam complaints as best as they can, but the volume of complaints and staffing limitations sometimes takes them a while to go through the queue.

Can I translate that to:
They've so much abusive traffic originating from their network, they can't manage it properly?

I realize they're no McColo, but one would think this much spam traffic (1k attempts/hour - to each victim) would get someone's attention.

They are not McColo. But some of their clientele is in the "adult entertainment" business. And you can imagine that some of those are less than "upstanding citizens".

said by MxxCon:

also 208.96.172.0/24 is a bit too wide of a range. it looks like it covers a bunch of their shared hosting servers

What do you want to bet all of those domains are all registered by the same guy? They all seem to be registered on the same day. I'm betting that isn't a wild coincidence.
Looks to me like someone bought up the /24.

It's possible that this is some "VIP" client that bought the whole /24.
It's also possible that one of those servers got compromised and the owner doesn't even know about it. Many larger clients are "self-managed", i.e. client has root access to the server and webair techs don't even have access to it. If one of those servers gets compromised or even intentionally starts spamming, they can't do anything directly to it other than escalating to cut off its network access. But if it is some big VIP client, they don't want to have an incident with the client and lose their business so they take time to personally contact the client and work w/ them on this issue.

Fighting spam doesn't directly generate profit to the business. It takes up time and resources from other more business critical processes, so it is not always #1 task during their daily routines.

If that spammer is really hammering your mail server, perhaps look into a firewall approach. Block known/obvious spammers at the firewall stage rather than MTA stage.
--
[Sig removed by Administrator: signature can not exceed 20GB]


Noah Vail
First up: Sagi contacted me this morning and promised prompt and direct action.
That's all the response I could ask for.

said by MxxCon:

It's also possible that one of those servers got compromised and the owner doesn't even know about it. Many larger clients are "self-managed", i.e. client has root access to the server and webair techs don't even have access to it. If one of those servers gets compromised or even intentionally starts spamming, they can't do anything directly to it other than escalating to cut off its network access. But if it is some big VIP client, they don't want to have an incident with the client and lose their business so they take time to personally contact the client and work w/ them on this issue.

In this case, it wasn't exploit related. The domain-names that rDNS to those IPs are in line with a typical spam operation. They were all registered on 3-21-2011.

And to quote another user:
quote:
network:IP-Network-Block:208.96.172.0-208.96.172.255
network:Organization;I : Progresivehosting INC
network:Created:20110816

If rwhois is right, they just signed up less than a month ago and are already spamming.

The http 'server:' header is pretty much exclusively by spam and progresivehosting's domain is using a false address on WHOIS.

The odds are overwhelming that we're discussing a scumbag.
Is he a VIP scumbag? I don't think so.

I suspect the event was due to a mismanaged spam app.
One thing was the bizarrely high freq of attempts.
Another was that the attacks stopped at 11:05:30 both nights. It was cron'd or something.

It also smacks of incompetence - so prob not a VIP.

said by MxxCon:

If that spammer is really hammering your mail server, perhaps look into a firewall approach. Block known/obvious spammers at the firewall stage rather than MTA stage.

I was doing that already - this was filling up my firewall logs.
My routers have a lot on their plate. I aim to keep their RAM/CPU usage around 33%. Stuff like this pushes it up. Better to deal with these guys promptly and not wind up with several at one time.

NV
--
Adopting other people's animosity is The New Stupid.
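
The evidence this thread turns on (attempts per hour, which individual addresses inside the /24 are responsible, and when the attempts stop) can be pulled from a firewall log as text rather than a screen capture. The following is an added example, not part of any post above; the log line format, the `summarize` helper and all sample addresses are assumptions, with the documentation range 203.0.113.0/24 standing in for the reported /24.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp DROP SRC= DST= DPT=" format.
# 203.0.113.0/24 (documentation range) stands in for the reported /24.
SAMPLE_LOG = """\
2011-09-12 22:58:01 DROP SRC=203.0.113.17 DST=192.0.2.25 DPT=25
2011-09-12 22:58:05 DROP SRC=203.0.113.17 DST=192.0.2.25 DPT=25
2011-09-12 22:59:40 DROP SRC=203.0.113.44 DST=192.0.2.25 DPT=25
2011-09-12 23:01:12 DROP SRC=203.0.113.17 DST=192.0.2.25 DPT=25
2011-09-12 23:05:30 DROP SRC=203.0.113.17 DST=192.0.2.25 DPT=25
2011-09-12 23:07:00 DROP SRC=198.51.100.9 DST=192.0.2.25 DPT=25
2011-09-12 23:08:00 DROP SRC=203.0.113.44 DST=192.0.2.25 DPT=80
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP SRC=(\S+) DST=\S+ DPT=(\d+)$")

def summarize(log_text, network, port=25):
    """Per-source attempt summary for hosts inside `network` hitting `port`."""
    net = ipaddress.ip_network(network)
    hourly = defaultdict(Counter)   # source IP -> {hour bucket: attempts}
    last_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed drop record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # SRC field was not a valid address
        if src not in net or int(m.group(3)) != port:
            continue  # outside the reported range, or not SMTP
        key = str(src)
        hourly[key][ts.strftime("%Y-%m-%d %H:00")] += 1
        last_seen[key] = max(ts, last_seen.get(key, ts))
    return {src: {"total": sum(h.values()),
                  "peak_per_hour": max(h.values()),
                  "last_seen": last_seen[src].isoformat(sep=" ")}
            for src, h in hourly.items()}

if __name__ == "__main__":
    for src, stats in sorted(summarize(SAMPLE_LOG, "203.0.113.0/24").items()):
        print(src, stats)
```

Reporting the individual source addresses with their hourly counts and last-seen times lets the provider's abuse desk act on specific servers instead of the whole /24.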