XSServer / Taking down a spam friendly provider
Hello I run a few Wordpress sites here and there, but I'm amazed at the amount of spam that comes from xsserver.eu's clients. Their abuse department is non-responsive: they do not even have auto responders to emails and the offending IP addresses keep spamming weeks after my email. I have CC'd my abuse complaints to Hurricane Electric, with no luck either, so I'm stuck Before somebody screams the path of least resistance of "just install Akismet or (insert spam plugin here)", that type of thinking just makes spam even worse because we just keep large, possibly stale, databases of IP addresses that may or may not be active spammers and does not address the issue. Does anyone have any recommendations of where to go next because I'm just limited to doing a whois on the IP address, emailing the abuse contact and tracerouting. Examples of the offending IPs are: 109.230.216.225 109.230.220.34 109.230.217.166 109.230.220.95 A prime offender is hellomotow.net, who provides "SEO" services with automated spamming tools. hellomotow.net has spammed me in the past from IP addresses like this so I believe XSServer is becoming the new McColo / AlphaRed / ThePlanet (back in the day, their abuse dept is very responsive now) I'm not asking for you to do the footwork for me, unless you want, but just needed some advice from folks more knowledgeable than myself. -- --C "The dumber people think you are, the more surprised they're going to be when you kill them." - Sir William Clayton
On Wed, Oct 26, 2011 at 10:12:33AM -0400, Chris wrote:
Before somebody screams the path of least resistance of "just install Akismet or (insert spam plugin here)", that type of thinking just makes spam even worse because we just keep large, possibly stale, databases of IP addresses that may or may not be active spammers and does not address the issue.
Does anyone have any recommendations
Examples of the offending IPs are: 109.230.216.225 109.230.220.34 109.230.217.166 109.230.220.95
All four addresses are in the Spamhaus sbl-xbl list. It would take ~10 lines of python in your cgi program to work this out. Nicolai
For folks who do not understand, I'm trying to "McColo" XSServer so their lack of response in regards to abuse is gone rather than the suggestions of scripting (guess you didn't read the full text of the email) or you pushing a product on me because you work for the ISP that the product is hosted on. Everybody remembers McColo going down and being dropped from uplinks in 2008 then all the spam disappeared, right? On Wed, Oct 26, 2011 at 10:12 AM, Chris <caldcv@gmail.com> wrote:
Hello
I run a few Wordpress sites here and there, but I'm amazed at the amount of spam that comes from xsserver.eu's clients. Their abuse department is non-responsive: they do not even have auto responders to emails and the offending IP addresses keep spamming weeks after my email.
I have CC'd my abuse complaints to Hurricane Electric, with no luck either, so I'm stuck
Before somebody screams the path of least resistance of "just install Akismet or (insert spam plugin here)", that type of thinking just makes spam even worse because we just keep large, possibly stale, databases of IP addresses that may or may not be active spammers and does not address the issue.
Does anyone have any recommendations of where to go next because I'm just limited to doing a whois on the IP address, emailing the abuse contact and tracerouting.
Examples of the offending IPs are: 109.230.216.225 109.230.220.34 109.230.217.166 109.230.220.95
A prime offender is hellomotow.net, who provides "SEO" services with automated spamming tools. hellomotow.net has spammed me in the past from IP addresses like this so I believe XSServer is becoming the new McColo / AlphaRed / ThePlanet (back in the day, their abuse dept is very responsive now)
I'm not asking for you to do the footwork for me, unless you want, but just needed some advice from folks more knowledgeable than myself.
-- --C
"The dumber people think you are, the more surprised they're going to be when you kill them." - Sir William Clayton
On Wed, 26 Oct 2011 13:47:03 -0400 Chris <caldcv@gmail.com> wrote:
For folks who do not understand, I'm trying to "McColo" XSServer so their lack of response in regards to abuse is gone rather than the suggestions of scripting (guess you didn't read the full text of the email) or you pushing a product on me because you work for the ISP that the product is hosted on. Everybody remembers McColo going down and being dropped from uplinks in 2008 then all the spam disappeared, right?
McColo and Atrivo were disconnected for much larger sins than spamming someone's wordpress blog. William
McColo and Atrivo were disconnected for much larger sins than spamming someone's wordpress blog.
Many of you do not understand the scope of "just spamming a Wordpress blog". This is a huge business. Shady "SEO" companies are charging individuals at least $250 per month to use their spam tools of choice to spam forums and Wordpress blogs. I got one of the major players on the run right now because he cannot seem to keep his "business page" hosted with a company longer than a few weeks and I keep playing whack-a-mole with him. Guess what? Innocent people's websites are being deranked on Google for hiring these guys with their shady backlink services and their money is being taken. Yes I know they got what they deserved, but it's so obvious with these backlink guys using cheap virtual private servers for a month, getting shutdown and getting a new IP address that something needs to be done. XSServer could have simply amused me with a default auto reply to make it look like they are doing something.
Will your host allow you to block IP ranges?
Not the solution I was looking for because blocking IP ranges and using scripts / services / etc like Akismet or others is simply ignoring the problem, not solving it. For folks who say hosting companies are not helpful: Linode, Amazon, BurstNET, Ubiquity Servers and others are extremely responsive to abuse complaints. -- --C "The dumber people think you are, the more surprised they're going to be when you kill them." - Sir William Clayton
On Wed, 26 Oct 2011 20:22:53 -0400 Chris <caldcv@gmail.com> wrote:
McColo and Atrivo were disconnected for much larger sins than spamming someone's wordpress blog.
Many of you do not understand the scope of "just spamming a Wordpress blog".
I do understand the scope of shady SEO companies.
This is a huge business. Shady "SEO" companies are charging individuals at least $250 per month to use their spam tools of choice to spam forums and Wordpress blogs. I got one of the major players on the run right now because he cannot seem to keep his "business page" hosted with a company longer than a few weeks and I keep playing whack-a-mole with him.
McColo and Atrivo were not terminated because of spam. If you believe they are, then you are simply misinformed. Atrivo and McColo were terminated over their network being used extensively for botnet control centers. Really! Not spam!
Guess what? Innocent people's websites are being deranked on Google for hiring these guys with their shady backlink services and their money is being taken.
Bummer. Indeed, it sucks to be them. Newsflash: only morons hire "SEO companies." Perhaps Google is just working on increasing relevance quality by penalizing them for being morons. I would say it is a brilliant strategy, myself.
Yes I know they got what they deserved, but it's so obvious with these backlink guys using cheap virtual private servers for a month, getting shutdown and getting a new IP address that something needs to be done.
Ok, and when they go to another budget VPS provider other than XSServer? I am just wondering if you have a strategy for that scenario. Will you come and whine on NANOG about that provider too?
XSServer could have simply amused me with a default auto reply to make it look like they are doing something.
Wow, thanks for the pro tip. You're telling me that if I just replace my abuse@systeminplace.net contact with an autoresponder that most people will just assume that we are "doing something" and I can go and spend all my time on hookers and booze instead of terminating spammers? Shit. Why didn't anyone tell me earlier?
Will your host allow you to block IP ranges?
Not the solution I was looking for because blocking IP ranges and using scripts / services / etc like Akismet or others is simply ignoring the problem, not solving it.
For folks who say hosting companies are not helpful: Linode, Amazon, BurstNET, Ubiquity Servers and others are extremely responsive to abuse complaints.
William
On Thu, Oct 27, 2011 at 1:52 AM, William Pitcock <nenolod@systeminplace.net> wrote:
On Wed, 26 Oct 2011 20:22:53 -0400 Chris <caldcv@gmail.com> wrote:
This is a huge business. Shady "SEO" companies are charging individuals at least $250 per month to use their spam tools of choice to spam forums and Wordpress blogs. I got one of the major players on the run right now because he cannot seem to keep his "business page" hosted with a company longer than a few weeks and I keep playing whack-a-mole with him.
McColo and Atrivo were not terminated because of spam. If you believe they are, then you are simply misinformed. Atrivo and McColo were terminated over their network being used extensively for botnet control centers.
William, Atrivo and McColo were terminated _late_. As an industry, might we not consider finding a reasonable way to do a more effective job identifying and dealing with shops who can't seem to keep out the customers who use those facilities to hurt and abuse the rest of us? If we fail to adequately self-regulate, the courts and entities like the U.S. Congress will surely find a way to do it for us. And they won't care nearly as much about the technical constraints as we do. I make no judgment about XSServer and offer no solution. I merely suggest that Chris has posed a legitimate operational problem that our community may wish to redress while the while the details of such a choice are still in our hands. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
I would agree that at the moment, we exist in what is supposed to be a "self-policing" community. How long will it stay so, if livelihoods are jeopardized? Some are paid to move bits, and consider that their only obligation. Others are charged with operating services that are impacted by the aforementioned types of pollution. But each party cannot exist without the other, at the end of the day; the economic relationship between the two, at some level, makes this a shared problem. While bit-movers _may not_ have an explicit and direct business reason to aid in reducing the pollution in the community, as members of the community, is it not our collective responsibility to work against those polluting it? It is disrespectful, IMHO, to those who worked so hard to make this communal resource the shared treasure it is, for us to neglect the duty to protect and care for it. I understand that not everyone feels that it should be policed. I have respect for those who feel this way. To me, this is a complicated ecosystem, and we are its custodians, responsible for its continued health and function. Who among you do not have a custodial relationship with some network or inter-networking? Do none of you feel a responsibility to maintain it for those who will come after you? As a part of ensuring the continued function of our ecosystem, in light of the reality of this pollution, I think ensuring the integrity of our individual administrative domains, and working with others, in some capacity, to ensure the health and integrity of their own, is paramount. I would make a reference to the way we have treated and are treating our planet, but the analogy is tired. I do fear that some day, the 'way we treated the internet' will be a similarly tired metaphor. -k On Oct 27, 2011 8:47 PM, "William Herrin" <bill@herrin.us> wrote:
On Thu, Oct 27, 2011 at 1:52 AM, William Pitcock <nenolod@systeminplace.net> wrote:
On Wed, 26 Oct 2011 20:22:53 -0400 Chris <caldcv@gmail.com> wrote:
This is a huge business. Shady "SEO" companies are charging individuals at least $250 per month to use their spam tools of choice to spam forums and Wordpress blogs. I got one of the major players on the run right now because he cannot seem to keep his "business page" hosted with a company longer than a few weeks and I keep playing whack-a-mole with him.
McColo and Atrivo were not terminated because of spam. If you believe they are, then you are simply misinformed. Atrivo and McColo were terminated over their network being used extensively for botnet control centers.
William,
Atrivo and McColo were terminated _late_.
As an industry, might we not consider finding a reasonable way to do a more effective job identifying and dealing with shops who can't seem to keep out the customers who use those facilities to hurt and abuse the rest of us? If we fail to adequately self-regulate, the courts and entities like the U.S. Congress will surely find a way to do it for us. And they won't care nearly as much about the technical constraints as we do.
I make no judgment about XSServer and offer no solution. I merely suggest that Chris has posed a legitimate operational problem that our community may wish to redress while the while the details of such a choice are still in our hands.
Regards, Bill Herrin
-- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Wed, Oct 26, 2011 at 08:22:53PM -0400, Chris wrote:
For folks who say hosting companies are not helpful: Linode, Amazon, BurstNET, Ubiquity Servers and others are extremely responsive to abuse complaints.
Burstnet is one of the filthiest sewers on the entire Internet. Has been for many years. They are vehemently pro-spam. See, for example: http://groups.google.com/group/news.admin.net-abuse.email/msg/fba14415f70e08... They are thus not a good counterexample to use in this case. ---rsk
On Wed, Oct 26, 2011 at 10:12:33AM -0400, Chris wrote:
Does anyone have any recommendations of where to go next because I'm just limited to doing a whois on the IP address, emailing the abuse contact and tracerouting.
Chris, Can't help much - but can say we find ourselves in a similar boat. As a rule of thumb, we systematically block, log, and report *every* spam, virus & brute force etc attempt we receive against any of our devices. In the past three years, only one company has ever responded to an abuse request (CampaignMonitor to name & honour them), though there are definitely some other good guys out there (a large number of them on this list)! [We don't apply the above logic for spam sent to email destinations, for obvious reasons] G
participants (7)
-
Chris -
Gavin Pearce -
Kyle Creyts -
Nicolai -
Richard Kulawiec -
William Herrin -
William Pitcock