IP Delegations for Forum Spammers and Invalid Whois info
I assume the ongoing problems that forum administrators have with people randomly signing up to forums - even closed ones requiring admin approval for all accounts - for the purpose of spamming their web URLs around the place is an old one.
I run such a forum and have started implementing /16 level bans to try to slow them down. Obviously not the best solution.
The forum in question is phpBB (I know - whose isn't) and I'm yet to have time to actually start digging into whether there are better ways of responding to this issue. (Volume isn't prohibitive - yet.)
In the most recent case the IP address space that the website concerned points back to is in the Ukraine and the listed abuse contact is on a domain which is canned due to invalid contact details provided.
My question then is - what happens now? The IP address space is essentially 'untraceable' except perhaps through bandwidth-supplier-agreements or somesuch. Shouldn't IPs with similarly invalid contact details be 'suspended' after being given opportunity to provide updated, correct details?
The IP range in question is 195.225.176.0 - 195.225.179.255 and a snippet of the whois info provided is as follows:
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************
person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
phone: +38 050 6226676
e-mail: vs@netcathost.com
nic-hdl: VS1142-RIPE
source: RIPE # Filtered
Forgive the relative noobishness of the question, but I've not had to deal with this sort of situation before. Should I be forwarding to RIPE?
On Monday 03 Jul 2006 06:16, you wrote:
Forgive the relative noobishness of the question, but I've not had to deal with this sort of situation before. Should I be forwarding to RIPE?
I don't think RIPE will be that interested.
The address range gets connectivity from someone. I suggest reporting upstream.
Oh dear, upstream is ISPrime -- anyone here think they are anything but a spam house? If not then why are they still in NY?
Hello,
On Jul 3, 2006, at 3:53 AM, Simon Waters wrote:
On Monday 03 Jul 2006 06:16, you wrote:
Forgive the relative noobishness of the question, but I've not had to deal with this sort of situation before. Should I be forwarding to RIPE?
I don't think RIPE will be that interested.
The address range gets connectivity from someone. I suggest reporting upstream.
Oh dear, upstream is ISPrime -- anyone here think they are anything but a spam house? If not then why are they still in NY?
We are very much anti-spam and I will look into Mark's issue - I'm looking through the tickets for abuse@ and there is no email sent in from blakjak@blakjak.net ...
Mark - Please email me off list with whatever issue you're having and I'll have it dealt with, please cc: abuse@isprime.com.
Thanks,
--Phil
On Monday 03 Jul 2006 16:26, Phil Rosenthal wrote:
We are very much anti-spam and I will look into Mark's issue - I'm looking through the tickets for abuse@ and there is no email sent in from blakjak@blakjak.net ...
I suspect he tried abuse@netcathosting.com which seems to be in rfc-ignorant.
Looks like the server, 195.225.177.31, has been spewing guest book spam (and wiki spam) out, as a quick Google of "195.225.177.31 nice site" will show hundreds of links, although quite a lot of it just looks bizarre, and DShield shows 80,000-odd reports of port 80 probes in the last month from this address.
We've just cleaned up a lot of address book spam promoted sites, so I know it is a relentless and tedious thing to squash.
This is a known problem with known solutions. There are RBLs, Bayesian filters, behaviour filters, and what not. For a phpBB forum I'd suggest a captcha, although that's extremely annoying.
This is becoming the next (last) spamvertising medium and Google poisoning medium. I and others spend hours on this issue every day. We even have a mailing list for this.
Good luck,
Gadi.
On Mon, 3 Jul 2006, Mark Foster wrote:
I assume the ongoing problems that forum administrators have with people randomly signing up to forums - even closed ones requiring admin approval for all accounts - for the purpose of spamming their web URLs around the place is an old one.
I run such a forum and have started implementing /16 level bans to try to slow them down. Obviously not the best solution.
The forum in question is phpBB (I know - whose isn't) and I'm yet to have time to actually start digging into whether there are better ways of responding to this issue. (Volume isn't prohibitive - yet.)
In the most recent case the IP address space that the website concerned points back to is in the Ukraine and the listed abuse contact is on a domain which is canned due to invalid contact details provided.
My question then is - what happens now? The IP address space is essentially 'untraceable' except perhaps through bandwidth-supplier-agreements or somesuch. Shouldn't IPs with similarly invalid contact details be 'suspended' after being given opportunity to provide updated, correct details?
The IP range in question is 195.225.176.0 - 195.225.179.255 and a snippet of the whois info provided is as follows:
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************
person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
phone: +38 050 6226676
e-mail: vs@netcathost.com
nic-hdl: VS1142-RIPE
source: RIPE # Filtered
Forgive the relative noobishness of the question, but I've not had to deal with this sort of situation before. Should I be forwarding to RIPE?
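Added example, not part of any poster's message: the range quoted in the thread is far narrower than a /16, so a ban list can be built from the delegation itself. This Python sketch turns a RIPE-style `inetnum:` range into exact CIDR blocks and counts the unrelated addresses a /16 ban would also block; the sample `inetnum:` line is constructed from the range Mark quotes, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the inetnum line is built from the range quoted in the
# thread; the other whois fields are left out.
WHOIS_SNIPPET = """\
inetnum:        195.225.176.0 - 195.225.179.255
remarks:        * Abuse contacts: abuse@netcathost.com *
"""

INETNUM_RE = re.compile(
    r"^inetnum:[ \t]*(\S+)[ \t]*-[ \t]*(\S+)[ \t]*$", re.MULTILINE
)


def delegation_to_cidrs(whois_text):
    """Return the minimal list of CIDR networks covering each inetnum range."""
    nets = []
    for first, last in INETNUM_RE.findall(whois_text):
        start = ipaddress.IPv4Address(first)
        end = ipaddress.IPv4Address(last)
        if start > end:
            raise ValueError(f"inverted range: {first} - {last}")
        # A range that is not aligned on a power of two yields several blocks.
        nets.extend(ipaddress.summarize_address_range(start, end))
    return nets


def collateral(ban, delegation):
    """Count addresses blocked by `ban` that lie outside the delegation."""
    ban_net = ipaddress.ip_network(ban)
    inside = sum(n.num_addresses for n in delegation if n.subnet_of(ban_net))
    return ban_net.num_addresses - inside


def is_banned(ip, nets):
    """True if `ip` falls inside any network on the ban list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = delegation_to_cidrs(WHOIS_SNIPPET)
    print("ban list:", [str(n) for n in nets])
    print("extra addresses hit by a /16:", collateral("195.225.0.0/16", nets))
    print("195.225.177.31 banned:", is_banned("195.225.177.31", nets))
```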
participants (4)
- Gadi Evron
- Mark Foster
- Phil Rosenthal
- Simon Waters