[SpamCop-List] Re: 82.98.235.13
Mike Easter
MikeE at ster.invalid
Fri Sep 16 04:51:20 EDT 2005
Yves Lambert wrote:
> Mike Easter wrote:
>
>> There's no tracker, so we aren't actually talking about any
>> particular spam.
>
> I gave a tracker in my previous message.
>
>
http://www.spamcop.net/sc?id=z805854684zd0c9d4c7f8345c0608eded5337ca70d3z
/That/ is a tracker and I can click on it and access the spam and the
parse thereof.
When you post
http://www.spamcop.net/sc?action=showroute;ip=82.98.235.13;typecodes=17
as you did in the first post, that just shows SC's lookup of the IP, and
when you post
http://www.spamcop.net/mcgi?action=gettrack&reportid=1508090547 as you
did earlier today 10:48:16 +0200 that reportid won't work for anyone but
you, as I recently explained to Firewoman in my post in another thread
news://news.spamcop.net/dgcoei$m78$1@news.spamcop.net
Back to the spam:

Abbreviated Received lines *comment
from (mwinf0703.wanadoo.fr) by mwinb0806 *serves you
from me-wanadoo.net (localhost [127.0.0.1]) by mwinf0703.wanadoo.fr *serves you
from ns120.mycyberhosting.com (unknown [82.98.235.13]) by mwinf0703.wanadoo.fr *sourceline
from (ns120.mycyberhosting.com [127.0.0.1]) by ns120.mycyberhosting.com *timestamp 70min, misconfigured line

That item is 'more or less' a 'straightup' spam; that is, there is no
bogosity in the headers or abuse of a proxied IP. The item originated
at a mycyberhosting IP, namely an output server for mycyberhosting, and
the only one in that netblock. mycyberhosting has a 'family' of 7
output servers in another /24 netblock 62.4.83.*
When I say 'more or less' I mean that there is a bogus From which is a
'social engineering' girl's name From namely Valerie at yahoo.ca - but it
isn't sourced from yahoo.ca, so that much is bogus. Altho' I can't read
French, this appears to be about selling pr0n videos. That creates
another level of objectionability to the spam, because if opened and
rendered online, the spam will display sex graphics.
Typically the other element of straightup, besides the absence of
bogosity or abuse of proxified IP is when the spamvertiser is the 'same
as' the spamsource, which in this case it 'more or less' is -- that is
the spamvertised site is at a different cybertechnology netblock than
the source, but that is still the same provider.
Sometimes when a spam is straightup, it is because the 'spammer' thinks
you have subscribed to something; that is, it is possible that there is
bad list management. Someone signs you up to start getting sex video
promotions and you never get a confirmation and you continue to get them
because the mailings are designed to be 'opt-out'. The discussion of
poorly managed mailings and optout philosophy is fodder for another
thread, but I suspect that is what is going on here, because of the
straightup-ness.
Sometimes when we are trying to figure out 'who' we are talking about,
it is useful to look at the domainname registrations. The spamvertiser
domainname is www.web-x-mailing.com which is registered differently than
mycyberhosting. The domainnames associated with mycyberhosting, which
are mycyberhosting.net and mycyberhosting.com are registered in this
way:
Registrant:
Cyber TechnOlogy SPRL-BVBA
Waterloo, Brussels 1410
BE
Van Loven, Olivier sales at mycyberhosting.net
So, the upshot of this is that the target, both spamsource and
spamvertiser, is the webhost cybertechnology based in Brussels, possibly
to the real person Olivier Van Loven.
The webhost has a website http://www.mycyberhosting.com/ and that front
page mentions their data center at:
Abovenet INC. Amsterdam, Netherlands
so, our earlier question about whether or not mycyberhosting is actually
a customer of abovenet [ie Metromedia fiber network] has been answered.
In fact, mycyberhosting shows a graphic of MFN's global network, so
communicating with MFN about mycyberhosting's unresponsiveness would be
a very good idea.
>> What exactly do you want to call a 'roach' -- the notify address to
>> which SC extends the courtesy of a notify? Or something else?
>>
>> Is the IP a roach? What is the roach? I'm still not clear.
>
> No ambiguity there else at all. An IP *is not* a roach. It may
> *shelter* a roach. An address *is not* a roach either. It may be
> *owned* by a roach. A spam *is not* a roach. A spammer *is* always a
> roach. A hoster. If mycyberhosting closes the account of the spammer
> and dedicates the machine that was previously used by the spammer to
> mirror samspade's or DNSBL the IP will not have anything to do with a
> roach....
In this case the spamsource and the hoster are mycyberhosting. The
domainname holder of webxmailing is just a customer of mycyberhosting.
So, I would have to say that your 'roach' is Cybertechnology ie
mycyberhosting dot com/net -- Here is their page re acceptable use
http://www.mycyberhosting.com/aup.html "MyCyberHosting maintains a ZERO
tolerance policy in regards to SPAM. We do not tolerate spam mailings
and any account that is used to send such will be terminated without
notice."
> Anyhow the purpose is not to kick the roach (any evidence that we get)
> but to stop its move (to stop spam activity)
In this case, an antispam operation like spews or spamhaus would be more
effective than spamcop.
The spamsource is a different output server than mycyberhosting's
'normal' output servers. If an organization like spews or spamhaus were
working on this, they would be listing the netblocks for mycyberhosting,
which would include the netblocks where the other mail comes from. That
is, spews and spamhaus would be listing all of the mycyberhosting
netblocks, and they would be threatening to be listing Metromedia fiber
network.
--
Mike Easter
kibitzer, not SC admin
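
The Received-line reading in the post above can be done mechanically. The following is an added example, not part of the original post and not SpamCop's parser: it walks the chain from the newest hop down, believes only stamps written by the recipient's own provider, and reports the first outside address such a host recorded. The full header text and the `TRUSTED` list are constructed assumptions modelled on the abbreviated lines in the post.

```python
import ipaddress
import re

# Constructed sample, newest hop first, modelled on the abbreviated Received
# lines in the post (timestamps, ids and "for" clauses are left out).
SAMPLE_RECEIVED = [
    "from mwinf0703.wanadoo.fr (mwinf0703.wanadoo.fr) by mwinb0806",
    "from me-wanadoo.net (localhost [127.0.0.1]) by mwinf0703.wanadoo.fr",
    "from ns120.mycyberhosting.com (unknown [82.98.235.13])\n\tby mwinf0703.wanadoo.fr",
    "from ns120.mycyberhosting.com (ns120.mycyberhosting.com [127.0.0.1]) by ns120.mycyberhosting.com",
]
# Assumption: hosts run by the recipient's own provider, whose stamps are believed.
TRUSTED = ("wanadoo.fr", "mwinb0806")


def parse_hop(line):
    """Return (ip_or_None, by_host) for one Received header value."""
    flat = " ".join(line.split())            # undo header folding
    from_part, _, by_part = flat.partition(" by ")
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", from_part)
    words = by_part.split()
    return (m.group(1) if m else None), (words[0].lower() if words else "")


def is_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_source(received, trusted=TRUSTED):
    """Walk from the newest hop down; return (ip, stamping_host) or None."""
    for line in received:
        ip, by_host = parse_hop(line)
        if not is_trusted(by_host, trusted):
            return None          # stamped by an outside host: forgeable from here down
        if ip is None:
            continue             # no literal address recorded on this hop
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private:
            continue             # internal handoff inside the trusted provider
        return ip, by_host       # first outside address a trusted host recorded
    return None


if __name__ == "__main__":
    print(find_source(SAMPLE_RECEIVED))
```

The fourth line, written by the sending host itself, is never consulted, so a forged line placed below the source line cannot change the result.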