[RFCI-Discuss] What if abuse@... is deaf and mute ?

csmailreport csmailreport at googlemail.com
Wed Sep 27 07:15:39 EDT 2006


On 9/27/06, Alex van den Bogaerdt <alex at ergens.op.het.net> wrote:

> What if mail to abuse at proxad.net is apparently /dev/null'ed ?
> One particular box is allowed, by proxad, to keep trying to abuse
> open relays.  No response and no action from abuse at proxad.net
> The spammer's box is at 88.191.27.185
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL46975
>

[I apologize in advance for this email, outside the scope of this mailing
list]

proxad.net = free.fr = low cost French ISP with nearly 2 million DSL
subscribers at up to 24 Mbit/s.
They are also the 2nd to 7th largest zombie network on the planet according
to senderbase.org
( depending on when you look at http://www.senderbase.org/ )

They are notoriously known for having a customer service organization
impossible to reach
for their own customers, and indeed abuse at proxad.net or abuse at free.fr ends
up in a black hole.

What's interesting in this case is that all of their official SMTPs are
declared with reverse DNS (PTR RR)
under the "free.fr" domain: they are listed here:
http://www.senderbase.org/search?searchString=free.fr

which means that everything listed under domain proxad.net by senderbase is
a spamming zombie
(a residential DSL customer): there are about 60.000 such zombies listed on
http://www.senderbase.org/?searchString=proxad.net&searchBy=domain

I solved the proxad/free spam "problem" long ago by refusing any email from
*.proxad.net.
That blocks *.fbx.proxad.net, *.adsl.proxad.net, *.dial.proxad.net
while still letting legit emails, sent through their official smtp*.free.fr,
reach us.

People who want to run their own mail server at the end of their DSL line
can easily change/customize
their reverse DNS out of the proxad.net domain by using this page:
http://adsl.free.fr/admin/reverse.html

Unfortunately this army of zombies can still be used for other illegal
activities, such
as portscans, hosting fake bank/phish websites, etc. but at least it solved
the spam problem for me...

PS: the IP address you're mentioning (88.191.27.185 = sd-4489.dedibox.fr.),
or the range 88.160.0.0/11, is actually proxad's own datacenter, and dedibox
is a 29.99 euros/month dedicated Linux hosted appliance with 100 Mbit/s
unlimited connectivity, cf. http://www.dedibox.fr/
so it's probably a hacked Linux server/appliance.

Their DSL "home" zombie lusers are usually found around
62.147.0.0/16
82.64.0.0/14
81.56.0.0/15
82.224.0.0/11
213.228.16.0 - 213.228.59.255

Hope this helps
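
The reverse-DNS rule described in the message above, sketched as an added example that is not part of the original post or of any mail server's own code. The function names, the sample hostnames and the "FLAG" outcome for clients with no PTR inside the listed DSL ranges are assumptions made for illustration.

```python
import ipaddress

BLOCKED_SUFFIX = "proxad.net"   # suffix refused in the post
# DSL ranges as listed in the post; the last is given as a start-end pair.
DSL_RANGES = ["62.147.0.0/16", "82.64.0.0/14", "81.56.0.0/15", "82.224.0.0/11",
              ("213.228.16.0", "213.228.59.255")]

def build_networks(ranges):
    """Turn CIDR strings and (first, last) pairs into ip_network objects."""
    nets = []
    for r in ranges:
        if isinstance(r, tuple):
            first, last = (ipaddress.ip_address(a) for a in r)
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(r))
    return nets

def under_domain(ptr, domain):
    """Match on a label boundary so 'notproxad.net' is not caught."""
    name = ptr.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def decide(client_ip, ptr, nets):
    """Return 'REJECT', 'FLAG' or 'OK' for one connecting SMTP client."""
    if ptr and under_domain(ptr, BLOCKED_SUFFIX):
        return "REJECT"   # the post's rule: refuse *.proxad.net
    addr = ipaddress.ip_address(client_ip)
    if not ptr and any(addr in n for n in nets):
        return "FLAG"     # assumption: no PTR, but inside a listed DSL range
    return "OK"           # includes smtp*.free.fr and customised reverse DNS

NETS = build_networks(DSL_RANGES)

# Constructed sample clients (hostnames are illustrative, not real records).
SAMPLES = [
    ("82.64.1.2", "host-1-2.fbx.proxad.net."),
    ("192.0.2.10", "smtp1.free.fr"),
    ("192.0.2.11", "mail.notproxad.net"),
    ("81.56.3.4", "mail.example.org"),
    ("213.228.59.200", None),
    ("213.228.60.1", None),
]

if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        print(f"{ip:16} {ptr or '-':28} {decide(ip, ptr, NETS)}")
```

The PTR name is whatever the address holder publishes, so a rule like this only holds while the ISP keeps its default names under that suffix.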