I’ve run into a significant problem today with some SPAM.
Messages began pouring into my employer somewhere around two weeks ago, flooding user accounts with crap. I mean flooding, like, can’t-delete-quick-enough, or “no time for love, Dr. Jones” flooding. Initially I ignored the report, as we haven’t had a significant spam problem in a long time. SpamAssassin coupled with RBLs and other paid and free resources has done an incredible job over the past 10 years, so I naturally assumed I had a user issue here. But today, when people inside my department, who are less likely to fall prey to an accident, started getting slammed like Tabitha Stevens in San Fernando Jones and the Temple of Poon, I finally started paying attention, and I’m glad I did.
Hundreds of thousands of messages per day were pouring into the mail servers, destined for real users, and all but a small percentage were being passed by the filters. I dug a bit deeper and found:
64.191.105
64.191.106
64.191.123
64.191.124
64.191.51
66.197.134
66.197.147
66.197.180
66.197.224
66.197.229
66.197.249
66.197.253
Fascinating, I thought. Similar class C’s, but two different class B’s. A whois shows more details:
64.191.105
Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
64.191.0.0 - 64.191.127.255
Julestynes Services JULESTYNES (NET-64-191-105-0-1)
64.191.105.0 - 64.191.105.255
# ARIN WHOIS database, last updated 2008-03-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
64.191.106
Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
64.191.0.0 - 64.191.127.255
hillside web partners HILLSIDEWEB (NET-64-191-106-0-1)
64.191.106.0 - 64.191.106.255
64.191.123
Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
64.191.0.0 - 64.191.127.255
Blue Yellow Web Partners BLUEYELLOWWEB (NET-64-191-123-0-1)
64.191.123.0 - 64.191.123.255
64.191.124
Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
64.191.0.0 - 64.191.127.255
qartfz enterprise QARTFZ (NET-64-191-124-0-1)
64.191.124.0 - 64.191.124.255
64.191.51
Network Operations Center Inc. HOSTNOC-3BLK (NET-64-191-0-0-1)
64.191.0.0 - 64.191.127.255
Forest bay net services FORESTBAYNETSVC (NET-64-191-51-0-1)
64.191.51.0 - 64.191.51.255
66.197.134
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
three g web partners THREEGWEB (NET-66-197-134-0-1)
66.197.134.0 - 66.197.134.255
66.197.147
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
Sparkspart Industries SPARKSPART (NET-66-197-147-0-1)
66.197.147.0 - 66.197.147.255
66.197.180
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
Ktgbs Operations KTGBS (NET-66-197-180-0-1)
66.197.180.0 - 66.197.180.255
66.197.224
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
Saturn Net Services STRNNET (NET-66-197-224-0-1)
66.197.224.0 - 66.197.224.255
66.197.229
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
Beedolak Networks BEEDOLAK (NET-66-197-229-0-1)
66.197.229.0 - 66.197.229.255
66.197.249
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
JSBLX Services JSBLXSERVICES (NET-66-197-249-0-1)
66.197.249.0 - 66.197.249.255
66.197.253
Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
DDLSA information systems DDLSA (NET-66-197-253-0-1)
66.197.253.0 - 66.197.253.255
So, clearly, I became keenly interested in “Network Operations Center Inc.” and kicked off an abuse mail:
It would appear that multiple dummy organizations leasing IP space from your
HOSTNOC-2BLK and HOSTNOC-3BLK and potentially others are SPAMing our
organization, rendering some people's accounts practically inaccessible.
All the samples attached originate from class C's you have sold/leased or
otherwise delegated. Were I a gambler, I'd likely bet that this is no
coincidence. Please address the matter.
Interestingly, every single mailhost had an SPF record set up, and all were passing spam checks. I banned both /17 networks from getting to our mail server, and after a couple of hours:
Mar 3 14:40:01 redacted postfix/smtpd[28234]: NOQUEUE: reject: RCPT from
mx-173.tiepart.com[66.197.180.173]: 554 <mx-173.tiepart.com[66.197.180.173]>:
Client host rejected: GO AWAY; from=<e@tiepart.com> to=<REDACT@REDACTED.NET>
proto=ESMTP helo=<mx-173.tiepart.com>
Mar 3 14:40:01 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from
mailserv150.pissmall.com[64.191.123.150]: 554 <mailserv150.pissmall.com[64.191.123.150]>:
Client host rejected: GO AWAY; from=<a@pissmall.com> to=<REDACT@REDACTED.NET>
proto=ESMTP helo=<mailserv150.pissmall.com>
MMMMMM. PISSMALL.COM. About 200,000 of those. Meanwhile, “Network Operations Center Inc.” turns out to be burst.net, an apparently legit company according to their response:
Hello.
Thank you for your report.
We have contacted our direct client regarding your report and expect a prompt response,
including action against the abuser.
If you have any questions, please let us know.
The most sophisticated spamming operation I’ve seen: SPF records, real registered domains, links to those real domains, real email accounts, all hosted here in the US, scattered across multiple class B networks, but seemingly all hosted at a single company.
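As an added example (not code from the original post), here is a Python script that parses Postfix smtpd reject lines like the ones quoted above, counts them per sender domain and per /17 client network, and renders a cidr_table body usable with Postfix's check_client_access; the log lines are constructed, modelled on the quoted ones, with placeholder recipients.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log, modelled on the Postfix reject entries in the post.
# The third reject line and the final accepted line are invented for the demo.
SAMPLE_LOG = """\
Mar 3 14:40:01 redacted postfix/smtpd[28234]: NOQUEUE: reject: RCPT from mx-173.tiepart.com[66.197.180.173]: 554 <mx-173.tiepart.com[66.197.180.173]>: Client host rejected: GO AWAY; from=<e@tiepart.com> to=<user@example.net> proto=ESMTP helo=<mx-173.tiepart.com>
Mar 3 14:40:01 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from mailserv150.pissmall.com[64.191.123.150]: 554 <mailserv150.pissmall.com[64.191.123.150]>: Client host rejected: GO AWAY; from=<a@pissmall.com> to=<user@example.net> proto=ESMTP helo=<mailserv150.pissmall.com>
Mar 3 14:40:02 redacted postfix/smtpd[28144]: NOQUEUE: reject: RCPT from mailserv151.pissmall.com[64.191.123.151]: 554 <mailserv151.pissmall.com[64.191.123.151]>: Client host rejected: GO AWAY; from=<b@pissmall.com> to=<user@example.net> proto=ESMTP helo=<mailserv151.pissmall.com>
Mar 3 14:40:03 redacted postfix/smtpd[28250]: 1A2B3C4D5E: client=mail.example.org[198.51.100.7]
"""

# Matches the client hostname/IP, envelope sender and HELO of a reject line.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]:.*?"
    r"from=<(?P<sender>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(log_text):
    """Yield one dict per smtpd reject line; non-reject lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
            yield rec


def summarize(log_text, prefixlen=17):
    """Count rejects per sender domain and per client network of prefixlen bits.

    Aggregating at /17 reproduces the two allocations the whois output showed
    (64.191.0.0/17 and 66.197.128.0/17), so scattered /24s collapse together.
    """
    by_domain, by_net = Counter(), Counter()
    for rec in parse_rejects(log_text):
        by_domain[rec["sender_domain"]] += 1
        net = ipaddress.ip_network(f"{rec['ip']}/{prefixlen}", strict=False)
        by_net[str(net)] += 1
    return by_domain, by_net


def cidr_table(by_net, action="REJECT GO AWAY"):
    """Render a Postfix cidr_table body (one 'network<TAB>action' per line)."""
    return "\n".join(f"{net}\t{action}" for net in sorted(by_net))


if __name__ == "__main__":
    domains, nets = summarize(SAMPLE_LOG)
    print(domains.most_common(), nets.most_common(), cidr_table(nets), sep="\n")
```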