Smartypants.com » Network Abuse, News
 

 

 


An open letter to comment spammers
Posted by Stephen B. on April 8th, 2013

To the brain donors posting comment spam from the IP addresses 217.164.214.91, 110.206.98.78, and 116.54.231.5:

Would you like to know one of the best ways to get someone to dedicate themselves to having your site shut down and reporting it to as many relevant authorities as possible? Create a site that promotes child pornography, and then spam a hosting/IT company’s blog with links to it.


Network Abuse Update – 2013-03-30
Posted by Stephen B. on March 30th, 2013

Due to the large number of IP addresses in this update, please click the “More” link to view the details.

(more…)


Network Abuse Update – 2013-03-17
Posted by Stephen B. on March 17th, 2013

Today’s new additions to our blacklist:

Broken bots
N/A

WordPress Comment spam

Contact form spam
46.119.113.106
142.4.127.20

CPanel brute-force attempts
N/A

EMail spam


Network Abuse Update – 2013-03-12
Posted by Stephen B. on March 12th, 2013

Today’s new additions to our blacklist:

Broken bots
N/A

WordPress Comment spam

Contact form spam
46.118.125.69
120.194.22.114
218.85.48.199

CPanel brute-force attempts
N/A

EMail spam
108.62.42.38
209.85.160.51
208.115.196.54


Network Abuse Update – 2013-03-10
Posted by Stephen B. on March 10th, 2013

Today there are 4 new additions to our blacklist:

Broken bots
123.151.148.158

WordPress Comment spam

Contact form spam
94.19.191.183
79.133.217.242
221.120.227.235

CPanel brute-force attempts
N/A

EMail spam

 


Network Abuse Update – 2013-03-05
Posted by Stephen B. on March 5th, 2013

Today there are 4 new additions to our blacklist:

WordPress Comment spam
54.232.22.12
171.5.148.22
213.154.203.148

Contact form spam
N/A

CPanel brute-force attempts
N/A

EMail spam
192.162.137.62

 


Network Abuse Update – 2013-03-04
Posted by Stephen B. on March 4th, 2013

Today there are 5 new additions to our blacklist:

WordPress Comment spam
212.33.216.66
122.76.247.83
84.200.8.117

Contact form spam
N/A

CPanel brute-force attempts
93.186.115.188
204.93.196.86

 


Network Abuse Update – 2013-03-03
Posted by Stephen B. on March 3rd, 2013

At Smartypants.com, we take a zero-tolerance policy towards network abuse. In practice, this means that we maintain a server-wide blacklist of IP addresses and IP ranges – when malicious traffic is detected from an IP address, that IP is added to our blacklist. We also check if there are already other blacklisted IPs in the same range – if so, we blacklist the entire range.

There are three main types of malicious traffic that will earn someone a spot in our blacklist: attempts to use brute-force to break into a hosting control panel account, sending spam (unsolicited commercial EMail), and sending contact form spam (or comment spam, for blog sites). There are, of course, many other types of malicious traffic, but these are the most common.
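As an added illustration of the range-escalation rule described above (this is not code from Smartypants.com), here is a small Python model of such a blacklist. It assumes a /24 as the “range”, which the post does not specify, and the sample hits are constructed TEST-NET addresses, not entries from any list on this page.

```python
import ipaddress

class Blacklist:
    """Server-wide blacklist of single hosts and whole ranges.
    The range size is an assumption (/24); the post does not state one."""

    def __init__(self, range_prefix=24):
        self.range_prefix = range_prefix
        self.hosts = set()    # individually blacklisted addresses
        self.ranges = set()   # ranges escalated after a second hit

    def range_of(self, ip):
        """The enclosing range of an address, e.g. 203.0.113.10 -> 203.0.113.0/24."""
        return ipaddress.ip_network(f"{ip}/{self.range_prefix}", strict=False)

    def add(self, ip_str):
        """Blacklist one address. If another blacklisted host already sits in
        the same range, block the whole range instead; return what is now blocked."""
        ip = ipaddress.ip_address(ip_str)
        net = self.range_of(ip)
        if net in self.ranges:
            return str(net)                       # already covered by a range block
        if any(h in net for h in self.hosts if h != ip):
            self.ranges.add(net)                  # second hit: escalate to the range
            self.hosts -= {h for h in self.hosts if h in net}
            return str(net)
        self.hosts.add(ip)
        return str(ip)

    def is_blocked(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        return ip in self.hosts or any(ip in n for n in self.ranges)

def describe_range(cidr):
    """Express a range the way the Constant Contact post below does:
    first-last address, CIDR, and network/netmask."""
    net = ipaddress.ip_network(cidr)
    return (f"IP Range: {net[0]} - {net[-1]}\n"
            f"CIDR: {net.with_prefixlen}\n"
            f"Network/Netmask: {net.network_address} {net.netmask}")

# Constructed sample hits using TEST-NET addresses, not IPs from the page's lists.
SAMPLE_HITS = ["203.0.113.10", "198.51.100.7", "203.0.113.200"]

def demo():
    """Feed the sample hits in; the third one escalates 203.0.113.0/24."""
    bl = Blacklist()
    outcomes = [bl.add(ip) for ip in SAMPLE_HITS]
    return outcomes, bl.is_blocked("203.0.113.77"), describe_range(outcomes[-1])
```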

We’ve decided to start publishing regular updates, so that others may benefit from the information that we’ve collected.

Today there are 11 new additions to our blacklist:

WordPress Comment spam

Contact form spam
142.4.117.121
173.199.116.235
37.59.151.193

CPanel brute-force attempts
60.173.10.166
190.120.228.227


Constant Contact IP Ranges 208.75.123.0 – 208.75.123.255
Posted by Smartypants.com on January 31st, 2013

In an earlier post, I mused about finding the list of IP addresses that bulk emailer Constant Contact uses to send out their email messages. So today, I went looking.

Among the first results is an article with the title ‘The Battle of the Inbox’ on the Constant Contact site that talks about how to get around those pesky people and companies who don’t want their inbox attacked every time a Constant Contact customer has the urge to send out some earth-shatteringly important missive about a new way for them to get at your money.

No IP ranges listed there, though. So I kept looking and, lo and behold, the St. Lawrence Seaway is one of several places to find the answer. Ironically, it’s part of a post on the Seaway site about how to get those pesky systems administrators who do their best to keep your inbox safe to let down the barriers so that Constant Contact’s digital warriors can get through and, I presume, win the battle.

The list is often part of a form letter – there are various examples online – created by Constant Contact to send to system administrators who are blocking Constant Contact emails from entering their networks.

At any rate, here are the ranges:

IP Range: 208.75.123.0 – 208.75.123.255
CIDR: 208.75.123.0/24
Network/Netmask: 208.75.123.0 255.255.255.0

Specific IPs sending from this range:


And here’s another list of possible legacy email sources:

Your system administrator could use a list like this to reject email from the computers / computer networks at those IP addresses.

I’ve heard from Constant Contact who offered a briefing with their head of compliance. I’m hoping for mid February.

Some organizations use the company’s services for content that recipients requested and actually want. In my experience, the majority of sources of Constant Contact email parachuting into our inboxes didn’t fit into that category.

The dilemma facing system administrators is this: if I let one Constant Contact customer send mail into my network, then I’m opening the door to all current and future Constant Contact customers.

The company admits that a lot of customers tend to let marketing enthusiasm overcome their adherence to the rules of war, and it even offers extensive educational materials about email etiquette and legal requirements, should they care to read them.

With most of us moving to mobile, unwanted junk landing in our inboxes is becoming more expensive. Bulk email marketers seem either blissfully unaware or willfully blind to the fact that unwanted junk mail sent to mobile devices is being paid for by the recipient as part of their data plan.

Imagine if the junk flyers dumped into your physical mailbox came with a Postage Due notice from the Post Office. If that’s wrong, why should it be okay to shift the cost of digital advertising onto the recipient’s mobile phone bill?

-g

 


Digiweb Ireland Keeps Bank Phisher Online
Posted by Smartypants.com on January 30th, 2013

Three days after we reported to Digiweb.ie that an apparently abandoned web site they host (AskGareth.com) is home to at least three infected directories being used in a global phishing scam aimed at CIBC (Canadian Imperial Bank of Commerce) customers, the malware is still happily infecting anyone duped by the phishing emails to visit the Digiweb server.

Emails sent to Gareth O’Shea at the address listed in his site’s domain name registration bounced.

Emails sent to technical contact John McKenna at Digiweb were ignored, so additional copies were sent to Michael Doyle, Digiweb Ireland’s Chief Financial Officer and the media contact listed on their web site. And ignored.

How do we know they’re ignored? Because overnight, another set of phishing emails arrived pointing to yet another infected file on the AskGareth.com site, hosted by Digiweb and apparently abandoned sometime last year. As of the time of writing, ALL of the malware links in the phishing emails pointing to the Digiweb network are still in full operation.

It’s truly unfortunate, given the dramatic rise in identity theft worldwide and the well-documented fact that the vast majority of online identity theft attacks are intended to steal money from existing bank accounts, that an ISP calling itself “Ireland’s leading independent telecommunications company” would be so totally cavalier about hosting one of the key elements that cybercriminals need to steal money.

Sad and pathetic.

-g

 
