012 Golden Lines / Kavei Zahav - spamhaus with a long history of absolutely ignoring complaints. Null routed!

[62.128.55.0 - 62.128.60.255], [80.178.0.0 - 80.179.255.255], [212.199.0.0 - 212.199.255.255]: Null routed!

=== One of the last evidences. Spammers host on corporate IPs, too?.. ===

Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!logbridge.uoregon.edu!newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
From: "Giblet - USA Resident"
Subject: [PING SPEWS/SBL]Re: Please Remove The Block On IL.Goldenlines
Approved: NANAB Moderators
Content-Type: text/plain; charset="iso-8859-1"
X-Postfilter: 1.1
X-Complaints-To: abuse@bright.net
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-Abuse-And-Dmca-Info: Otherwise we will be unable to process your complaint properly
X-Dmca-Complaints-To: abuse@bright.net
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1165
Sender: nanab@zorch.sf-bay.org (Charlie Root)
NNTP-Posting-Host: 216.114.194.20
Content-Transfer-Encoding: 7bit
Nntp-Posting-Date: Sat, 20 Mar 2004 23:58:15 -0600
X-Authentication-Warning: serv1.gc.ash.giganews.com: news set sender to poster@giganews.com using -f
Organization: Collocated; Los Angeles, CA
Message-ID:
X-Msmail-Priority: Normal
X-Spamscanner: mailbox6.ucsd.edu (v1.4 Mar 2 2004 11:47:57, 1.0/5.0 2.63)
References: <148981b1.0403161547.4c19d369@posting.google.com>
X-Spam-Level: Level *
X-Trace: sv3-q7yJR8fIzmzcq4t/KVN3n6eKS1q4sCiwM0QypgzhgfLw2HiNxy8lfefhOH8k4GNcotlonB3h6zDxdwm!nQ9c9uHf/+bjpaUhmShiTDAEqbyVlFVvwkh9os4nsZ5SKPgttQmap9A+xpesHv02TyX43keDKg==
X-Priority: 3
Mime-Version: 1.0
X-Mailscanner: PASSED (v1.2.8 238 i2L5wGLW005960 mailbox6.ucsd.edu)
Date: Sun, 21 Mar 2004 07:12:36 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 124
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:5511

Giblet - USA Resident wrote:
>>
>> Reports were sent to goldenlines.net.il / 012.net on the 31st
>> January,
>> the 5th
>> of February and the 8th of March.
>>
>
>
> For a background on the activity in my proxypot, See:
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&q=giblet+goldenlines&sa=N&tab=wg
>
> These IPs are/were hosting the e-m-g/eglobal spamware vermin.
> --
> Gib

Unbelievably, Proxy hijacking has AGAIN been detected in one of my honeypots from 212.199.212.0/24. I am at this very moment watching the exact same IP addresses I caught in December 2003 *again* hijacking my honeypot on 4/21/2004 - Several days AFTER goldenlines/012.net.il posted to NANAE/NANABl asking for removal.

Furthermore, the EMG proxy-hijacking spamware is *still* being hosted on these same IPs.

For a background of EMG being a proxy-hijacking spamware service, see the SBL record, which quotes one of my December posts:

"eglobal.co.il a division of E-M-G.com is an opt-in email International Marketing Firm who's opt-in email network of newsletter publishers and email list owners can reach millions of consumers through advertising."

The SMTP banner being returned by a couple of the 212.199.212.x IPs clearly shows that EMG is still in control of this netblock - BUT also shares this netblock with 012.net.il administrative pages as well. It is pretty apparent that EMG is being hosted directly within an 012.net.il administrative subnet!:

212.199.212.5 answers as "emg1up":

#> telnet 212.199.212.5 25
Trying 212.199.212.5...
Connected to 212.199.212.5.
Escape character is '^]'.
220 emg1up Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Sun, 21 Mar 2004 07:xx:xx -0900
(timestamp munged by me)
quit
221 2.0.0 emg1up Service closing transmission channel

===================================

212.199.212.10 answers as "emg2dn"

#> telnet 212.199.212.10 25
Trying 212.199.212.10...
Connected to 212.199.212.10.
Escape character is '^]'.
220 emg2dn Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Sat, 20 Mar 2004 21:20:21 -0800
quit
221 2.0.0 emg2dn Service closing transmission channel

==================================

Now the even more interesting part.... visiting http://212.199.212.20/ is some kind of internal 012.net.il administrative IP lookup/Dig tool, referencing http://212.199.212.20//cgi-bin/dig.pl - and proudly displaying the 012.net.il logo http://212.199.212.20/012.gif.

==================================

And more interesting yet: http://212.199.212.21/ simply displays a test website with the text "test.012.net.il"

==================================

It is my (STRONG) personal opinion that administrators at 012.net.il have been corrupted - paid off by the EMG proxy spamware spammers. I come to this conclusion after witnessing 012.net.il internal administrative/test pages intermingled among EMG proxy spammer IPs, coupled with the fact that both Goldenlines.net.il AND 012.net.il administrators have been made fully aware of the activity from this netblock on numerous occasions over the course of several months, and have been reading this NANAE thread, which has also explained the rampant criminal activity and proxy hijacking.

The response I received several months ago from WHOIS contact lir(AT)goldenlines.net.il asking me to contact abuse@012.net.il is absolute proof that 012.net.il/Goldenlines.net.il administrators have received the previous complaints and honeypot logs I sent on multiple occasions.

For my previous documented futile efforts attempting to notify 012.net.il/goldenlines.net.il of the 212.199.212.x activity, see:

http://groups.google.com/groups?q=giblet+hijacking+nest&hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&selm=H_ednUblfsrnKk2iRVn-sw%40bright.net&rnum=2
http://groups.google.com/groups?q=giblet+decision-making&hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&selm=EJidnVFl6pcCyU6iRVn-iw%40bright.net&rnum=1

This game is getting very, VERY old.
I hereby propose expanding the blocklisting to include the 012.net.il corporate mailservers. I also feel that the groundwork is being laid for an IDP proposal against 012.net.il for knowingly harboring proxy hijacking spam gangs on machines within their internal administrative subnets.

--
Gib

--
Comments posted to news.admin.net-abuse.blocklisting are solely the responsibility of their author. Please read the news.admin.net-abuse.blocklisting FAQ at http://www.blocklisting.com/faq.html before posting.

=== And they are aware of the problems ===

Newsgroups: news.admin.net-abuse.blocklisting
Path: uni-berlin.de!fu-berlin.de!headwall.stanford.edu!newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
From: "Dick Cardy"
Subject: Message For Gib re the clowns at 012
Approved: NANAB Moderators
X-Orig-X-Trace: news.uni-berlin.de 1079870802 75619192 I 217.22.114.19 ([195806])
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1165
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Organization: Collocated; Los Angeles, CA
Message-ID:
X-Msmail-Priority: Normal
X-Spamscanner: mailbox6.ucsd.edu (v1.4 Mar 2 2004 11:47:57, 0.8/5.0 2.63)
X-Spam-Level: Level
X-Priority: 3
X-Orig-Nntp-Posting-Host: 217.22.114.19
X-Mailscanner: PASSED (v1.2.8 88767 i2LC6i48096340 mailbox6.ucsd.edu)
Date: Sun, 21 Mar 2004 16:17:31 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 24
Xref: uni-berlin.de news.admin.net-abuse.blocklisting:5514

Gib

I have

1. Forwarded your NG post to them
2. Got my ISP, who has a business relationship with 012, to get on their case

So far I have received the standard 012 auto-ack

I am trying to talk to Raz on the phone

Will update you.

Dick

--
Comments posted to news.admin.net-abuse.blocklisting are solely the responsibility of their author. Please read the news.admin.net-abuse.blocklisting FAQ at http://www.blocklisting.com/faq.html before posting.