From rezaf at mindspring.com Tue Jan 7 23:59:14 2014 From: rezaf at mindspring.com (Reza Farzan) Date: Tue, 7 Jan 2014 17:59:14 -0500 (GMT-05:00) Subject: [anti-abuse-wg] Bezeq International - bezeqint.net Message-ID: <5436287.1389135554944.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> Hello! Does anyone in this group knows ?BEZEQINT.NET?, or has information about this secretive ISP in Israel? In recent weeks, I received countless Spam messages [mostly sent by African/Nigerian criminals] that were originated from ?BEZEQINT.NET? servers. I report each and every one of them, but to date I have not heard anything from this ISP, and Spam messages continue to arrive on a daily basis. I have copied their contacts, as well as Israel CERT just see if any of them would respond about this on-going violations coming via their servers. Thank you! Reza Farzan From peter at hk.ipsec.se Wed Jan 8 16:36:47 2014 From: peter at hk.ipsec.se (peter h) Date: Wed, 8 Jan 2014 16:36:47 +0100 Subject: [anti-abuse-wg] Bezeq International - bezeqint.net In-Reply-To: <5436287.1389135554944.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> References: <5436287.1389135554944.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> Message-ID: <201401081636.48319.peter@hk.ipsec.se> On Tuesday 07 January 2014 23.59, you wrote: > Hello! > > Does anyone in this group knows ?BEZEQINT.NET?, or has information about this secretive ISP in Israel? > > In recent weeks, I received countless Spam messages [mostly sent by African/Nigerian criminals] that were originated from ?BEZEQINT.NET? servers. > > I report each and every one of them, but to date I have not heard anything from this ISP, and Spam messages continue to arrive on a daily basis. > > I have copied their contacts, as well as Israel CERT just see if any of them would respond about this on-going violations coming via their servers. > > Thank you! > > Reza Farzan bezeqint is a wellknown spamnest. They don't seem to care, best action is block. The current ranges used by them is ( efter removing duplicates ) : 109.64.0.0/14 109.65.0.0/16 109.66.0.0/16 109.67.0.0/16 192.115.104.0/22 192.115.128.0/21 192.117.232.0/21 212.179.160.0/19 212.179.80.0/20 212.25.64.0/19 62.219.0.0/16 62.219.112.0/20 62.219.128.0/19 62.219.192.0/19 62.219.224.0/19 62.219.32.0/19 62.219.96.0/20 79.176.0.0/16 79.176.128.0/20 79.176.136.0/21 79.176.32.0/20 79.177.0.0/16 79.177.192.0/20 79.177.224.0/20 79.177.32.0/20 79.178.0.0/16 79.179.0.0/16 79.179.0.0/20 79.179.112.0/20 79.179.16.0/20 79.179.192.0/20 79.179.64.0/20 79.180.0.0/16 79.180.0.0/20 79.180.112.0/20 79.180.96.0/19 79.181.0.0/16 79.182.0.0/16 79.182.112.0/20 79.182.176.0/20 79.182.96.0/20 79.183.0.0/16 79.183.0.0/20 79.183.112.0/20 79.183.224.0/20 79.183.64.0/20 81.218.128.0/19 81.218.160.0/19 82.80.0.0/15 84.108.0.0/14 84.108.0.0/16 84.109.0.0/16 84.109.208.0/20 84.109.96.0/20 84.110.112.0/20 84.110.128.0/20 84.110.16.0/20 84.110.192.0/20 84.110.208.0/20 84.110.240.0/20 84.110.64.0/20 84.110.80.0/20 84.111.0.0/18 84.111.112.0/20 84.111.16.0/20 85.130.224.0/20 > > > -- Peter H?kanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. ( Det ?r billigare att g?ra r?tt. Det ?r dyrt att laga fel. ) From nvrom at 013netvision.co.il Wed Jan 8 09:34:21 2014 From: nvrom at 013netvision.co.il (Rom Shahak) Date: Wed, 8 Jan 2014 08:34:21 +0000 Subject: [anti-abuse-wg] Bezeq International - bezeqint.net In-Reply-To: <5436287.1389135554944.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> References: <5436287.1389135554944.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> Message-ID: Hello Reza, We have working relationship with them and if you will send me some technical details such as meta data of the spam and your contact details I will ask our abuse department to give them a call and forward to them this info. Thanks Rom -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Reza Farzan Sent: Wednesday, January 08, 2014 12:59 AM To: anti-abuse-wg at ripe.net Cc: hostmaster at bezeqint.net; Israel CERT; abuse at web.com; abuse at bezeqint.net Subject: [anti-abuse-wg] Bezeq International - bezeqint.net Hello! Does anyone in this group knows ?BEZEQINT.NET?, or has information about this secretive ISP in Israel? In recent weeks, I received countless Spam messages [mostly sent by African/Nigerian criminals] that were originated from ?BEZEQINT.NET? servers. I report each and every one of them, but to date I have not heard anything from this ISP, and Spam messages continue to arrive on a daily basis. I have copied their contacts, as well as Israel CERT just see if any of them would respond about this on-going violations coming via their servers. Thank you! Reza Farzan From rezaf at mindspring.com Mon Jan 13 18:45:37 2014 From: rezaf at mindspring.com (Reza Farzan) Date: Mon, 13 Jan 2014 12:45:37 -0500 (GMT-05:00) Subject: [anti-abuse-wg] Bezeq International - bezeqint.net Message-ID: <15766260.1389635138427.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> Hello Rom, Thank you for response here. This past weekend, I forwarded you two more Spam messages with their complete headers that had come from "bezeqint.net" e-mail servers. And here is another one, sent by Nigerian criminals, that came this morning: --- Return-Path: Received: from samuel.mail.atl.earthlink.net ([207.69.200.65]) by mdl-raibs.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1w2IKm1Xd3Nl36y0; Mon, 13 Jan 2014 09:44:10 -0500 (EST) Received: from sa10.bezeqint.net ([192.115.104.24]) by samuel.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1w2IKk6Ed3Nl3pv0 for ; Mon, 13 Jan 2014 09:44:09 -0500 (EST) Received: from User (bzq-79-179-14-87.red.bezeqint.net [79.179.14.87]) by sa10.bezeqint.net (Bezeq International SMTP out Mail Server) with SMTP id B9D051C286; Mon, 13 Jan 2014 15:12:06 +0200 (IST) Reply-To: From: "Mrs. Carman Lapointe-Young." Subject: With Trust Date: Mon, 13 Jan 2014 14:12:12 +0100 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <201401130944.1w2IKk6Ed3Nl3pv0 at samuel.mail.atl.earthlink.net> X-ELNK-Received-Info: spv=1; X-ELNK-AV: 0 --- As you see, this Spam had come "from User (bzq-79-179-14-87.red.bezeqint.net [79.179.14.87])". These fraudsters, have created an Ukraine-based e-mail address, , to manage their scam. In every instance that I have reported so far, these African based criminals have direct access to "bezeqint.net" e-mail servers. and are able to send anything that they want, and this ISP does not do anything to prevent or stop these criminals from using its e-mail servers. Perhaps you could use your good working relationship with Bezeq International and remind them that if they continue providing such an easy access to criminals, other networks and ISPs will block all their IP addresses and will block any traffic coming from their servers, if they have not done already. Thank you, Reza Farzan +++++ -----Original Message----- >From: Rom Shahak >Sent: Jan 8, 2014 3:34 AM >To: Reza Farzan , "anti-abuse-wg at ripe.net" >Cc: Israel CERT >Subject: Re: [anti-abuse-wg] Bezeq International - bezeqint.net > >Hello Reza, > >We have working relationship with them and if you will send me some technical details such as meta data of the spam and your contact details I will ask > >our abuse department to give them a call and forward to them this info. > >Thanks > >Rom > >-----Original Message----- >From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Reza Farzan >Sent: Wednesday, January 08, 2014 12:59 AM >To: anti-abuse-wg at ripe.net >Cc: hostmaster at bezeqint.net; Israel CERT; abuse at web.com; abuse at bezeqint.net >Subject: [anti-abuse-wg] Bezeq International - bezeqint.net > >Hello! > >Does anyone in this group knows ?BEZEQINT.NET?, or has information about this secretive ISP in Israel? > >In recent weeks, I received countless Spam messages [mostly sent by African/Nigerian criminals] that were originated from ?BEZEQINT.NET? servers. > >I report each and every one of them, but to date I have not heard anything from this ISP, and Spam messages continue to arrive on a daily basis. > >I have copied their contacts, as well as Israel CERT just see if any of them would respond about this on-going violations coming via their servers. > >Thank you! > >Reza Farzan From h.lu at anytimechinese.com Thu Jan 23 21:06:58 2014 From: h.lu at anytimechinese.com (Lu Heng) Date: Thu, 23 Jan 2014 21:06:58 +0100 Subject: [anti-abuse-wg] So now spam on v6? Message-ID: Hey Guys: Just receive following today, wonder how trillions of address only worth 2000USD:): Hi, We are media company specializing in PPC and high-traffic campaigns. For our email operations we are looking to lease a IPv6 space. We guarantee that our marketing operation does not generate any complaints. If you have a /29 or few /32 available that you could lease then let me know. Since IPv6 is experimental I am willing to pay up to $400 for a /32 lease on which I will test 4-5 days. If testing is successful, I will take 2x /32 space and commit to use minimum 6-month. Payment will be like this: 1st month = $2000 x 1 /32s 2,3,4 month = $1500 5,6 month = $1100 Let me know. -- -- Kind regards. Lu This transmission is intended solely for the addressee(s) shown above. It may contain information that is privileged, confidential or otherwise protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited. If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received. From rezaf at mindspring.com Thu Jan 23 21:38:02 2014 From: rezaf at mindspring.com (Reza Farzan) Date: Thu, 23 Jan 2014 15:38:02 -0500 (GMT-05:00) Subject: [anti-abuse-wg] So now spam on v6? Message-ID: <17138728.1390509482367.JavaMail.root@elwamui-lapwing.atl.sa.earthlink.net> Hello Lu Heng, Regardless of the Subject matter and Sender's name, please look at the e-mail's complete header, and check the sender's IP address (es). Many of the messages similar to what you have received often come from compromised servers, and they ask you to respond to e-mail strange addresses in a different country, or even continent. For more information about this subject, please see this page: http://en.wikipedia.org/wiki/IPv6 You may also want to visit this site as well: http://www.worldipv6launch.org/ Thank you, Reza Farzan ++++ -----Original Message----- >From: Lu Heng >Sent: Jan 23, 2014 3:06 PM >To: "anti-abuse-wg at ripe.net" >Subject: [anti-abuse-wg] So now spam on v6? > >Hey Guys: > >Just receive following today, wonder how trillions of address only >worth 2000USD:): > >Hi, > > > >We are media company specializing in PPC and high-traffic campaigns. >For our email operations we are looking to lease a IPv6 space. We >guarantee that our marketing operation does not generate any >complaints. > > > >If you have a /29 or few /32 available that you could lease then let >me know. Since IPv6 is experimental I am willing to pay up to $400 for >a /32 lease on which I will test 4-5 days. If testing is successful, I >will take 2x /32 space and commit to use minimum 6-month. Payment will >be like this: > > > >1st month = $2000 x 1 /32s > >2,3,4 month = $1500 > >5,6 month = $1100 > > > >Let me know. > > >-- >-- >Kind regards. >Lu > >This transmission is intended solely for the addressee(s) shown above. >It may contain information that is privileged, confidential or >otherwise protected from disclosure. Any review, dissemination or use >of this transmission or its contents by persons other than the >intended addressee(s) is strictly prohibited. If you have received >this transmission in error, please notify this office immediately and >e-mail the original at the sender's address above by replying to this >message and including the text of the transmission received. > From elvis at velea.eu Thu Jan 23 21:43:33 2014 From: elvis at velea.eu (Elvis Velea) Date: Thu, 23 Jan 2014 21:43:33 +0100 Subject: [anti-abuse-wg] So now spam on v6? In-Reply-To: References: Message-ID: <52E17EF5.90103@velea.eu> Hi Lu, I think the message is a hoax... it costs less to open an LIR and use a /29 for at least a year. cheers, elvis On 23/01/14 21:06, Lu Heng wrote: > Hey Guys: > > Just receive following today, wonder how trillions of address only > worth 2000USD:): > > Hi, > > > > We are media company specializing in PPC and high-traffic campaigns. > For our email operations we are looking to lease a IPv6 space. We > guarantee that our marketing operation does not generate any > complaints. > > > > If you have a /29 or few /32 available that you could lease then let > me know. Since IPv6 is experimental I am willing to pay up to $400 for > a /32 lease on which I will test 4-5 days. If testing is successful, I > will take 2x /32 space and commit to use minimum 6-month. Payment will > be like this: > > > > 1st month = $2000 x 1 /32s > > 2,3,4 month = $1500 > > 5,6 month = $1100 > > > > Let me know. > > From ebais at a2b-internet.com Thu Jan 23 21:50:29 2014 From: ebais at a2b-internet.com (Erik Bais) Date: Thu, 23 Jan 2014 21:50:29 +0100 Subject: [anti-abuse-wg] So now spam on v6? In-Reply-To: <52E17EF5.90103@velea.eu> References: <52E17EF5.90103@velea.eu> Message-ID: Hi Elvis, Sadly this is not a hoax ... As the renting person isn't mentioned in the registry .. And that is their goal ... They want to abuse the space and move on ... Erik Bais Verstuurd vanaf mijn iPad Op 23 jan. 2014 om 21:43 heeft Elvis Velea het volgende geschreven: > Hi Lu, > > I think the message is a hoax... > > it costs less to open an LIR and use a /29 for at least a year. > > cheers, > elvis > > On 23/01/14 21:06, Lu Heng wrote: >> Hey Guys: >> >> Just receive following today, wonder how trillions of address only >> worth 2000USD:): >> >> Hi, >> >> >> >> We are media company specializing in PPC and high-traffic campaigns. >> For our email operations we are looking to lease a IPv6 space. We >> guarantee that our marketing operation does not generate any >> complaints. >> >> >> >> If you have a /29 or few /32 available that you could lease then let >> me know. Since IPv6 is experimental I am willing to pay up to $400 for >> a /32 lease on which I will test 4-5 days. If testing is successful, I >> will take 2x /32 space and commit to use minimum 6-month. Payment will >> be like this: >> >> >> >> 1st month = $2000 x 1 /32s >> >> 2,3,4 month = $1500 >> >> 5,6 month = $1100 >> >> >> >> Let me know. >> >> > > From me at payam124.com Thu Jan 23 21:58:16 2014 From: me at payam124.com (Payam Poursaied) Date: Thu, 23 Jan 2014 21:58:16 +0100 Subject: [anti-abuse-wg] So now spam on v6? In-Reply-To: <52E17EF5.90103@velea.eu> References: <52E17EF5.90103@velea.eu> Message-ID: <06e201cf187d$d70855a0$851900e0$@payam124.com> Financially very good point, But I believe, RIPE (and/or other RIRs) requests more official documents and signed contract! And spammers may prefer to keep themselves uncaught. -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Elvis Velea Sent: Thursday, January 23, 2014 9:44 PM To: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] So now spam on v6? Hi Lu, I think the message is a hoax... it costs less to open an LIR and use a /29 for at least a year. From h.lu at anytimechinese.com Thu Jan 23 22:15:22 2014 From: h.lu at anytimechinese.com (H.Lu) Date: Thu, 23 Jan 2014 22:15:22 +0100 Subject: [anti-abuse-wg] So now spam on v6? In-Reply-To: <52E17EF5.90103@velea.eu> References: <52E17EF5.90103@velea.eu> Message-ID: <5A2C586D-E60C-4CBF-913F-2E3A313412D7@anytimechinese.com> Hi guys: Sharing this email here for two reasons 1. It's so funny someone would pay 2000usd for a trillion address. 2. IPv6 already being spammed? How we going to stop it? Block whole /29? Wonder if there is already a good technical solution to this. Kind regards Lu > On 2014?1?23?, at ??9:43, Elvis Velea wrote: > > Hi Lu, > > I think the message is a hoax... > > it costs less to open an LIR and use a /29 for at least a year. > > cheers, > elvis > >> On 23/01/14 21:06, Lu Heng wrote: >> Hey Guys: >> >> Just receive following today, wonder how trillions of address only >> worth 2000USD:): >> >> Hi, >> >> >> >> We are media company specializing in PPC and high-traffic campaigns. >> For our email operations we are looking to lease a IPv6 space. We >> guarantee that our marketing operation does not generate any >> complaints. >> >> >> >> If you have a /29 or few /32 available that you could lease then let >> me know. Since IPv6 is experimental I am willing to pay up to $400 for >> a /32 lease on which I will test 4-5 days. If testing is successful, I >> will take 2x /32 space and commit to use minimum 6-month. Payment will >> be like this: >> >> >> >> 1st month = $2000 x 1 /32s >> >> 2,3,4 month = $1500 >> >> 5,6 month = $1100 >> >> >> >> Let me know. > > From Woeber at CC.UniVie.ac.at Thu Jan 23 22:18:36 2014 From: Woeber at CC.UniVie.ac.at (Wilfried Woeber) Date: Thu, 23 Jan 2014 22:18:36 +0100 Subject: [anti-abuse-wg] So now spam on v6? In-Reply-To: References: Message-ID: <52E1872C.6010702@CC.UniVie.ac.at> Well, if this is *not* a hoax (or some clueless crackpot still thinking in terms of IPv4), then this is actually a good sign :-) It would imply that there are enough IPv6-enabled delivery points already to make spam campaines over v6 commercially feasable. Although - if this is not a crackpot - it may at the same time be an indication that many shops do not have basic safeguards for v6 in place yet. Interesting, Wilfried