I do not like spam in my inbox, but sometimes I let it build up so I can blast through the patterns and dig up some bad guys.

So I start off by looking at the headers of some auto insurance spam and see:

autoraste.com     188.229.19.202
Reported by dns5.registrar-servers.com

That IP address is not on any blacklists and I have no other spam from that domain name, BUT... a lookup of the MX records (the hosts that accept mail for the domain) tells a different story.

That is a lot of mail servers, so more than likely there is a shared-hosting mass mail service here, or some unmanaged colo.

  • 10 eforward1.registrar-servers.com
    Blacklists: None
  • 10 eforward2.registrar-servers.com 38.101.213.202
    Blacklists: None
  • 10 eforward3.registrar-servers.com 205.251.134.191
    Blacklists: None
  • 15 eforward4.registrar-servers.com 69.160.33.74 30
    Blacklists: None
  • 20 eforward5.registrar-servers.com 50.30.32.27 30
    Blacklists:
    • BACKSCATTERER
    • MAILSPIKE-BL
    • SPAMCANNIBAL

Reported by dns2.registrar-servers.com

Next, a search for registrar-servers.com in the headers of the email in my inbox reveals 88 spams from those servers THIS MONTH!

A search for 188.229.19.202 in the headers of the email in my inbox reveals only ONE THIS MONTH!

A search for 188.229.19. in the headers of the email in my inbox reveals only 33 THIS MONTH, so what IP addresses are the rest coming from?

The one that got me looking here was 188.229.19.202:

  1. 188.229.19.202
    Return-Path:
    X-Spam-Relay-Countries: EU **
    X-Spam-ASN: AS50915 188.229.19.0/24
  2. [10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com.]
    [188.229.19.196]
  3. X-Spam-RBL-Report: [10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com.]
    [188.229.19.233]
  4. X-Spam-RBL-Report: [188.229.19.208]
    [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
  5. X-Spam-RBL-Report: [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
    [188.229.19.124]
  6. X-Spam-RBL-Report: [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
    [95.64.32.244]
  7. X-Spam-RBL-Report: [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
    [188.229.19.176]
  8. X-Spam-RBL-Report: [188.229.19.154]
    [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
  9. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [188.229.19.167]
  10. X-Spam-RBL-Report: [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
    [95.64.32.235]
  11. X-Spam-RBL-Report: [95.64.32.203]
    [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
  12. X-Spam-RBL-Report: [188.229.19.191]
    [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
  13. X-Spam-RBL-Report: [188.229.19.220]
    [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
  14. X-Spam-RBL-Report: [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.] [188.229.19.173]
  15. X-Spam-RBL-Report: [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
    [69.64.42.191]
  16. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [188.229.19.195]
  17. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [188.229.19.180]
  18. X-Spam-RBL-Report: [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
    [95.64.32.247]
  19. X-Spam-RBL-Report: [188.229.19.44]
    [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
  20. X-Spam-RBL-Report: [10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com.]
    [95.64.32.245]
  21. X-Spam-RBL-Report: [188.229.19.64]
    [10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com.]
  22. X-Spam-RBL-Report: [10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com.]
    [188.229.19.54]
  23. X-Spam-RBL-Report: [188.229.19.2]
    [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
  24. X-Spam-RBL-Report: [95.64.32.234]
    [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
  25. X-Spam-RBL-Report: [95.64.32.230]
    [10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com.]
  26. X-Spam-RBL-Report: [95.64.32.253]
    [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
  27. X-Spam-RBL-Report: [10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com.]
    [188.229.19.14]
  28. X-Spam-RBL-Report: [95.64.32.226]
    [10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com.]
  29. X-Spam-RBL-Report: [95.64.32.226]
    [10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com.]
  30. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [188.229.19.4]
  31. X-Spam-RBL-Report: [188.229.19.7]
    [10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com.]
  32. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [188.229.19.48]
  33. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [188.229.19.49]
  34. X-Spam-RBL-Report: [10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com.]
    [188.229.19.9]
  35. X-Spam-RBL-Report: [95.64.32.13]
    [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
  36. X-Spam-RBL-Report: [15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com.]
    [173.233.75.44]
  37. X-Spam-RBL-Report: [130.93.43.70]
    [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]

OK, there are more, but I am bored!

Check out the patterns:

  • [95.64.32.*] 18 spams in 30 days
  • [188.229.19.*] 23 Spams in 30 days
  • [173.233.75.*] 7 Spams in 30 days
  • [130.93.43.*] 7 Spams in 30 days

A whois on the 173.233.75.* range:

NetRange: 173.233.64.0 – 173.233.95.255
CIDR: 173.233.64.0/19
OriginAS: AS40244
NetName: TURNKEY-INTERNET
NetHandle: NET-173-233-64-0-1

So after I pull all of those, I decide to whittle it down further and search for just eforward, and I find another 33 spams in the last 30 days!

  1. X-Spam-RBL-Report: [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]
    [69.64.42.191]
  2. X-Spam-RBL-Report: [20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.]
    [212.117.161.231]
  3. X-Spam-RBL-Report: [10 eforward2.registrar-servers.com., 10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com.]
    [130.93.40.5] (26 spams 130.93.40.*)
  4. X-Spam-RBL-Report: [130.93.42.90] (6 spams 130.93.42.*)
    [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com., 20 eforward5.registrar-servers.com., 10 eforward1.registrar-servers.com., 10 eforward2.registrar-servers.com.]

Pattern matching:

  • [130.93.40.*] 26 spams
  • [130.93.42.*] 6 spams
  • [212.117.161.*] 1 spam

When it gets this deep and obfuscated, it really does seem pointless to contact the abuse folks managing the servers, so I just block them from delivering to our servers. AND THAT MAKES MY DAY!

One thing to key the block on: the connecting relay (the bracketed IP and its /24), not the eforward MX names. Those names are the MX records of the sending domain, where mail *to* that domain goes, and the same five hosts show up for every sender above, so a block keyed on them would also catch any legitimate domain that happens to share those MX hosts.
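The header sifting above (tallying spam by relay /24, counting how many messages share the registrar-servers.com MX set, then blocking the networks) done in one script. This is an added example, not code from the original post: the X-Spam-RBL-Report lines are constructed to mimic the two layouts seen above (relay IP before or after the MX list), the eight sample messages are made up, and the Postfix cidr-table path in the comment is an assumption.

```python
"""Tally spam relays by /24 from X-Spam-RBL-Report headers and emit a block list."""
import ipaddress
import re
from collections import Counter

# Constructed sample, one X-Spam-RBL-Report header per spam (not real mail).
# The header carries two bracketed groups in either order: the relay that
# connected to us, and the MX records of the sender's domain.
SAMPLE_HEADERS = """\
X-Spam-RBL-Report: [10 eforward1.registrar-servers.com., 20 eforward5.registrar-servers.com.] [188.229.19.196]
X-Spam-RBL-Report: [188.229.19.233] [10 eforward1.registrar-servers.com., 20 eforward5.registrar-servers.com.]
X-Spam-RBL-Report: [10 eforward3.registrar-servers.com., 15 eforward4.registrar-servers.com.] [95.64.32.244]
X-Spam-RBL-Report: [95.64.32.235] [10 eforward3.registrar-servers.com.]
X-Spam-RBL-Report: [10 eforward3.registrar-servers.com.] [188.229.19.176]
X-Spam-RBL-Report: [130.93.43.70] [10 eforward3.registrar-servers.com.]
X-Spam-RBL-Report: [10 eforward2.registrar-servers.com.] [212.117.161.231]
X-Spam-RBL-Report: [mx.example.net.] [203.0.113.7]
"""

BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def parse_report(line):
    """Return (relay_ip, mx_hosts) for one X-Spam-RBL-Report line.

    relay_ip is an IPv4Address or None; mx_hosts are lowercase hostnames with
    the MX priority and trailing dot stripped ("10 eforward1.x.com." -> "eforward1.x.com").
    """
    if not line.startswith("X-Spam-RBL-Report:"):
        return None, []
    relay, mx_hosts = None, []
    for group in BRACKET_RE.findall(line):
        try:
            relay = ipaddress.IPv4Address(group)   # the bracket holding a bare IPv4
            continue
        except ValueError:
            pass                                   # not an IP: it is the MX list
        for entry in group.split(","):
            parts = entry.strip().split()
            if parts:
                mx_hosts.append(parts[-1].rstrip(".").lower())
    return relay, mx_hosts


def tally_by_prefix(headers, prefixlen=24):
    """Count spams per /prefixlen network of the connecting relay."""
    counts = Counter()
    for line in headers.splitlines():
        relay, _ = parse_report(line)
        if relay is not None:
            net = ipaddress.ip_network(f"{relay}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts


def count_mx_domain(headers, domain):
    """How many spams came from a sender domain whose MX hosts sit under `domain`."""
    domain = domain.lower()
    hits = 0
    for line in headers.splitlines():
        _, mx_hosts = parse_report(line)
        if any(h == domain or h.endswith("." + domain) for h in mx_hosts):
            hits += 1
    return hits


def block_list(counts, threshold):
    """Postfix cidr-table lines for every relay network with >= threshold hits.

    Assumed wiring (not from the post):
      smtpd_client_restrictions = check_client_access cidr:/etc/postfix/spam_relays
    Keyed on the relay network only; the MX names are deliberately not used.
    """
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{net} REJECT spam relay ({n} hits)" for net, n in rows if n >= threshold]


if __name__ == "__main__":
    counts = tally_by_prefix(SAMPLE_HEADERS)
    for net, n in counts.most_common():
        print(f"[{net}] {n} spams")
    print("spams whose sender MX is under registrar-servers.com:",
          count_mx_domain(SAMPLE_HEADERS, "registrar-servers.com"))
    print("\n".join(block_list(counts, threshold=2)))
```

Run it against a real mailbox by feeding it the output of a header grep (for example `grep -h '^X-Spam-RBL-Report:' Maildir/cur/*`) instead of the sample; raising `prefixlen` to 19 would roll the 173.233.75.* hits up into the TURNKEY-INTERNET /19 from the whois above.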