
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


WHO'S SPAMMING YOU? Top 60 Proxy-Hijacker-Friendly Nets 2003-08-06

  • From: Ronald F. Guilmette
  • Date: Wed Aug 06 22:47:57 2003

What follows below is a volume-ranked list of the most prolific /24
IP address blocks with respect to open proxy hijacking activity over
the past 2 days.  These rankings are based on data collected by my
extensive open proxy honeypot network for the 48 hour period from
5 PM Pacific Daylight Time, August 4th, 2003 through 5 PM Pacific
Daylight Time August 6th, 2003.

Some brief commentary material follows the list.  If you or someone
you know owns or operates any of the networks listed below, please
contact me off-list so that we may arrange for the timely cremation
of the relevant criminal spammers and open proxy hijackers, and
the scattering of their ashes in some suitable garbage dump.  (Note
that mass open proxy hijacking of the kind being originated from
all of the /24 blocks listed below is quite clearly a criminal act
within these United States.  The criminals doing this stuff are
violating the federal Computer Fraud and Abuse Act in so many
different ways it isn't even funny.)

** NOTICE ** I will provide the specific IP addresses that are actually
engaged in the proxy hijacking activities within each of these blocks
upon request.  What I positively WILL NOT DO is to provide detailed
log files from my proxy honeypot machines to any party, PERIOD.  (DON'T
EVEN ASK unless you enjoy being verbally abused.)  Doing so would
only tend to give the spammers info that they could use to deduce the
locations of my honeypot machines, which they would then carefully
avoid.  I will provide date/time stamps to relevant network
administrators, but ONLY in cases involving clearly dynamic IP addresses.

 1. 38.112.197 - (Tampa, FL)
 2. 66.44.228 (Tucson, AZ)
 3. 202.177.23 (Hong Kong)
 4. 66.205.223 - (New Orleans, LA)
 5. 38.114.11 - (Frisco, TX)
 6. 66.44.231 (Tucson, AZ)
 7. 209.50.253 (McLean, VA)
 8. 66.111.39 aka (San Francisco, CA)
 9. 38.114.3 - (Frisco, TX)
10. 66.250.125 - (Alpha, NJ)
11. 166.90.206 - ?Alan Ralsky? (Detroit area, MI)
12. 206.47.187 - "Datatech Communications" (Windsor, ON, CA)
13. 38.112.199 - (Tampa, FL)
14. 38.118.143 - (Goleta, CA)
15. 216.99.99 (Hazelwood, MO)
16. 63.246.136 aka (San Francisco, CA)
17. 66.118.189 (Tampa, FL)
18. 64.5.51 (Dallas, TX)
19. 66.118.187 (Tampa, FL)
20. 69.33.1 (Pleasanton, CA)
21. 62.219.50 (Petach Tikva, Israel)
22. 146.82.135 - (Minneapolis, MN)
23. 66.205.219 (Redwood City, CA)
24. 207.164.251 (Windsor, ON, CA)
25. 63.246.135 aka (San Francisco, CA)
26. 216.81.218 (Des Moines, IA)
27. 66.118.142 - (Tampa, FL)
28. 64.180.125 - "Trinity Prof-Soho" (Vancouver, BC, CA)
29. 216.8.169 (Windsor, ON, CA)
30. 66.230.228 - (Tampa)
31. 64.228.134 (Montreal, QB, CA)
32. 66.111.40 aka (San Francisco, CA)
33. 207.101.233 (Dallas, TX)
34. 216.54.223 - (Clearwater, FL)
35. 63.247.65 - (North Yorkshire, GB)
36. 66.135.15 (Baton Rouge, LA)
37. 67.8.179 (RR - Florida)
38. 38.117.14 - (Tampa, FL)
39. 64.23.55 - (Baltimore, MD)
40. 64.70.45 - (Santa Monica, CA)
41. 64.159.76 - (Tampa)
42. 216.58.92 (Kanata, ON, CA)
43. 66.118.180 (Tampa, FL)
44. 63.246.131 aka (San Francisco, CA)
45. 69.0.240 (Davie, FL)
46. 203.98.177 (Hong Kong)
47. 203.98.164 (Hong Kong)
48. 66.176.226 (Chelmsford, MA)
49. 64.237.34 - - "AdultBouncer" (Hazlet, NJ)
50. 69.28.206 (Vancouver, BC, CA)
51. 202.181.236 (Hong Kong)
52. 66.70.114 (Hoboken, NJ)
52. 216.128.72 - (Hackensack, NJ)
53. 162.42.131 - (Phoenix, AZ)
54. 216.67.251 (Parsippany, NJ)
55. 207.180.3 (Tulsa, OK)
56. 216.232.165 - "Consumer ADSL" (New Westminster, BC, CA)
57. 66.36.98 (Toronto, ON, CA)
58. 65.34.198 (Chelmsford, MA)
59. 38.114.4 - (Dallas, TX)
60. 62.205.161 (Moscow, RU)

Before getting into the commentary, I should perhaps mention that all
of the above /24 blocks, as well as the companies that provide connectivity
to them are now subject to the new listing criteria for the Monkeys.Com
Unsecured Proxies List:

(Please see criteria #2, which was just recently added.)


Note:  I have already been posting `Top 40' lists of the worst and most
proxy-hijacker friendly networks to and SPAM-L
for about two weeks now.  Some of you may have seen those prior lists
and thus may be all too familiar with many of the networks listed above,
especially in the topmost few positions.  My comments about specific
networks follow:

What can I say?  The facts speak for themselves.  This is
now the #1 most criminal-friendly network on the Internet.  They have
been hosting the criminal open proxy hijackers that are attached to the
net via the following downstream customers for a long while now, and they
know exactly what's going on here, because I told them, several times.
I can only infer that they prefer to keep on accepting money from criminals:

  (previously thrown off 2 other networks)
  (totally unreachable & bullet-proof)
  (caught red-handed with a web page full of proxies)
  (Has some blocks suspiciously SWIPed to Cogentco.)

Cogent's `' customer is THE perfect false front for
spamming activities.  No phone numbers on the web site.  False/disconnected
phone number in their WHOIS, and no need for them to ever take any call
from any disgruntled folks whose servers they (or their customers) have

Level3:  These people have been hosting a ``mystery'' major-league criminal
proxy hijacker in their 166.90.206/24 block for MONTHS, and if they don't
know that then it is only because they don't want to know.  (I've already
told them myself, several times.) And they were informed that this criminal
activity was going on from their network all the way back as far as March:

Note that the criminal in question is located someplace in the Detroit
area and has been rumored to most likely be none other than Alan Ralsky,
known mega-spammer who bragged in this article:

that he's got 20 spam pumping machines in his basement going 24/7.  And
the evidence suggests that he does, and that they are all busy hijacking
other people's poorly secured proxies, all courtesy of the kind folks at
Level3.  Note: The SpamHaus Project describes Ralsky as a "convicted
fraudster" and has an extensive file on him:

Oh!  And lest I forget, Level3 also continues to provide bandwidth to
the criminal open proxy hijackers that are working out of the notorious
spam-friendly outfit called `CandidHosting'.

and its west coast subsidiary, unitedcolo, seem
to have more criminal open proxy hijackers per square inch than any other
network or company on the net.  A few days ago, they had no fewer than
9 different /24s listed in my Top 60 list of open proxy hijacking
origination points.  I've seen some signs in the past 24 hours that they may
perhaps finally be getting their act together, but then again, maybe not.
Time will tell.  (I have been told that the owner is just plain greedy,
and that he does really understand why spam is bad.)

Finally got kicked off within the past
24 hours.  Will be looking for a new home, I'm sure.  BE ON THE LOOKOUT
FOR THESE GUYS as they wander around, in search of new connectivity.
(This is at least the second strike for them, or so I'm told.  They
were kicked off another network before

Seems to be approaching the density of lead.  No response
whatsoever to hijacking reports.  The lights are on but nobody's home.
Does anybody know anybody who can explain to these people what proxy
hijacking is and why it's bad?

Sounds familiar.  These guys have been in trouble before,
haven't they?

Could be renamed to Nothin' But /dev/null

P.S.  My special thanks to,,, and, all
of whom seem to be able to kill these blasted proxy hijackers just about
as fast as I can report them.
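
Added example, not part of the original post and not the author's tooling: one way to produce a volume-ranked /24 list like the one above from honeypot connection records, using the 48-hour window stated in the post. The log format (ISO timestamp, source IP, request), the function name `rank_slash24` and all sample lines are constructed assumptions; the addresses are documentation ranges.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Window from the post: 5 PM PDT Aug 4, 2003 through 5 PM PDT Aug 6, 2003.
PDT = timezone(timedelta(hours=-7))
WINDOW_START = datetime(2003, 8, 4, 17, 0, tzinfo=PDT)
WINDOW_END = datetime(2003, 8, 6, 17, 0, tzinfo=PDT)

# Constructed sample records (hypothetical format, not real honeypot data).
SAMPLE_LOG = """\
2003-08-04T16:59:59-07:00 192.0.2.17 CONNECT mx.example.net:25
2003-08-04T17:00:00-07:00 192.0.2.17 CONNECT mx.example.net:25
2003-08-05T01:12:09+00:00 192.0.2.200 CONNECT mx.example.net:25
2003-08-05T09:30:00-07:00 198.51.100.5 CONNECT mx.example.net:25
2003-08-05T09:30:02-07:00 198.51.100.5 CONNECT mx.example.net:25
2003-08-05T09:31:40-07:00 198.51.100.5 CONNECT mx.example.net:25
2003-08-05T09:32:10-07:00 198.51.100.77 CONNECT mx.example.net:25
2003-08-06T12:00:00-07:00 203.0.113.9 CONNECT mx.example.net:25
not-a-timestamp 203.0.113.9 CONNECT mx.example.net:25
2003-08-06T17:00:00-07:00 203.0.113.9 CONNECT mx.example.net:25
2003-08-06T23:59:59+00:00 192.0.2.17 CONNECT mx.example.net:25
"""

def rank_slash24(log_text, start, end, top=60):
    """Return [(block, connections, distinct_source_ips)] ranked by volume."""
    hits = Counter()   # connections seen per /24
    sources = {}       # distinct source addresses per /24
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            when = datetime.fromisoformat(fields[0])
            addr = ipaddress.IPv4Address(fields[1])
        except ValueError:
            continue   # malformed timestamp or address: skip the record
        # Require an explicit UTC offset; the window is half-open [start, end).
        if when.tzinfo is None or not (start <= when < end):
            continue
        block = ipaddress.ip_network(f"{addr}/24", strict=False)
        hits[block] += 1
        sources.setdefault(block, set()).add(addr)
    # Highest volume first; ties broken by numeric network address.
    ranked = sorted(hits, key=lambda b: (-hits[b], int(b.network_address)))
    return [(str(b), hits[b], len(sources[b])) for b in ranked[:top]]

if __name__ == "__main__":
    for rank, row in enumerate(rank_slash24(SAMPLE_LOG, WINDOW_START, WINDOW_END), 1):
        print(rank, *row)
```

The distinct-source count is reported alongside volume because a block dominated by one address and a block with many active addresses call for different abuse reports.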
