[personal profile] terriko
I maintain a couple of blogs outside of this one, and the most popular one I'm involved with gets a lot of spam. There seemed to be a particular uptick about a month back, and I went to look into it.

What I discovered is that quite a lot of our spam (around 80%) was coming from one company called IPTelligent LLC. There's no easy way for me to tell if they are a legit company who simply have the worst IT staff in the history of IT staffs and all of their machines are compromised, or if they are, in fact, evil jerks who are repeatedly attempting to pollute the internet with really terrible spam. Given a short websearch, it seems pretty likely that IPTelligent is intentionally evil. I suppose one could argue that the level of incompetence displayed by someone who not only runs that many compromised machines but also serves up malware consistently is a form of evil even if it wasn't intentional. Whatever.

Either way, they are responsible for a rather large percentage of the spam we were receiving, and not responsible for any legit visits that we could see.

Since this particular blog uses WordPress, solving the problem was pretty simple. WordPress has built-in lists for blocking comments, but they simply send to the moderation queue, as does the popular plugin Akismet. Since we were seeing hundreds of messages per day from IPTelligent, I needed something that banned them more completely so our moderators wouldn't even see the messages and have to scan through them. Thankfully, there are lots of plugins for this. I settled on one called wp-ban that seems to be working well for my needs.

Once that's installed, the settings are under Settings->Ban. At the top of my list, I now have

# IPTelligent owns these ips, and they seem to be a spam company
96.47.225.*
173.44.37.*
96.47.224.*


Which covers the majority of the IPs that were hitting us with spam. A glance at a more specific list of IPTelligent IPs suggests that those lines are good enough right now, although it's possible that they'll buy more IP blocks eventually. (We also have a longer list of other IPs that appear to be compromised and were causing problems, but they look more like temporary compromises than intentional, long-term malice so I'm not listing those IPs here).
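An added example, not part of the original post and not wp-ban's own code: it converts the three ban patterns above into CIDR blocks that a packet filter could use, then measures how much of a list of spam source IPs they cover. It assumes a trailing `*` stands for the whole last octet; the sample IPs are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Ban patterns exactly as listed in the post.
BAN_PATTERNS = ["96.47.225.*", "173.44.37.*", "96.47.224.*"]

# Constructed sample of spam source IPs (not real log data); the last
# two use the 198.51.100.0/24 documentation range.
SAMPLE_IPS = [
    "96.47.225.10", "96.47.225.77", "96.47.225.250", "96.47.224.3",
    "96.47.224.200", "173.44.37.5", "173.44.37.99", "173.44.37.180",
    "198.51.100.23", "198.51.100.40",
]

def pattern_to_network(pattern):
    """Turn a trailing-wildcard pattern such as 96.47.225.* into a CIDR block."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 pattern: {pattern!r}")
    n = octets.index("*") if "*" in octets else 4
    fixed, rest = octets[:n], octets[n:]
    # Refuse "*.*.*.*" and wildcards followed by literal octets: neither
    # maps onto a single prefix, and the first would ban everyone.
    if n == 0 or any(o != "*" for o in rest):
        raise ValueError(f"only trailing wildcards are supported: {pattern!r}")
    if any(not o.isdigit() or int(o) > 255 for o in fixed):
        raise ValueError(f"bad octet in {pattern!r}")
    return ipaddress.ip_network(".".join(fixed + ["0"] * len(rest)) + f"/{8 * n}")

def collapse(patterns):
    """Merge adjacent blocks so the filter needs as few rules as possible."""
    return list(ipaddress.collapse_addresses(pattern_to_network(p) for p in patterns))

def coverage(source_ips, networks):
    """Return (fraction of IPs blocked, Counter of unblocked /24 blocks)."""
    blocked, misses = 0, Counter()
    for ip in source_ips:
        if any(ipaddress.ip_address(ip) in net for net in networks):
            blocked += 1
        else:
            misses[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return (blocked / len(source_ips) if source_ips else 0.0), misses

if __name__ == "__main__":
    nets = collapse(BAN_PATTERNS)
    print("CIDR blocks:", [str(n) for n in nets])
    fraction, misses = coverage(SAMPLE_IPS, nets)
    print(f"blocked {fraction:.0%}; unblocked /24s by count: {misses.most_common(5)}")
```

The two adjacent 96.47.x blocks merge into a single /23, and the miss counter shows which remaining /24 blocks send the most traffic if new ranges need reviewing later.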

Of course, it would be better if someone took the company to court for this. I am not a lawyer, but it seems to me that the Computer Fraud and Abuse Act must cover at least some portion of their activities. I mean, the things they charged Aaron Swartz with under that act seem less sketchy than what IPTelligent is doing. But court cases take time and money, and banning them right now is pretty easy, so I figured I'd share the short-term solution in case it's useful to anyone who'd like to get a little less spam right away. (We are indeed getting ~80% less spam since the bans went into place.)

For the record, here's the company info as I get from the whois database right now:

OrgName:        IPTelligent LLC
OrgId:          IPTEL-1
Address:        2115 NW 22nd Street
Address:        #C110
City:           Miami
StateProv:      FL
PostalCode:     33142
Country:        US
RegDate:        2009-03-31
Updated:        2012-07-16
Ref:            http://whois.arin.net/rest/org/IPTEL-1

ReferralServer: rwhois://rwhois.iptelligent.com:4321

OrgNOCHandle: NOC3572-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-888-638-5893
OrgNOCEmail:  sysop@iptelligent.com
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC3572-ARIN

Date: May 6th, 2013 08:46 pm (UTC)
From: [personal profile] fg4fc07p
There's no easy way for me to tell if they are a legit company...or if they are, in fact, evil jerks who are repeatedly attempting to pollute the internet with really terrible spam.


I stopped bothering with discerning intent quite a while ago, and just skip directly to countermeasures against the effect: access denied, egregious offenders named and reported, apologies neither expected nor given. I doubt the EPA cares whether one intended to pollute a town's water supply, only that one did.

Thanks for the info

Date: January 3rd, 2014 09:42 pm (UTC)
From: (Anonymous)
Hi, I sysadmin a school web and shell account server and we saw an enormous number of bogus requests to */exam.php. We blocked the IPs you listed at the packet filter level. Good riddance. Thanks --Louis

There's an even better plugin

Date: July 12th, 2013 02:34 pm (UTC)
From: (Anonymous)
It checks against the Stop Forum Spam DB, and also swings the ban-hammer against the usual suspects (FDC, Nobis, etc.)

Stop Spammer Registrations Plugin

I got through to them

Date: February 20th, 2014 07:29 am (UTC)
From: (Anonymous)
After a little digging I found that QuadraNet acquired IPTelligent in February 2011.
http://www.linkedin.com/company/iptelligent

I found their abuse@quadranet.com address. But there was no response.
I Googled some more, and found LinkedIn pages and Facebook pages from QuadraNet.
When I wrote them on Facebook, they replied.
I got another mail address for a guy called Jordan Goldman <j.goldman@quadranet.com>

Their answer was: "This has been forwarded to our client to remove the abusive user."

Hope it helps
