Herr Bischoff

Blocking MAROSNET Spam

As an update to my previous post regarding ColoCrossing, we’re back again to prohibit a related company from sending us their floods of crap. This time it’s MAROSNET, aka AS48666. Consistently, spam email arrives from their networks, with wildly different IP addresses within their range. The links inside those emails point to domains hosted by ColoCrossing. Their abuse department is non-responsive and this appears to have been going on for quite some time. Additionally, none of my email servers is legitimately communicating with Russian email addresses. Particularly interesting is the fact that only email addresses involved in data breaches and ones exclusively used on eBay appear to be affected.

Well, that’s another candidate for the firewall’s IP blocklist.

whois -h whois.radb.net -- "-i origin AS48666" | grep '^route:' | awk '{print $2}'
whois -h whois.radb.net -- "-i origin AS48666" | grep '^route6:' | awk '{print $2}'