Is MWEB a Spammers Haven?


MWEB IPs used by Spammers and Hackers


Checking an IP record for 41.133.8.155 after noticing a minor offence this morning – the ubiquitous and quite stupid practice of adding “/undefined” to the end of actual URLs – brought up a list of IPs in the neighbourhood. All the IPs in that list belong to MWEB (whois.domaintools.com IP lookup records).

MWEB, a South African Internet Service Provider, has previously had IPs under their control listed in several databases as a source of spam e-mails. According to Project Honeypot, a range of IPs managed by MWEB is (or was) used by Spammers and Dictionary Attackers.

inetnum:          41.133.0.0 – 41.133.63.255
netname:         MWEB-NET-41-133-0-0
descr:               MWEB CONNECT (PROPRIETARY) LIMITED
descr:               100 Fairway close
descr:                N1 City
descr:               South Africa
country:           ZA
org:                  ORG-MA20-AFRINIC
admin-c:           GP4-AFRINIC
tech-c:              NOC1327-AFRINIC
tech-c:              EF1-AFRINIC
status:              ASSIGNED PA

ADSL Clients

The IPs listed are assigned dynamically to ADSL subscribers for internet connectivity. The ISP (MWEB) will of course state their clients are abusing the service; but what do they do about it? Last year MWEB was accused of blocking Gmail messages as there was “too much e-mail spam” being sent from Gmail accounts.

Where does an ISP draw the line on multiple e-mail addresses in a single mail, or the number of mails sent in a space of time? Clients sending a single mail to multiple recipients will quickly end up listed in a spam list somewhere. Even if the mails sent are only to willing subscribers, the monitoring services cannot know this. Should e-mail recipients be limited to five or ten per message? Should business clients with big mailing lists be forced to use a dedicated IP?

I think the dedicated IP is the only real answer. At least no other user of a shared dynamically assigned IP will be affected when the dedicated IP is listed in a spam database.

Dictionary Attackers:

While spam e-mail is annoying, it is relatively harmless in most cases. Spam mail is sent mainly as advertising. Dictionary attacks, on the other hand, are not harmless, and are only used by hackers. A dictionary attack is an attempt to access website administration or server admin by submitting bulk user name and password combinations, trying to find a combination that will allow the hacker access to the site.

Dictionary attackers should have their accounts suspended and their activities investigated, if necessary by legal authorities.
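How a site owner might spot the dictionary attack pattern described above in a login log, as an added example that is not part of the original post. The log format, the thresholds and the function name are assumptions, and the sample lines are constructed with documentation-range addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# Addresses are RFC 5737 documentation IPs, not taken from any report.
SAMPLE_LOG = """\
2012-08-12T06:00:01 198.51.100.7 admin FAIL
2012-08-12T06:00:02 198.51.100.7 administrator FAIL
2012-08-12T06:00:03 198.51.100.7 root FAIL
2012-08-12T06:00:04 198.51.100.7 test FAIL
2012-08-12T06:00:05 198.51.100.7 webmaster FAIL
2012-08-12T06:00:06 198.51.100.7 admin OK
2012-08-12T06:10:00 203.0.113.20 mike FAIL
2012-08-12T06:10:30 203.0.113.20 mike FAIL
2012-08-12T06:11:00 203.0.113.20 mike OK
"""

def find_dictionary_attackers(log_text, window=timedelta(minutes=5),
                              min_failures=5, min_usernames=3):
    """Return {ip: {"failures", "usernames", "breached"}} for flagged sources.

    A source is flagged when, inside one sliding window, it produces at least
    min_failures failed logins spread over at least min_usernames usernames.
    "breached" is True when a successful login follows the flagged burst.
    """
    failures = defaultdict(list)   # ip -> [(time, username)] still in window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines
        stamp, ip, user, result = parts
        when = datetime.fromisoformat(stamp)
        if result == "OK":
            if ip in flagged:              # success after a flagged burst
                flagged[ip]["breached"] = True
            continue
        recent = [(t, u) for t, u in failures[ip] if when - t <= window]
        recent.append((when, user))
        failures[ip] = recent
        names = {u for _, u in recent}
        if len(recent) >= min_failures and len(names) >= min_usernames:
            entry = flagged.setdefault(
                ip, {"failures": 0, "usernames": set(), "breached": False})
            entry["failures"] = max(entry["failures"], len(recent))
            entry["usernames"] |= names
    return flagged
```

Requiring several distinct usernames keeps a legitimate user who mistypes one password a few times from being flagged; a flagged source with `breached` set is the case that needs a password reset and investigation first.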

What the Project Honeypot Status ID Means

Project Honeypot uses a system of alphabetic lettering to describe the status of an IP in the database. S means the IP has been used by Comment Spammers. D is for Dictionary Attackers. SD combines the two – Spammers and Dictionary Attackers.

Some of the reports are historical, with no bad activity seen in the past three months.

Honeypot List of MWEB IPs

The Project Honeypot report for 41.133.8.155 includes a list of IPs in the neighbourhood.


About Mike

Web Developer and Techno-geek Saltwater fishing nut Blogger

Posted on August 12, 2012, in Internet.
