Blocking The Big Education (Edu-Junk) Spammers


There are two main organizations that I know must be sending out thousands, if not millions, of spam messages a day to the school community. I have been watching the constant spam spewing from a few sources over the last couple of years, and I have finally started looking at some patterns to alleviate at least some of the junk our teachers are getting specifically from these junk engines. The two organizations I see as massive senders of edu-junk are Mindstreams / Lifetime Learning and Edupartners. I am sure there are many others out there you might be dealing with, but these two sources are prolific in the volume they spew daily.

Both Mindstreams / Lifetime Learning and Edupartners do put unsubscribe links on their junk, but the way they acquire the addresses means every single member of your faculty and staff would need to individually unsubscribe. This is not something any of us want to deal with, so if you can, it is worth getting some simple rules in at the server side to inhibit this as much as possible. They seem to be immune to RBLs for some reason, so you will have to go it alone.

Here are some examples of the kind of junk their servers pump out to the school community.

EDUPartners SPAM

Lifetime Learning / Mindstreams SPAM

Except they pump thousands of these out, inserting teacher names from their database, etc. This is nothing different from what other spammers do daily; the difference here is the real increase in volume and the targeted audience of people who work in schools. They use multiple servers, outside spam vendors, and tools like Silverpop Engage, and probably a lot of other tools we don't even know about. I finally had to do something about this.

If you want to inhibit this as well, here are a few items that have worked.


Block the entire routable IP ranges that Lifetime Learning / Mindstreams owns.

They have servers across their Class C ranges that do nothing but send and send. I have currently blocked a couple of their ranges from even being able to send email to our networks. Here are the ranges I have blocked outright, because the logs show spam attempts coming from across the entire ranges.

12.9.130.0/24
12.9.134.0/24

Just block it from connecting to your network at all, or at least on port 25 for SMTP. They are not (yet) doing SSL on port 465.

Here is a log showing a quick round from the second Class C range trying to send to us.


Anything from 208.85.51.183 is bad news.

This is a Silverpop-owned IP address. The whole block can probably be blocked, but I have consistently seen 208.85.51.183 do nothing but spam.

Here is the WHOIS lookup for it (as of 11/04/11):

#     "n 208.85.51.183"

NetRange:       208.85.48.0 - 208.85.55.255
CIDR:           208.85.48.0/21
OriginAS:       AS19795
NetName:        SILVERPOP-IP
NetHandle:      NET-208-85-48-0-1
Parent:         NET-208-0-0-0-0
NetType:        Direct Assignment
RegDate:        2007-12-03
Updated:        2008-02-22
Ref:            http://whois.arin.net/rest/net/NET-208-85-48-0-1

OrgName:        Silverpop Systems Inc.
OrgId:          SILVE-32
Address:        200 Galleria Pkwy
Address:        Ste 750
City:           Atlanta
StateProv:      GA
PostalCode:     30339
Country:        US
RegDate:        2007-02-22
Updated:        2011-08-03
Ref:            http://whois.arin.net/rest/org/SILVE-32

OrgTechHandle: NETWO1905-ARIN
OrgTechName:   Network Operations
OrgTechPhone:  +1-678-247-0500
OrgTechEmail:  InfrastructureTeam@silverpop.com
OrgTechRef:    http://whois.arin.net/rest/poc/NETWO1905-ARIN

OrgAbuseHandle: ABUSE1713-ARIN
OrgAbuseName:   Abuse Handler
OrgAbusePhone:  +1-678-247-0500
OrgAbuseEmail:  abuse@deliver.silverpop.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE1713-ARIN

OrgNOCHandle: NETWO1905-ARIN
OrgNOCName:   Network Operations
OrgNOCPhone:  +1-678-247-0500
OrgNOCEmail:  InfrastructureTeam@silverpop.com
OrgNOCRef:    http://whois.arin.net/rest/poc/NETWO1905-ARIN

RTechHandle: NETWO1905-ARIN
RTechName:   Network Operations
RTechPhone:  +1-678-247-0500
RTechEmail:  InfrastructureTeam@silverpop.com
RTechRef:    http://whois.arin.net/rest/poc/NETWO1905-ARIN

RAbuseHandle: ABUSE1713-ARIN
RAbuseName:   Abuse Handler
RAbusePhone:  +1-678-247-0500
RAbuseEmail:  abuse@deliver.silverpop.com
RAbuseRef:    http://whois.arin.net/rest/poc/ABUSE1713-ARIN

RNOCHandle: NETWO1905-ARIN
RNOCName:   Network Operations
RNOCPhone:  +1-678-247-0500
RNOCEmail:  InfrastructureTeam@silverpop.com
RNOCRef:    http://whois.arin.net/rest/poc/NETWO1905-ARIN


Set up rules on your email server

(Provided you still run your own email server, now that most schools seem to be going the Google Apps route while it is currently free of charge.) I have a few rules that pick off the current batches of junk from the Edu-Junk companies:

1. Anything received from, sent from, or containing the text string mkt5354.com.

2. Anything received from, sent from, or containing the text string edupartners.com.

3. Anything whose Received header contains the string PowerMTA. This is a junk email sender that they (and many others) use constantly.

4. Block 208.85.51.183 outright as well. It is crazy how much spam that IP is trying to send on behalf of edupartners.com.
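As an added example (not code from the original post), here is a small Python filter that applies the four rules above together with the two Class C blocks from the earlier section to an incoming message. The rule names, hostnames and sample messages are constructed for the example, and it assumes the mail server hands the filter the IP address of the connecting SMTP client.

```python
import email
import ipaddress

# Block list from the post: two Class C ranges plus the single Silverpop host.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("12.9.130.0/24", "12.9.134.0/24")]
BLOCKED_HOSTS = {ipaddress.ip_address("208.85.51.183")}
# Rules 1 and 2: these strings anywhere in the message are enough to reject.
BLOCKED_STRINGS = ("mkt5354.com", "edupartners.com")
# Rule 3: any Received header mentioning this sending software (matched case-insensitively).
BLOCKED_MTA = "powermta"


def matched_rules(raw: bytes, client_ip: str) -> list:
    """Return the post's rules this message trips; an empty list means deliver.
    client_ip is the SMTP client address the MTA knows at connection time (assumed passed in)."""
    hits = []
    ip = ipaddress.ip_address(client_ip)
    if ip in BLOCKED_HOSTS or any(ip in net for net in BLOCKED_NETS):
        hits.append("blocked-ip")
    msg = email.message_from_bytes(raw)
    # Folded Received headers are joined so a substring match sees the whole value.
    received = " ".join(msg.get_all("Received", [])).lower()
    if BLOCKED_MTA in received:
        hits.append("powermta")
    # Rules 1 and 2 look at the raw message (headers and body) for the domain strings.
    text = raw.decode("utf-8", "replace").lower()
    hits.extend("string:" + s for s in BLOCKED_STRINGS if s in text)
    return hits


# Constructed sample messages: every host, address and id below is made up.
SPAM = b"""Received: from relay.invalid (relay.invalid [208.85.51.183])
\tby mx.school.invalid with ESMTP id ABC123; Fri, 4 Nov 2011 10:00:00 -0400
Received: by bulk.invalid (PowerMTA(TM)) id XYZ; Fri, 4 Nov 2011 09:59:00 -0400
From: "Professional Development" <news@mkt5354.com>
To: teacher@school.invalid
Subject: Free webinar for educators

Register today.
"""
HAM = b"""Received: from mail.district.invalid (mail.district.invalid [192.0.2.10])
\tby mx.school.invalid with ESMTP id DEF456; Fri, 4 Nov 2011 11:00:00 -0400
From: principal@district.invalid
To: teacher@school.invalid
Subject: Staff meeting Friday

See you at 3pm.
"""

if __name__ == "__main__":
    print("spam ->", matched_rules(SPAM, "208.85.51.183"))
    print("ham  ->", matched_rules(HAM, "192.0.2.10"))
```

A real deployment would call matched_rules from the MTA's content filter hook and reject on a non-empty result; the IP checks are cheaper done at the firewall, as the post suggests, and are included here so one function shows all the rules together.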

208.85.51.183 Spam Attempts


I will continue to update this as new patterns emerge. Hope this helps.
