On Wed, Nov 01, 2023 at 01:55:42PM +0100, John Levine wrote:
> It appears that Ángel Gonzalez Berdasco via anti-abuse-wg 
> <angel.gonza...@incibe.es> said:
> >> Just block their network 80.94.95.0/24 and forget about it.
> 
> >organisation:   ORG-BA1515-RIPE
> >org-name:       BtHoster LTD
> >country:        GB
> >org-type:       OTHER
> >address:        26, New Kent Road, London, SE1 6TJ, UNITED KINGDOM
> 
> If you look at that address on Google Street View, you will see a late
> 2022 picture of a construction site.
> 
> Unless you care enough to contact their transit providers and try
> and get them disconnected, I wouldn't waste more time on it.

BtHoster is indeed a well known bulletproof hoster, and nothing good can be
expected from the other two blocks announced by AS204428 either, 87.246.7.0/24
and 212.70.149.0/24 (4media.bg/4vendeta.com, who also have much cleaner
ranges directly behind their own AS50360).  BtHoster also has AS198465,
today announcing 45.129.14.0/24 and 77.90.185.0/24.

Sending abuse reports to these places is - how to say? - a bit naive.
Abuse is their core business.  You can see for instance BtHoster's ad in
https://bitcointalk.org/index.php?topic=5407833.0 :

        RDP FOR SCAN/BRUTE - PRICE 10 $ /MONTH
        WHM FOR PISHING WITH UNLIMITED DOMAIN LICENSE -PRICE 130 $ /MONTH
        RESELLER FOR  RDP WITH PANEL -PRICE 150 $ + IP /MONTH
        SERVER FOR SCAN/BRUTE 32 GB RAM -PRICE 130 $ /MONTH

So the "ignoring" is fully expected, it is a feature of their hosting offer.
The best action is to completely prevent their packets from entering your
networks through protection at the network edge.  This is precisely what our
DROP/EDROP/ASN-DROP free datasets are for: block all packets on the edge router.

Of course, like it or not, the people behind this are members of this
community, read these lists, make posts, etc, and of course they would not be
connected to the Internet if there weren't facilitating ISPs between them and
backbones - in this case the operators of AS47890, AS202425 and the
abovementioned AS50360.  These are also part of the abuse ecosystem.

The two-layered approach is essential for the stability of their connectivity -
otherwise the backbones would just cut them off.  When pressure from backbones
becomes excessive and the intermediary is forced to disconnect them, they change
intermediary or they create a new company, get a new ASN and move the operation
so that reputation restarts from zero.  These patterns are very established,
and cause a considerable ASN turnover.  RIPE NCC apparently noted a high number
of ASNs being abandoned
[https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-June/013757.html]
but does not seem to note the relation with abuse, which should explain a
fraction of them.

Natale M Bianchi
Spamhaus Project
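
As an added illustration of the "block all packets on the edge router"
advice above (this is editor-supplied example code, not Spamhaus's own
tooling and not part of the original message): the script below parses
text in the legacy drop.txt layout (";" starts a comment, data lines are
"<cidr> ; <SBL id>"), answers "is this source address inside a listed
prefix?", and renders an nftables set plus a forward-chain drop rule for a
Linux-based edge router.  The sample feed is constructed inline from the
prefixes named in this thread with placeholder SBL ids; it is not a real
download, and nothing here asserts which prefixes are actually listed.
Vendor routers need their own syntax (prefix-lists, route-maps, null
routes), so treat the nft output as the shape of the rule, not a drop-in.

```python
import ipaddress

# Constructed sample in the legacy drop.txt layout.  Prefixes are the ones
# named in the message; SBL ids are placeholders, not real SBL records.
# The last data line is deliberately malformed to exercise the skip path.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not a real download)
; Last-Modified: Wed, 01 Nov 2023 00:00:00 GMT
80.94.95.0/24 ; SBL000001
87.246.7.0/24 ; SBL000002
212.70.149.0/24 ; SBL000003
45.129.14.0/24 ; SBL000004
77.90.185.0/24 ; SBL000005
not-a-prefix ; SBL000006
"""


def parse_drop(text):
    """Return {ip_network: sbl_id} for every well-formed data line.

    Comment lines (leading ';'), blank lines and unparsable prefixes are
    skipped so one bad line never aborts loading the whole feed.
    """
    entries = {}
    for raw in text.splitlines():
        cidr, _, comment = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:            # blank line or comment-only line
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            continue            # malformed prefix: skip, keep going
        entries[net] = comment.strip()
    return entries


def is_blocked(ip, entries):
    """Return the listed network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in entries:
        if addr.version == net.version and addr in net:
            return net
    return None


def nft_set(entries, set_name="spamhaus_drop", table="inet filter"):
    """Render an nftables snippet: an interval set of the IPv4 prefixes and a
    forward-chain rule that drops anything sourced from them.

    IPv6 entries (the DROPv6 feed) would need a second set of type
    ipv6_addr; this example keeps to IPv4 for brevity.
    """
    v4 = sorted((n for n in entries if n.version == 4),
                key=lambda n: (int(n.network_address), n.prefixlen))
    elems = ", ".join(str(n) for n in v4)
    return (
        f"table {table} {{\n"
        f"    set {set_name} {{\n"
        f"        type ipv4_addr\n"
        f"        flags interval\n"
        f"        elements = {{ {elems} }}\n"
        f"    }}\n"
        f"    chain forward {{\n"
        f"        type filter hook forward priority 0; policy accept;\n"
        f"        ip saddr @{set_name} counter drop\n"
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    feed = parse_drop(SAMPLE_DROP)
    print(f"loaded {len(feed)} prefixes")
    for probe in ("80.94.95.17", "8.8.8.8"):
        hit = is_blocked(probe, feed)
        print(f"{probe}: {'listed in ' + str(hit) if hit else 'not listed'}")
    print(nft_set(feed))
```

In production the feed would be fetched on a schedule and the set
reloaded atomically (`nft -f` with a fresh `elements` block) rather than
rebuilt by hand, and the `counter` keyword is there so the rule's hit
count gives you evidence of what the block is actually absorbing.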


-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg