The IP range for DSL users

Screenshot of the website

The silence surrounding spam coming from the network of Megaprovider – save a stray posting on amongst others – isn’t due to Megaprovider lying low. In fact, Megaprovider has been extremely busy, acting as a facilitator for the abuse of so-called open proxies and hosting spamvertised websites.

Dull, but interesting

This text is long and dull. That is due to the extent of Megaprovider’s spam-related activities. Of interest, however, are: the precursor, a bit of more recent spam-related activity stemming from the Megaprovider network, a network fingerprint of the traffic actually abusing open proxies, tracing the source of the open proxies, Megaprovider’s evasion of blocklists and the end of it all (at least, for now).

This is not all the information that has been uncovered. To protect the sources and ongoing investigations a lot of information has been left out or munged. See the Credits section for the attribution. Original text in Dutch.


Ronald F. Guilmette’s “Who’s spamming you?” showed that during the summer of 2003 Megaprovider had earned itself a permanent spot in the Top 40 of open-proxy abusers (usually just plain zombies). Each and every time the same /24 IP range showed up in the Top 40: (ORG-MPB1-RIPE). That range had been a “dirty block” of sorts for a while. The timing, however, was remarkable: right in the midst of the whole saga.

Ronald reported that proxies had been abused from inside that range of IP addresses since as far back as early July 2003. The IP range had been used for spam-related activities a couple of times before that: from August 11th through September 16th 2002 was used to send spam (apparently spammers were unaware of open proxies at the time), from August 31st through September 24th 2002 was used to host websites advertised in spam, and on September 23rd and 24th 2002 was used for the same.

On March 8th 2004 Giblet reports that spam is being sent out for “all your Paris Hilton movies”, through open proxies which are being abused simultaneously from 6 IP addresses residing in the IP range:,,,,,

Webwereld wrote an article and Megaprovider once again threatens a lawsuit. Business as usual.

On March 17th 2004 Webwereld wrote another article, based upon Ronald’s “Who’s spamming you?”, about the whole period in which open proxies had been abused from IPs belonging to Megaprovider. Megaprovider explains the abuse by saying that the IP range is used for customers with a DSL connection and that a couple of those customers had apparently been cracked. Perhaps all the attention this IP range was getting was a bit too much: after these events no further activity was seen from the range.

Megaprovider somewhat disappeared from the (corporate) radar.

Recent spam related activities by Megaprovider

On June 11th and 12th 2004 spam is sent out for the domain It was sent through open proxies. The abuse originated from Megaprovider’s IP space, specifically the following IP addresses:,,,,,,,,,,,,,

The spams themselves advertise a website which offers (most likely fake) Viagra pills.

On August 25th 2004 large quantities of spam are being sent out for, which redirects to a form on, hosted on (NL-MEGAPROVIDER-20010606).

On August 27th 2004, August 31st 2004 and September 3rd 2004 (and most likely also all the days in between) spam is being sent out for, which leads to, which is hosted on A web bug points to

On September 4th 2004 spam is being sent out for This one leads to, which is also being hosted on In this case a web bug also points to

September 13th 2004 spam is still being sent out for sites hosted on, but the webserver isn’t reachable anymore.

On September 14th 2004 (extra sample) spam is being sent out for It features a popup for, a redirect (“clickthrough”) to, which at first (through an “A record” [wikipedia]) points to, but later to The webserver on was unreachable. Credit card data could be entered on a site which was pointing towards, hosted on and equally unreachable.

Between September 18th and 20th 2004, and possibly a couple of days around that period, spam is being sent out originating from the infamous “DSL” IP range of Megaprovider, utilizing open proxies. A number of times a proxypot is hit. Summaries of all the IPs belonging to Megaprovider which hit the proxypots can be found in the proxypots of Alan Curry, Feike Hacquebord, Christopher Layne and someone who prefers to remain anonymous. The spams advertise Viagra. From the spams which got trapped in the proxypots (sample) the following list of active IP addresses is distilled:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Amongst the domainnames advertised through the spam are:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

The spam runs also advertise, which originates amongst others from these IPs:,,,,,,,,,,,,,,,

These spams are for an affiliate named “jpeg”, a name we run into again later. Between October 15th and 23rd 2004 spam is sent out for, amongst others, again for the affiliate “jpeg” (sample). The abusing IPs:,,,,,,,,,,,,,,

There are also other people who send out their garbage through Megaprovider’s IP space. In the early morning of October 21st 2004 (sample) spam is sent out for From the spamvertised pages another referral can be found, called “bleume”. The IPs involved during that hour:,,,,

That last one sends out the spam with a URL that – due to a typo – doesn’t make the intended domain clear (at least to a casual bystander). The other IPs sent out the correct spam. The same spam is being sent from other IP ranges at the same time through open proxies. That abuse originates amongst others from (from the IP range RACETECH belonging to and (from the IP range PEER1-PRIORITYCOLO-02 belonging to

Between October 23rd and November 30th 2004 (over a month!) spam is again sent out on an almost daily basis (sample). This time the affiliate is again “jpeg” and again the domain surfaces. During this period the following IPs can be identified as the source:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

The very same spam also gets caught in another proxypot, originating from exactly the same IP addresses (and some other IPs not belonging to Megaprovider). From the logs of this proxypot it becomes clear that the run lasted even longer: from October 25th up to December 4th 2004.

Between January 19th and 21st 2005 spam is sent out from the Megaprovider network for a very diverse multitude of products, like dating spam (sample, sample), Viagra (sample) and porn. The domain names spamvertised are:,,,,,,,,,,,,, hassofrassfey.coms,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

This spam is of course also sent through open proxies. At least 5 IPs belonging to the Megaprovider IP space are used:,,,,,,

A few days later, on January 28th and 29th 2005, spam is sent out for a product similar to Viagra. The domain is advertised in the spam and the IP addresses which got caught in the proxypot are:,,

Starting January 28th 2005 spam is sent out (sample) for another domain which sells Viagra pills: The IP addresses involved in this run belonging to the Megaprovider network are:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

More dating spam is sent out from Megaprovider IPs on February 3rd and 4th 2005 (sample). The IPs involved:,,,,,,

In those runs the domains spamvertised are:,,,,,,,,,

In the same timeframe, between February 26th and March 13th 2005, spam is sent out for a Viagra-selling domain: By combining the logs of two proxypots the following IPs from Megaprovider’s network surface:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

From March 13th 2005 (up to March 18th), the Viagra spam continues, but another domain is used: The IP addresses in use are almost identical to the ones used in the previous run.

After March 18th 2005 the Viagra spam disappears for a bit, but up till March 23rd 2005 spam is sent out for replica watches. The domain used is and the IPs involved:,,,,,,,,,,,,,,

After a day of rest, from March 25th till April 5th 2005 the Viagra spams (sample) continue. The domain used this time is: The IPs which got caught in proxypots:,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Between April 1st and 6th 2005 the IPs are also logged for spam tied to “jpeg” and the domains,, and (sample). It seems likely that multiple servers are used. The following IPs are involved in sending these spams through open proxies:,,,,,,,,,,,,,,,,

Also starting April 1st 2005, but continuing up till April 14th 2005, “jpeg” is sending out Viagra spam for and (sample). Whereas the other run is being sent from the first 128 IP addresses of that range (, this run is sent from the second set of 128 IP addresses of that range (,,,,,,,,,,,,,,

After the Viagra spam, “jpeg” switches again to the replica watches, and so on April 15th and April 16th 2005 spam for them is sent out. The spams for (sample) originate from:,,,,

The spams for (sample) originate from:,,,,

The spams for (sample) originate from:,,,,

These spamruns were all sent by a spammer using the referral “jpeg”. By sheer luck it became clear where exactly this spammer was getting his open proxies from.

April 11th 2005 mentions 16 IP addresses in that same IP range that were involved with the sending of spam through open proxies:,,,,,,,,,,,,,,,,,,,

Rule #4 in effect?

And then. Out of the blue, on May 23rd 2005, from my command line prompt:

rejo@bottebijl:~> ping
PING ( 56(84) bytes of data.
--- ping statistics ---
83 packets transmitted, 0 received, 100% packet loss, time 81992ms

Also May 23rd 2005, from one of my IRC logs:

16:55 < $nick > hmm, what would bevelander have to discuss with telecity? a pissed-off lawyer for martijn, was standing at the front desk, and demanded that “the meeting wouldn’t start without her”

Telecity 1 is one of the datacenters in Amsterdam. An e-mail sent to me by a friend explained some more:

As far as Bevelander is concerned: I heard that near the end of May or the beginning of June there was a raid at his barplace in Haarlem. This raid (most likely by the [munged]) was related to Bevelander’s spam activities. Computer equipment was allegedly seized.

That bar cannot be anything else than Delirium (a bar owned by Martijn Bevelander; the bar’s address is shared with Megaprovider).

Would Rule #4 finally be in effect again?

The originating systems and the size of the spamruns

By analysing the simultaneous connections, passive network fingerprints of Linux and Windows systems surface (timestamps and ports munged):

[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 943 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 943 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 920 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 919 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 43 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 199 hrs)
[timestamp][port] - Linux 2.4/2.6 >= 2.6.7 (up: 198 hrs)
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1
[timestamp][port] - Windows 2000 SP4, XP SP1

This doesn’t offer conclusive evidence about the number of systems used: a single server can have an almost limitless number of IPs assigned to its network interface card, and by using virtual machines the traffic analysis can turn up a Windows fingerprint whilst in reality the server is running Linux. Still, it is likely that two or more systems were indeed used.

The server with the Linux network fingerprint sent out spam advertising, amongst others, and between April 1st and April 6th 2005. The server with the Windows network fingerprint sent out spam advertising, amongst others, during that same period.

The displayed uptime is only an estimate. It is derived from the TCP timestamp option in the captured packets, and the tick rate behind that counter differs between kernels (100 Hz on Linux 2.4, 1000 Hz on the early 2.6 kernels), so guessing the wrong rate puts the estimate off by as much as a factor of 10 from the actual uptime.
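An added example, not from the article or from any tool used for it, of the two things a practitioner wants to squeeze out of a listing like the one above: a lower bound on the number of distinct hosts behind the IPs (one box has one clock, so observations of the same host must show uptimes that advance in step with the wall clock), and the spread of uptimes a single TCP timestamp value implies under different tick-rate guesses. The sample lines, timestamps and ports are constructed; only the OS labels and uptime values mirror the shape of the listing.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the passive-fingerprint listing above;
# timestamps and ports are assumptions (the page munged them).
SAMPLE = """\
2005-04-03 10:00:00 [1025] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
2005-04-03 11:00:00 [1031] - Linux 2.4/2.6 >= 2.6.7 (up: 943 hrs)
2005-04-03 10:30:00 [2048] - Linux 2.4/2.6 >= 2.6.7 (up: 199 hrs)
2005-04-03 11:30:00 [2052] - Linux 2.4/2.6 >= 2.6.7 (up: 200 hrs)
2005-04-03 10:05:00 [3101] - Windows 2000 SP4, XP SP1
2005-04-03 10:45:00 [3107] - Windows 2000 SP4, XP SP1
"""

LINE = re.compile(r"^(\S+ \S+) \[(\d+)\] - (.+?)(?: \(up: (\d+) hrs\))?$")


def parse(text):
    """Turn fingerprint lines into records; 'up' is None when the tool
    printed no uptime (no usable TCP timestamp, as for the Windows lines)."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "port": int(m.group(2)),
            "os": m.group(3),
            "up": int(m.group(4)) if m.group(4) else None,
        })
    return records


def cluster_hosts(records, tolerance_hrs=1.0):
    """Group observations into probable distinct hosts.

    Many IPs can sit on one box, so the IP count says little. A single host
    has a single timestamp clock, so two observations belong to the same host
    only if their uptime difference matches the wall-clock time between them
    (within the 1-hour rounding of the tool's output). Observations without
    an uptime cannot be separated this way and are returned per OS label.
    """
    clusters, unknown = [], {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["up"] is None:
            unknown.setdefault(r["os"], []).append(r)
            continue
        for c in clusters:
            if c["os"] != r["os"]:
                continue
            elapsed = (r["ts"] - c["anchor_ts"]).total_seconds() / 3600
            if abs((r["up"] - c["anchor_up"]) - elapsed) <= tolerance_hrs:
                c["members"].append(r)
                break
        else:
            clusters.append({"os": r["os"], "anchor_ts": r["ts"],
                             "anchor_up": r["up"], "members": [r]})
    return clusters, unknown


def uptime_hours(tsval, hz):
    """Uptime implied by a TCP timestamp value (RFC 1323 TSval) if the
    sender's timestamp clock ticks at hz Hz. A fingerprinting tool has to
    guess hz, which is why the printed uptime is only an estimate."""
    return tsval / hz / 3600.0


def uptime_candidates(tsval, rates=(100, 250, 1000)):
    """Uptimes the same TSval implies under the tick rates Linux kernels of
    that era used (100 Hz for 2.4, 1000 Hz for early 2.6, 250 Hz later)."""
    return {hz: round(uptime_hours(tsval, hz), 1) for hz in rates}


if __name__ == "__main__":
    clusters, unknown = cluster_hosts(parse(SAMPLE))
    print(f"{len(clusters)} probable Linux hosts:",
          [(c["anchor_up"], len(c["members"])) for c in clusters])
    print("unseparable (no uptime):", {k: len(v) for k, v in unknown.items()})
    # A TSval that reads as 942 hrs under a 100 Hz guess is 94.2 hrs at 1000 Hz.
    print(uptime_candidates(339_120_000))
```

Run it and the four Linux lines collapse to two probable hosts, while the Windows lines, which carry no uptime, stay unseparable. The candidate table shows why “up: 942 hrs” can mean 94 hours: the same TSval read at 1000 Hz instead of 100 Hz.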

The open proxies were also being tested from within the /24 IP range belonging to Megaprovider. This is done to check that an open proxy will indeed open up the desired connection. The intercepted tests show a correlation with the IPs and: through the hijacked proxy the connection went back towards port 8655 on both of those IP addresses.

Just one of the proxypots saw attempts to send out spam to no fewer than 1,000,000 addresses during four consecutive days. It is within reason to presume the actual number of spams sent to be much, much higher, as only a fraction got caught in the proxypot.

At any given time a spammer uses several open proxies at once. It has occurred that two or more proxypots were contacted simultaneously from within the same range of IP addresses. This substantiates the belief that dozens of open proxies were used simultaneously. Any serious spammer wouldn’t break a sweat pumping out 20,000,000 spams headed for a multitude of e-mail addresses in less than 24 hours. The proxypot data suggests about four to six addresses per message, but research has shown this could easily be 10 to 100 addresses per message.
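The two kinds of proxypot observations described above, the spammer’s own proxy tests and the relayed messages, can be pulled out of a proxypot log mechanically. The following is an added example, not code from the article or from any of the proxypots mentioned; the log format, the addresses (IETF documentation ranges) and the recipient counts are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed proxypot log in a simplified format (not the format of any real
# proxypot): timestamp, client socket, then either the CONNECT request the
# client issued or the recipient count of one SMTP message it relayed.
# 192.0.2.0/24 stands in for the abused /24, 203.0.113.9 for an unrelated client.
LOG = """\
2005-04-15 02:00:01 192.0.2.17:3310 CONNECT 192.0.2.17:8655
2005-04-15 02:00:02 192.0.2.17:3311 CONNECT 192.0.2.40:8655
2005-04-15 02:00:05 192.0.2.17:3320 RCPT 5
2005-04-15 02:00:06 192.0.2.17:3321 RCPT 4
2005-04-15 02:00:09 192.0.2.40:1710 CONNECT 192.0.2.40:8655
2005-04-15 02:00:10 192.0.2.40:1711 RCPT 6
2005-04-15 02:00:12 203.0.113.9:5000 CONNECT 198.51.100.25:25
2005-04-15 02:00:13 203.0.113.9:5001 RCPT 100
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ev = {
            "ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
            "src": ipaddress.ip_address(parts[2].rsplit(":", 1)[0]),
            "kind": parts[3],
        }
        if ev["kind"] == "CONNECT":
            host, port = parts[4].rsplit(":", 1)
            ev["dst"], ev["dport"] = ipaddress.ip_address(host), int(port)
        elif ev["kind"] == "RCPT":
            ev["rcpt"] = int(parts[4])
        events.append(ev)
    return events


def same_network(a, b, prefixlen):
    return (ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefixlen}", strict=False))


def find_proxy_tests(events, prefixlen=24):
    """CONNECT requests whose target lies in the client's own /prefixlen.

    A spammer verifying that a proxy really opens outbound connections makes
    it connect back to a listener he controls; the (target, port) pairs this
    returns therefore name his own hosts, whichever proxy was used.
    """
    tests = defaultdict(set)
    for ev in events:
        if ev["kind"] == "CONNECT" and same_network(ev["src"], ev["dst"], prefixlen):
            tests[(str(ev["dst"]), ev["dport"])].add(str(ev["src"]))
    return {k: sorted(v) for k, v in tests.items()}


def volume_by_network(events, prefixlen=24):
    """Messages and recipients relayed per source /prefixlen.

    The recipients-per-message ratio is what any extrapolation from a single
    proxypot rests on, and one bulk message (here 100 recipients) moves it a
    lot, so it is reported per network rather than as one global average.
    """
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for ev in events:
        if ev["kind"] != "RCPT":
            continue
        net = str(ipaddress.ip_network(f"{ev['src']}/{prefixlen}", strict=False))
        stats[net]["messages"] += 1
        stats[net]["recipients"] += ev["rcpt"]
    for s in stats.values():
        s["per_message"] = s["recipients"] / s["messages"]
    return dict(stats)


if __name__ == "__main__":
    events = parse_log(LOG)
    for target, sources in find_proxy_tests(events).items():
        print("proxy test towards", target, "from", sources)
    for net, s in volume_by_network(events).items():
        print(net, s)
```

The loopback test is the more valuable signal: the proxy in between is disposable, but the (address, port) pair the spammer tests against is infrastructure he has to keep reachable.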

The source of the abused open proxies

To keep sending out his millions of spams “jpeg” needs thousands of open proxies. He could satisfy his need for proxies by actively searching for them, but he could also “just” buy or rent them from others.

By coincidence one of “jpeg”’s proxy suppliers has been discovered. On April 15th 2005 “jpeg” was sending spams through a computer which turned out to be infected with a trojan belonging to the aka aka botnet.

That specific trojan was spread by the owners of the network through, amongst others, an exploit on. This website was advertised in spams as offering “free young girls pics”. The spam itself was sent out through open proxies. The site was hosted in China, to prevent its removal by the local administrator in case of complaints. A page containing a Visual Basic script installed a program on the computer of the unsuspecting visitor, without his knowledge or consent.

The trojan is related to the Troj/Multidr-BP family (other, possibly incorrect or incomplete, descriptions here and here). It has the following features:

  • It will try to disable any firewall(s) and/or virus scanner(s) the user might have installed. This makes the computer more vulnerable to this and newer viruses and trojans.
  • The program installs a backdoor. This backdoor allows the attacker to gain (unauthorized) access to the infected computer at a later time.
  • The program turns the infected computer into an open proxy and registers it with the administrators of the botnet. This registration message carries all kinds of data, like the IP address and the open proxy port of the infected computer. The administrator then sells or rents out this proxy to spammers in need of open proxies.
  • And finally the trojan has the ability to download another trojan, from. It isn’t entirely clear yet whether this new trojan was in fact available through

On April 15th 2005 a specially prepared honeypot system was used to simulate a trojan infection. Three spammers showed interest in this honeypot: a (most likely) Russian spammer, the “jpeg” spammer from the aforementioned Megaprovider IP addresses (the spam runs performed on April 15th and April 16th 2005) and his colleague “ndgs” from the IP address

This specific case makes it very probable that the “jpeg” spammer uses trojan-infected computers under the control of a botnet to send out his spam.

Megaprovider’s mailservers in blocklists a problem?

Something I had been wondering about for quite some time: how can Megaprovider keep its business up and running while being listed in a very large number of private blocklists and DNS blocklists like the SBL (by Spamhaus)? The answer is most likely as predictable as it is simple: Megaprovider (sometimes) simply utilizes mail servers with an IP address outside of its own range(s):

Received: from ( []) by mx1.[munged] (Postfix) with ESMTP for <[munged]@[munged]>; [munged] May 2005 [munged] +0200 (CEST)

This e-mail (complete header), sent by an employee at Megaprovider, was sent from an XS4ALL IP (XS4ALL) through a mail server in the IP space (SERVEPATH-BLK4) belonging to ServePath. Although recently things seem to have improved, ServePath does have a history of not objecting to spammers.

I’m assuming that this employee sent this e-mail from his private connection, which would explain the XS4ALL DSL link. But that makes the mail server at ServePath all the more interesting, because why would a mailing list server at Megaprovider send out all its mail through this mail server at ServePath (as “smarthost”)?

Received: from []:[munged] ( by [munged] with esmtp id [munged] for [munged]; Sun, [munged] Jun 2005 [munged] +0200
Received: from nld99 by with local (Exim 4.24) id [munged] for [munged]; Sun, 26 Jun 2005 [munged] +0200

Van Leuven uses the services provided by Megaprovider. Its mailing list server runs on, reachable on IP address That IP address is listed in a number of blocklists, Spamhaus’s among them. If e-mail were sent directly from this server, it would not reach many places. By routing the e-mail through a server outside of the Megaprovider IP range, this block is circumvented.

Megaprovider has been using this specific mail server for quite some time, according to e-mail from a couple of months back:

Received: from (customer-reverse-entry. [] (may be forged)) by [munged] (8.10.2/8.10.2) with ESMTP id [munged] for [munged]; [munged] Jul 2004 [munged] +0200

Received: from (unknown []) by [munged] (Postfix) with ESMTP id [munged] for [munged]; [munged] Jun 2004 [munged] +0200 (CEST)

Received: from (unknown []) by [munged] ([munged]) with ESMTP id [munged] for [munged]; [munged] Apr 2004 [munged] +0200 (CEST)

Most likely Megaprovider has set up several systems like this one. There are at least two more (Dutch) IPs outside of Megaprovider IP space that are used for sending e-mail. The server points towards, points towards – both IP addresses are used on the same box.

The name “Zelda” has surfaced before when dealing with Megaprovider, but this could of course be sheer coincidence.
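An added example, not part of the original article, of how the pattern in the headers above can be detected on the receiving side: parse the Received: chain, take the hop that delivered to our own MX, and check whether an earlier relay sits in a listed range while the delivering relay does not. The headers, host names, queue IDs and the listed range are constructed (192.0.2.0/24 stands in for the Megaprovider range, 198.51.100.7 for the outside smarthost, mx1.example.org for our MX).

```python
import ipaddress
import re

# Constructed message headers (host names, IDs and addresses are invented).
# 192.0.2.0/24 plays the listed range, 198.51.100.7 the smarthost outside it,
# mx1.example.org our own MX.
HEADERS = """\
Received: from smarthost.example.net (smarthost.example.net [198.51.100.7])
\tby mx1.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <victim@example.org>; Sun, 26 Jun 2005 12:00:00 +0200 (CEST)
Received: from lists.example.com (unknown [192.0.2.99])
\tby smarthost.example.net (Postfix) with ESMTP id 4D5E6F
\tfor <victim@example.org>; Sun, 26 Jun 2005 11:59:58 +0200 (CEST)
Received: from nld99 by lists.example.com with local (Exim 4.24)
\tid 7G8H9I for victim@example.org; Sun, 26 Jun 2005 11:59:57 +0200
From: list@lists.example.com
Subject: newsletter
"""

# Offline stand-in for a blocklist lookup (a DNSBL query in practice).
LISTED = (ipaddress.ip_network("192.0.2.0/24"),)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) to their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Received: headers as (from_ip, by_host) pairs, oldest hop first.

    A hop without a bracketed address (local submission, as the Exim line)
    yields from_ip None.
    """
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m_ip, m_by = IP_RE.search(line), BY_RE.search(line)
        hops.append((ipaddress.ip_address(m_ip.group(1)) if m_ip else None,
                     m_by.group(1) if m_by else None))
    hops.reverse()
    return hops


def is_listed(ip, listed=LISTED):
    return ip is not None and any(ip in net for net in listed)


def smarthost_evasion(raw, listed=LISTED):
    """Return evidence when a listed relay hides behind an unlisted one.

    The delivering relay is the hop our MX saw (last after reversing) and the
    only address observed by us. If it is clean but an earlier Received: line
    names a listed address, the mail was routed around the blocklist through
    an outside smarthost. Returns None otherwise.
    """
    hops = received_hops(raw)
    if not hops:
        return None
    delivering_ip, _ = hops[-1]
    if is_listed(delivering_ip, listed):
        return None  # plain listing hit; the MX could reject on that alone
    for ip, by_host in hops[:-1]:
        if is_listed(ip, listed):
            return {"origin": str(ip), "smarthost": str(delivering_ip),
                    "smarthost_name": by_host}
    return None


if __name__ == "__main__":
    print(smarthost_evasion(HEADERS))
```

Treat the result as a lead, not proof: only the Received: line your own MX added is trustworthy, every earlier one was written by the sending side and can be forged (one of the headers above even carries a “(may be forged)” note), so a listed address deep in the chain justifies a closer look at the smarthost, not an automatic reject.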

Update 1: Both ServePath IP addresses have been listed by the Spamhaus SBL (SBL28402 and SBL28403), only a few hours after this article was posted.

Update 2: And 36 hours later, ServePath disconnects their customer.


Credits

Large parts of the information were based on the excellent work of mainly Feike Hacquebord. Others who have made contributions are Carel Bitter, Johan Haagsma and several others who prefer not to be named.

This butchering of the English language was provided by JPV.