Showing posts with label CyberBunker. Show all posts

Saturday 27 April 2013

Is CB3ROB a champion of free speech? Or a spammer?

The alleged arrest of Sven Olaf Kamphuis (aka CB3ROB) of CyberBunker and the eponymous CB3ROB Ltd has thrown Anonymous into a tizzy, with a #freecb3rob campaign running on Twitter.

The arrest was made because of a suspicion that Kamphuis might be behind a massive DDoS attack on Spamhaus that also impacted Cloudflare. I don't have any evidence that CB3ROB or any of his business associates are behind the DDoS attack, but there's a well-known public spat between Spamhaus (who accuse Cyberbunker of being spammers) and Cyberbunker (who accuse Spamhaus of being vigilantes who want to stifle free speech).

It's hard to see why Anon is pro-CB3ROB and so anti-Spamhaus. Yes, it has been reported that CyberBunker has helped to host the Pirate Bay and Wikileaks in the past, both favourites of Anon and not necessarily bad things in themselves. And Spamhaus doesn't actually block anything - it provides a reputation scoring system that others can use to see if they want to accept or reject email, but Spamhaus's very assertive actions against CyberBunker seem to have been the trigger.

But perhaps the critical question is this - what does CyberBunker (and CB3ROB Ltd) actually host?

I identified 866 websites in the large 84.22.96.0/19 block (84.22.96.0 - 84.22.127.255) allocated to both CyberBunker and CB3ROB, although this list is probably not comprehensive. This is what I discovered:
  • 74% of them are flagged as spam domains by multi.surbl.org
  • 39% are flagged as spam on more than one blacklist
  • 0.9% of them are flagged as malware domains by Google
  • 78% of them have a poor WOT reputation
You can download the complete set of results from here [csv]. This data includes the domain name, IP, decimalised IP (good for sorting in Excel), WOT rankings, Google Safe Browsing diagnostic and SURBL prognosis.
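A sketch of how a results file like the one described can be summarised (an added example, not the author's tooling): it keeps only hosts inside 84.22.96.0/19, adds the decimalised IP so rows sort numerically, and reports flag rates. The column names, the `.example` domains, the flag values and the address 84.22.99.10 are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

BLOCK = ipaddress.ip_network("84.22.96.0/19")  # allocation named in the post

# Constructed sample rows, not the author's data; column names are assumptions.
SAMPLE_CSV = """domain,ip,surbl_listed,google_malware
a.example,84.22.104.244,yes,yes
b.example,84.22.104.246,yes,no
c.example,84.22.100.108,yes,no
d.example,84.22.99.10,no,no
e.example,203.80.16.81,yes,no
"""

def decimalise(ip):
    """Dotted quad -> integer, so rows sort numerically instead of as text."""
    return int(ipaddress.IPv4Address(ip))

def summarise(csv_text, block=BLOCK):
    """Keep rows hosted inside the block, sort by decimal IP, report flag rates."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ipaddress.IPv4Address(row["ip"]) not in block:
            continue  # hosted elsewhere, not part of this survey
        row["decimal_ip"] = decimalise(row["ip"])
        rows.append(row)
    rows.sort(key=lambda r: r["decimal_ip"])

    def pct(column):
        flagged = sum(r[column] == "yes" for r in rows)
        return round(100 * flagged / len(rows), 1) if rows else 0.0

    return {
        "total": len(rows),
        "surbl_pct": pct("surbl_listed"),
        "malware_pct": pct("google_malware"),
        # Which IPs the malware-flagged domains cluster on
        "malware_ips": dict(Counter(r["ip"] for r in rows if r["google_malware"] == "yes")),
        "order": [r["ip"] for r in rows],
    }

if __name__ == "__main__":
    print(BLOCK[0], "-", BLOCK[-1], BLOCK.num_addresses)
    print(summarise(SAMPLE_CSV))
```

Sorting the dotted strings as text would place 84.22.100.108 before 84.22.99.10; the decimalised column avoids that.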


Given the high level of domains flagged for spam, the obvious conclusion is that CyberBunker has a serious spam problem and a less serious malware problem mostly centered on 84.22.104.244 and also 84.22.104.246 (more info here). Perhaps there are some legitimate sites in this list who have been caught up in the crossfire, although nothing seems to stand out. I'd love to know who is using CyberBunker for anything other than spam and malware.

You can look at the evidence yourself and decide if CB3ROB is a champion of free speech or someone who supports spammers. I know what my conclusion is though.

Tuesday 19 February 2013

Cyberbunker fake pharma spam / 84.22.104.123

Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:

Date:      Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From:      Apple [noreply@bellona.wg.saar.de]
To:      [redacted]
Subject:      Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5

   
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
   
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.
The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets.ru hosted on 84.22.104.123 along with the following spammy sites:

Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.

Tuesday 25 December 2012

Godless Eastern bloc commie atheists

Honestly, who sends this sort of crap out on Christmas day? Umm.. equally, who checks their spam filter on Christmas day? Anyway, this is what the godless eastern bloc pinko commie atheist spammers are sending out today.

Date:      Tue, 25 Dec 2012 22:56:51 -0700
From:      "Ticket Support"
Subject:      Password Assistance

Thank you for your letter of Dec 25, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Regards, Yuonne Ferro, Support Team manager.
Some variants of the body text:
"Thank you for contacting us, your information arrived today."
"Thank you for your letter regarding our products and services, your information arrived today."
"Thank you for considering our products and services, your information arrived today."

Some alternative sender names:
"Jonie Gunther", "Noreen Macklin", "Bonny Oconnell"

The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker. Given their awful reputation, I am surprised that they haven't been de-peered. Yet.

There's certainly nothing of value at all in the 84.22.96.0/19 range; blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP:

Tuesday 6 November 2012

Apple "Account Info Change" spam / welnessmedical.com

Not malware this time, but pharma spam. The links in this fake Apple message lead to welnessmedical.com.


From: Apple [mailto:appleid@id.arcadiadesign.it]
Sent: Tue 06/11/2012 18:30
Subject: Account Info Change

Hello,

The following information for your Apple ID [redacted] was updated on 11/06/2012:

Date of birth
Security question(s) and answer(s)

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.

To review and update your security settings, sign in to appleid.apple.com.

This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.

Thanks,
Apple Customer Support



TM and copyright © 2012 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014.
All Rights Reserved / Keep Informed / Privacy Policy / My Apple ID 


The fake pharma site (welnessmedical.com) is hosted on 84.22.127.43 along with a bunch of other ones, plus some additional sites one IP over at 84.22.127.44:

Oddly, 84.22.127.43 doesn't seem to be registered at RIPE. No matter, we know who the owner of 84.22.127.0 is:

inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
descr:           BLACK OPERATIONS
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
country:         NL
status:          ASSIGNED PA
mnt-by:          MNT-CB3ROB
mnt-lower:       MNT-CB3ROB
mnt-routes:      MNT-CB3ROB
source:          RIPE # Filtered

role:            Ministery of Telecommunications
address:         One CyberBunker Avenue
address:         CB-31337
address:         CyberBunker-1
address:         Republic CyberBunker
mnt-by:          MNT-CB3ROB
admin-c:         CBMT1-RIPE
tech-c:          CBMT1-RIPE
nic-hdl:         CBMT1-RIPE
source:          RIPE # Filtered

route:          84.22.96.0/19
descr:          R84-22-96-0
origin:         AS34109
mnt-by:         MNT-CB3ROB
source:         RIPE # Filtered


It's our old friends Cyberbunker again, who have registered the block with fake details. How RIPE lets them get away with this I don't know. If you can, I recommend blocking the entire 84.22.96.0/19 range as almost everything here is pretty seedy. You can read more about Cyberbunker's very dark grey hat activities over at Wikipedia if you want more information.
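The registration gap noted above can be checked mechanically. This added example (not the author's code) parses an excerpt of the RIPE objects quoted in the post and reports which `inetnum` and `route` objects cover a given address; the function names are hypothetical.

```python
import ipaddress

# Excerpt of the RIPE objects quoted in the post above.
WHOIS = """\
inetnum:         84.22.127.0 - 84.22.127.7
netname:         A84-22-127-0
descr:           BLACK OPERATIONS
mnt-by:          MNT-CB3ROB

route:          84.22.96.0/19
descr:          R84-22-96-0
origin:         AS34109
mnt-by:         MNT-CB3ROB
"""

def parse_objects(text):
    """Split RPSL text into blank-line separated objects of (attribute, value) pairs."""
    objects = []
    for chunk in text.strip().split("\n\n"):
        attrs = []
        for line in chunk.splitlines():
            if line.startswith(("%", "#")) or ":" not in line:
                continue  # server comments and continuation junk
            key, value = line.split(":", 1)
            attrs.append((key.strip(), value.split("#")[0].strip()))
        if attrs:
            objects.append(attrs)
    return objects

def coverage(ip, text):
    """Return the inetnum ranges and (route, origin) pairs that contain ip."""
    addr = ipaddress.IPv4Address(ip)
    hits = {"inetnum": [], "route": []}
    for obj in parse_objects(text):
        kind, value = obj[0]  # the first attribute names the object type
        if kind == "inetnum":
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
            if lo <= addr <= hi:
                hits["inetnum"].append(value)
        elif kind == "route" and addr in ipaddress.ip_network(value):
            hits["route"].append((value, dict(obj).get("origin")))
    return hits

if __name__ == "__main__":
    print(coverage("84.22.127.43", WHOIS))  # routed, but no covering inetnum here
    print(coverage("84.22.127.5", WHOIS))   # covered by both objects
```

For 84.22.127.43 the quoted `inetnum` does not match, but the address is still announced under the 84.22.96.0/19 route object maintained by MNT-CB3ROB.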

Tuesday 30 October 2012

Craigslist spam / fionadix.ru

This fake Craigslist spam leads to malware on fionadix.ru:


Date:      Tue, 30 Oct 2012 06:26:07 +0600
From:      Tai Seals [AntonyHaugland@fibermail.hu]
Subject:      POST/EDIT/DELETE : "tattoos tattoos tattoos" (talent)


IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

==========



Date:      Tue, 30 Oct 2012 06:23:41 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      POST/EDIT/DELETE : "Appliance repair" (financial)

IMPORTANT - FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

    PUBLISH YOUR AD
    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
    VERIFY YOUR EMAIL ADDRESS
    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL - you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!


The malicious payload is at [donotclick]fionadix.ru:8080/forum/links/column.php (report here) hosted on some familiar IPs:
68.67.42.41 (Fibrenoire, Canada)
203.80.16.81 (MYREN, Malaysia)
209.51.221.247 (eNET, United States)

Additional name server IPs:
50.22.102.132 (Softlayer, United States)
62.76.186.190 (Clodo-Cloud, Russia)
84.22.100.108 (Cyberbunker, Netherlands)
213.251.171.30 (OVH, France)

Plain list for copy-and-pasting:

Monday 1 October 2012

Sendspace spam / onlinebayunator.ru

I haven't seen Sendspace spam before.. but here it is, leading to malware on onlinebayunator.ru:


Date:      Mon, 1 Oct 2012 10:40:29 +0300
From:      Twitter
To:      [redacted]
Subject:      You have been sent a file (Filename: [redacted]-9038870.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-56.pdf, (133.8 KB) waiting to be downloaded at sendspace.(It was sent by CHIQUITA Caldwell).





You can use the following link to retrieve your file:

Download Link



The file may be available for a limited time only.

Thank you,



sendspace - The best free file sharing service.



----------------------------------------------------------------------



Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]onlinebayunator.ru:8080/forum/links/column.php hosted on the same IP address as this attack earlier today.

NACHA spam / onlinebayunator.ru

This fake NACHA spam leads to malware on onlinebayunator.ru:


Date:      Mon, 1 Oct 2012 04:16:46 -0500
From:      Bebo Service [service@noreply.bebo.com]
Subject:      Fwd: ACH Transfer rejected

The ACH debit transfer, initiated from your bank account, was canceled.

Canceled transaction:

Transfer ID: FE-764029897226US

Transaction Report: View



Valentino Dickey

NACHA - The Electronic Payment Association



f0c34915-3e624bbb


The malicious payload is at [donotclick]onlinebayunator.ru:8080/forum/links/column.php (probably a Blackhole 2 exploit kit) hosted on the following familiar IPs that should be blocked:

84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)

Of note, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.


Thursday 27 September 2012

UPS Spam / sectantes-x.ru

This fake UPS spam leads to malware at sectantes-x.ru:


Date:      Thu, 27 Sep 2012 10:03:27 -0400
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      UPS Tracking Number H8244648923

    USPS .com Customer Services for big savings!     Can't see images? CLICK HERE.    
    UPS UPS SUPPORT 39    
UPS - UPS TEAM 31 >>
   
    Not Ready to Open

an Account?    
       
    The UPS Store® can help with full service packing and shipping.   
    Learn More >>   
   
       
   
UPS - Your UPS .com Customer Services
Dear, [redacted]

DEAR CUSTOMER , Delivery Confirmation: Failed

Track your Shipment now!

With best wishes , UPS .com Customer Services.
   
                       
Shipping         Tracking         Calculate Time & Cost         Open an Account
                       
@ 2011 United Parcel Service of America, Inc. Your USPS Team, the UPS brandmark, and the color brown are

trademarks of United Parcel Service of America, Inc. All rights reserved.



This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to

Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.



USPS .com Customer Services, 33 Glenlake Parkway, NE - Atlanta, GA 30580

Attn: Customer Communications Department


The malicious payload is at [donotclick]sectantes-x.ru:8080/forum/links/column.php hosted on the following IP addresses:
84.22.100.108 (Republic CyberBunker, Antarctica - Amsterdam more likely)
190.10.14.196 (RACSA, Costa Rica)
203.80.16.81 (Myren, Malaysia)

The following IPs and domains are all connected and should be blocked:

In addition, CyberBunker has a long history of spamming and tolerating criminals. Blocking the range 84.22.96.0/19 should afford your network some additional protection.
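The posts above share two observable traits: destinations inside 84.22.96.0/19 and a landing URL on port 8080 with the path /forum/links/column.php. This added example (not from the original posts) triages proxy log lines on both; the log format, the `.example` hostnames and the idea of treating the port and path pair as a signature are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

BLOCK = ipaddress.ip_network("84.22.96.0/19")
LANDING_PATH = re.compile(r"^/forum/links/column\.php$")  # path seen in the posts

# Constructed log lines: timestamp, client IP, destination IP, URL.
LOG = """\
2012-10-01T09:12:01Z 10.0.0.5 84.22.100.108 http://landing.example:8080/forum/links/column.php
2012-10-01T09:12:07Z 10.0.0.8 203.80.16.81 http://landing.example:8080/forum/links/column.php?x=1
2012-10-01T09:13:30Z 10.0.0.5 84.22.104.123 http://pharma.example/
2012-10-01T09:14:02Z 10.0.0.9 198.51.100.7 http://intranet.example:8080/forum/index.php
malformed line
"""

def triage(log_text):
    """Return (client, destination, reasons) for every line worth a look."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, dst, url = parts
        try:
            in_block = ipaddress.ip_address(dst) in BLOCK
            parsed = urlsplit(url)
            port = parsed.port  # raises ValueError on a non-numeric port
        except ValueError:
            continue
        reasons = []
        if in_block:
            reasons.append("dst-in-84.22.96.0/19")
        if port == 8080 and LANDING_PATH.match(parsed.path):
            reasons.append("landing-url-pattern")
        if reasons:
            findings.append((client, dst, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(LOG):
        print(finding)
```

The second sample line shows why the URL check matters: the same landing path served from an address outside the /19 is missed by a range block alone.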