Register Of Known Spam Operations (ROKSO) Spam Operation: Yambo Financials 24.232.33.129/32 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Yambo Financials Yambo botnet webhosts/nameservers (compromised systems) For a Canadian Health+Care Mall Yambo pharmacy hostname I found a nameserver listed at 24.232.33.129. As every Yambo nameserver will resolve each of their hostnames, let me check this by querying it for the IP address of the more recently spamvertized Yambo hostname, hrwifg.tlyldihkis.com. : dig @24.232.33.129 hrwifg.tlyldihkis.com A +norec +noqu +noadd +noauth : ;; flags: qr aa ra; <-- AUTHORITATIVE AND NON-RECURSIVE : hrwifg.tlyldihkis.com 600 IN A 59.44.110.238 : NOTE: While the response was to a non-recursive query, today :::: *all* the Yambo nameservers I checked support recursive :::: queries. Usually they do not. Have the backends from :::: which they proxy results been reconfigured for some :::: reason? While almost all Yambo webhosts also serve as namservers, many nameservers do NOT serve as webhosts/proxies. Does this one also serve as a web host? Let me force hrwifg.tlyldihkis.com to resolve to 24.232.33.129 (each Yambo pharmacy webhost/proxy will provide the data for all the pharmacy sites). * Connected to 24.232.33.129 : GET / HTTP/1.1 : Host: hrwifg.tlyldihkis.com : HTTP/1.1 200 OK : Server: Apache/2.2.2 (Fedora) : [title]My Canadian Pharmacy - Viagra, CIALIS or Super Viagra, Generic Viagra, Cialis[/title] It is a nameserver and web host/proxy. IP address 24.232.33.129 ------------------------ 24.232.33.129 is found in sbl.spamhaus.org : Lists "known spammers, spam gangs or spam support services." inetnum: 24.232.33.128/25 owner: Cablevision S.A. country: AR e-mail: [omitted]@FIBERTEL.COM.AR address: Fibertel TCI country: AR Address 24.232.33.129 maps to OL129-33.fibertel.com.ar [whois.abuse.net] spamming@fibertel.com.ar (for fibertel.com.ar) noc@fibertel.com.ar (for fibertel.com.ar) postmaster@fibertel.com.ar (for fibertel.com.ar) ------------------------

Notes for fibertel.com.ar Abuse/Security

A listing in the ROKSO database means that this entity has already been terminated by a minimum of 3 Internet networks for serious AUP violations. ROKSO spammers are professional spammers who will use every trick to try to stop you from terminating them. You can not issue "warnings" to ROKSO spammers, they treat warnings as simply opportunities to get even more spam out before the account is gone. To protect your network it is important that you read the ROKSO records of your customer now. See: ROKSO records for Yambo Financials

Removal Procedure

As this listing is of part of a known ROKSO spam operation, Spamhaus can not remove this SBL listing if there is any functioning web site, mail server or DNS server still serving the spam operation in 24.232.33.129/32.

To have record SBL75942 (24.232.33.129/32) removed from the SBL, the Abuse/Security representative of fibertel.com.ar (or the Internet Service Provider responsible for supplying connectivity to 24.232.33.129/32) needs to contact the SBL Team by email (use this link) to explain how the spam problem has been terminated (we need to know exactly how you have terminated the problem). If the spam problem that caused this listing has been verifiably terminated we will normally remove the listing from the SBL without delay.

It is essential that emails to the SBL Team about this SBL listing include this exact ticket information in the Subject: