
Blocking poneytelecom.eu [#poneytelecom]

You may have found this page because you’re getting hacked from a rev.poneytelecom.eu address or you’re receiving spam from this address range; you may even have found it because it is hosting malicious content.

Poney Telecom, an internet server company run from France, has been at the centre of multiple allegations of organised international criminal activity for a few years, with all warnings, court summons and legal demands to be closed ignored.

I personally have seen portscans that come from a rev.poneytelecom.eu address, and I have also seen malware that has been hosted via them.

Just take a look at the chat on Twitter against the hashtag #poneytelecom here; it is mostly people complaining about hacking attempts.

There is more info here and here

How To Block

With regard to this issue, we get a lot of messages asking how to block this and other similar sites. There is no easy way to answer this, because every user’s situation is different: every router has a different way to block IPs, and every web host has a different way to block them. The best thing we can say is to search the web for how to block IP addresses in whatever you want to block them with, such as Apache web server, IIS web server, cPanel, hosts file, htaccess file and so on.
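One way to turn a list of CIDR ranges into rules for an Apache 2.4 `.htaccess` file and for a Linux nftables firewall; this is an added example, not code from the original post. The sample list is constructed from documentation-only ranges, and the function names and the `blocklist` / `bad4` / `bad6` names are assumptions.

```python
from ipaddress import collapse_addresses, ip_network
import re

# Constructed sample list (documentation-only ranges, RFC 5737 / RFC 3849).
SAMPLE = """\
198.51.100.0/25
198.51.100.128/25 (Added 01-01-2020)
203.0.113.0/24
203.0.113.64/26
2001:db8::/32
not-a-range
192.0.2.7/24
"""

def parse_ranges(text):
    """One range per line; returns (v4, v6, rejected) with overlaps merged."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = re.sub(r"\(.*?\)", "", raw).strip()  # drop "(Added ...)" notes
        if not line:
            continue
        try:
            # strict=True refuses host bits (192.0.2.7/24), a likely typo
            net = ip_network(line, strict=True)
        except ValueError:
            rejected.append(raw.strip())
            continue
        (v4 if net.version == 4 else v6).append(net)
    return list(collapse_addresses(v4)), list(collapse_addresses(v6)), rejected

def apache_rules(nets):
    """Apache 2.4 access rules for .htaccess or a <Directory> block."""
    deny = "".join(f"    Require not ip {n}\n" for n in nets)
    return "<RequireAll>\n    Require all granted\n" + deny + "</RequireAll>\n"

def nft_rules(v4, v6):
    """nftables table that drops inbound packets from the given ranges."""
    sets, drops = [], []
    for v, proto, nets in (("4", "ip", v4), ("6", "ip6", v6)):
        if nets:  # skip an address family that has no ranges
            items = ", ".join(map(str, nets))
            sets.append(f"    set bad{v} {{ type ipv{v}_addr; flags interval; "
                        f"elements = {{ {items} }} }}")
            drops.append(f"        {proto} saddr @bad{v} drop")
    return "\n".join(["table inet blocklist {", *sets, "    chain input {",
                      "        type filter hook input priority -10; policy accept;",
                      *drops, "    }", "}"]) + "\n"

if __name__ == "__main__":
    v4, v6, bad = parse_ranges(SAMPLE)
    print(apache_rules(v4 + v6) + nft_rules(v4, v6) + f"rejected: {bad}")
```

Rejected lines are returned rather than silently widened, so a mistyped range never becomes a broader block than intended.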

Hosts To Block

Although there may be many genuine users on this system, I have taken action and blocked all their ranges.




This page was last updated 4th July 2018

Luke Simmonds

Blogger at www.systemtek.co.uk

14 thoughts on “Blocking poneytelecom.eu [#poneytelecom]”

  • Poneytelecom have added 151.115.0.0/16 to their IP blocks according to their website.

  • Many thanks for the info

    Had almost endless SIP connection attempts to my PBX from their ranges for months,
    have been blocking them bit by bit,
    now blocked the lot

  • My site has been hacked by them and they are also using the IP 51.15.157.216

  • Thanks for the info, I found an additional IPv6 block being used:
    2001:41d0::/32

    • Great, but how do you block it? I need more specific instructions as to how and where to set up the block. It would be appreciated, as they flood my email with crap. Thanks

  • How do you block it? I am not bad with computers, just not great either. I do have a college education (for what that’s worth) in chem and took comp sci, and am a huge nerd who has the addiction where you Google everything to learn as much as you can so you can figure it out… hopefully. But I do have a brain injury from a car wreck, so some things are harder to remember and do than others.

  • Yeah, how do you block it? Please answer, anyone. 11/14/18

  • If you have access to your own DNS settings you can set DMARC, DKIM and SPF for your own email domain. If all domain admins do this we can fight against the spoofing.

  • You’d block it either at the WAN level on your firewall or at the system level using a system firewall such as firewalld (redhat) or ipfilter (most other NIX). Otherwise you’d need to modify your deny list in postfix (assuming your mail system is running that).

  • They are still active, and have also entered the field of black market VPNs sold on hacking forums (used to anonymize the real IP of cybercriminal individuals). Something is the vector of that; it’s not just cybercriminals with a dedi from poneytelecom that use it for a personal tunnel and such things.

    Worst is that unsuspecting sysadmins will mistake the hostname as looking like a typical, legitimate home internet ISP line. It is not a telecom company from France, but a bulletproof hoster that extends all the way to individuals internetting through such a black market VPN, as well.
