Dan,

Try searching SenderBase.org for the domains or class C's to verify what is being used currently and then do reverse DNS lookups on the surrounding IP space to see if a similar pattern exists with the other addresses. You might also identify the guy in the event that one block appears on SBL (linked from SenderBase.org) and add in other known blocks to your filter. Here is an example of one of his address spaces:

http://www.senderbase.org/search?searchString=216.9.176.0

Hey, what do you know, SBL does have this guy marked, and he's a ROKSO spammer. Their lists might be incomplete though.

Unfortunately, I've found that this type of spammer seems to be splitting up some of their space on only portions of netblocks, maybe to avoid detection by perma-listing RBLs like SBL. Places like SpamCop will expire their blocks, so if they jump around like the Pexicom guy, he can keep his space mostly clean and spam from them for a much longer time before he is tagged for the entire netblock.

Please share your findings with the list. I for one am interested in moving spammers with static IPs at least up above my fail weight, and others can save processing by blocking them at the router or in IMail's access control list. Blocking by IP with the ipfile type of filter is also the fastest Declude method, and it protects from them changing names to get past your filters. Sounds like you might have already come to that conclusion.

Matt
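
The reverse DNS sweep described above, as an added example that is not part of the original message or of Declude: it walks a block, flags addresses whose PTR name falls under a domain already in the filter, counts the other domains seen nearby for manual review, and collapses the hits into the tightest CIDR ranges so that a partially used netblock is not blocked whole. The function names, the 192.0.2.0/24 documentation range and the `.example` hostnames are constructed assumptions.

```python
import ipaddress
import socket
from collections import Counter

def ptr_lookup(ip):
    """Live reverse DNS; returns None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def base_domain(hostname):
    """Last two labels of a hostname (sufficient for .com-style names)."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])

def sweep(network, known_domains, resolve=ptr_lookup):
    """Reverse-resolve every host address in `network`.

    Returns (hits, candidates): hits are addresses whose PTR is under a
    known domain; candidates counts the other base domains seen in the
    block, to be reviewed by hand before they go into a filter.
    """
    known = {d.lower().lstrip(".") for d in known_domains}
    hits, candidates = [], Counter()
    for ip in ipaddress.ip_network(network).hosts():
        name = resolve(str(ip))
        if name is None:
            continue
        dom = base_domain(name.lower())
        if dom in known:
            hits.append(ip)
        else:
            candidates[dom] += 1
    return hits, candidates

def tight_ranges(hits):
    """Smallest set of CIDR blocks covering only the matching addresses."""
    nets = (ipaddress.ip_network(ip) for ip in hits)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed PTR table standing in for DNS so the example runs offline.
SAMPLE_PTR = {f"192.0.2.{i}": f"mx{i}.tulip-mint.example" for i in range(64, 96)}
SAMPLE_PTR.update({f"192.0.2.{i}": f"out{i}.window-fest.example" for i in range(96, 112)})
SAMPLE_PTR["192.0.2.10"] = "www.unrelated-host.example"

if __name__ == "__main__":
    hits, cands = sweep("192.0.2.0/24", [".TULIP-MINT.EXAMPLE"], SAMPLE_PTR.get)
    print(tight_ranges(hits), dict(cands))
```

Omit the `resolve` argument to query live DNS; a domain that turns up in the candidate count and is confirmed as the same sender can be added to the known list and the sweep rerun.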



Dan Geiser wrote:

Hello, All,
I am interested in knowing if anyone on this list knows who the spammer is
that is registering and using domain names that are basically 2 words put
together or 1 word appended with an easily recognizable suffix and that all
of the domains are always in all CAPS.  I find it so easy to recognize one
of these pieces of spam when I see it yet other than the easily recognizable
domains they do everything they can to make their e-mail look legit from a
header standpoint.

I was just curious to know which of the major spammers is generating all of
this stuff as I'd like to break out the IP addresses that they are using and
weight them higher than the other IP filters I use.

Anybody familiar with these?

Thanks,
Dan

P.S: I've listed a handful of the domains below

