RE: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Colbeck, Andrew



Gotta catch 'em all (not Pokemon, spam)...

Sniffer caught all of them today:

gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[345][0-9]\./ {print $3}" dec0617.log >temp.txt

fgrep -f temp.txt dec0617.log | fgrep "Total weight"

If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines Sniffer didn't hit on:

fgrep -f temp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Thursday, June 16, 2005 4:20 PM
  To: sniffer@SortMonster.com
  Subject: Re: [sniffer] Spam blocks loading me up with spam
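The pipeline Andrew posted above (and the /16-wide egrep from his earlier message further down) does the same job in three passes over a Declude log: pull the message IDs for envelope lines whose "IP:" falls in the netblocks of interest, pull those IDs' "Total weight" lines, then drop the ones Sniffer hit. Two things a practitioner will want to know before reusing it: the bracket expression `[3|4|5]` in the gawk line is a character class, not an alternation, so it also matches a literal `|`, and even as `[345]` it matches 200.49.3.x and 200.49.5.x as happily as 200.49.3x/4x/5x. The Python below is an added example, not code from Andrew's post, from Message Sniffer or from Declude. It assumes the log layout implied by the thread (field 3 is the message ID, the envelope line carries "From: ... To: ... IP: a.b.c.d", a later line for the same ID contains "Total weight", and a Sniffer hit puts "SNIFFER" on one of that ID's lines); the log lines are constructed and the function names are this example's own. It swaps the octet regex for real prefix matching with the `ipaddress` module, and goes one step beyond the thread by collapsing Scott's list of /24s into the summary CIDRs you would actually put in a block list.

```python
"""Correlate Declude-style log lines with the sending netblocks from the thread.

Added example; not code from the original post, from Message Sniffer or from
Declude. Assumptions: field 3 is the message ID, the envelope line carries
"From: ... To: ... IP: a.b.c.d", a later line for the same ID contains
"Total weight", and a Sniffer hit puts "SNIFFER" on one of that ID's lines.
All log lines are constructed; the function names are this example's own.
"""
import ipaddress
import re

# /24s named in the thread: Scott's IPFILE set (Feb, SBL17983) and the June 15th wave.
NETBLOCKS_IPFILE = [f"200.49.{n}.0/24" for n in range(32, 48)]
NETBLOCKS_NEW = [f"200.49.{n}.0/24" for n in range(48, 60)]

# Constructed sample log in the assumed layout (not a real Declude log).
SAMPLE_LOG_LINES = [
    # message 1: new wave, Sniffer hit it
    "06/17/2005 09:12:01 Q0617A0001.SMD From: sender@example.net To: jsmith@example.com IP: 200.49.52.17",
    "06/17/2005 09:12:01 Q0617A0001.SMD SNIFFER failed (weight 20)",
    "06/17/2005 09:12:01 Q0617A0001.SMD Total weight of 25 (HOLD)",
    # message 2: Feb SBL17983 range (Darrell's 200.49.44.x), no Sniffer hit
    "06/17/2005 09:13:44 Q0617A0002.SMD From: sender@example.net To: jsmith@example.com IP: 200.49.44.200",
    "06/17/2005 09:13:44 Q0617A0002.SMD Total weight of 5 (DELIVER)",
    # message 3: unrelated sender, must be ignored
    "06/17/2005 09:14:10 Q0617A0003.SMD From: sender@example.net To: jsmith@example.com IP: 192.0.2.10",
    "06/17/2005 09:14:10 Q0617A0003.SMD Total weight of 0 (DELIVER)",
    # message 4: 200.49.3.x; the posted regex 200\.49\.[3|4|5] matches this, CIDR matching does not
    "06/17/2005 09:15:00 Q0617A0004.SMD From: sender@example.net To: jsmith@example.com IP: 200.49.3.9",
    "06/17/2005 09:15:00 Q0617A0004.SMD Total weight of 0 (DELIVER)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

# Envelope line: date, time, message ID, then From/To/IP (assumed layout).
ENVELOPE_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) From: \S+ To: \S+ IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def collapse(cidrs):
    """Summarise a list of CIDR strings into the fewest covering networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def envelopes_from(log_text, cidrs):
    """Map message ID -> sending IP for envelope lines whose IP is inside cidrs.

    Replaces the gawk regex on the third octet with real prefix matching, so
    200.49.3.9 is not mistaken for the 200.49.3x blocks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = {}
    for line in log_text.splitlines():
        m = ENVELOPE_RE.match(line)
        if m is None:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in n for n in nets):
            hits[m.group("msgid")] = str(ip)
    return hits


def sniffer_misses(log_text, cidrs):
    """Messages from cidrs that reached a 'Total weight' line without a SNIFFER hit.

    Equivalent of  fgrep -f temp.txt log | fgrep "Total weight" | fgrep -v SNIFFER,
    but keyed on the exact message ID, and it also counts a SNIFFER hit logged on
    a separate line for that ID (assumption about the log layout)."""
    wanted = envelopes_from(log_text, cidrs)
    sniffer_hit = set()
    totals = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] not in wanted:
            continue
        msgid = fields[2]
        if "SNIFFER" in line:
            sniffer_hit.add(msgid)
        if "Total weight" in line:
            totals[msgid] = line
    return sorted(
        (msgid, wanted[msgid], totals[msgid]) for msgid in totals if msgid not in sniffer_hit
    )


if __name__ == "__main__":
    print("summary CIDRs:", collapse(NETBLOCKS_IPFILE + NETBLOCKS_NEW))
    for msgid, ip, total_line in sniffer_misses(SAMPLE_LOG, NETBLOCKS_IPFILE + NETBLOCKS_NEW):
        print(f"leaked: {msgid} from {ip}: {total_line}")
```

Run as-is it prints the three summary CIDRs (200.49.32.0/20, 200.49.48.0/21, 200.49.56.0/22) and the one constructed message that leaked; to use it on a real day, read the dec*.log file into `log_text` in place of SAMPLE_LOG and check the envelope regex against one real line first, since the exact Declude field layout is an assumption here.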


Re: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Scott Fisher



I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.

The trouble on this spammer for me is they aren't listed anywhere (with the 200.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective.
So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.
 
Netblock        Domain             Status  Date      SBL
200.49.32.0/24                     moved   06-15-05  SBL17983
200.49.33.0/24  starsoftmails.com  added   02-17-05  SBL17983
200.49.34.0/24                     moved   06-15-05  SBL17983
200.49.35.0/24                     moved   06-15-05  SBL17983
200.49.36.0/24                     moved   06-15-05  SBL17983
200.49.37.0/24  afdtc.com          added   02-17-05  SBL17983
200.49.38.0/24  afdtc.com          added   02-17-05  SBL17983
200.49.39.0/24  afdaa.com          added   02-17-05  SBL17983
200.49.40.0/24                     moved   06-15-05  SBL17983
200.49.41.0/24                     moved   06-15-05  SBL17983
200.49.42.0/24                     moved   06-15-05  SBL17983
200.49.43.0/24  awwsc.com          added   02-17-05  SBL17983
200.49.44.0/24  arvvv.com          moved   05-29-05  SBL17983
200.49.45.0/24  starofferzone.com  added   02-17-05  SBL17983
200.49.46.0/24  fdcmm.com          added   02-17-05  SBL17983
200.49.47.0/24  bicsc.com          added   02-17-05  SBL17983

  ----- Original Message -----
  From: Darrell ([EMAIL PROTECTED])
  To: sniffer@SortMonster.com
  Sent: Thursday, June 16, 2005 6:44 PM
  Subject: Re: [sniffer] Spam blocks loading me up with spam
  


Re: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Darrell (supp...@invariantsystems.com)



Scott,

Not too many incoming for me - about 200 out of about 125K messages.  One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude and IMail: IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

  ----- Original Message -----
  From: Scott Fisher
  To: sniffer@SortMonster.com
  Sent: Thursday, June 16, 2005 6:04 PM
  Subject: [sniffer] Spam blocks loading me up with spam
  
   



RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Chuck Schick
We have been seeing these.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam



Am I the only one getting blasted by this spam from these IP blocks?
Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24 
200.49.49.0/24  200.49.49.0/24  mowz2.com  
200.49.50.0/24  200.49.50.0/24  qckcstmr.com  
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com  
200.49.52.0/24  200.49.52.0/24  aahtv.com  
200.49.53.0/24  200.49.53.0/24  aakai.com  
200.49.54.0/24  200.49.54.0/24  aakib.com  
200.49.55.0/24  200.49.55.0/24  aakli.com  
200.49.56.0/24  200.49.56.0/24  aafix.com  
200.49.57.0/24  200.49.57.0/24  e.com  
200.49.58.0/24  200.49.58.0/24  
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also
seem to be progressing through the IP blocks.

I think they started in on the June 15th and have been spamming pretty
consistently.


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Michael Hardrick



Hey Andrew,
Are you sending your logs to a UNIX box, or running a ported version of grep/egrep for Windows?

Mike


-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 17:34
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam



RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew



Also, the domains in the body text are not hitting on SURBL tests.

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
  Sent: Thursday, June 16, 2005 3:34 PM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] Spam blocks loading me up with spam


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew



I haven't noticed this spam leaking through, but at your prompting I did a:

egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46.  A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16-bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer.  Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP-like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Thursday, June 16, 2005 3:04 PM
  To: sniffer@SortMonster.com
  Subject: [sniffer] Spam blocks loading me up with spam
   


Re: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Pete McNeil
On Thursday, June 16, 2005, 6:04:18 PM, Scott wrote:

SF>  
SF> Am I the only one getting blasted by this spam from these
SF> IP blocks? Sniffer seems a little behind on catching these.
SF>  
SF> 200.49.48.0/24  200.49.48.0/24 
SF> 200.49.49.0/24  200.49.49.0/24  mowz2.com  
SF> 200.49.50.0/24  200.49.50.0/24  qckcstmr.com  
SF> 200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com  
SF> 200.49.52.0/24  200.49.52.0/24  aahtv.com  
SF> 200.49.53.0/24  200.49.53.0/24  aakai.com  
SF> 200.49.54.0/24  200.49.54.0/24  aakib.com  
SF> 200.49.55.0/24  200.49.55.0/24  aakli.com  
SF> 200.49.56.0/24  200.49.56.0/24  aafix.com  
SF> 200.49.57.0/24  200.49.57.0/24  e.com  
SF> 200.49.58.0/24  200.49.58.0/24  
SF> 200.49.59.0/24  200.49.59.0/24
SF>  
SF> Domain names and links seem to be five chars  beginning with
SF> aa. They also seem to be progressing through  the IP blocks.  
SF>  
SF> I think they started in on the June 15th and have been spamming pretty
SF> consistently.

We haven't been seeing these (specifically) but we have seen some of
them and more like them. I'm going to add rules for this list (not the
IPs because I need to research that).

Have you submitted these? -- I would have expected to catch them if
so, that is, unless some other rule trapped them on the way in.

_M


  

