RE: [sniffer] Spam blocks loading me up with spam

From: Colbeck, Andrew
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam

Gotta catch 'em all (not Pokemon, spam)... Sniffer caught all of them today:

    # print the third field (the per-message ID) of every From:/To:/IP: line whose
    # connecting address has a third octet of 30 through 59 ([3|4|5] in the
    # original makes the bars literal characters, so [345] is used here), then
    # pull every log line for those IDs and keep the "Total weight" summaries
    gawk "/From: .+To: .+IP: 200\.49\.[345][0-9]\./ {print $3}" dec0617.log >temp.txt
    fgrep -ftemp.txt dec0617.log | fgrep "Total weight"

If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines sniffer didn't hit on:

    fgrep -ftemp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"

Andrew 8)

-----Original Message-----
From: Scott Fisher
Sent: Thursday, June 16, 2005 4:20 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Spam blocks loading me up with spam

> ----- Original Message -----
> From: Darrell
> To: sniffer@SortMonster.com
> Sent: Thursday, June 16, 2005 6:44 PM
> Subject: Re: [sniffer] Spam blocks loading me up with spam
>
> > ----- Original Message -----
> > From: Scott Fisher
> > To: sniffer@SortMonster.com
> > Sent: Thursday, June 16, 2005 6:04 PM
> > Subject: [sniffer] Spam blocks loading me up with spam
> >
> > Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.
> >
> >     200.49.48.0/24
> >     200.49.49.0/24   mowz2.com
> >     200.49.50.0/24   qckcstmr.com
> >     200.49.51.0/24   srvdupfrsh.com
> >     200.49.52.0/24   aahtv.com
> >     200.49.53.0/24   aakai.com
> >     200.49.54.0/24   aakib.com
> >     200.49.55.0/24   aakli.com
> >     200.49.56.0/24   aafix.com
> >     200.49.57.0/24   e.com
> >     200.49.58.0/24
> >     200.49.59.0/24
> >
> > Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.
> >
> > I think they started in on June 15th and have been spamming pretty consistently.
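The gawk/fgrep pipeline above, generalized, as an added example that is not code from the Sniffer list, from Declude or from Message Sniffer. It reads a log whose lines follow the "ID From: ... To: ... IP: ..." shape the commands grep for, keeps the messages whose connecting address falls inside the /24 blocks named in this thread (200.49.32.0/24 through 200.49.59.0/24, matched as CIDR rather than by regex so that a neighbour such as 200.49.31.x is not swept in), reports the ones that never got a SNIFFER line (the `fgrep -v "SNIFFER"` step), and flags the two traits the thread describes: sender domains of the form aa???.com and MAIL FROM addresses that embed the recipient. The log layout, weights and addresses are constructed for the example and only approximate Declude's real format; the recipient-embedding check is an assumption about what the VERP-like addresses look like.

```python
"""Triage a Declude-style log for spam from a set of suspect netblocks.

Added example, not code from the Sniffer mailing list, Declude or Message
Sniffer. The log layout, test names and addresses below are constructed.
"""
import ipaddress
import re

# The /24s listed in the thread: 200.49.32.0/24 through 200.49.59.0/24.
SUSPECT_BLOCKS = [ipaddress.ip_network(f"200.49.{n}.0/24") for n in range(32, 60)]

# Constructed sample log: one envelope line per message (third field is the
# per-message ID), followed by that message's test and "Total weight" lines.
SAMPLE_LOG = """\
06/17/2005 09:01:12 Q1A2B3C4D From: jsmith=example.com@aakai.com To: jsmith@example.com IP: 200.49.53.17
06/17/2005 09:01:13 Q1A2B3C4D Total weight of 5
06/17/2005 09:02:40 Q5E6F7A8B From: news@example.org To: jdoe@example.com IP: 192.0.2.44
06/17/2005 09:02:41 Q5E6F7A8B Total weight of 0
06/17/2005 09:03:05 Q9C0D1E2F From: jdoe=example.com@aafix.com To: jdoe@example.com IP: 200.49.56.201
06/17/2005 09:03:05 Q9C0D1E2F SNIFFER: Weight=25
06/17/2005 09:03:06 Q9C0D1E2F Total weight of 30
06/17/2005 09:04:22 Q3D4E5F60 From: bob@example.net To: jsmith@example.com IP: 200.49.31.9
06/17/2005 09:04:23 Q3D4E5F60 Total weight of 0
"""

ENVELOPE_RE = re.compile(
    r"^\S+ \S+ (?P<id>\S+) From: (?P<mail_from>\S+) To: (?P<rcpt>\S+) IP: (?P<ip>[\d.]+)$"
)
TEST_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?P<test>[A-Z0-9-]+): ")
TOTAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) Total weight of (?P<weight>-?\d+)")
# "five chars beginning with aa" under .com, as Scott described the domains
AA_DOMAIN_RE = re.compile(r"^aa[a-z0-9]{3}\.com$")


def in_suspect_block(ip):
    """True if the address falls inside any listed netblock (exact CIDR test)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in SUSPECT_BLOCKS)


def parse_log(text):
    """Group log lines by message ID; returns {id: record}."""
    messages = {}
    for line in text.splitlines():
        m = ENVELOPE_RE.match(line)
        if m:
            messages[m["id"]] = {
                "mail_from": m["mail_from"], "rcpt": m["rcpt"], "ip": m["ip"],
                "tests": set(), "total": None,
            }
            continue
        m = TOTAL_RE.match(line)
        if m and m["id"] in messages:
            messages[m["id"]]["total"] = int(m["weight"])
            continue
        m = TEST_RE.match(line)
        if m and m["id"] in messages:
            messages[m["id"]]["tests"].add(m["test"])
    return messages


def encodes_recipient(mail_from, rcpt):
    """VERP-like check (an assumption about the trait Andrew describes): the
    MAIL FROM local part carries the recipient's local part and domain."""
    local = mail_from.rsplit("@", 1)[0].lower()
    rcpt_local, _, rcpt_domain = rcpt.lower().rpartition("@")
    return rcpt_local in local and rcpt_domain in local


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(text):
    """Messages from the suspect blocks, what Sniffer did with them, and which
    traits from the thread they show; sorted by message ID."""
    report = []
    for mid, rec in sorted(parse_log(text).items()):
        if not in_suspect_block(rec["ip"]):
            continue
        report.append({
            "id": mid,
            "ip": rec["ip"],
            "sniffer_hit": "SNIFFER" in rec["tests"],
            "aa_domain": bool(AA_DOMAIN_RE.match(sender_domain(rec["mail_from"]))),
            "verp_like": encodes_recipient(rec["mail_from"], rec["rcpt"]),
            "total_weight": rec["total"],
        })
    return report


def sniffer_misses(text):
    """IDs of suspect-block messages Sniffer did not hit (the fgrep -v step)."""
    return [r["id"] for r in triage(text) if not r["sniffer_hit"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
    print("missed by Sniffer:", sniffer_misses(SAMPLE_LOG))
```

Run against the constructed log, the report lists the two messages from 200.49.53.x and 200.49.56.x, skips the one from 200.49.31.9 that a `200\.49\.[345]` regex would have matched, and names only the first as a Sniffer miss. Swapping SAMPLE_LOG for a real Declude log means adjusting the three regexes to its actual field layout.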
Re: [sniffer] Spam blocks loading me up with spam

From: Scott Fisher
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 4:20 PM

I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983. The trouble on this spammer for me is they aren't listed anywhere (with the 200.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective. So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.

    Block           Domain             Action  Date      SBL
    200.49.32.0/24                     moved   06-15-05  SBL17983
    200.49.33.0/24  starsoftmails.com  added   02-17-05  SBL17983
    200.49.34.0/24                     moved   06-15-05  SBL17983
    200.49.35.0/24                     moved   06-15-05  SBL17983
    200.49.36.0/24                     moved   06-15-05  SBL17983
    200.49.37.0/24  afdtc.com          added   02-17-05  SBL17983
    200.49.38.0/24  afdtc.com          added   02-17-05  SBL17983
    200.49.39.0/24  afdaa.com          added   02-17-05  SBL17983
    200.49.40.0/24                     moved   06-15-05  SBL17983
    200.49.41.0/24                     moved   06-15-05  SBL17983
    200.49.42.0/24                     moved   06-15-05  SBL17983
    200.49.43.0/24  awwsc.com          added   02-17-05  SBL17983
    200.49.44.0/24  arvvv.com          moved   05-29-05  SBL17983
    200.49.45.0/24  starofferzone.com  added   02-17-05  SBL17983
    200.49.46.0/24  fdcmm.com          added   02-17-05  SBL17983
    200.49.47.0/24  bicsc.com          added   02-17-05  SBL17983

----- Original Message -----
From: Darrell
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:44 PM
Subject: Re: [sniffer] Spam blocks loading me up with spam

> ----- Original Message -----
> From: Scott Fisher
> To: sniffer@SortMonster.com
> Sent: Thursday, June 16, 2005 6:04 PM
> Subject: [sniffer] Spam blocks loading me up with spam
Re: [sniffer] Spam blocks loading me up with spam

From: Darrell
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:44 PM

Scott,

Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower, like 200.49.44.x.

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Scott Fisher
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:04 PM
Subject: [sniffer] Spam blocks loading me up with spam
RE: [sniffer] Spam blocks loading me up with spam

We have been seeing these.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-----Original Message-----
From: Scott Fisher
Sent: Thursday, June 16, 2005 4:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] Spam blocks loading me up with spam

Hey Andrew,

Are you sending your logs to a UNIX box, or running a ported version of grep/egrep for Windows?

Mike

-----Original Message-----
From: Colbeck, Andrew
Sent: Thursday, June 16, 2005 17:34
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam
RE: [sniffer] Spam blocks loading me up with spam

Also, the domains in the body text are not hitting on SURBL tests.

Andrew 8)

-----Original Message-----
From: Colbeck, Andrew
Sent: Thursday, June 16, 2005 3:34 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam
RE: [sniffer] Spam blocks loading me up with spam

I haven't noticed this spam leaking through, but at your prompting I did a:

    egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16-bit subnet), and I see messages today from:

    200.49.37.0/24
    200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer. Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP-like MAIL FROM addresses, e.g.:

    [EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

-----Original Message-----
From: Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam
Re: [sniffer] Spam blocks loading me up with spam

On Thursday, June 16, 2005, 6:04:18 PM, Scott wrote:

SF> Am I the only one getting blasted by these spam from these
SF> IP blocks? Sniffer seems a little behind on catching these.
SF> [...]

We haven't been seeing these (specifically) but we have seen some of them and more like them.

I'm going to add rules for this list (not the IPs because I need to research that).

Have you submitted these? -- I would have expected to catch them if so, that is, unless some other rule trapped them on the way in.

_M