Title: Message
Gotta catch 'em all (not Pokemon, spam)...

Sniffer caught all of them today:

    gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[345]/ {print $3}" dec0617.log > temp.txt
    fgrep -ftemp.txt dec0617.log | fgrep "Total weight"

If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines sniffer didn't hit on:

    fgrep -ftemp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:20 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Spam blocks loading me up with spam

I'm also taking out the: 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.

The trouble on this spammer for me is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective.

So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.

200.49.32.0/24                       moved  06-15-05  SBL17983
200.49.33.0/24  starsoftmails.com    added  02-17-05  SBL17983
200.49.34.0/24                       moved  06-15-05  SBL17983
200.49.35.0/24                       moved  06-15-05  SBL17983
200.49.36.0/24                       moved  06-15-05  SBL17983
200.49.37.0/24  afdtc.com            added  02-17-05  SBL17983
200.49.38.0/24  afdtc.com            added  02-17-05  SBL17983
200.49.39.0/24  afdaa.com            added  02-17-05  SBL17983
200.49.40.0/24                       moved  06-15-05  SBL17983
200.49.41.0/24                       moved  06-15-05  SBL17983
200.49.42.0/24                       moved  06-15-05  SBL17983
200.49.43.0/24  awwsc.com            added  02-17-05  SBL17983
200.49.44.0/24  arvvv.com            moved  05-29-05  SBL17983
200.49.45.0/24  starofferzone.com    added  02-17-05  SBL17983
200.49.46.0/24  fdcmm.com            added  02-17-05  SBL17983
200.49.47.0/24  bicsc.com            added  02-17-05  SBL17983

----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:44 PM
Subject: Re: [sniffer] Spam blocks loading me up with spam

Scott,

Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Scott Fisher
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:04 PM
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24
200.49.49.0/24  mowz2.com
200.49.50.0/24  qckcstmr.com
200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  aahtv.com
200.49.53.0/24  aakai.com
200.49.54.0/24  aakib.com
200.49.55.0/24  aakli.com
200.49.56.0/24  aafix.com
200.49.57.0/24  e.com
200.49.58.0/24
200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.

I think they started in on June 15th and have been spamming pretty consistently.
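
Added example, not part of the original thread: the two-step gawk/fgrep check from the top message, done as a single awk command that reads the log twice. It goes a little further than the posted commands by testing the third octet as a numeric range and matching the message ID as an exact field instead of a substring. The function names, the sample lines and the log layout (field 3 is the message ID, the "Total weight" line names the tests that fired) are assumptions inferred from the commands above.

```shell
#!/bin/sh
# Added example. Assumed log layout (inferred from the gawk command above):
#   field 3 = message ID; one line per message has "From: .. To: .. IP: a.b.c.d";
#   another has "Total weight" plus the names of the tests that fired.

# Print IDs of messages from 200.49.<lo>-<hi>.x whose summary lacks SNIFFER.
sniffer_misses() {   # usage: sniffer_misses LOGFILE LO HI
    awk -v lo="$2" -v hi="$3" '
        # Pass 1 (first read of the file): collect IDs by source netblock.
        NR == FNR {
            if (match($0, /IP: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                split(substr($0, RSTART + 4, RLENGTH - 4), o, ".")
                if (o[1] + 0 == 200 && o[2] + 0 == 49 &&
                    o[3] + 0 >= lo + 0 && o[3] + 0 <= hi + 0)
                    wanted[$3] = 1
            }
            next
        }
        # Pass 2: exact match on the ID field, keep summaries without SNIFFER.
        ($3 in wanted) && /Total weight/ && !/SNIFFER/ { print $3 }
    ' "$1" "$1"
}

# Constructed sample lines (not real log data) written to the given path.
# Q3333 (200.49.5.x) would match the posted regex but is outside 48-59;
# Q22221 would be picked up by a substring match on Q2222.
make_sample_log() {
    cat > "$1" <<'EOF'
06/17/2005 00:01:02 Q1111 From: a@example.com To: u@example.net IP: 200.49.50.17
06/17/2005 00:01:02 Q1111 Tests failed: SNIFFER SPAMCOP Total weight: 25
06/17/2005 00:02:10 Q2222 From: b@example.com To: u@example.net IP: 200.49.53.9
06/17/2005 00:02:10 Q2222 Tests failed: SPAMCOP Total weight: 8
06/17/2005 00:03:30 Q3333 From: c@example.com To: u@example.net IP: 200.49.5.77
06/17/2005 00:03:30 Q3333 Tests failed: NOABUSE Total weight: 3
06/17/2005 00:04:44 Q22221 From: d@example.com To: u@example.net IP: 192.0.2.10
06/17/2005 00:04:44 Q22221 Tests failed: HELOBOGUS Total weight: 4
EOF
}
```

Calling `sniffer_misses dec0617.log 48 59` would cover the 200.49.48.0/24 to 200.49.59.0/24 blocks from the first message in the thread.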