RE: Re[2]: [sniffer] Spam blocks loading me up with spam
Today I saw hits from this campaign on another IP block as well, and plugging that into SenderBase.org gives me:

http://www.senderbase.org/search?searchString=200.49.37.130

Note in the top right that they list 200.49.36.0/22 as belonging to "Network Access Point S.R.L.", and following that link shows 19 domains, many of which follow Scott's spam campaign sample domains. Weirdly, plugging that CIDR format back into SenderBase reveals little joy.

I've submitted to "spam@" multiple samples from today of spam that I caught with and without Sniffer so that Pete can see what is common.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, June 16, 2005 3:58 PM
To: Chuck Schick
Subject: Re[2]: [sniffer] Spam blocks loading me up with spam

Additional info (justifying the IP block rules just added):

http://www.senderbase.org/search?searchString=200.49.48.0%2F20

I wonder why nobody else is listing these IPs yet. Could we just be the first?

(This exercise has given me some ideas for new research tasks-- :-) )

Interesting.

_M

On Thursday, June 16, 2005, 6:46:13 PM, Chuck wrote:

CS> We have been seeing these.

CS> Chuck Schick
CS> Warp 8, Inc.
CS> (303)-421-5140
CS> www.warp8.com

CS> -----Original Message-----
CS> From: [EMAIL PROTECTED]
CS> [mailto:[EMAIL PROTECTED]
CS> On Behalf Of Scott Fisher
CS> Sent: Thursday, June 16, 2005 4:04 PM
CS> To: sniffer@SortMonster.com
CS> Subject: [sniffer] Spam blocks loading me up with spam

CS> Am I the only one getting blasted by this spam from these IP
CS> blocks? Sniffer seems a little behind on catching these.
CS> 200.49.48.0/24
CS> 200.49.49.0/24  mowz2.com
CS> 200.49.50.0/24  qckcstmr.com
CS> 200.49.51.0/24  srvdupfrsh.com
CS> 200.49.52.0/24  aahtv.com
CS> 200.49.53.0/24  aakai.com
CS> 200.49.54.0/24  aakib.com
CS> 200.49.55.0/24  aakli.com
CS> 200.49.56.0/24  aafix.com
CS> 200.49.57.0/24  e.com
CS> 200.49.58.0/24
CS> 200.49.59.0/24

CS> Domain names and links seem to be five chars beginning with aa. They
CS> also seem to be progressing through the IP blocks.

CS> I think they started in on June 15th and have been spamming
CS> pretty consistently.

CS> This E-Mail came from the Message Sniffer mailing list. For
CS> information and (un)subscription instructions go to
CS> http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re[2]: [sniffer] Spam blocks loading me up with spam
Additional info (justifying the IP block rules just added):

http://www.senderbase.org/search?searchString=200.49.48.0%2F20

I wonder why nobody else is listing these IPs yet. Could we just be the first?

(This exercise has given me some ideas for new research tasks-- :-) )

Interesting.

_M

On Thursday, June 16, 2005, 6:46:13 PM, Chuck wrote:

CS> We have been seeing these.

CS> Chuck Schick
CS> Warp 8, Inc.
CS> (303)-421-5140
CS> www.warp8.com

CS> -----Original Message-----
CS> From: [EMAIL PROTECTED]
CS> [mailto:[EMAIL PROTECTED]
CS> On Behalf Of Scott Fisher
CS> Sent: Thursday, June 16, 2005 4:04 PM
CS> To: sniffer@SortMonster.com
CS> Subject: [sniffer] Spam blocks loading me up with spam

CS> Am I the only one getting blasted by this spam from these IP blocks?
CS> Sniffer seems a little behind on catching these.

CS> 200.49.48.0/24
CS> 200.49.49.0/24  mowz2.com
CS> 200.49.50.0/24  qckcstmr.com
CS> 200.49.51.0/24  srvdupfrsh.com
CS> 200.49.52.0/24  aahtv.com
CS> 200.49.53.0/24  aakai.com
CS> 200.49.54.0/24  aakib.com
CS> 200.49.55.0/24  aakli.com
CS> 200.49.56.0/24  aafix.com
CS> 200.49.57.0/24  e.com
CS> 200.49.58.0/24
CS> 200.49.59.0/24

CS> Domain names and links seem to be five chars beginning with aa. They also
CS> seem to be progressing through the IP blocks.

CS> I think they started in on June 15th and have been spamming pretty
CS> consistently.
Re[2]: [sniffer] Spam blocks loading me up with spam
I found this:

IP-Whois 200.49.48.0: (ARIN/LACNIC-200)
[Querying whois.lacnic.net]
[whois.lacnic.net]
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2005-06-16 19:33:19 (BRT -03:00)

inetnum:     200.49.48/20
status:      allocated
owner:       FritzWare S.R.L.
ownerid:     AR-FRSR-LACNIC
responsible: NOC Fritzware
address:     Av. San Martin, 6465, PB
address:     1419 - Buenos Aires -
country:     AR
phone:       +54 911 5008 0447 []
owner-c:     NOF
tech-c:      NOF
created:     20050420
changed:     20050420

---

Looks like this might have been created for this purpose just a short time ago. I've added rules for this /20 --- we'll see how that works out.

_M

On Thursday, June 16, 2005, 6:37:51 PM, Andrew wrote:

CA> Also, the domains in the body text are not hitting on SURBL tests.
CA>
CA> Andrew 8)
CA> -----Original Message-----
CA> From: [EMAIL PROTECTED]
CA> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
CA> Andrew
CA> Sent: Thursday, June 16, 2005 3:34 PM
CA> To: sniffer@SortMonster.com
CA> Subject: RE: [sniffer] Spam blocks loading me up with spam
CA> I haven't noticed this spam leaking through, but at your prompting I did a:
CA>
CA> egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log
CA>
CA> and saw about 46. A glance through these to:from:ip:
CA> lines definitely shows messages that fit your description,
CA> along with messages that don't (I'm deliberately looking at
CA> the 16 bit subnet) and I see messages today from:
CA>
CA> 200.49.37.0/24
CA> 200.49.44.0/24
CA>
CA> in addition to the blocks you listed, and a spot check of
CA> two of them did not turn up any hits with sniffer. Total
CA> volume was low, at less than 50 messages.
CA>
CA> One other interesting comment that I can add is that I'm
CA> seeing them use VERP-like MAIL FROM addresses, e.g.:
CA>
CA> [EMAIL PROTECTED]
CA>
CA> Of course, jsmith and example.com are not the actual text,
CA> but the recipient at my domain.
CA>
CA> Andrew 8)
CA> -----Original Message-----
CA> From: [EMAIL PROTECTED]
CA> [mailto:[EMAIL PROTECTED] On Behalf Of Scott
CA> Fisher
CA> Sent: Thursday, June 16, 2005 3:04 PM
CA> To: sniffer@SortMonster.com
CA> Subject: [sniffer] Spam blocks loading me up with spam
CA>
CA> Am I the only one getting blasted by this spam from
CA> these IP blocks? Sniffer seems a little behind on catching
CA> these.
CA>
CA> 200.49.48.0/24
CA> 200.49.49.0/24  mowz2.com
CA> 200.49.50.0/24  qckcstmr.com
CA> 200.49.51.0/24  srvdupfrsh.com
CA> 200.49.52.0/24  aahtv.com
CA> 200.49.53.0/24  aakai.com
CA> 200.49.54.0/24  aakib.com
CA> 200.49.55.0/24  aakli.com
CA> 200.49.56.0/24  aafix.com
CA> 200.49.57.0/24  e.com
CA> 200.49.58.0/24
CA> 200.49.59.0/24
CA>
CA> Domain names and links seem to be five chars beginning
CA> with aa. They also seem to be progressing through the IP
CA> blocks.
CA>
CA> I think they started in on June 15th and have been spamming pretty consistently.
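The log check Andrew describes above (an egrep over to:/from:/ip: lines for the 200.49.x.x space) generalised into a small script that tests each source IP against the two blocks named in this thread (Pete's 200.49.48.0/20 rule and the 200.49.36.0/22 SenderBase allocation) and flags link domains matching Scott's "five chars beginning with aa" pattern. This is an added example, not code from the list or from Message Sniffer. The log line shape (From:, To:, IP:, optional URL: fields) is an assumption modelled on the fields his regex matched; the real log format is not on the page, and the sample lines are constructed.

```python
import ipaddress
import re

# Blocks named in the thread: the /20 Pete added rules for, and the /22
# Andrew found via SenderBase. Everything else in this file is constructed.
SUSPECT_BLOCKS = [
    ipaddress.ip_network("200.49.48.0/20"),
    ipaddress.ip_network("200.49.36.0/22"),
]

# Scott's observation: link domains are five characters beginning with "aa".
AA_DOMAIN = re.compile(r"\b(aa[a-z0-9]{3})\.com\b", re.IGNORECASE)

# Assumed log line shape (From:, To:, IP:, optional URL:), modelled on the
# fields Andrew's egrep matched; the real Sniffer/mail log format is not
# on the page.
LOG_LINE = re.compile(
    r"From: (?P<mfrom>\S+) To: (?P<rcpt>\S+) IP: (?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"(?: URL: (?P<url>\S+))?"
)


def in_suspect_block(ip_text):
    """Return the matching suspect network for a dotted quad, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in SUSPECT_BLOCKS:
        if addr in net:
            return net
    return None


def classify(line):
    """Return the reasons a log line matches the campaign.

    An empty dict means the line parsed but is clean; None means it did
    not match the assumed log format at all.
    """
    m = LOG_LINE.search(line)
    if not m:
        return None
    reasons = {}
    net = in_suspect_block(m.group("ip"))
    if net is not None:
        reasons["ip_block"] = str(net)
    dom = AA_DOMAIN.search(m.group("url") or "")
    if dom:
        reasons["aa_domain"] = dom.group(1).lower() + ".com"
    return reasons


def scan(lines):
    """Yield (line, reasons) for every line with at least one hit."""
    for line in lines:
        reasons = classify(line)
        if reasons:
            yield line, reasons


# Constructed sample log lines (not from the page): two hits, one clean
# message, one address just outside the /20, and one unparseable line.
SAMPLE_LOG = [
    "From: bounce-1@mowz2.com To: jsmith@example.com IP: 200.49.49.17 URL: http://aakai.com/x",
    "From: news@aafix.com To: jsmith@example.com IP: 200.49.37.200",
    "From: friend@example.net To: jsmith@example.com IP: 192.0.2.10 URL: http://example.net/",
    "From: x@y.test To: jsmith@example.com IP: 200.49.64.1",
    "garbage line that does not parse",
]


def summarize(lines=SAMPLE_LOG):
    """Count hits per suspect network; per-line detail comes from scan()."""
    counts = {str(n): 0 for n in SUSPECT_BLOCKS}
    for _, reasons in scan(lines):
        if "ip_block" in reasons:
            counts[reasons["ip_block"]] += 1
    return counts


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(reasons, "<-", line)
    print(summarize())
```

Matching on the whole /20 rather than the individual /24s Scott listed mirrors Pete's rule and catches the "progressing through the IP blocks" behaviour without a new rule per block; the /22 check picks up the second allocation Andrew found, which a /24 list would have missed.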