Re: A flood of new domains ?

2012-03-21 Thread Robert Schetterer
On 21.03.2012 09:09, Per Jessen wrote:
> Has anyone else noticed this stream of new spamvertized domains :
> 
> http://files.jessen.ch/list-of-new-domains
> 
> Typically accompanied by messages/subject lines such as:
> 
> You should check your status update and see if it changed
> This method of language learning is super easy.
> Please confirm that this update is accurate.
> Teach yourself a new foreign language in 10 days
> 
> Just being curious.  Yesterday I got another 10 different domains. 
> 
> 

Hi Per, nothing special like that was noticed here

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-22 Thread Per Jessen
Robert Schetterer wrote:

> On 21.03.2012 09:09, Per Jessen wrote:
>> Has anyone else noticed this stream of new spamvertized domains :
>> 
>> http://files.jessen.ch/list-of-new-domains
>> 
>> Typically accompanied by messages/subject lines such as:
>> 
>> You should check your status update and see if it changed
>> This method of language learning is super easy.
>> Please confirm that this update is accurate.
>> Teach yourself a new foreign language in 10 days
>> 
>> Just being curious.  Yesterday I got another 10 different domains.
>> 
>> 
> 
> Hi Per, nothing special like that was noticed here
> 

Thanks Robert - amazing that nobody else seems to have noticed.  I've
added a rule to catch some of them, but yesterday I still got another
15 brand-new such domains. 
Perhaps of interest - all of these have valid DKIM signatures. 



-- 
Per Jessen, Zürich (6.2°C)



Re: A flood of new domains ?

2012-03-22 Thread Robert Schetterer
On 22.03.2012 08:23, Per Jessen wrote:
> Robert Schetterer wrote:
> 
>> On 21.03.2012 09:09, Per Jessen wrote:
>>> Has anyone else noticed this stream of new spamvertized domains :
>>>
>>> http://files.jessen.ch/list-of-new-domains
>>>
>>> Typically accompanied by messages/subject lines such as:
>>>
>>> You should check your status update and see if it changed
>>> This method of language learning is super easy.
>>> Please confirm that this update is accurate.
>>> Teach yourself a new foreign language in 10 days
>>>
>>> Just being curious.  Yesterday I got another 10 different domains.
>>>
>>>
>>
>> Hi Per, nothing special like that was noticed here
>>
> 
> Thanks Robert - amazing that nobody else seems to have noticed.  I've
> added a rule to catch some of them, but yesterday I still got another
> 15 brand-new such domains. 

Sorry, I don't follow new spam domains unless there is a significant rise,
but I grepped for your domains yesterday on a few servers with no result.

Spam is often very recipient related,
i.e. my beloved spambot army relocated from China/US to India/Brazil
during the last year; looks like that's trendy.

> Perhaps of interest - all of these have valid DKIM signatures. 

That's not so surprising; they already often have valid SPF too.
Perhaps they want to make sure to pass the new DMARC mechanisms at Google etc.

> 
> 
> 

Perhaps they are preparing for a bigger spam flood later
and your servers are a test balloon target.
That happened before, but this is speculation.

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-22 Thread xTrade Assessory
Robert Schetterer wrote:
> spam often is very recipient related
> i.e my beloved spambot armee relocated from china/us now to india/brasil
> during last year , looks like thats trendy


regarding BR

We get most from AFRINIC 41.0 and Pakistan 182.177, and of course our
own ADSL blocks.

If you want to block Brazilian origins, you could block any ADSL source,
since these addresses are not supposed to run a valid MTA.

If you're interested, you could block connections from all rDNS IPs faking
to be an MTA and resolving to the domain names which follow, each at least
several /16 if not /8 blocks:

.virtua.com.br
.dsl.telesp.net.br
.gvt.net.br
.vivotorpedo.com.br
.user.veloxzone.com.br
.speedy.com.ar
.fibertel.com.ar
.adsl.terra.cl
.prima.com.ar


Some small sub-blocks may have been relocated to other services and are
still not updated because of sloppy maintenance by the telco personnel,
but this problem is probably not relevant for Europe.


Hans






-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br
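As an added illustration of the rDNS-based policy Hans describes (example code, not from the thread or any of its posters): a small Postfix-style policy check that rejects clients whose reverse name ends in one of the listed pool suffixes and defers names that do not forward-confirm. The PTR/A tables, hostnames and addresses are constructed so it runs offline.

```python
import ipaddress

# Suffixes from Hans's post: PTR names under these belong to residential
# pools, which are not supposed to run a legitimate MTA.
DYNAMIC_SUFFIXES = (
    ".virtua.com.br", ".dsl.telesp.net.br", ".gvt.net.br",
    ".vivotorpedo.com.br", ".user.veloxzone.com.br", ".speedy.com.ar",
    ".fibertel.com.ar", ".adsl.terra.cl", ".prima.com.ar",
)

# Constructed PTR and A records standing in for DNS (hypothetical hostnames,
# RFC 5737 documentation addresses). A real policy daemon would query DNS.
PTR = {
    "203.0.113.10": "203-0-113-10.user.veloxzone.com.br",
    "203.0.113.20": "mail.example.org",
    "203.0.113.30": "dsl.telesp.net.br.example.net",  # suffix not at the end
    "198.51.100.5": "198-51-100-5.dsl.telesp.net.br",
}
A = {
    "203-0-113-10.user.veloxzone.com.br": "203.0.113.10",
    "mail.example.org": "203.0.113.20",
    "dsl.telesp.net.br.example.net": "203.0.113.31",  # does not forward-confirm
}

def in_dynamic_pool(hostname: str) -> bool:
    """True when the PTR name ends with one of the listed pool suffixes."""
    host = hostname.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in DYNAMIC_SUFFIXES)

def classify_client(ip: str, ptr=PTR, a=A) -> tuple:
    """Return (action, reason) for an SMTP client address.

    Actions use Postfix access-policy vocabulary: REJECT for dynamic pools,
    DEFER_IF_PERMIT when the rDNS name does not forward-confirm (a host
    'faking to be an MTA' usually fails PTR -> A -> same IP), and DUNNO so
    that later checks (RBLs, postscreen) still run.
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    name = ptr.get(ip)
    if name is None:
        return ("DUNNO", "no rDNS")
    if in_dynamic_pool(name):
        return ("REJECT", f"{name} is a dynamic/ADSL pool address")
    if a.get(name) != ip:
        return ("DEFER_IF_PERMIT", f"rDNS {name} does not forward-confirm")
    return ("DUNNO", "rDNS ok")

if __name__ == "__main__":
    for client in PTR:
        print(client, *classify_client(client))
```

The relocated sub-blocks Hans mentions are exactly the false-positive case a suffix match cannot see, which is why the pool match is kept separate from the forward-confirmation check and everything else falls through to DUNNO.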


Re: A flood of new domains ?

2012-03-22 Thread Robert Schetterer
On 22.03.2012 09:43, xTrade Assessory wrote:
> Robert Schetterer wrote:
>> spam often is very recipient related
>> i.e my beloved spambot armee relocated from china/us now to india/brasil
>> during last year , looks like thats trendy
> 
> 
> regarding BR
> 
> We get most from AFRINIC 41.0 and Pakistan 182.177, and of course our
> own ADSL blocks.
> 
> If you want to block Brazilian origins, you could block any ADSL source,
> since these addresses are not supposed to run a valid MTA.
> 
> if you're interested you could block connection from all rDNS IPs faking
> to be an MTA and resolving to domain names which follow, each at least
> several /16 if not /8 blocks
> 
> .virtua.com.br
> .dsl.telesp.net.br
> .gvt.net.br
> .vivotorpedo.com.br
> .user.veloxzone.com.br
> .speedy.com.ar
> .fibertel.com.ar
> .adsl.terra.cl
> .prima.com.ar
> 
> 
> Some small sub-blocks may have been relocated to other services and are
> still not updated because of sloppy maintenance by the telco personnel,
> but this problem is probably not relevant for Europe.
> 
> 
> Hans
> 
> 
> 
> 
> 
> 

I've done such for years, but I now have better mechanisms implemented before
that, i.e. postscreen (I don't like global rejects very much, i.e. banning geo
IP blocks and/or domains; after all, sometimes they are needed).

My newly implemented mechanism can't be used on every system.
It's something like what fail2ban does
(banning with firewall rules for some time),
but fail2ban wasn't quick enough for my bot bombardments,
and I was tired of tons of logging, so I switched to something
directly syslog related in combination with fail2ban and postscreen.
So now the bot problem that stayed over the years went nearly to null.
I will have some blog post on this in the near future, stay tuned.

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-22 Thread Per Jessen
Robert Schetterer wrote:

> On 22.03.2012 08:23, Per Jessen wrote:
>> Robert Schetterer wrote:
>> 
>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>
>>>> http://files.jessen.ch/list-of-new-domains
>>>>
>>>> Typically accompanied by messages/subject lines such as:
>>>>
>>>> You should check your status update and see if it changed
>>>> This method of language learning is super easy.
>>>> Please confirm that this update is accurate.
>>>> Teach yourself a new foreign language in 10 days
>>>>
>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>
>>>>
>>>
>>> Hi Per, nothing special like that was noticed here
>>>
>> 
>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>> added a rule to catch some of them, but yesterday I still got another
>> 15 brand-new such domains.
> 
> Sorry, I don't follow new spam domains unless there is a significant
> rise, but I grepped for your domains yesterday on a few servers with no
> result

I don't normally follow them either, but these are coming through to one
of my personal addresses.  It's also the rate of change that is
interesting - I very rarely see two emails with the same link. 



-- 
Per Jessen, Zürich (8.7°C)



Re: A flood of new domains ?

2012-03-22 Thread Robert Schetterer
On 22.03.2012 10:19, Per Jessen wrote:
> Robert Schetterer wrote:
> 
>> On 22.03.2012 08:23, Per Jessen wrote:
>>> Robert Schetterer wrote:
>>>
>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>
>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>
>>>>> Typically accompanied by messages/subject lines such as:
>>>>>
>>>>> You should check your status update and see if it changed
>>>>> This method of language learning is super easy.
>>>>> Please confirm that this update is accurate.
>>>>> Teach yourself a new foreign language in 10 days
>>>>>
>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>
>>>>>
>>>>
>>>> Hi Per, nothing special like that was noticed here
>>>>
>>>
>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>> added a rule to catch some of them, but yesterday I still got another
>>> 15 brand-new such domains.
>>
>> Sorry, I don't follow new spam domains unless there is a significant
>> rise, but I grepped for your domains yesterday on a few servers with no
>> result
> 
> I don't normally follow them either, but these are coming through to one
> of my personal addresses. 

OK, I understand, so you can't miss them *g

> It's also the rate of change that is
> interesting - I very rarely see two emails with the same link. 
> 

One more indication of a bright planned campaign.
What are they trying to push...?
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-22 Thread xTrade Assessory
Robert Schetterer wrote:
> One more indication of a bright planned campaign.
> What are they trying to push...?


I guess that is easy and simple ... the more the merrier.

They are smart, but we got smarter too, and now it is getting harder and
harder for "them", so they switch identification as fast as possible in
order to still get to the endpoint.



Hans


-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br


Re: A flood of new domains ?

2012-03-22 Thread Axb

On 03/22/2012 10:19 AM, Per Jessen wrote:
> Robert Schetterer wrote:
>
>> On 22.03.2012 08:23, Per Jessen wrote:
>>> Robert Schetterer wrote:
>>>
>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>
>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>
>>>>> Typically accompanied by messages/subject lines such as:
>>>>>
>>>>> You should check your status update and see if it changed
>>>>> This method of language learning is super easy.
>>>>> Please confirm that this update is accurate.
>>>>> Teach yourself a new foreign language in 10 days
>>>>>
>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>
>>>>
>>>> Hi Per, nothing special like that was noticed here
>>>>
>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>> added a rule to catch some of them, but yesterday I still got another
>>> 15 brand-new such domains.
>>
>> Sorry, I don't follow new spam domains unless there is a significant
>> rise, but I grepped for your domains yesterday on a few servers with no
>> result
>
> I don't normally follow them either, but these are coming through to one
> of my personal addresses.  It's also the rate of change that is
> interesting - I very rarely see two emails with the same link.

Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?



Re: A flood of new domains ?

2012-03-22 Thread Robert Schetterer
On 22.03.2012 10:30, xTrade Assessory wrote:
> Robert Schetterer wrote:
>> One more indication of a bright planned campaign.
>> What are they trying to push...?
> 
> 
> I guess that is easy and simple ... the more the merrier.
> 
> They are smart, but we got smarter too, and now it is getting harder and
> harder for "them", so they switch identification as fast as possible in
> order to still get to the endpoint.
> 
> 
> 
> Hans
> 
> 

For small tests it seems they all use the same registrar:
Registrar: MONIKER
However, no idea what to do with this info.

I guess they would identify themselves not as spammers
but more as urgent product news mail pushers *g
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-22 Thread Robert Schetterer
On 22.03.2012 10:33, Axb wrote:
> On 03/22/2012 10:19 AM, Per Jessen wrote:
>> Robert Schetterer wrote:
>>
>>> On 22.03.2012 08:23, Per Jessen wrote:
>>>> Robert Schetterer wrote:
>>>>
>>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>>
>>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>>
>>>>>> Typically accompanied by messages/subject lines such as:
>>>>>>
>>>>>> You should check your status update and see if it changed
>>>>>> This method of language learning is super easy.
>>>>>> Please confirm that this update is accurate.
>>>>>> Teach yourself a new foreign language in 10 days
>>>>>>
>>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Per, nothing special like that was noticed here
>>>>>
>>>>
>>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>>> added a rule to catch some of them, but yesterday I still got another
>>>> 15 brand-new such domains.
>>>
>>> Sorry, I don't follow new spam domains unless there is a significant
>>> rise, but I grepped for your domains yesterday on a few servers with no
>>> result
>>
>> I don't normally follow them either, but these are coming through to one
>> of my personal addresses.  It's also the rate of change that is
>> interesting - I very rarely see two emails with the same link.
> 
> Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?
> 

Domain name related RBLs/lists mostly don't make very much sense;
also tagging by "new domains" isn't very helpful.

That all may lead to too many false positives.

But policies like that must be decided by the postmaster
according to his local needs.
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-22 Thread Robert Schetterer
On 22.03.2012 10:40, Robert Schetterer wrote:
> On 22.03.2012 10:33, Axb wrote:
>> On 03/22/2012 10:19 AM, Per Jessen wrote:
>>> Robert Schetterer wrote:
>>>
>>>> On 22.03.2012 08:23, Per Jessen wrote:
>>>>> Robert Schetterer wrote:
>>>>>
>>>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>>>
>>>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>>>
>>>>>>> Typically accompanied by messages/subject lines such as:
>>>>>>>
>>>>>>> You should check your status update and see if it changed
>>>>>>> This method of language learning is super easy.
>>>>>>> Please confirm that this update is accurate.
>>>>>>> Teach yourself a new foreign language in 10 days
>>>>>>>
>>>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Hi Per, nothing special like that was noticed here
>>>>>>
>>>>>
>>>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>>>> added a rule to catch some of them, but yesterday I still got another
>>>>> 15 brand-new such domains.
>>>>
>>>> Sorry, I don't follow new spam domains unless there is a significant
>>>> rise, but I grepped for your domains yesterday on a few servers with no
>>>> result
>>>
>>> I don't normally follow them either, but these are coming through to one
>>> of my personal addresses.  It's also the rate of change that is
>>> interesting - I very rarely see two emails with the same link.
>>
>> Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?
>>
> 
> Domain name related RBLs/lists mostly don't make very much sense;
> also tagging by "new domains" isn't very helpful.
> 
> That all may lead to too many false positives.
> 
> But policies like that must be decided by the postmaster
> according to his local needs.

Not tested, but this looks like a good choice
for tagging registrars:

http://anonwhois.org/usage.html

In Per's domains
Moniker was the matching one.

http://anonwhois.org/99_anonwhois.cf

...
urirhssub   ANONWHOIS_11  list.anonwhois.net.  A  127.0.0.11
body        ANONWHOIS_11  eval:check_uridnsbl('ANONWHOIS_11')
describe    ANONWHOIS_11  Domain protected by Moniker Privacy Protection
tflags      ANONWHOIS_11  net
score       ANONWHOIS_11  0.001
.


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
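An added example, not code from the thread or from anonwhois.org, of what the urirhssub rule quoted above does: each URI host in the body is reduced to its domain, looked up as <domain>.list.anonwhois.net, and the returned A record is compared with the 127.0.0.11 sub-code. The domains and DNS answers are constructed so it runs offline; a real deployment queries DNS.

```python
import re
from urllib.parse import urlsplit

ZONE = "list.anonwhois.net"
# Return codes from the anonwhois.cf snippet above; 127.0.0.11 is the one
# that maps to Moniker Privacy Protection.
SUBCODES = {"127.0.0.11": "ANONWHOIS_11"}

URI_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed DNS answers standing in for the real zone (hypothetical domains).
FAKE_DNS = {
    "spamvertised-example.com.list.anonwhois.net": "127.0.0.11",
    "example.net.list.anonwhois.net": "127.0.0.1",  # listed, but not sub-code 11
}

def registrable_domain(host: str) -> str:
    """Crude last-two-labels reduction. SpamAssassin consults the public
    suffix list instead; this version would wrongly reduce foo.com.br to com.br."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def check_uridnsbl(body: str, resolve=FAKE_DNS.get) -> dict:
    """Mimic urirhssub: look up <domain>.<zone> for each URI host in the body
    and report the rule whose sub-code matches the A record exactly.
    Returns {rule_name: set(domains that hit)}."""
    hits = {}
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        answer = resolve(f"{domain}.{ZONE}")  # None when not listed (NXDOMAIN)
        rule = SUBCODES.get(answer)
        if rule:
            hits.setdefault(rule, set()).add(domain)
    return hits

# Constructed message body using one of the subject lines from the thread.
SAMPLE_BODY = (
    "Teach yourself a new foreign language in 10 days\n"
    "http://www.spamvertised-example.com/go?x=1 and http://example.net/\n"
)

if __name__ == "__main__":
    print(check_uridnsbl(SAMPLE_BODY))  # {'ANONWHOIS_11': {'spamvertised-example.com'}}
```

Because the rule only tags (score 0.001), a hit is useful as a meta-rule ingredient or for log statistics, which matches Robert's point that registrar-based tagging alone risks false positives.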


Re: A flood of new domains ?

2012-03-22 Thread Per Jessen
Axb wrote:

> On 03/22/2012 10:19 AM, Per Jessen wrote:
>> Robert Schetterer wrote:
>>
>>> On 22.03.2012 08:23, Per Jessen wrote:
>>>> Robert Schetterer wrote:
>>>>
>>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>>
>>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>>
>>>>>> Typically accompanied by messages/subject lines such as:
>>>>>>
>>>>>> You should check your status update and see if it changed
>>>>>> This method of language learning is super easy.
>>>>>> Please confirm that this update is accurate.
>>>>>> Teach yourself a new foreign language in 10 days
>>>>>>
>>>>>> Just being curious.  Yesterday I got another 10 different
>>>>>> domains.
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Per, nothing special like that was noticed here
>>>>>
>>>>
>>>> Thanks Robert - amazing that nobody else seems to have noticed. 
>>>> I've added a rule to catch some of them, but yesterday I still got
>>>> another 15 brand-new such domains.
>>>
>>> Sorry, I don't follow new spam domains unless there is a significant
>>> rise, but I grepped for your domains yesterday on a few servers with no
>>> result
>>
>> I don't normally follow them either, but these are coming through to
>> one
>> of my personal addresses.  It's also the rate of change that is
>> interesting - I very rarely see two emails with the same link.
> 
> Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?

Some are, but most are not.  The new ones I get to see were not. 



-- 
Per Jessen, Zürich (14.6°C)



Re: A flood of new domains ?

2012-03-23 Thread Per Jessen
Robert Schetterer wrote:

> On 22.03.2012 10:19, Per Jessen wrote:
>> It's also the rate of change that is
>> interesting - I very rarely see two emails with the same link.
>> 
> 
> One more indication of a bright planned campaign.
> What are they trying to push...?

It varies - one link I've just clicked took me to a page that asked me
to send an SMS to 40800 - cost apparently CHF10.  The way there was
very convoluted:  (this is snipped from my proxy log):

http://files.jessen.ch/proxy.log


-- 
Per Jessen, Zürich (14.6°C)



Re: A flood of new domains ?

2012-03-23 Thread Robert Schetterer
On 23.03.2012 09:02, Per Jessen wrote:
> Robert Schetterer wrote:
> 
>> On 22.03.2012 10:19, Per Jessen wrote:
>>> It's also the rate of change that is
>>> interesting - I very rarely see two emails with the same link.
>>>
>>
>> One more indication of a bright planned campaign.
>> What are they trying to push...?
> 
> It varies - one link I've just clicked took me to a page that asked me
> to send an SMS to 40800 - cost apparently CHF10.  The way there was
> very convoluted:  (this is snipped from my proxy log):
> 
> http://files.jessen.ch/proxy.log
> 
> 

Looks like some trojan bank phish attempt, maybe an attack on smartphones via
hacked sites over proxy etc.
Anyway, it looks like they have a greater plan, registering so many domains.

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: A flood of new domains ?

2012-03-23 Thread Benny Pedersen

On 2012-03-23 09:02, Per Jessen wrote:


http://files.jessen.ch/proxy.log


Log MIME type?

If it ends in .txt, the MIME type will let me see it as text without downloading
it to my C drive :)