Re: spam caught, now how to catch spammer

2010-09-07 Thread Daniel McDonald



On 9/5/10 8:46 PM, Dennis German dger...@real-world-systems.com wrote:

 In the last several weeks I have been receiving a lot of spam with email
 addresses of the form:
 
 learningmadeeasy.???...@??.yourseemlost.net
 
 accountingeducation.gpx...@oiteew.badpeoplepaper.net
 
 affordablelifeinsurance.aj...@wiogif.constum.net
 
 How do we stop this guy?
 
Greylisting and a good snowshoe-spammer rbl like invaluement.  Invaluement
costs a little, but our snowshoe spam has pretty much disappeared since we
enabled it. 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread John Hardin

On Mon, 6 Sep 2010, Dennis German wrote:


On Sun, 5 Sep 2010, Dennis German wrote:


In the last several weeks I have been receiving a lot of spam with email 
addresses of the form:

learningmadeeasy.???...@??.yourseemlost.net
learningmadeeasy.???...@??.hisoftenusing.net
learningmadeeasy.???...@??.wheatdrinkcontrol.net
learningmadeeasy....@??.actbookfelt.net
learningmadeeasy....@??.stillstationwhether.net
learningmadeeasy....@??.legbottleloss.net

and
accountingeducation.gpx...@oiteew.badpeoplepaper.net
accountingeducation.ihd...@aapufx.stillstationwhether
accountingeducation.ionm...@wxnuab.legbottleloss.net
accountingeducation.iqle...@mlmuwx.stillstationwhethe

and

affordablelifeinsurance.aj...@wiogif.constum.net
affordablelifeinsurance.ki...@pzodkk.injecou.net

How do we stop this guy?


John, thanks for the reply.

Sorry to mislead. SPAM was caught by spamassassin.
How can I get this guy stopped?
IP addresses are: 67.50.37.35,.36,.69,.75


Ah. Yes, that's a different question.

(1) Find out who owns those network addresses.

Use tools like http://enc.com.au/itools/inetnum.php and 
http://enc.com.au/itools/person.php to do that.


(I provide .au tools as the ones in .us are overloaded at the moment.)

That tells us:

Network Number   67.50.0.0 - 67.51.255.255
Origin           AS7385
NIC Handle       NET-67-50-0-0-1
Status           Direct Allocation
DNS Servers      NS2.INTEGRAONLINE.COM
                 NS.INTEGRAONLINE.COM
Created          2003-06-20
                 2000-07-05
Changed          2008-11-03
                 2010-03-04
Description      Integra Telecom, Inc.
                 1201 NE Lloyd
                 Suite 500
                 Portland
                 OR
                 97232
Country          United States (US)
Abuse Contact    ABUSE91-ARIN
Tech Contact     ITIA-ARIN

NIC Handle       ABUSE91-ARIN
Description      Integra Telecom Inc.
                 19545 NW Von Neumann
                 Beaverton
                 OR
                 97006
Country          United States (US)
Created          2002-10-30
Changed          2002-10-30
Phone            +1-503-748-4511 (Office)
Email            ab...@integratelecom.com

(2) Report the abuse to them.

Send an email to the abuse address reporting the offending IP addresses 
and the nature of the abuse.


They may be resellers, so they may send you on to a smaller entity that 
owns those particular IP addresses.


The owner will either have terms of service that prohibit spamming and 
will try to stop the abuse, or will be spam-friendly and ignore you, 
or will possibly be a small company that is clueless and won't have any idea 
what to do.


Keep logs of the traffic for evidence. The ISP may ask for them.

Best of luck.

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  After ten years (1998-2008) of draconian gun control in the State
  of Massachusetts, the results are in: firearms-related assaults up
  78%, firearms-related homicides up 67%, assault-related emergency
  room visits up 331%. Gun Control does not reduce violent crime.
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution


Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread Per Jessen
John Hardin wrote:

 Sorry to mislead. SPAM was caught by spamassassin.
 How can I get this guy stopped?
 IP addresses are: 67.50.37.35,.36,.69,.75
 
 Ah. Yes, that's a different question.
 
 (1) Find out who owns those network addresses.
 
 Use tools like http://enc.com.au/itools/inetnum.php and
 http://enc.com.au/itools/person.php to do that.

whois will also tell you.


/Per Jessen, Zürich



Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread John Hardin

On Tue, 7 Sep 2010, Per Jessen wrote:


John Hardin wrote:


Sorry to mislead. SPAM was caught by spamassassin.
How can I get this guy stopped?
IP addresses are: 67.50.37.35,.36,.69,.75


Ah. Yes, that's a different question.

(1) Find out who owns those network addresses.

Use tools like http://enc.com.au/itools/inetnum.php and
http://enc.com.au/itools/person.php to do that.


whois will also tell you.


True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning an "unable to return results 
due to high traffic" message.


--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  So Microsoft's invented the ASCII equivalent to ugly ink spots that
  appear on your letter when your pen is malfunctioning.
 -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution


Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread Chris
On Tue, 2010-09-07 at 10:02 -0700, John Hardin wrote:
 On Tue, 7 Sep 2010, Per Jessen wrote:
 
  John Hardin wrote:
 
  Sorry to mislead. SPAM was caught by spamassassin.
  How can I get this guy stopped?
  IP addresses are: 67.50.37.35,.36,.69,.75
 
  Ah. Yes, that's a different question.
 
  (1) Find out who owns those network addresses.
 
  Use tools like http://enc.com.au/itools/inetnum.php and
  http://enc.com.au/itools/person.php to do that.
 
  whois will also tell you.
 
 True, but at the time I was composing that message both command-line whois
 and several US-based web UIs were returning an "unable to return results 
 due to high traffic" message.
 

John, I missed the beginning of this post so I guess you originally sent
it. Anyway, here is a way you can track this down:

First telnet to whois.cymru.com port 43, which gives you:

67.50.37.35
AS      | IP           | AS Name
7385    | 67.50.37.35  | INTEGRATELECOM - Integra Telecom, Inc.

Then telnet to whois.ra.net port 43:

telnet whois.ra.net 43
Trying 198.108.0.8...
Connected to radb3.merit.edu (198.108.0.8).
Escape character is '^]'.
as7385
aut-num:    AS7385
as-name:    Integra
descr:      INTEGRA TELECOM
admin-c:    Network Services
tech-c:     Network Services
import:     from AS12003
            action pref=1;
            accept ANY AND NOT {0.0.0.0/0}
import:     from AS3549
            action pref=1;
            accept ANY AND NOT {0.0.0.0/0}
import:     from AS22899
            accept ^AS22154+$ AND NOT {0.0.0.0/0}
import:     from AS2914
            action pref=1;
            accept ANY AND NOT {0.0.0.0/0}
import:     from AS7911
            action pref=1;
            accept ANY AND NOT {0.0.0.0/0}
import:     from AS13857
            accept ^AS13857+$ AND NOT {0.0.0.0/0}
import:     from AS18463
            accept ^AS18463+$ AND NOT {0.0.0.0/0}
import:     from AS4587
            accept ^AS4587+$ AND NOT {0.0.0.0/0}
import:     from AS22154
            accept ^AS22154+$ AND NOT {0.0.0.0/0}
import:     from AS22899
            accept ^AS22154+$ AND NOT {0.0.0.0/0}
import:     from AS26676
            accept ^AS26676+$ AND NOT {0.0.0.0/0}
import:     from AS19441
            accept ^AS19441+$ AND NOT {0.0.0.0/0}
import:     from AS29984
            accept ^AS29984+$ AND NOT {0.0.0.0/0}
import:     from AS30629
            accept ^AS30629+$ AND NOT {0.0.0.0/0}
import:     from AS32810
            accept ^AS32810+$ AND NOT {0.0.0.0/0}
import:     from AS8
            accept ^AS8+$ AND NOT {0.0.0.0/0}
import:     from AS36740
            accept ^AS36740+$ AND NOT {0.0.0.0/0}
import:     from AS16933
            accept ^AS16933+$ AND NOT {0.0.0.0/0}
import:     from AS32879
            accept ^AS32879+$ AND NOT {0.0.0.0/0}
import:     from AS39986
            accept ^AS39986+$ AND NOT {0.0.0.0/0}
export:     to AS2914
            announce AS-INTEGRA
export:     to AS3549
            announce AS-INTEGRA
export:     to AS4587
            announce ANY
export:     to AS6993
            announce AS-INTEGRA
export:     to AS7911
            announce AS-INTEGRA
export:     to AS13857
            announce ANY
export:     to AS18463
            announce ANY
export:     to AS22154
            announce ANY
export:     to AS22899
            announce AS-INTEGRA
export:     to AS26676
            announce ANY
export:     to AS19441
            announce ANY
export:     to AS29984
            announce ANY
export:     to AS32810
            announce ANY
export:     to AS8
            announce ANY
export:     to AS36740
            announce ANY
export:     to AS16933
            announce ANY
export:     to AS32879
            announce ANY
export:     to AS39986
            announce ANY
export:     to AS12003
            announce AS-INTEGRA7385
export:     to AS3549
            announce AS-INTEGRA7385
export:     to AS22899
            announce AS-INTEGRA7385
mnt-by:     MAINT-AS7385
changed:    randy.roo...@integratelecom.com 20060726
source:     RADB

person:     Network Services
address:    15200 NBN Way
address:    Blue Ridge Summit, PA 17214
phone:      +1-301-459-3132
e-mail:     networksupp...@hudsonps.com
nic-hdl:    NES4-LEVEL3
changed:    kelly.macen...@level3.como 20100518
source:     LEVEL3

Then telnet whois.radb.net 43

telnet whois.radb.net 43
Trying 198.108.0.18...
Connected to whois.radb.net (198.108.0.18).
Escape character is '^]'.
MAINT-AS7385
mntner:     MAINT-AS7385
descr:      Maintainer for AS7385
admin-c:    Data Engineering
tech-c:     Data Engineering
upd-to:     b...@integra.net
mnt-nfy:    b...@integra.net
auth:       CRYPT-PW HIDDENCRYPTPW
auth:       MAIL-FROM steven.raym...@integratelecom.com
auth:       MAIL-FROM kenneth.mcint...@integratelecom.com
auth:       MAIL-FROM b...@integra.net
auth:       MAIL-FROM craig.heidger...@integratelecom.com
auth:       MAIL-FROM randy.roo...@integratelecom.com
auth:       MAIL-FROM edward.arne...@integratelecom.com
auth:       MAIL-FROM 
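
John's step (1) and Chris's two telnet sessions above are the same lookup done by hand: ask a port-43 whois server which AS announces the address, then ask RADB who maintains that AS. What follows is an added example, not code from the thread or from any of the tools named in it: a small Python client for port 43 plus parsers for the two reply formats, run here against constructed replies shaped like the ones pasted above so it works offline. The server names are the ones the thread uses; the function names and the sample text are mine.

```python
import socket
from collections import defaultdict


def whois_query(server, query, port=43, timeout=10):
    """Send one line to a port-43 whois server and return the whole reply.

    This is what the telnet sessions above do by hand. whois.cymru.com also
    takes a bulk request: 'begin\\nverbose\\n<ip>\\n<ip>\\nend\\n'.
    """
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.rstrip("\r\n").encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_cymru(text):
    """Parse Team Cymru's pipe-delimited table into a list of row dicts.

    The first '|' line is the header, so the basic 'AS | IP | AS Name' form
    and the verbose form (adds BGP Prefix, CC, Registry, Allocated) both work.
    """
    rows, header = [], None
    for line in text.splitlines():
        if "|" not in line:          # echoed query or status line
            continue
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def parse_rpsl(text):
    """Parse RPSL objects ('attr: value', blank line between objects).

    Continuation lines (leading whitespace or '+') are folded into the
    previous attribute; repeated attributes (import:, export:, auth:)
    are kept as lists in order. Every value is a list.
    """
    objects, current, last = [], defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(dict(current))
            current, last = defaultdict(list), None
        elif line[0] in " \t+" and last is not None:
            current[last][-1] += " " + line.lstrip(" \t+")
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            current[last].append(value.strip())
        # anything else (the echoed 'as7385' query line) is ignored
    if current:
        objects.append(dict(current))
    return objects


def asn_for_ip(cymru_text, ip):
    """AS number (int) that Team Cymru's reply attributes to ip, or None."""
    for row in parse_cymru(cymru_text):
        if row.get("IP") == ip:
            return int(row["AS"])
    return None


def maintainer_for_as(radb_text, asn):
    """mnt-by handle of the aut-num object for asn in an RADB reply, or None."""
    for obj in parse_rpsl(radb_text):
        if obj.get("aut-num") == [f"AS{asn}"]:
            return obj["mnt-by"][0]
    return None


# Constructed replies shaped like the two telnet sessions in the post above.
CYMRU_SAMPLE = """67.50.37.35
AS      | IP               | AS Name
7385    | 67.50.37.35      | INTEGRATELECOM - Integra Telecom, Inc.
"""

RADB_SAMPLE = """as7385
aut-num:    AS7385
as-name:    Integra
descr:      INTEGRA TELECOM
import:     from AS12003
            action pref=1;
            accept ANY AND NOT {0.0.0.0/0}
export:     to AS2914
            announce AS-INTEGRA
mnt-by:     MAINT-AS7385
source:     RADB

mntner:     MAINT-AS7385
descr:      Maintainer for AS7385
upd-to:     b...@integra.net
auth:       CRYPT-PW HIDDENCRYPTPW
source:     RADB
"""

if __name__ == "__main__":
    asn = asn_for_ip(CYMRU_SAMPLE, "67.50.37.35")
    print("AS%s, maintained by %s" % (asn, maintainer_for_as(RADB_SAMPLE, asn)))
    # Live equivalents of the sessions above:
    #   whois_query("whois.cymru.com", "67.50.37.35")
    #   whois_query("whois.radb.net", "as7385")
```

The maintainer object's upd-to: address is the technical contact for the routing registry entry, not necessarily an abuse desk; the ARIN abuse handle from John's lookup is still where the report itself should go.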

Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread jdow

From: John Hardin jhar...@impsec.org
Sent: Tuesday, 2010/September/07 10:02



On Tue, 7 Sep 2010, Per Jessen wrote:


John Hardin wrote:


Sorry to mislead. SPAM was caught by spamassassin.
How can I get this guy stopped?
IP addresses are: 67.50.37.35,.36,.69,.75


Ah. Yes, that's a different question.

(1) Find out who owns those network addresses.

Use tools like http://enc.com.au/itools/inetnum.php and
http://enc.com.au/itools/person.php to do that.


whois will also tell you.


True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning an "unable to return results 
due to high traffic" message.


Works from here, John.
===8---
whois 67.50.37.35
[Querying whois.arin.net]
[Redirected to whois.integraonline.com:43]
[Querying whois.integraonline.com]
[whois.integraonline.com]
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:Network-Name:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Street-Address:250 STOCKTON AVE
network:City:SANTA CLARA
network:State:CA
network:Postal-Code:95126
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2010-02-24
network:Updated-By:tradz...@integra.net

network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:Network-Name:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Street-Address:1201 NE Lloyd Blvd, Ste 500
network:City:Portland
network:State:OR
network:Postal-Code:97232
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2009-12-03
network:Updated-By:hostmas...@integra.net

%error 350 Invalid Query Syntax
%ok
===8---
I'm not sure where the error 350 came from. GIGLINX or ELI-NETWORK-ELIX
may have a bad setup.

GIGLINX may be a formal spam source. The address looks bad to me. 95126
is San Jose. I don't know if it includes Santa Clara or not. (I'm not
familiar with that area.) I'd email integra.net about it at abuse,
hostmaster, and, after an MTR run, integra's upstream provider.

It's easier to simply let it accumulate and get a decent picture of what
the spam hydra is doing of late, which is about 3 times the volume of a
month ago. sigh

{^_^} 
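
The rwhois output jdow pasted above contains two network records, a /15 for the ISP and a /23 for a customer, and it is the /23 that jdow later suggests blocking. As an added example, not code from the thread: parse the `class:attribute:value` lines into records and pick, for each of the four addresses Dennis reported, the most specific network record that covers it. The Org-Name of that record is the party to report to first, and its prefix is what a block-list entry would cover. The sample text is constructed from the fields shown in the paste (other fields omitted); the function names are mine.

```python
import ipaddress

# Constructed from the rwhois output above; other fields are omitted.
RWHOIS_SAMPLE = """%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:City:SANTA CLARA
network:Updated:2010-02-24

network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:City:Portland
network:Updated:2009-12-03

%error 350 Invalid Query Syntax
%ok
"""

# The four addresses Dennis reported: 67.50.37.35,.36,.69,.75
REPORTED = ["67.50.37.35", "67.50.37.36", "67.50.37.69", "67.50.37.75"]


def parse_rwhois(text):
    """Return a list of records (dicts); records are blank-line separated.

    Lines look like 'class:attribute:value'. An attribute may carry an
    ';I' (indexed) suffix, which is dropped. Lines starting with '%' are
    server status messages, not data, and also terminate a record.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            if current:
                records.append(current)
                current = {}
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        cls, attr, value = parts
        current["class"] = cls
        current[attr.split(";")[0]] = value
    if current:
        records.append(current)
    return records


def most_specific_network(records, ip):
    """(network, record) with the longest prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        if rec.get("class") != "network" or "IP-Network" not in rec:
            continue
        net = ipaddress.ip_network(rec["IP-Network"], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best


def attribute_ips(text, ips):
    """Map each ip to (prefix, org) of its most specific covering record."""
    records = parse_rwhois(text)
    out = {}
    for ip in ips:
        hit = most_specific_network(records, ip)
        out[ip] = (str(hit[0]), hit[1]["Org-Name"]) if hit else None
    return out


if __name__ == "__main__":
    for ip, hit in attribute_ips(RWHOIS_SAMPLE, REPORTED + ["67.51.200.1"]).items():
        print(ip, "->", hit)
```

All four reported addresses land in 67.50.36.0/23 (GIGLINX INC); an address elsewhere in the /15 falls back to the ELI-NETWORK-ELIX record, which is the distinction between reporting to the customer and reporting to the ISP.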



Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread Martin Gregorie
On Tue, 2010-09-07 at 16:05 -0700, jdow wrote:
 whois 67.50.37.35

There's something odd about that IP all right. I got this:

$ host 67.50.37.35
35.37.50.67.in-addr.arpa domain name pointer zone35.tribalhostland.com.

but host zone35.tribalhostland.com just says 3(NXDOMAIN) and
attempts to use whois on the domain name say it's an unknown domain.


Martin
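
Martin's two host commands are a forward-confirmed reverse DNS (FCrDNS) check done by hand: the PTR for 67.50.37.35 names zone35.tribalhostland.com, but that name has no forward records, so the reverse name proves nothing. The following is an added example, not code from the thread: the same check as a function with injectable resolvers, run here against constructed DNS answers so it needs no network. The tribalhostland.com PTR is the one from Martin's post; the 192.0.2.x and 198.51.100.x addresses are RFC 5737 documentation ranges used only to show the other outcomes, and the function names are mine.

```python
import socket


def default_ptr(ip):
    """Reverse lookup with the stdlib resolver: PTR name for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def default_forward(name):
    """Forward lookup: the IPv4 addresses for name, [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip, ptr=default_ptr, forward=default_forward):
    """Forward-confirmed reverse DNS. Returns (status, ptr_name), status being
    'confirmed'     PTR exists and resolves forward to a set containing ip
    'no-ptr'        no reverse record at all
    'ptr-nxdomain'  PTR name has no forward records (Martin's case above)
    'mismatch'      PTR name resolves, but not to ip (a name anyone can claim)
    """
    name = ptr(ip)
    if name is None:
        return "no-ptr", None
    name = name.rstrip(".").lower()
    addrs = forward(name)
    if not addrs:
        return "ptr-nxdomain", name
    if ip in addrs:
        return "confirmed", name
    return "mismatch", name


def classify(ips, ptr=default_ptr, forward=default_forward):
    """Run fcrdns over several addresses; returns {ip: status}."""
    return {ip: fcrdns(ip, ptr, forward)[0] for ip in ips}


# Constructed DNS answers (not live lookups). The tribalhostland name is the
# PTR the thread saw; its forward zone answers NXDOMAIN, so it is absent from
# FAKE_FORWARD. 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation
# ranges, used here only to exercise the other outcomes.
FAKE_PTR = {
    "67.50.37.35": "zone35.tribalhostland.com.",
    "192.0.2.25": "mail.example.org.",   # properly configured host
    "192.0.2.26": "mail.example.org.",   # claims a name that maps elsewhere
}
FAKE_FORWARD = {
    "mail.example.org": ["192.0.2.25"],
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_FORWARD.get(name, [])


if __name__ == "__main__":
    sample = ["67.50.37.35", "192.0.2.25", "192.0.2.26", "198.51.100.9"]
    for ip, status in classify(sample, fake_ptr, fake_forward).items():
        print(f"{ip:16} {status}")
    # Live form, same function with the default resolvers:
    #   print(fcrdns("67.50.37.35"))
```

Only 'confirmed' means the PTR is under the control of whoever holds the forward zone; 'mismatch' and 'ptr-nxdomain' both mean the reverse name is untrustworthy and should not be used as an identity in an abuse report or a block-list entry, which is why the thread falls back to the netblock.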





Re: spam CAUGHT, now how to catch spammer

2010-09-07 Thread jdow

I suspect that entire /23 subnet is sour and should be blocked.

{^_^}
- Original Message - 
From: Martin Gregorie mar...@gregorie.org

Sent: Tuesday, 2010/September/07 17:18



On Tue, 2010-09-07 at 16:05 -0700, jdow wrote:

whois 67.50.37.35


There's something odd about that IP all right. I got this:

$ host 67.50.37.35
35.37.50.67.in-addr.arpa domain name pointer zone35.tribalhostland.com.

but host zone35.tribalhostland.com just says 3(NXDOMAIN) and
attempts to use whois on the domain name says its an unknown domain.


Martin




spam caught, now how to catch spammer

2010-09-05 Thread Dennis German
In the last several weeks I have been receiving a lot of spam with email 
addresses of the form:

learningmadeeasy.???...@??.yourseemlost.net
learningmadeeasy.???...@??.hisoftenusing.net
learningmadeeasy.???...@??.wheatdrinkcontrol.net
learningmadeeasy....@??.actbookfelt.net
learningmadeeasy....@??.stillstationwhether.net
learningmadeeasy....@??.legbottleloss.net

and
accountingeducation.gpx...@oiteew.badpeoplepaper.net
accountingeducation.ihd...@aapufx.stillstationwhether
accountingeducation.ionm...@wxnuab.legbottleloss.net
accountingeducation.iqle...@mlmuwx.stillstationwhethe

and

affordablelifeinsurance.aj...@wiogif.constum.net
affordablelifeinsurance.ki...@pzodkk.injecou.net

How do we stop this guy?