Re: spam caught, now how to catch spammer
On 9/5/10 8:46 PM, Dennis German dger...@real-world-systems.com wrote:

> In the last several weeks I have been receiving a lot of spam with email
> addresses of the form:
>
> learningmadeeasy.???...@??.yourseemlost.net
> accountingeducation.gpx...@oiteew.badpeoplepaper.net
> affordablelifeinsurance.aj...@wiogif.constum.net
>
> How do we stop this guy?

Greylisting and a good snowshoe-spammer rbl like invaluement. Invaluement
costs a little, but our snowshoe spam has pretty much disappeared since we
enabled it.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: spam CAUGHT, now how to catch spammer
On Mon, 6 Sep 2010, Dennis German wrote:

>> On Sun, 5 Sep 2010, Dennis German wrote:
>>
>>> In the last several weeks I have been receiving a lot of spam with
>>> email addresses of the form:
>>>
>>> learningmadeeasy.???...@??.yourseemlost.net
>>> learningmadeeasy.???...@??.hisoftenusing.net
>>> learningmadeeasy.???...@??.wheatdrinkcontrol.net
>>> learningmadeeasy....@??.actbookfelt.net
>>> learningmadeeasy....@??.stillstationwhether.net
>>> learningmadeeasy....@??.legbottleloss.net
>>>
>>> and
>>>
>>> accountingeducation.gpx...@oiteew.badpeoplepaper.net
>>> accountingeducation.ihd...@aapufx.stillstationwhether
>>> accountingeducation.ionm...@wxnuab.legbottleloss.net
>>> accountingeducation.iqle...@mlmuwx.stillstationwhethe
>>>
>>> and
>>>
>>> affordablelifeinsurance.aj...@wiogif.constum.net
>>> affordablelifeinsurance.ki...@pzodkk.injecou.net
>>>
>>> How do we stop this guy?
>
> John, thanks for the reply. Sorry to mislead. SPAM was caught by
> spamassassin. How can I get this guy stopped? IP addresses are:
> 67.50.37.35,.36,.69,.75

Ah. Yes, that's a different question.

(1) Find out who owns those network addresses. Use tools like
http://enc.com.au/itools/inetnum.php and
http://enc.com.au/itools/person.php to do that. (I provide .au tools as
the ones in .us are overloaded at the moment.)

That tells us:

  Network Number   67.50.0.0 - 67.51.255.255
  Origin           AS7385
  NIC Handle       NET-67-50-0-0-1
  Status           Direct Allocation
  DNS Servers      NS2.INTEGRAONLINE.COM NS.INTEGRAONLINE.COM
  Created          2003-06-20 2000-07-05
  Changed          2008-11-03 2010-03-04
  Description      Integra Telecom, Inc. 1201 NE Lloyd Suite 500 Portland OR 97232
  Country          United States (US)
  Abuse Contact    ABUSE91-ARIN
  Tech Contact     ITIA-ARIN

  NIC Handle       ABUSE91-ARIN
  Description      Integra Telecom Inc. 19545 NW Von Neumann Beaverton OR 97006
  Country          United States (US)
  Created          2002-10-30
  Changed          2002-10-30
  Phone            +1-503-748-4511 (Office)
  Email            ab...@integratelecom.com

(2) Report the abuse to them. Send an email to the abuse address reporting
the offending IP addresses and the nature of the abuse. They may be
resellers so they may send you on to a smaller entity that owns those
particular IP addresses.

The owner will either have terms of service that prohibit spamming and
will try to stop the abuse, or are spam-friendly and will ignore you, or
possibly are a small company that is clueless and won't have any idea
what to do.

Keep logs of the traffic for evidence. The ISP may ask for them.

Best of luck.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  After ten years (1998-2008) of draconian gun control in the State of
  Massachusetts, the results are in: firearms-related assaults up 78%,
  firearms-related homicides up 67%, assault-related emergency room
  visits up 331%. Gun Control does not reduce violent crime.
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution
Re: spam CAUGHT, now how to catch spammer
John Hardin wrote:

>> Sorry to mislead. SPAM was caught by spamassassin. How can I get this
>> guy stopped? IP addresses are: 67.50.37.35,.36,.69,.75
>
> Ah. Yes, that's a different question.
>
> (1) Find out who owns those network addresses. Use tools like
> http://enc.com.au/itools/inetnum.php and
> http://enc.com.au/itools/person.php to do that.

whois will also tell you.

/Per Jessen, Zürich
Re: spam CAUGHT, now how to catch spammer
On Tue, 7 Sep 2010, Per Jessen wrote:

> John Hardin wrote:
>
>>> Sorry to mislead. SPAM was caught by spamassassin. How can I get this
>>> guy stopped? IP addresses are: 67.50.37.35,.36,.69,.75
>>
>> Ah. Yes, that's a different question.
>>
>> (1) Find out who owns those network addresses. Use tools like
>> http://enc.com.au/itools/inetnum.php and
>> http://enc.com.au/itools/person.php to do that.
>
> whois will also tell you.

True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning a "unable to return results
due to high traffic" message.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  So Microsoft's invented the ASCII equivalent to ugly ink spots that
  appear on your letter when your pen is malfunctioning.
                  -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 10 days until the 223rd anniversary of the signing of the U.S. Constitution
Re: spam CAUGHT, now how to catch spammer
On Tue, 2010-09-07 at 10:02 -0700, John Hardin wrote:

> On Tue, 7 Sep 2010, Per Jessen wrote:
>
>> John Hardin wrote:
>>
>>>> Sorry to mislead. SPAM was caught by spamassassin. How can I get
>>>> this guy stopped? IP addresses are: 67.50.37.35,.36,.69,.75
>>>
>>> Ah. Yes, that's a different question.
>>>
>>> (1) Find out who owns those network addresses. Use tools like
>>> http://enc.com.au/itools/inetnum.php and
>>> http://enc.com.au/itools/person.php to do that.
>>
>> whois will also tell you.
>
> True, but at the time I was composing that message both command-line
> whois and several US-based web UIs were returning a "unable to return
> results due to high traffic" message.

John, I missed the beginning of this post so I guess you originally sent
it. Anyway here is a way you can track this down:

first telnet to whois.cymru.com port 43:

  67.50.37.35

which gives you:

  AS    | IP              | AS Name
  7385  | 67.50.37.35     | INTEGRATELECOM - Integra Telecom, Inc.

Then telnet to whois.ra.net port 43:

  telnet whois.ra.net 43
  Trying 198.108.0.8...
  Connected to radb3.merit.edu (198.108.0.8).
  Escape character is '^]'.
  as7385
  aut-num:    AS7385
  as-name:    Integra
  descr:      INTEGRA TELECOM
  admin-c:    Network Services
  tech-c:     Network Services
  import:     from AS12003 action pref=1; accept ANY AND NOT {0.0.0.0/0}
  import:     from AS3549 action pref=1; accept ANY AND NOT {0.0.0.0/0}
  import:     from AS22899 accept ^AS22154+$ AND NOT {0.0.0.0/0}
  import:     from AS2914 action pref=1; accept ANY AND NOT {0.0.0.0/0}
  import:     from AS7911 action pref=1; accept ANY AND NOT {0.0.0.0/0}
  import:     from AS13857 accept ^AS13857+$ AND NOT {0.0.0.0/0}
  import:     from AS18463 accept ^AS18463+$ AND NOT {0.0.0.0/0}
  import:     from AS4587 accept ^AS4587+$ AND NOT {0.0.0.0/0}
  import:     from AS22154 accept ^AS22154+$ AND NOT {0.0.0.0/0}
  import:     from AS22899 accept ^AS22154+$ AND NOT {0.0.0.0/0}
  import:     from AS26676 accept ^AS26676+$ AND NOT {0.0.0.0/0}
  import:     from AS19441 accept ^AS19441+$ AND NOT {0.0.0.0/0}
  import:     from AS29984 accept ^AS29984+$ AND NOT {0.0.0.0/0}
  import:     from AS30629 accept ^AS30629+$ AND NOT {0.0.0.0/0}
  import:     from AS32810 accept ^AS32810+$ AND NOT {0.0.0.0/0}
  import:     from AS8 accept ^AS8+$ AND NOT {0.0.0.0/0}
  import:     from AS36740 accept ^AS36740+$ AND NOT {0.0.0.0/0}
  import:     from AS16933 accept ^AS16933+$ AND NOT {0.0.0.0/0}
  import:     from AS32879 accept ^AS32879+$ AND NOT {0.0.0.0/0}
  import:     from AS39986 accept ^AS39986+$ AND NOT {0.0.0.0/0}
  export:     to AS2914 announce AS-INTEGRA
  export:     to AS3549 announce AS-INTEGRA
  export:     to AS4587 announce ANY
  export:     to AS6993 announce AS-INTEGRA
  export:     to AS7911 announce AS-INTEGRA
  export:     to AS13857 announce ANY
  export:     to AS18463 announce ANY
  export:     to AS22154 announce ANY
  export:     to AS22899 announce AS-INTEGRA
  export:     to AS26676 announce ANY
  export:     to AS19441 announce ANY
  export:     to AS29984 announce ANY
  export:     to AS32810 announce ANY
  export:     to AS8 announce ANY
  export:     to AS36740 announce ANY
  export:     to AS16933 announce ANY
  export:     to AS32879 announce ANY
  export:     to AS39986 announce ANY
  export:     to AS12003 announce AS-INTEGRA7385
  export:     to AS3549 announce AS-INTEGRA7385
  export:     to AS22899 announce AS-INTEGRA7385
  mnt-by:     MAINT-AS7385
  changed:    randy.roo...@integratelecom.com 20060726
  source:     RADB

  person:     Network Services
  address:    15200 NBN Way
  address:    Blue Ridge Summit, PA 17214
  phone:      +1-301-459-3132
  e-mail:     networksupp...@hudsonps.com
  nic-hdl:    NES4-LEVEL3
  changed:    kelly.macen...@level3.como 20100518
  source:     LEVEL3

Then telnet whois.radb.net 43

  telnet whois.radb.net 43
  Trying 198.108.0.18...
  Connected to whois.radb.net (198.108.0.18).
  Escape character is '^]'.
  MAINT-AS7385
  mntner:     MAINT-AS7385
  descr:      Maintainer for AS7385
  admin-c:    Data Engineering
  tech-c:     Data Engineering
  upd-to:     b...@integra.net
  mnt-nfy:    b...@integra.net
  auth:       CRYPT-PW HIDDENCRYPTPW
  auth:       MAIL-FROM steven.raym...@integratelecom.com
  auth:       MAIL-FROM kenneth.mcint...@integratelecom.com
  auth:       MAIL-FROM b...@integra.net
  auth:       MAIL-FROM craig.heidger...@integratelecom.com
  auth:       MAIL-FROM randy.roo...@integratelecom.com
  auth:       MAIL-FROM edward.arne...@integratelecom.com
  auth:       MAIL-FROM
Re: spam CAUGHT, now how to catch spammer
From: John Hardin jhar...@impsec.org
Sent: Tuesday, 2010/September/07 10:02

> On Tue, 7 Sep 2010, Per Jessen wrote:
>
>> John Hardin wrote:
>>
>>>> Sorry to mislead. SPAM was caught by spamassassin. How can I get
>>>> this guy stopped? IP addresses are: 67.50.37.35,.36,.69,.75
>>>
>>> Ah. Yes, that's a different question.
>>>
>>> (1) Find out who owns those network addresses. Use tools like
>>> http://enc.com.au/itools/inetnum.php and
>>> http://enc.com.au/itools/person.php to do that.
>>
>> whois will also tell you.
>
> True, but at the time I was composing that message both command-line
> whois and several US-based web UIs were returning a "unable to return
> results due to high traffic" message.

Works from here, John.

===8---
whois 67.50.37.35
[Querying whois.arin.net]
[Redirected to whois.integraonline.com:43]
[Querying whois.integraonline.com]
[whois.integraonline.com]
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:Network-Name:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Street-Address:250 STOCKTON AVE
network:City:SANTA CLARA
network:State:CA
network:Postal-Code:95126
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2010-02-24
network:Updated-By:tradz...@integra.net
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:Network-Name:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Street-Address:1201 NE Lloyd Blvd, Ste 500
network:City:Portland
network:State:OR
network:Postal-Code:97232
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2009-12-03
network:Updated-By:hostmas...@integra.net
%error 350 Invalid Query Syntax
%ok
===8---

I'm not sure where the error 350 came from. GIGLINX or ELI-NETWORK-ELIX
may have a bad setup. GIGLINX may be a formal spam source. The address
looks bad to me. 95126 is San Jose. I don't know if it includes Santa
Clara or not. (I'm not familiar with that area.)

I'd email integra.net about it at abuse, hostmaster, and after an MTR run
integra's upstream provider. It's easier to simply let it accumulate and
get a decent picture of what the spam hydra is doing of late, which is
about 3 times the volume of a month ago. sigh

{^_^}
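The rwhois reply above lists two nested allocations for the same address (the /23 assigned to GIGLINX inside Integra's /15), and which one you report to depends on picking the most specific. As an added illustration, not code from the thread, here is a small parser for that `network:Key:Value` format that returns the containing allocations, most specific first; the sample record is a trimmed copy of the reply quoted above.

```python
import ipaddress

# Constructed sample: the two rwhois "network" records quoted in the thread,
# trimmed to a few attributes. The real reply has no blank line between
# records, so the parser must not rely on one.
RWHOIS_SAMPLE = """\
network:ID:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Updated:2010-02-24
network:ID:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Updated:2009-12-03
%error 350 Invalid Query Syntax
%ok
"""


def parse_rwhois(text):
    """One dict per record. '%' lines are protocol status, not data; a record
    ends when an attribute name repeats; the ';I' attribute flag is dropped."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        _cls, key, value = line.split(":", 2)   # value may itself contain ':'
        key = key.split(";", 1)[0]
        if key in current:  # repeated attribute => a new record begins
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def allocations_for(text, ip):
    """Records whose IP-Network contains ip, most specific prefix first: the
    first entry is the party to report to, the rest are its upstreams."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rec in parse_rwhois(text):
        if "IP-Network" not in rec:
            continue
        net = ipaddress.ip_network(rec["IP-Network"], strict=False)
        if addr in net:
            hits.append((net.prefixlen, rec))
    hits.sort(key=lambda h: h[0], reverse=True)
    return [rec for _, rec in hits]
```

All four addresses named in the thread (67.50.37.35, .36, .69, .75) fall inside 67.50.36.0/23, so the chain for each is GIGLINX INC, then ELI-NETWORK-ELIX.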
Re: spam CAUGHT, now how to catch spammer
On Tue, 2010-09-07 at 16:05 -0700, jdow wrote:

> whois 67.50.37.35

There's something odd about that IP all right. I got this:

  $ host 67.50.37.35
  35.37.50.67.in-addr.arpa domain name pointer zone35.tribalhostland.com.

but

  host zone35.tribalhostland.com

just says 3(NXDOMAIN) and attempts to use whois on the domain name says
it's an unknown domain.

Martin
Re: spam CAUGHT, now how to catch spammer
I suspect that entire 23 subnet is sour and should be blocked.

{^_^}

----- Original Message -----
From: Martin Gregorie mar...@gregorie.org
Sent: Tuesday, 2010/September/07 17:18

> On Tue, 2010-09-07 at 16:05 -0700, jdow wrote:
>
>> whois 67.50.37.35
>
> There's something odd about that IP all right. I got this:
>
>   $ host 67.50.37.35
>   35.37.50.67.in-addr.arpa domain name pointer zone35.tribalhostland.com.
>
> but
>
>   host zone35.tribalhostland.com
>
> just says 3(NXDOMAIN) and attempts to use whois on the domain name says
> it's an unknown domain.
>
> Martin
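What Martin ran by hand is a forward-confirmed reverse DNS (FCrDNS) check: the PTR for 67.50.37.35 names zone35.tribalhostland.com, but that name does not resolve back. As an added example, not code from the thread, the function below classifies an address by that test; the resolver functions are injectable, so the constructed stub data reproduces the thread's NXDOMAIN case offline (the example.net entries are invented), while the `live_*` pair uses the real resolver.

```python
import socket


def fcrdns_status(ip, reverse, forward):
    """Forward-confirmed reverse DNS. reverse(ip) -> PTR name or None;
    forward(name) -> list of A records (empty on NXDOMAIN).
    Returns (status, ptr_name). Anything but 'confirmed' is a scoring
    signal for a mail filter, which is how the thread treats it."""
    name = reverse(ip)
    if name is None:
        return "no-ptr", None
    addrs = forward(name)
    if not addrs:
        return "ptr-unresolvable", name   # the zone35.tribalhostland.com case
    if ip in addrs:
        return "confirmed", name
    return "mismatch", name               # PTR exists but points elsewhere


# Constructed stub data: the first PTR is the one quoted on the list (its
# forward lookup returned NXDOMAIN there); the example.net names are invented.
STUB_PTR = {
    "67.50.37.35": "zone35.tribalhostland.com",
    "192.0.2.10": "mail.example.net",
    "192.0.2.99": "mail.example.net",
}
STUB_A = {"mail.example.net": ["192.0.2.10"]}


def stub_reverse(ip):
    return STUB_PTR.get(ip)


def stub_forward(name):
    return STUB_A.get(name, [])


# Live resolvers with the same interface, for checking a real address.
def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in STUB_PTR:
        print(ip, fcrdns_status(ip, stub_reverse, stub_forward))
```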
spam caught, now how to catch spammer
In the last several weeks I have been receiving a lot of spam with email
addresses of the form:

  learningmadeeasy.???...@??.yourseemlost.net
  learningmadeeasy.???...@??.hisoftenusing.net
  learningmadeeasy.???...@??.wheatdrinkcontrol.net
  learningmadeeasy....@??.actbookfelt.net
  learningmadeeasy....@??.stillstationwhether.net
  learningmadeeasy....@??.legbottleloss.net

and

  accountingeducation.gpx...@oiteew.badpeoplepaper.net
  accountingeducation.ihd...@aapufx.stillstationwhether
  accountingeducation.ionm...@wxnuab.legbottleloss.net
  accountingeducation.iqle...@mlmuwx.stillstationwhethe

and

  affordablelifeinsurance.aj...@wiogif.constum.net
  affordablelifeinsurance.ki...@pzodkk.injecou.net

How do we stop this guy?