A spam in my queue begins:

    P I 11-11-2002 16:47:32 0000 thefreevirtual.org glen
    R E 11-11-2002 16:47:36 0000 bzlaw.com glen
    R E 11-11-2002 16:48:06 0000 bzlaw.com jeff
    R E 11-11-2002 16:48:36 0000 bzlaw.com katie
    R E 11-11-2002 16:49:06 0000 bzlaw.com oscar
    R E 11-11-2002 16:51:06 0000 bzlaw.com pierre
    R E 11-11-2002 16:53:06 0000 bzlaw.com rainbow

    Received: from [213.167.166.26] (HELO thefreevirtual.org)
      by SMTP.az.net (Stalker SMTP Server 1.8b9d11)
      with SMTP id S.0000110944; Mon, 11 Nov 2002 09:47:34 -0700

Can I accept 213.167.166.26 as the real IP address of the offending MTA or is it like the HELO argument (thefreevirtual.org) which can be any durned thing the spammer pleases?

Trying to look up the MX for thefreevirtual.org comes up empty, which is why, I suppose, SIMS tries to connect to 61.129.78.34 -- the IP of thefreevirtual.org, which is probably not the real host name anyway.

    00:17:33 3 SMTP-208(thefreevirtual.org) Failed to connect to [61.129.78.34:25]. reason=60

I went through the spam in the queue and noted that not more than three items were from any one IP address but all are obviously part of the same dictionary attack on one domain.

    64.86.229.68 195.228.147.142 200.207.18.32 200.252.68.208 202.65.158.4
    210.72.254.146 213.19.179.5 213.167.166.26 213.170.87.163 213.176.50.69
    213.190.37.170 213.204.80.166 213.221.129.112 213.229.50.165

All gave the same "thefreevirtual.org" HELO argument. Given the wide variety of addresses, is it likely that the IP is faked too? Then again, those IPs that resolve are all non-US but scattered throughout br, de, it, at, etc.

Now, I would think that a spammer with resources spread this widely would be caught by my RBL but that doesn't seem to be happening, so I'm adding each IP manually in the hope that the IPs are not faked and that eventually it will do some good. Am I wasting my time?
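An added example, not part of the original post: a small Python sketch that parses Received lines of the shape quoted above and groups queued messages by HELO argument, so one HELO string arriving from many distinct addresses stands out. It assumes the bracketed address is the connecting peer as recorded by the receiving server and that the HELO string is client-supplied; the function names, the threshold and every sample header other than the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape taken from the header quoted in the post:
#   Received: from [<peer ip>] (HELO <client-supplied name>) by ...
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+\(HELO (?P<helo>[^)\s]+)\)"
)

def parse_received(header):
    """Return (peer_ip, helo) from one Received header, or None if it does not match."""
    unfolded = " ".join(header.split())  # join folded continuation lines
    m = RECEIVED_RE.search(unfolded)
    return (m.group("ip"), m.group("helo").lower()) if m else None

def helo_clusters(headers, min_ips=3):
    """Map each HELO seen from at least min_ips distinct peers to its sorted peer list."""
    seen = defaultdict(set)
    for header in headers:
        parsed = parse_received(header)
        if parsed:
            ip, helo = parsed
            seen[helo].add(ip)
    return {h: sorted(ips) for h, ips in seen.items() if len(ips) >= min_ips}

# First entry is the header from the post; the rest are constructed samples
# (192.0.2.10 and mail.example.net are documentation placeholders).
SAMPLE = [
    "Received: from [213.167.166.26] (HELO thefreevirtual.org)\n"
    "  by SMTP.az.net (Stalker SMTP Server 1.8b9d11)\n"
    "  with SMTP id S.0000110944; Mon, 11 Nov 2002 09:47:34 -0700",
    "Received: from [64.86.229.68] (HELO thefreevirtual.org) by SMTP.az.net with SMTP",
    "Received: from [195.228.147.142] (HELO thefreevirtual.org) by SMTP.az.net with SMTP",
    "Received: from [213.167.166.26] (HELO TheFreeVirtual.org) by SMTP.az.net with SMTP",
    "Received: from [192.0.2.10] (HELO mail.example.net) by SMTP.az.net with SMTP",
]

if __name__ == "__main__":
    for helo, ips in helo_clusters(SAMPLE).items():
        print(f"{helo}: {len(ips)} distinct peers -> {', '.join(ips)}")
```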
