Title: Message
Gotta catch 'em all (not Pokemon, spam)...
 
Sniffer caught all of them today:
 
gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[345]/ {print $3}" dec0617.log >temp.txt
 
fgrep -ftemp.txt dec0617.log | fgrep "Total weight"
 
If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines sniffer didn't hit on:
 
fgrep -ftemp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"
 
 
Andrew 8)
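
Added example (not part of the original message, and not Sniffer or Declude code): a single-pass awk version of the two commands above that checks the third octet against the 200.49.32 to 200.49.59 range listed in this thread, rather than matching a prefix regex. The log layout, message IDs, test names and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example; assumed log layout (inferred from the commands in the message):
# field 3 is the message ID, the envelope line carries "IP: a.b.c.d", and the
# "Total weight" line for the same ID names the tests that fired.

# Constructed sample log: IDs, addresses, weights and test names are made up.
sample_log() {
cat <<'EOF'
06/17/2005 00:01:12 Q0001 From: a@example.net To: u@example.com IP: 200.49.49.17 ID: 1
06/17/2005 00:01:12 Q0001 Total weight = 25 Tests failed: SNIFFER IPFILE
06/17/2005 00:02:40 Q0002 From: b@example.net To: u@example.com IP: 200.49.50.8 ID: 2
06/17/2005 00:02:40 Q0002 Total weight = 4 Tests failed: OTHERTEST
06/17/2005 00:03:05 Q0003 From: c@example.net To: u@example.com IP: 200.49.3.9 ID: 3
06/17/2005 00:03:05 Q0003 Total weight = 0 Tests failed: none
06/17/2005 00:04:18 Q0004 From: d@example.net To: u@example.com IP: 192.0.2.10 ID: 4
06/17/2005 00:04:18 Q0004 Total weight = 3 Tests failed: OTHERTEST
06/17/2005 00:05:51 Q0005 From: e@example.net To: u@example.com IP: 200.49.44.3 ID: 5
06/17/2005 00:05:51 Q0005 Total weight = 6 Tests failed: OTHERTEST
EOF
}

# Print "ID IP" for each message from 200.49.32.0 - 200.49.59.255 whose
# "Total weight" line does not mention SNIFFER. Reads files or stdin.
sniffer_misses() {
  awk '
    / From: .* To: .* IP: / {
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "IP:") ip = $(i + 1)
      n = split(ip, o, ".")
      # Numeric octet check: 200.49.3.9 (Q0003) matches a "200.49.[345]" prefix
      # regex but is outside the listed netblocks, so it is skipped here.
      if (n == 4 && o[1] + 0 == 200 && o[2] + 0 == 49 &&
          o[3] + 0 >= 32 && o[3] + 0 <= 59)
        src[$3] = ip
      next
    }
    /Total weight/ && ($3 in src) {
      if ($0 !~ /SNIFFER/) print $3, src[$3]
      delete src[$3]   # one verdict per message ID
    }
  ' "$@"
}

sample_log | sniffer_misses
```

To run it against a real log, pass the file name instead of piping the sample: sniffer_misses dec0617.log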
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:20 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Spam blocks loading me up with spam

I'm also taking out the: 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.
 
The trouble on this spammer for me, is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective.
So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.
 
200.49.32.0/24  200.49.32.0/24     moved 06-15-05 SBL17983
200.49.33.0/24  200.49.33.0/24  starsoftmails.com added 02-17-05 SBL17983
200.49.34.0/24  200.49.34.0/24     moved 06-15-05 SBL17983
200.49.35.0/24  200.49.35.0/24     moved 06-15-05 SBL17983
200.49.36.0/24  200.49.36.0/24     moved 06-15-05 SBL17983
200.49.37.0/24  200.49.37.0/24  afdtc.com  added 02-17-05 SBL17983
200.49.38.0/24  200.49.38.0/24  afdtc.com  added 02-17-05 SBL17983
200.49.39.0/24  200.49.39.0/24  afdaa.com  added 02-17-05 SBL17983
200.49.40.0/24  200.49.40.0/24     moved 06-15-05 SBL17983
200.49.41.0/24  200.49.41.0/24     moved 06-15-05 SBL17983
200.49.42.0/24  200.49.42.0/24     moved 06-15-05 SBL17983
200.49.43.0/24  200.49.43.0/24  awwsc.com  added 02-17-05 SBL17983
200.49.44.0/24  200.49.44.0/24  arvvv.com  moved 05-29-05 SBL17983
200.49.45.0/24  200.49.45.0/24  starofferzone.com added 02-17-05 SBL17983
200.49.46.0/24  200.49.46.0/24  fdcmm.com  added 02-17-05 SBL17983
200.49.47.0/24  200.49.47.0/24  bicsc.com  added 02-17-05 SBL17983
----- Original Message -----
Sent: Thursday, June 16, 2005 6:44 PM
Subject: Re: [sniffer] Spam blocks loading me up with spam

Scott,
 
Not too many incoming for me - about 200 out of about 125K messages.  One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.
 
Darrell
-------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
----- Original Message -----
Sent: Thursday, June 16, 2005 6:04 PM
Subject: [sniffer] Spam blocks loading me up with spam

 
Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.
 
200.49.48.0/24  200.49.48.0/24     
200.49.49.0/24  200.49.49.0/24  mowz2.com  
200.49.50.0/24  200.49.50.0/24  qckcstmr.com  
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com  
200.49.52.0/24  200.49.52.0/24  aahtv.com  
200.49.53.0/24  200.49.53.0/24  aakai.com  
200.49.54.0/24  200.49.54.0/24  aakib.com  
200.49.55.0/24  200.49.55.0/24  aakli.com  
200.49.56.0/24  200.49.56.0/24  aafix.com  
200.49.57.0/24  200.49.57.0/24  aaaae.com  
200.49.58.0/24  200.49.58.0/24      
200.49.59.0/24  200.49.59.0/24    
 
Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.  
 
I think they started in on June 15th and have been spamming pretty consistently.
