On 2/11/2018 2:37 PM, David Jones wrote:
This mail server has legit email for centurylink.net and embarqmail.com plus a lot of other spam coming out of it. It's listed on a number of RBLs making this very hard to allow ham through and block spam.
http://multirbl.valli.org/lookup/206.152.134.66.html
<snip>
https://pastebin.com/YidWCqp8

I've downgraded the whitelisting entry for this IP at invaluement. It still won't get blacklisted due to the large amount of collateral damage that such a listing would cause. (And other lists having this blacklisted is probably a GOOD thing! I'm not disputing their decision for their list. Different lists serve different purposes, etc.) But with this downgrade at invaluement, future spam that comes from this IP will be examined with greater scrutiny by invaluement, in order to possibly blacklist other domains and IPs related to the spam.

Also, the spam sample shows a Google shortener being used as the payload link. I've seen many of those lately - and I think Google needs to work on improving their ability to prevent these, or at least get the shortener terminated faster. At the moment, this one is still "live". I reported this particular one as spam to their shortener abuse form. So, it will be interesting to see how long it persists from this point forward?

btw - if anyone ever wants to learn more about one of these Google shorteners without actually visiting the link (which can be dangerous... for example, some of the more malicious links arrive at a page that tries to install a virus), add ".info" to the end of the Google shortener URL and you can then see more info about the shortener, including its intended destination. For example, for this one:

https://goo.gl/s7XxhD.info

--
Rob McEwen
https://www.invaluement.com

