We’re getting a lot of spam that contains URLs that look like (remove the 
####):

http://mab####sut.com/20220362/vuxtxumsrnsst6unlornt3umtfuwznvv~5v0nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnl_ts_tn_ttce/unnt7uqs_mrn_ttdfw3yuw_h_03xo_gl_67_8gw_buutxveumpomte3yuo_tlltcx3yumsrnsstziaumte3umm/lst0x0ut0xut7eunty1um_ttf1umnrt2utezdeuteutyutw2utv3utvaut0u_0czz_xz66_a298zty8ux97xvd/e_o8zetdy97utd3aut09ultcdaumtd3un_unsrrtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://ihn####yc.org/20219021/vuv~5xtxumssmqst6um_ulnmt3untfuwznvv0nmro0ysnx_u_usqzxs/rwlln_t_t_tomtdyumplnl_tpsqntceum_tt7uqn_momntdfw3yuv_/h2fz_h_7fwo_48txveum_tqmte3yuo_tlltcx3yumssmqstziaumte/3ummlst0x0ut0xut7eunty1u_ttf1umnrt2utezdeuteutyutw2utv/3utvaut0u_vce2c3e3dty8u7z_ox97tdy97utd3aut09ultcdaumtd/3uoonlm_utw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://iea####to.com/whos/be2aaf2163fd72c9975ec76b00288831

http://cp.mk-k####bcc.com/b70b761a4447c8c67c6e9038d1de210a97a45dea243016466fa7c1444ab14bb1abc5cc032da9130670fdfc882f064d6860e488e378ca0ded95d2cdf134d434767a3055d838fe41ca19d924b5a65cf04f

http://ifs####pc.com/20220362/vuxtxumsn_tpmt6unlorv~5nt3umtfuwznvv0nmro0ysnx_u_usqzxsrwlln_t_t_to/mtdyumplnl_tllpqtceunmt7uqs_moomtdfw3yuv_h_kkx_1_7f_jn_uetxveuolnt/e3yuo_tlltcx3yu_uprtziaumte3ummlst0x0ut0xut7eunty1uptf1umnrt2utezd/euteutyutw2utv3utvaut0u_h3cz6zdd_38ezc8zety8ujv299_ox97tdy97utd3au/t09ultcdaumtd3uompqmotw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

http://nig####gu.com/20220362/vuxtxums_tqq_ut6unlornt3umtfuwznvvv~50nmro0ysnx_u_usqzxsrwlln_t_t_tomtdyumplnlsm_tnntceum/_tt7uqr_mrsotdfw3yuw768_ko_ff_jn_uetxveuompnte3yuo_tlltcx3yuqsrotziaumte3ummlst0x0ut0xut/7eunty1uptf1umnrt2utezdeuteutyutw2utv3utvaut0u_xzce303zy_8fcd381_vdd3dev8e_zyfxve398ty8u/jv299_ox97tdy97utd3aut09ultcdaumtd3uopp_tqqtw3utwv8utweut80utecegutfnutaeut263yutdzeumt9cul_ol

Some observations… The URLs should be fairly easy to filter against via a 
regex.  Anyone have some working rules they could share?

The other thing is, the URL is almost always hosted by solarvps.com, in the 
CIDR block 65.181.64.0/18.

Is there an easy way to do a domain lookup on the host portion of the URL and 
then filter it if it’s in this subnet?

Thanks,

-Philip
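
The lookup asked about in this post, as an added example that is not part of the original message: it pulls the host out of each URL in a message body, resolves it, and reports the hosts that have an address inside 65.181.64.0/18. The function names, the injectable `resolve` parameter, and the sample body and DNS answers are constructed for illustration.

```python
import ipaddress
import socket
import re
from urllib.parse import urlsplit

BLOCKED_NET = ipaddress.ip_network("65.181.64.0/18")  # block named in the post
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# Constructed sample input: hosts and DNS answers are made up for this example.
SAMPLE_BODY = ("Click http://Spam-A.example/20220362/vuxtx now\n"
               "or http://ok.example/whos/abc and http://65.181.64.1/x\n")
SAMPLE_DNS = {"spam-a.example": ["65.181.100.7", "192.0.2.9"],
              "ok.example": ["65.181.128.1"]}


def dns_resolve(host):
    """Default resolver: IPv4 addresses from the system resolver, [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None, family=socket.AF_INET)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def hosts_in_body(body):
    """Unique, lower-cased host names of the http(s) URLs in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def hits_in_block(body, resolve=dns_resolve, net=BLOCKED_NET):
    """Return {host: [addresses inside net]} for URL hosts that land in net."""
    hits = {}
    for host in hosts_in_body(body):
        try:
            addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
        except ValueError:
            addrs = resolve(host)
        inside = [a for a in addrs if ipaddress.ip_address(a) in net]
        if inside:
            hits[host] = inside
    return hits
```

With the default `resolve`, each host costs a live DNS query per message, so a mail filter would normally cache the answers.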
