> The domain names look all like junk/senseless domain names used by
> spammers.
intentwishes.com:
If this were the case then it would mean that the spammer also has control
of the DNS servers responsible for this domain's IP address as there is a
reverse DNS record. I would not be surprised if they did have control as the
block of IP addresses where this is coming from is assigned to: The
Education Network of Ontario.
There is an SPF record for this domain, but it is not for this machine, so
blocking on an invalid SPF record should stop this spam.

Roger



On 9/18/07, Len Conrad <[EMAIL PROTECTED]> wrote:
>
> This won't catch a lot, but it could give you IPs or Class C's to
> block. I noted some stuff getting through to me where a header was:
>
> x: ZRlJFRUtJVEBCUkVOREFTQ1JJVkVORVIuQ09NZ
>
> ....probably some kind of spam tracking code.
>
> and FROM: was illegal stuff (caret is illegal in sender field):
>
> from=<[EMAIL PROTECTED]>
>
> in header_checks.regep:
>
> /(^x: .*)/ DISCARD x: header = "$1"
>
>
> the $1 writes the expression to the log line. If you want to test,
> replace DISCARD with WARN or HOLD
>
> Here's a command to report hits by PTR[ip] sorted by IP:
>
> egrep -i "discard:.*x: header" /var/log/maillog | cut -d ";" -f 1 |
> awk '{print $NF}' | sort -fn | uniq -ic | sort -t[ -k2
>
> The domain names look all like junk/senseless domain names used by
> spammers.
>
> Len
>
>
>


-- 
Do you like it hot? http://www.spicymama.com
Hot Pepper/BBQ/Wing sauce for those who like it hot.
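
The report from Len's pipeline, rolled up to the Class C (/24) level he mentions, as an added example that is not part of either message. It assumes the usual Postfix cleanup log layout; the sample lines, hostnames and addresses are constructed, and `class_c_report` and `min_hits` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the usual Postfix cleanup layout (assumed);
# hosts and IPs are documentation values, not taken from the thread.
SAMPLE_LOG = """\
Sep 18 10:02:11 mx postfix/cleanup[2101]: 4F2A11C0B2: discard: header x: QUJD from bulk01.example.net[192.0.2.18]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<bulk01.example.net>: x: header = "x: QUJD"
Sep 18 10:02:40 mx postfix/cleanup[2101]: 5A1B21C0B3: discard: header x: REVG from bulk02.example.net[192.0.2.19]; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<bulk02.example.net>: x: header = "x: REVG"
Sep 18 10:03:05 mx postfix/cleanup[2101]: 6C3D31C0B4: discard: header x: R0hJ from bulk02.example.net[192.0.2.19]; from=<c@example.net> to=<u@example.org> proto=ESMTP helo=<bulk02.example.net>: x: header = "x: R0hJ"
Sep 18 10:04:17 mx postfix/cleanup[2101]: 7E5F41C0B5: warning: header x: SktM from bulk05.example.net[192.0.2.22]; from=<d@example.net> to=<u@example.org> proto=ESMTP helo=<bulk05.example.net>: x: header = "x: SktM"
Sep 18 10:05:29 mx postfix/cleanup[2101]: 8A7B51C0B6: hold: header x: TU5P from unknown[203.0.113.6]; from=<e@example.com> to=<u@example.org> proto=ESMTP helo=<mail.example.com>: x: header = "x: TU5P"
Sep 18 10:06:02 mx postfix/cleanup[2101]: 9C9D61C0B7: discard: header x: UVJT from mail7.example.com[198.51.100.71]; from=<f@example.com> to=<u@example.org> proto=ESMTP helo=<mail7.example.com>: x: header = "x: UVJT"
Sep 18 10:06:30 mx postfix/cleanup[2101]: AEBF71C0B8: reject: header Subject: test from mail9.example.com[198.51.100.90]; from=<g@example.com> to=<u@example.org> proto=ESMTP helo=<mail9.example.com>: subject rule
Sep 18 10:07:00 mx postfix/smtpd[2099]: connect from bulk01.example.net[192.0.2.18]
"""

# DISCARD, WARN and HOLD hits on the x: header all count, so the rule can be
# trialled with WARN or HOLD first. The header text is sender-controlled, so
# treat the output as a lead to review rather than an automatic block list.
HIT = re.compile(
    r": (?P<action>discard|warning|hold): header x: .*? from "
    r"(?P<host>\S+)\[(?P<ip>[0-9.]+)\];", re.IGNORECASE)

def class_c_report(log_text, min_hits=3):
    """Return (hits per client IP, [(network/24, hits, distinct IPs)])."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m is None:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue  # not a valid dotted quad, skip the line
        per_ip[str(ip)] += 1
    nets = defaultdict(lambda: [0, 0])  # network -> [hits, distinct IPs]
    for ip, n in per_ip.items():
        net = str(ipaddress.ip_network(ip + "/24", strict=False))
        nets[net][0] += n
        nets[net][1] += 1
    rows = [(net, h, d) for net, (h, d) in nets.items() if h >= min_hits]
    rows.sort(key=lambda r: (-r[1], r[0]))  # busiest network first
    return per_ip, rows

if __name__ == "__main__":
    for net, hits, distinct in class_c_report(SAMPLE_LOG)[1]:
        print(f"{hits:6d} hits from {distinct} IPs in {net}")
```
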


