I think you actually identified Cheetah Mail with that block. Here's what SenderBase has for that range:
http://www.senderbase.org/search?searchString=207.251.96.200&whichOthers=%2F24
I would highly advise not blocking Cheetah Mail, at least indiscriminately. They do have a pretty good opt-in policy for their member companies, and they serve only the largest such companies. Although one of the companies using their services might have opted users in inappropriately, that typically isn't the case with them. Same goes for Dart Mail and a few others.
The header search for that X-JLH: string though did expose another large block of addresses for Pexicom, one in fact that I had been collecting IP's for blocking outside of this hunt. Now that I am giving this stuff so much weight, and deleting at those weights, the remaining stuff that comes through is easy to identify. So I've added the following blocks. You will probably recognize the domains listed in the updated file (at the top).
64.124.165.0/25 [64.124.165.0] - [64.124.165.127]
64.124.165.128/26 [64.124.165.128] - [64.124.165.191]
64.124.165.192/27 [64.124.165.192] - [64.124.165.223]
64.125.181.0/24 [64.125.181.0] - [64.125.181.255]
It seems that both ranges, especially the class C, are used without reverse DNS sometimes, and the names seem to change. The class C is also the range that they have listed on SBL, and it's not by any means defunct. This guy has about 1,000 IP's at his disposal to spam from, and he consistently makes use of a lot of them to send out what I term "contest spam."
Note that after the CIDR range, those are effectively comments in an IPFILE, and they will show up in your logs or headers if you use WARN (no need to add a # symbol).
I've attached a new version of the filter. Some might want to block at the router or IMail to save on processing. He's probably up to 5% of my mail volume with these additions.
Matt
Gufler Markus wrote:
Great work Matthew! I have seen this type of message from the IP block 207.251.96.201 ... 204 in the last 10 days.
So I've added
207.251.96.200/29 [207.251.96.200] - [207.251.96.207] # mckinseyquarterly.com
to your pexicom-ipfile.
Does anyone know www.mckinseyquarterly.com? Looks legit...?
Looks like this guy has invested a lot to create a big "spam-engine"
Maybe some Declude Pro users should set up a filter file to identify the "X-JLH" header. That way we could gradually build a more complete picture of this distributed spam processing technique.
PEXICOM-HEADER filter C:\IMail\Declude\filters\pexicom_header.txt x 5 0
And in the pexicom_header.txt file
HEADERS 0 CONTAINS X-JLH
---
Gufler Markus ---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--
===================================================
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---------------------------------------------------
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===================================================
Attachment: Pexicom.zip (Zip compressed data)
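As an added illustration of the two checks discussed in this thread (the IPFILE with CIDR ranges followed by free-text comments, and the pexicom_header.txt filter that flags the X-JLH header), here is a small Python model of how those files are evaluated. It is not Declude's code or part of the attached filter; the IPFILE contents, the sample headers and the weights are constructed for the example, and the reading of "HEADERS 0 CONTAINS X-JLH" as "any header line containing the string" is an assumption.

```python
import ipaddress

# Constructed IPFILE in the format used in the thread: the CIDR comes first and
# everything after it is a comment that WARN echoes into the logs or headers.
IPFILE = """\
207.251.96.200/29 [207.251.96.200] - [207.251.96.207] # mckinseyquarterly.com
64.124.165.0/25 [64.124.165.0] - [64.124.165.127]
64.125.181.0/24 [64.125.181.0] - [64.125.181.255]
"""

# Constructed sample headers (not from a real message).
SAMPLE_HEADERS = (
    "Received: from unknown (HELO mx) (207.251.96.203)\n"
    "X-JLH: abc123\n"
    "Subject: You won!\n"
)


def parse_ipfile(text):
    """Return (network, comment) pairs; blank lines, comments and bad CIDRs are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidr, _, comment = line.partition(" ")
        try:
            net = ipaddress.ip_network(cidr, strict=False)  # tolerate unaligned host bits
        except ValueError:
            continue
        entries.append((net, comment.strip()))
    return entries


def match_ip(entries, ip):
    """Return the comment of the first range containing ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, comment in entries:
        if addr in net:
            return comment
    return None


def has_header(raw_headers, name):
    """Model of 'HEADERS 0 CONTAINS X-JLH' (assumed): any header line containing name."""
    return any(name.lower() in line.lower() for line in raw_headers.splitlines())


def score_message(raw_headers, sender_ip, entries, ip_weight=5, header_weight=5):
    """Add the (assumed) weights of the IP range test and the header test."""
    weight = 0
    if match_ip(entries, sender_ip) is not None:
        weight += ip_weight
    if has_header(raw_headers, "X-JLH"):
        weight += header_weight
    return weight
```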
