I searched the newsgroups for one of the subjects, and found a bunch of zero day domains, one of which was still active and hosting images for this spam, turwy33.info. I then looked up the IP and found it listed in SBL fresh as of today:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807
This has been attributed to ROKSO spammer MailTrain, whose evidence file can be found at the following:
http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain
Here's the full list of their current SBL listings...lots from China, as all good pill spammers who need dishonest hosts go (unless they can get a good rate at Exodus):
http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id=ROK
One of the contacts listed in SBL shows that at least one of these guys is Scott's neighbor (figuratively).
I would be curious about whether or not this was the same spammer causing issues with Darin. Nevertheless, everyone should turn off the Nobody alias for fear that they might get harvested from not rejecting a dictionary attack during the SMTP envelope.
Matt
Darryl Koster wrote:
We generally do not have nobody aliases set on the domains we have; this one was set up to capture some of the emails that were being held by the server so we could look at the headers. Once we knew we had enough of them to work with, we removed the nobody alias. Basically, those 10 Megs worth of emails span about 10 minutes worth of time.
Here are a couple of sample headers. The IP range found within some of them (207.164.190.***) is our IP range.
Take a look; there are two of them, and I have not been able to find any similarities between them. There are hundreds like this.
Darryl Koster
-----------HEADER ONE --------------------------
From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
Received: from mx2.statusconcepts.com [207.164.190.21] by mail.statustechnologies.com (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -0000
Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133) by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -0000
Received: from (HELO idif) [126.202.95.91] by spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat, 13 Mar 2004 15:38:00 -0600
Message-ID: <[EMAIL PROTECTED]>
From: "Lakisha Woody" <[EMAIL PROTECTED]>
Reply-To: "Lakisha Woody" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: turn your Spud into a stud!! m
Date: Sat, 13 Mar 04 15:38:00 GMT
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B0DD5_.B3._EBFDDB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Declude-Sender: [EMAIL PROTECTED] [207.164.190.21]
X-Declude-Spoolname: D7af069b8010ca4e1.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Note: If there are problems please contact [EMAIL PROTECTED]
X-Note: http://www.statustechnologeis.com
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, IPNOTINMX, NOLEGITCONTENT, ROUTING, BODYFILTER, SPAM-DOMAINS, WEIGHT10, WEIGHT30 [55]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 378950659

--B0DD5_.B3._EBFDDB0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
--------------------------------HEADER TWO -------------------------------
From <[EMAIL PROTECTED]> Wed Mar 10 16:00:13 2004
Received: from mx2.statusconcepts.com [207.164.190.21] by mail.statustechnologies.com (SMTPD32-7.07) id ADD9621B00AE; Wed, 10 Mar 2004 15:43:05 -0500
Received: (qmail 1595 invoked from network); 10 Mar 2004 16:48:27 -0000
Received: from c-24-12-20-130.client.comcast.net (24.12.20.130) by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:48:27 -0000
Received: from [218.175.132.210] by c-24-12-20-130.client.comcast.net with ESMTP id 05811379 for <[EMAIL PROTECTED]>; Sat, 13 Mar 2004 17:37:56 -0400
Message-ID: <[EMAIL PROTECTED]>
From: "Melissa Funk" <[EMAIL PROTECTED]>
Reply-To: "Melissa Funk" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: This email is for Men! uukvx xga pxd hclt
Date: Sat, 13 Mar 04 17:37:56 GMT
X-Mailer: The Bat! (v1.52f) Business
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B0DD5_.B3._EBFDDB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Declude-Sender: [EMAIL PROTECTED] [207.164.190.21]
X-Declude-Spoolname: D7dd9621b00ae0338.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Note: If there are problems please contact [EMAIL PROTECTED]
X-Note: http://www.statustechnologeis.com
X-Spam-Tests-Failed: NOPOSTMASTER, BADHEADERS, IPNOTINMX, NOLEGITCONTENT, BODYFILTER, GIBBERISHSUB, SPAM-DOMAINS, WEIGHT10, WEIGHT30, WEIGHT100 [149]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 378952512
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
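Both sample headers share one tell that the thread does not spell out: the bottom Received: line and the Date: header are stamped Saturday 13 March, three days after mail.statustechnologies.com actually accepted the message on Wednesday 10 March. Only the top Received: line is written by your own MTA; every hop below it arrives as untrusted text from the sender, so a hop dated later than the host that supposedly received it was forged. The following script is an added example, not code from either poster or from Declude; it walks the Received: chain of a constructed header modelled on HEADER ONE (hostnames and IPs replaced with documentation values) and flags the forged hop and the future-dated Date: header.

```python
import email
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the list post's "HEADER ONE": hostnames and IPs
# are documentation values, and the Received: lines are unfolded one per line.
SAMPLE = """\
Received: from mx2.example.com [203.0.113.21] by mail.example.com (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -0000
Received: from cust133.example.net (198.51.100.133) by mx2.example.com with SMTP; 10 Mar 2004 16:44:32 -0000
Received: from (HELO idif) [192.0.2.91] by cust133.example.net SMTP id T5WrKU8YPux1cX; Sat, 13 Mar 2004 15:38:00 -0600
From: "Sender Name" <sender@example.org>
To: victim@example.com
Subject: constructed sample
Date: Sat, 13 Mar 04 15:38:00 GMT

(body omitted)
"""

SKEW = timedelta(hours=1)  # tolerance for ordinary clock drift between MTAs


def _utc(value):
    """Parse an RFC 2822 date. A '-0000' zone yields a naive datetime, so pin it to UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def received_times(msg):
    """Timestamp of each Received: hop, in header order: our own MTA first, oldest hop last."""
    return [_utc(h.rsplit(";", 1)[1]) for h in msg.get_all("Received", [])]


def find_anomalies(raw, skew=SKEW):
    """Return (hop_index, reason) pairs; index -1 refers to the Date: header.
    Each Received: line is stamped by the host that *received* the message, so going
    down the chain the times must not increase beyond clock skew."""
    msg = email.message_from_string(raw)
    times = received_times(msg)
    found = []
    for i in range(1, len(times)):
        if times[i] > times[i - 1] + skew:
            found.append((i, "hop timestamp later than the MTA that received it"))
    if msg["Date"] and _utc(msg["Date"]) > times[0] + skew:
        found.append((-1, "Date: header later than our own MTA's Received stamp"))
    return found


if __name__ == "__main__":
    for idx, why in find_anomalies(SAMPLE):
        print(f"hop {idx}: {why}")
```

Only the first Received: line (index 0) deserves trust; the check treats every lower hop as a claim to be verified against the hop above it, which is why the forged bottom hop (index 3) and the Date: header are the two findings on this sample.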