We're parsing a fairly high percentage of those payload links now. In the case of our attack, they are far more concentrated than the IPs of the source machines - just as you would expect.
-Dave

----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 9:16 PM
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today


> In this case, headers don't provide any benefit because this stuff all
> comes from zombies with forged info. It's the payload links, where they
> might be redirected to and/or is hosted, where their DNS is hosted, and
> where their names were registered. Chances are that everything can be
> tracked back to the same spam gang.
>
> I searched the newsgroups for one of the subjects, and found a bunch of
> zero day domains, one of which was still active and hosting images for
> this spam, turwy33.info. I then looked up the IP and found it listed in
> SBL fresh as of today:
>
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807
>
> This has been attributed to ROKSO spammer MailTrain, whose evidence file
> can be found at the following:
>
> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain
>
> Here's the full list of their current SBL listings...lots from China, as
> all good pill spammers who need dishonest hosts go (unless they can get
> a good rate at Exodus):
>
> http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id=ROK
>
> One of the contacts listed in SBL shows that at least one of these guys
> is Scott's neighbor (figuratively).
>
> I would be curious about whether or not this was the same spammer
> causing issues with Darin. Nevertheless, everyone should turn off the
> Nobody alias for fear that they might get harvested from not rejecting a
> dictionary attack during the SMTP envelope.
>
> Matt
>
>
> Darryl Koster wrote:
>
> >We generally do not have Nobody aliases set on the domains we have, this was
> >set up to capture some of the emails that were being held by the server so
> >we could look at the headers. Once we knew we had enough of them to work
> >with we removed the Nobody alias. Basically those 10 Megs worth of emails
> >span about 10 minutes worth of time.
> >
> >Here are a couple sample headers. The IP range found within some of the
> >(207.164.190.***) is our IP range.
> >
> >Take a look, there are two of them I have not been able to find any
> >similarities between them. There are hundreds like this.
> >
> >Darryl Koster
> >
> >-----------HEADER ONE --------------------------
> >>From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
> >Received: from mx2.statusconcepts.com [207.164.190.21] by
> >mail.statustechnologies.com
> > (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
> >Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -0000
> >Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
> > by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -0000
> >Received: from (HELO idif) [126.202.95.91] by
> >spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
> >13 Mar 2004 15:38:00 -0600
> >Message-ID: <[EMAIL PROTECTED]>
> >From: "Lakisha Woody" <[EMAIL PROTECTED]>
> >Reply-To: "Lakisha Woody" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >Subject: turn your Spud into a stud!! m
> >Date: Sat, 13 Mar 04 15:38:00 GMT
> >X-Mailer: Microsoft Outlook Express 6.00.2462.0000
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative;
> > boundary="B0DD5_.B3._EBFDDB0"
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Declude-Sender: [EMAIL PROTECTED] [207.164.190.21]
> >X-Declude-Spoolname: D7af069b8010ca4e1.SMD
> >X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
> >spam.
> >X-Note: If there are problems please contact
> >[EMAIL PROTECTED]
> >X-Note: http://www.statustechnologeis.com
> >X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, IPNOTINMX,
> >NOLEGITCONTENT, ROUTING, BODYFILTER, SPAM-DOMAINS, WEIGHT10, WEIGHT30 [55]
> >X-RCPT-TO: <[EMAIL PROTECTED]>
> >Status: U
> >X-UIDL: 378950659
> >
> >
> >--B0DD5_.B3._EBFDDB0
> >Content-Type: text/html;
> >Content-Transfer-Encoding: quoted-printable
> >
> >
> >
> >--------------------------------HEADER TWO -------------------------------
> >
> >
> >>From <[EMAIL PROTECTED]> Wed Mar 10 16:00:13 2004
> >Received: from mx2.statusconcepts.com [207.164.190.21] by
> >mail.statustechnologies.com
> > (SMTPD32-7.07) id ADD9621B00AE; Wed, 10 Mar 2004 15:43:05 -0500
> >Received: (qmail 1595 invoked from network); 10 Mar 2004 16:48:27 -0000
> >Received: from c-24-12-20-130.client.comcast.net (24.12.20.130)
> > by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:48:27 -0000
> >Received: from [218.175.132.210] by c-24-12-20-130.client.comcast.net with
> >ESMTP id 05811379 for <[EMAIL PROTECTED]>; Sat, 13 Mar 2004 17:37:56 -0400
> >Message-ID: <[EMAIL PROTECTED]>
> >From: "Melissa Funk" <[EMAIL PROTECTED]>
> >Reply-To: "Melissa Funk" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >Subject: This email is for Men! uukvx xga pxd hclt
> >Date: Sat, 13 Mar 04 17:37:56 GMT
> >X-Mailer: The Bat! (v1.52f) Business
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative;
> > boundary="B0DD5_.B3._EBFDDB0"
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Declude-Sender: [EMAIL PROTECTED] [207.164.190.21]
> >X-Declude-Spoolname: D7dd9621b00ae0338.SMD
> >X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
> >spam.
> >X-Note: If there are problems please contact
> >[EMAIL PROTECTED]
> >X-Note: http://www.statustechnologeis.com
> >X-Spam-Tests-Failed: NOPOSTMASTER, BADHEADERS, IPNOTINMX, NOLEGITCONTENT,
> >BODYFILTER, GIBBERISHSUB, SPAM-DOMAINS, WEIGHT10, WEIGHT30, WEIGHT100 [149]
> >X-RCPT-TO: <[EMAIL PROTECTED]>
> >Status: U
> >X-UIDL: 378952512
> >
> >
> >---
> >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> >---
> >This E-mail came from the Declude.JunkMail mailing list. To
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.JunkMail". The archives can be found
> >at http://www.mail-archive.com.
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
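The two points made in this thread, that the Received chain from a zombie is not worth reading while the payload links concentrate on a handful of hosts, can be turned into a batch check. What follows is an added example written for this page, not code from the thread, from Declude or from any of the posters. The three messages it works on are constructed: the zombie and inner-hop IPs, the turwy33.info payload host and the MIME boundary reuse values quoted in the two sample headers above, while every hostname under .example, .example.org or .example.net and the mx.example.com stamp are placeholders. The example flags the same two tells visible in the quoted headers: inner hops and Date: headers dated three days after the MX accepted the message, and the identical boundary string on messages from unrelated zombies.

```python
"""Added example (not code from the thread or from Declude): triage a batch of
zombie-sent spam the way the thread suggests: distrust the forged Received
chain, fingerprint the messages, and pivot on the payload links instead of the
sending IPs.  The three messages are constructed; hop IPs, payload host and
MIME boundary reuse values quoted in the thread, everything else is made up."""
import email
import re
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
URL_HOST_RE = re.compile(r"""(?:href|src)\s*=\s*["']?https?://([^/"'\s>]+)""", re.I)

TEMPLATE = (  # minimal skeleton shaped like the headers quoted in the thread
    "Received: from {zombie} ({ip})\n\tby mx.example.com with SMTP; {mx}\n"
    "Received: {inner}\nDate: {date}\nSubject: constructed sample\n"
    'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="{b}"\n'
    "\n--{b}\nContent-Type: text/html\n\n{html}\n--{b}--\n"
)
MX = "10 Mar 2004 16:44:32 +0000"  # stamp written by our own MX: the only one to trust
SAMPLES = [  # constructed messages; .example hosts are placeholders
    TEMPLATE.format(zombie="cust133.lond.example", ip="80.3.72.133", mx=MX, b="B0DD5_.B3._EBFDDB0",
                    inner="from (HELO idif) [126.202.95.91] by cust133.lond.example; Sat, 13 Mar 2004 15:38:00 -0600",
                    date="Sat, 13 Mar 04 15:38:00 GMT", html='<a href="http://turwy33.info/x">buy</a>'),
    TEMPLATE.format(zombie="c-24-12-20-130.example", ip="24.12.20.130", mx=MX, b="B0DD5_.B3._EBFDDB0",
                    inner="from [218.175.132.210] by c-24-12-20-130.example; Sat, 13 Mar 2004 17:37:56 -0400",
                    date="Sat, 13 Mar 04 17:37:56 GMT",
                    html='<a href="http://turwy33.info/y"><img src="http://turwy33.info/i.gif"></a>'),
    TEMPLATE.format(zombie="relay.example.org", ip="198.51.100.7", mx=MX, b="legit-bndry-01",
                    inner="from user.example.org [198.51.100.9] by relay.example.org; 10 Mar 2004 16:40:00 +0000",
                    date="10 Mar 2004 16:39:00 +0000", html='<img src="http://img.example.net/logo.png">'),
]


def _parse_date(text):
    """RFC 2822 date -> aware datetime, None on junk.  The stdlib returns a
    naive value for a '-0000' zone; pin that to UTC so hops stay comparable."""
    try:
        d = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError, IndexError):
        return None
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)


def received_hops(msg):
    """Received chain, outermost (our MX) first, as (unfolded text, datetime)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())  # unfold continuation lines
        hops.append((text, _parse_date(text.rpartition(";")[2])))  # date follows the last ';'
    return hops


def forged_hops(msg, skew=timedelta(hours=1)):
    """Inner hops, and the Date: header, stamped later than the trusted outer
    hop by more than `skew`: nothing upstream can postdate our own MX."""
    hops = received_hops(msg)
    if not hops or hops[0][1] is None:
        return []
    mx_time = hops[0][1]
    claims = hops[1:] + [("Date: " + msg.get("Date", ""), _parse_date(msg.get("Date", "")))]
    return [text for text, d in claims if d is not None and d - mx_time > skew]


def sender_ip(msg):
    """The address our MX actually talked to: the zombie, not the forged hop."""
    hops = received_hops(msg)
    m = IP_RE.search(hops[0][0]) if hops else None
    return m.group(1) if m else None


def payload_hosts(msg):
    """Hosts behind every href/src in the HTML parts: the payload links."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hosts.update(h.lower() for h in URL_HOST_RE.findall(body))
    return hosts


def analyze(raw):
    """Per-message view: real sender, forged claims, payload hosts, boundary."""
    msg = email.message_from_string(raw)
    return {"sender_ip": sender_ip(msg), "forged": forged_hops(msg),
            "hosts": payload_hosts(msg), "boundary": msg.get_boundary()}


def triage(raws):
    """Batch view: sender IPs scatter across zombies while payload hosts and a
    reused MIME boundary concentrate, which is where to pivot."""
    report = {"sender_ips": Counter(), "payload_hosts": Counter(),
              "boundaries": Counter(), "forged_messages": 0}
    for raw in raws:
        a = analyze(raw)
        report["sender_ips"][a["sender_ip"]] += 1
        report["payload_hosts"].update(a["hosts"])
        report["boundaries"][a["boundary"]] += 1
        report["forged_messages"] += bool(a["forged"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLES).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On the three constructed messages the sender IPs are all distinct while two of three link to turwy33.info and two carry the same boundary, which is the concentration Dave describes. The one-hour skew is a tolerance for relays with bad clocks; a hop three days in the future, as in both quoted samples, is well outside it. Taking the pivot further, to where the payload host's DNS is served and the name was registered as Matt suggests, needs WHOIS and DNS lookups that this offline example deliberately leaves out.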