So when you look at the header, the only information you can trust is the last server before it reaches your server. Is his server address real? I mean, really his? Does he hijack open relays or spam zombies, or use servers outside of the US? I'm just curious how reliable this information is in filtering him out. Just for curiousity, I made a list from his latest New Account spam and found these sources.
Ben ************************** 02.mailmx01.com [207.154.32.2] mx05.curb101.com [64.200.217.41] mx17.curb101.com [64.200.217.53] mx20.curb101.com [64.200.217.56] 134.opnletters.com [65.175.2.134] k.opnletters.com [65.175.2.20] 03.opnletters.com [65.175.2.30] 11.opnletters.com [65.175.2.38] 52.opnletters.com [65.175.2.52] 107.opnstuff.com [66.227.68.107] 224.opnstuff.com [66.227.68.224] 227.opnstuff.com [66.227.68.227] 234.opnstuff.com [66.227.68.234] 234.opnstuff.com [66.227.68.234] 32.opnstuff.com [66.227.68.32] 52.opnstuff.com [66.227.68.52] 55.opnstuff.com [66.227.68.55] 59.opnstuff.com [66.227.68.59] mx18139.tt03.com [69.6.18.139] mx18143.ss03.com [69.6.18.143] mx18180.hh02.com [69.6.18.180] mx18193.pp03.com [69.6.18.193] mx18231.ee02.com [69.6.18.231] mx1886.ff02.com [69.6.18.86] mx1927.tt03.com [69.6.19.27] mx1938.ff02.com [69.6.19.38] mx1982.dd03.com [69.6.19.82] mx20173.aa05.com [69.6.20.173] mx2027.tt03.com [69.6.20.27] mx2081.pp03.com [69.6.20.81] mx2081.pp03.com [69.6.20.81] mx4121.gg02.com [69.6.41.21] mx634.dd03.com [69.6.6.34] 16.asp060.com [69.6.64.116] 28.asp070.com [69.6.65.128] 46.asp070.com [69.6.65.146] 60.asp070.com [69.6.65.160] 66.asp070.com [69.6.65.166] 14.asp010.com [69.6.73.114] 46.asp040.com [69.6.76.146] ************************** ----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]> To: <Declude.JunkMail@declude.com> Sent: Sunday, October 09, 2005 3:58 PM Subject: Re: [Declude.JunkMail] chronic junkmail -- "new account" > This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This > particular block is 65.175.2.0/24. Surprisingly it isn't widely listed, > but I did find it in MAILPOLICE, and if you have URIBL support, it is > also in SURBL presently. > > Matt > > > > IMail Admin wrote: > > > Hi, > > > > For the last few weeks, we've seen an explotion of spam mail with the > > from line as "New Account". The subject and text vary. Some messages > > get caught by our threshold and dumped, but many do not. Sniffer > > seems to spot these pretty effectively, but not always and we don't > > take action on just one test, even one as good as Sniffer. Any > > suggestions? > > > > Ben > > BC Web > > > > Here is the source of one such message: > > > > Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net > > with ESMTP > > (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 > > Received: (from [EMAIL PROTECTED]) > > by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; > > Sun, 9 Oct 2005 14:45:45 -0700 (PDT) > > Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) > > Message-Id: <[EMAIL PROTECTED]> > > From: New Account <[EMAIL PROTECTED]> > > To: [EMAIL PROTECTED] > > Subject: Get A Free Ringtone [EMAIL PROTECTED] > > MIME-Version: 1.0 > > Content-Type: text/plain; charset="iso-8859-1" > > X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. > > X-Declude-Sender: > > [EMAIL PROTECTED] > > [65.175.2.52] > > X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) > > for spam. > > X-Spam-Tests-Failed: SNIFFER [4] > > X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). > > X-RCPT-TO: <[EMAIL PROTECTED]> > > Status: U > > X-UIDL: 428897057 > > > > Get the Newest Ring Tones! > > > > Download Top Hits to your Cell Phone! > > http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 > > > > <a href="http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the > > latest Ringtones, wallpapers, Screensavers, and more! Top ring tones > > include, "Wait" by Ying Yang Twins. First download is FREE!</a> > > > > > > > > You need to visit this link. Take your Pick! > > http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 > > > > > > > > > > > > To unsubscribe, from this Advertisement go to: > > http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r > > > > > > or, send a blank message to: > > mailto:[EMAIL PROTECTED] > > > > New Account List > > 1333 W 120th Ave. Suite 101 > > Westminster, Colorado 80234 > > > > > > > > > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
