> I don't know if it's the same place, but I've got a bunch of these
> going back to Dec 20 (as far back as my logs go).
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> I'm guessing the ret@ e-mail is a particular spam bot signature.

Probably. However, blocking all mail from any "ret@" is doomed to generate false positives.

> All of mine have been coming from the same netblock (morphed a
> couple of times). It's currently 216.22.47.0/24.

Back in the middle of 2004, I ended up using a script to block packets in IPTables from selected networks which were persistently sending SPAM which SA scored 15+, but who didn't get the hint when everything got a 5.7.1 error. I was seeing 500+ per day on a site where the daily mail volume was 4000. Worse still, they retried after greylisting.

While the sites they came from were visibly related, it was hard to provide any sort of program logic to match on the host name. Some examples below:

I toyed with the idea of refusing connections from any site which resolved to a name which had two or more parts from a hit list of "my", "your", "our", "casino", "gaming", "prizes", etc., but in the end I decided I had better things to do than second-guess the spammer.

My script also tried to block hosts in the same class C net block as the spammer, with good results - as you can see from the examples above, they tend to have several Class C addresses available, so if you get a couple of SPAMs from one address and this triggers you to block that address, they have 252 more to try in that block.

My approach was to try to predict spammer addresses, so if you received SPAM from the following addresses:

216.144.239.10
216.144.239.14
216.144.239.19

the program would average the last octet (10+14+19/3=14.3), and then block all known spammer addresses (10,14,19) plus anything within one standard deviation of the mean (stdev=4.5), so I would also block any address between 10 and 19.

The results of this were great, until of course I got a run of SPAM messages from an ISP's mail servers, and the script correctly predicted and blocked most of their outgoing mail systems.

My next step was to put the whole thing into a database, include success and failure counts per IP, plus trigger/reset timestamps, and then only block SPAM sending addresses for 30 minutes on the first SPAM, 60 on the second, and so on up to the fifth. In addition, any site sending more than 10 messages of which more than 75% were SPAM would be blocked for 7 days. Stats would expire if they were more than 30 days old, so addresses which changed from a spammer to an unlucky company who got a reused address wouldn't be affected for more than a week (assuming addresses are re-allocated immediately, which I doubt).

Unfortunately, I never got around to this, as the temporary block worked very well. For more background, search the mailing list archives for "Blocking spam senders using IPTables?".

Best Wishes,
Paul.

_______________________________________________
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
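
The last-octet prediction and the timed-block policy described in the message above, as an added Python sketch that is not part of the original post or the poster's script. The function names, the linear 30-minute steps and the 192.0.2.0/24 "ISP pool" sample are assumptions; the second sample shows how widely spaced legitimate relays turn the prediction into a block on a third of a /24.

```python
import ipaddress
import math
import statistics
from collections import defaultdict

DAY = 86400  # seconds


def predict_blocks(spam_sources):
    """Return {/24 network: CIDRs to block}: every observed sender plus any
    address whose last octet is within one sample stdev of the mean octet."""
    by_net = defaultdict(set)
    for ip in spam_sources:
        addr = ipaddress.IPv4Address(ip)
        net = ipaddress.IPv4Network(f"{addr}/24", strict=False)
        by_net[net].add(int(addr) & 0xFF)
    plan = {}
    for net, octets in by_net.items():
        blocked = set(octets)
        if len(octets) >= 2:  # stdev is undefined for a single sample
            mean = statistics.mean(sorted(octets))
            sd = statistics.stdev(sorted(octets))
            lo, hi = max(1, math.ceil(mean - sd)), min(254, math.floor(mean + sd))
            blocked.update(range(lo, hi + 1))
        hosts = [net.network_address + o for o in sorted(blocked)]
        plan[str(net)] = [str(c) for c in ipaddress.collapse_addresses(hosts)]
    return plan


def block_minutes(events, now):
    """events: (unix_time, is_spam) pairs for one IP. Implements the planned
    policy; the linear 30-minute steps are an assumed reading of 'and so on'."""
    recent = [is_spam for ts, is_spam in events if now - ts <= 30 * DAY]
    spam = sum(recent)
    if spam == 0:
        return 0
    if len(recent) > 10 and spam / len(recent) > 0.75:
        return 7 * 24 * 60        # more than 10 messages, over 75% spam: 7 days
    return 30 * min(spam, 5)      # 30, 60, ... capped at the fifth spam


# Constructed inputs: the three addresses from the message, then a
# hypothetical ISP relay pool (documentation range) spread across a /24.
SPAMMER = ["216.144.239.10", "216.144.239.14", "216.144.239.19"]
ISP_POOL = ["192.0.2.20", "192.0.2.60", "192.0.2.100"]

if __name__ == "__main__":
    print(predict_blocks(SPAMMER))
    print(predict_blocks(ISP_POOL))
```

The returned CIDRs are what a firewall rule generator would consume; the time limit from `block_minutes` is what bounds the damage when the prediction is wrong.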

