Re: [sniffer] Spam blocks loading me up with spam
I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.

The trouble on this spammer for me is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective. So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.

200.49.32.0/24  200.49.32.0/24                     moved 06-15-05  SBL17983
200.49.33.0/24  200.49.33.0/24  starsoftmails.com  added 02-17-05  SBL17983
200.49.34.0/24  200.49.34.0/24                     moved 06-15-05  SBL17983
200.49.35.0/24  200.49.35.0/24                     moved 06-15-05  SBL17983
200.49.36.0/24  200.49.36.0/24                     moved 06-15-05  SBL17983
200.49.37.0/24  200.49.37.0/24  afdtc.com          added 02-17-05  SBL17983
200.49.38.0/24  200.49.38.0/24  afdtc.com          added 02-17-05  SBL17983
200.49.39.0/24  200.49.39.0/24  afdaa.com          added 02-17-05  SBL17983
200.49.40.0/24  200.49.40.0/24                     moved 06-15-05  SBL17983
200.49.41.0/24  200.49.41.0/24                     moved 06-15-05  SBL17983
200.49.42.0/24  200.49.42.0/24                     moved 06-15-05  SBL17983
200.49.43.0/24  200.49.43.0/24  awwsc.com          added 02-17-05  SBL17983
200.49.44.0/24  200.49.44.0/24  arvvv.com          moved 05-29-05  SBL17983
200.49.45.0/24  200.49.45.0/24  starofferzone.com  added 02-17-05  SBL17983
200.49.46.0/24  200.49.46.0/24  fdcmm.com          added 02-17-05  SBL17983
200.49.47.0/24  200.49.47.0/24  bicsc.com          added 02-17-05  SBL17983

----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:44 PM
Subject: Re: [sniffer] Spam blocks loading me up with spam

Scott,

Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Scott Fisher
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:04 PM
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on the June 15th and have been spamming pretty consistently.
RE: [sniffer] Spam blocks loading me up with spam
Gotta catch 'em all (not Pokemon, spam)...

Sniffer caught all of them today:

    gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[345]/ {print $3}" dec0617.log > temp.txt
    fgrep -ftemp.txt dec0617.log | fgrep "Total weight"

If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines sniffer didn't hit on:

    fgrep -ftemp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:20 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Spam blocks loading me up with spam

I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.

The trouble on this spammer for me is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective. So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.
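A tighter form of the two-step log check in Andrew's message above, as an added example that is not part of the original thread. The thread's pattern keys on the first digit of the third octet, so it also matches addresses such as 200.49.3.x; this version compares the octet numerically against the 32 to 59 range discussed. The log lines are constructed, and the layout (message ID in field 3, test names on the "Total weight" line) is an assumption inferred from the commands in the thread.

```sh
#!/bin/sh
# Added example. The log lines below are CONSTRUCTED; the layout (message ID in
# field 3, test names on the "Total weight" line) is an assumption inferred from
# the gawk/fgrep commands in the thread, not a documented log format.
make_sample_log() {
  cat <<'EOF'
06/17/2005 00:00:01 Q0001 From: a@sender.example To: jsmith@example.com IP: 200.49.49.7
06/17/2005 00:00:01 Q0001 Tests failed: SNIFFER IPFILE Total weight: 25
06/17/2005 00:00:02 Q0002 From: b@sender.example To: jsmith@example.com IP: 200.49.3.9
06/17/2005 00:00:02 Q0002 Tests failed: none Total weight: 0
06/17/2005 00:00:03 Q0003 From: c@sender.example To: jsmith@example.com IP: 200.49.53.20
06/17/2005 00:00:03 Q0003 Tests failed: IPFILE Total weight: 10
06/17/2005 00:00:04 Q0004 From: d@sender.example To: jsmith@example.com IP: 200.49.60.1
06/17/2005 00:00:04 Q0004 Tests failed: none Total weight: 0
06/17/2005 00:00:05 Q0005 From: e@sender.example To: jsmith@example.com IP: 200.49.44.5
06/17/2005 00:00:05 Q0005 Tests failed: none Total weight: 0
EOF
}

# Print "ID IP" for every message from 200.49.<lo>-<hi>.x whose
# "Total weight" line carries no SNIFFER hit. Reads the log twice, like the
# two commands in the thread, so line order within the log does not matter.
# Usage: missed_by_sniffer LOGFILE [LO] [HI]   (third-octet range, default 32-59)
missed_by_sniffer() {
  awk -v lo="${2:-32}" -v hi="${3:-59}" '
    NR == FNR {                       # pass 1: remember IDs from the watched range
      if ($0 !~ / From: .* To: .* IP: /) next
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "IP:") ip = $(i + 1)
      if (split(ip, o, ".") == 4 && o[1] == "200" && o[2] == "49" &&
          o[3] + 0 >= lo + 0 && o[3] + 0 <= hi + 0)
        watch[$3] = ip
      next
    }
    # pass 2: verdict lines for watched IDs that Sniffer did not flag
    /Total weight/ && ($3 in watch) && !/SNIFFER/ { print $3, watch[$3] }
  ' "$1" "$1"
}

# Demo run on the constructed log.
log=$(mktemp) && make_sample_log > "$log" && missed_by_sniffer "$log"
rm -f "$log"
```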
RE: [sniffer] Spam blocks loading me up with spam
I haven't noticed this spam leaking through, but at your prompting I did a:

    egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46.

A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16 bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer.

Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on the June 15th and have been spamming pretty consistently.
RE: [sniffer] Spam blocks loading me up with spam
Also, the domains in the body text are not hitting on SURBL tests.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 3:34 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam

I haven't noticed this spam leaking through, but at your prompting I did a:

    egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46.

A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16 bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer.

Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on the June 15th and have been spamming pretty consistently.
RE: [sniffer] Spam blocks loading me up with spam
Hey Andrew,

Are you sending your logs to a UNIX box, or running a ported version of grep/egrep for windows?

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 17:34
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam

I haven't noticed this spam leaking through, but at your prompting I did a:

    egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46.

A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16 bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer.

Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on the June 15th and have been spamming pretty consistently.
RE: [sniffer] Spam blocks loading me up with spam
We have been seeing these.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on the June 15th and have been spamming pretty consistently.

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Spam blocks loading me up with spam
Scott,

Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Scott Fisher
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:04 PM
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by these spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24  200.49.48.0/24
200.49.49.0/24  200.49.49.0/24  mowz2.com
200.49.50.0/24  200.49.50.0/24  qckcstmr.com
200.49.51.0/24  200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  200.49.52.0/24  aahtv.com
200.49.53.0/24  200.49.53.0/24  aakai.com
200.49.54.0/24  200.49.54.0/24  aakib.com
200.49.55.0/24  200.49.55.0/24  aakli.com
200.49.56.0/24  200.49.56.0/24  aafix.com
200.49.57.0/24  200.49.57.0/24  e.com
200.49.58.0/24  200.49.58.0/24
200.49.59.0/24  200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks. I think they started in on the June 15th and have been spamming pretty consistently.