Re: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Scott Fisher



I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.

The trouble on this spammer for me is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective. So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.

200.49.32.0/24                     moved  06-15-05  SBL17983
200.49.33.0/24  starsoftmails.com  added  02-17-05  SBL17983
200.49.34.0/24                     moved  06-15-05  SBL17983
200.49.35.0/24                     moved  06-15-05  SBL17983
200.49.36.0/24                     moved  06-15-05  SBL17983
200.49.37.0/24  afdtc.com          added  02-17-05  SBL17983
200.49.38.0/24  afdtc.com          added  02-17-05  SBL17983
200.49.39.0/24  afdaa.com          added  02-17-05  SBL17983
200.49.40.0/24                     moved  06-15-05  SBL17983
200.49.41.0/24                     moved  06-15-05  SBL17983
200.49.42.0/24                     moved  06-15-05  SBL17983
200.49.43.0/24  awwsc.com          added  02-17-05  SBL17983
200.49.44.0/24  arvvv.com          moved  05-29-05  SBL17983
200.49.45.0/24  starofferzone.com  added  02-17-05  SBL17983
200.49.46.0/24  fdcmm.com          added  02-17-05  SBL17983
200.49.47.0/24  bicsc.com          added  02-17-05  SBL17983

  ----- Original Message -----
  From: Darrell ([EMAIL PROTECTED])
  To: sniffer@SortMonster.com
  Sent: Thursday, June 16, 2005 6:44 PM
  Subject: Re: [sniffer] Spam blocks loading me up with spam
  
  Scott,
  
  Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.
  
  Darrell
  ---
  Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
  
----- Original Message -----
From: Scott Fisher
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:04 PM
Subject: [sniffer] Spam blocks loading me up with spam


Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24
200.49.49.0/24  mowz2.com
200.49.50.0/24  qckcstmr.com
200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  aahtv.com
200.49.53.0/24  aakai.com
200.49.54.0/24  aakib.com
200.49.55.0/24  aakli.com
200.49.56.0/24  aafix.com
200.49.57.0/24  e.com
200.49.58.0/24
200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.

I think they started in on June 15th and have been spamming pretty consistently.


RE: [sniffer] Spam blocks loading me up with spam

2005-06-17 Thread Colbeck, Andrew



Gotta catch 'em all (not Pokemon, spam)...

Sniffer caught all of them today:

gawk "$0 ~ /.+From: .+To: .+IP: 200\.49\.[345]/ {print $3}" dec0617.log > temp.txt

fgrep -f temp.txt dec0617.log | fgrep "Total weight"

If your volume is quite high, that second line, instead of showing all the total weights for the netblocks in question, could instead show which lines sniffer didn't hit on:

fgrep -f temp.txt dec0617.log | fgrep "Total weight" | fgrep -v "SNIFFER"


Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
  Sent: Thursday, June 16, 2005 4:20 PM
  To: sniffer@SortMonster.com
  Subject: Re: [sniffer] Spam blocks loading me up with spam
  I'm also taking out the 200.49.32.xxx to 200.49.47.xxx addresses with my IPFILE. Most of them were taken out in Feb with SBL 17983.
  
  The trouble on this spammer for me is they aren't listed anywhere (with the 299.49.50.XXXs) and are probably burning through domain names faster than the SURBLs can really be effective. So unless I get an SURBL hit or a Sniffer hit they are leaking through. Hopefully with Pete's new rules, this will be stopped.
  
  200.49.32.0/24                     moved  06-15-05  SBL17983
  200.49.33.0/24  starsoftmails.com  added  02-17-05  SBL17983
  200.49.34.0/24                     moved  06-15-05  SBL17983
  200.49.35.0/24                     moved  06-15-05  SBL17983
  200.49.36.0/24                     moved  06-15-05  SBL17983
  200.49.37.0/24  afdtc.com          added  02-17-05  SBL17983
  200.49.38.0/24  afdtc.com          added  02-17-05  SBL17983
  200.49.39.0/24  afdaa.com          added  02-17-05  SBL17983
  200.49.40.0/24                     moved  06-15-05  SBL17983
  200.49.41.0/24                     moved  06-15-05  SBL17983
  200.49.42.0/24                     moved  06-15-05  SBL17983
  200.49.43.0/24  awwsc.com          added  02-17-05  SBL17983
  200.49.44.0/24  arvvv.com          moved  05-29-05  SBL17983
  200.49.45.0/24  starofferzone.com  added  02-17-05  SBL17983
  200.49.46.0/24  fdcmm.com          added  02-17-05  SBL17983
  200.49.47.0/24  bicsc.com          added  02-17-05  SBL17983
  
----- Original Message -----
From: Darrell ([EMAIL PROTECTED])
To: sniffer@SortMonster.com
Sent: Thursday, June 16, 2005 6:44 PM
Subject: Re: [sniffer] Spam blocks loading me up with spam

Scott,

Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

  ----- Original Message -----
  From: Scott Fisher
  To: sniffer@SortMonster.com
  Sent: Thursday, June 16, 2005 6:04 PM
  Subject: [sniffer] Spam blocks loading me up with spam
  
  
  Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.
  
  200.49.48.0/24
  200.49.49.0/24  mowz2.com
  200.49.50.0/24  qckcstmr.com
  200.49.51.0/24  srvdupfrsh.com
  200.49.52.0/24  aahtv.com
  200.49.53.0/24  aakai.com
  200.49.54.0/24  aakib.com
  200.49.55.0/24  aakli.com
  200.49.56.0/24  aafix.com
  200.49.57.0/24  e.com
  200.49.58.0/24
  200.49.59.0/24
  
  Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.
  
  I think they started in on June 15th and have been spamming pretty consistently.
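The log triage Andrew describes above (pull the message ids for mail from the 200.49.3x to 5x blocks, then see which of them got no SNIFFER hit) and Scott's observation about five-character domains beginning with "aa", worked through as one added Python example. This is not code from the thread, from Message Sniffer or from Declude: the log line layout is a constructed approximation of what the grep commands are matching, the message ids and addresses are made up, and folding the listed /24s into CIDR prefixes for an IPFILE goes a step beyond what the thread shows.

```python
"""Triage filter-log lines for the 200.49.x.0/24 netblocks named in the thread
and summarize those blocks into CIDR prefixes.

Added example, not code from the Message Sniffer list or its maintainers. The
log layout assumed here (message id, a "From: ... To: ... IP: ..." line, then a
"Total weight ..." result line that names SNIFFER when that test fired) is a
constructed approximation, not the real Sniffer/Declude log format.
"""
import ipaddress
import re

# The /24s named in the thread: Scott's .48-.59 list plus the SBL 17983 range .32-.47.
LISTED_BLOCKS = [f"200.49.{n}.0/24" for n in range(32, 60)]

# Scott's observation: five-character domains beginning with "aa" under .com.
AA_DOMAIN = re.compile(r"aa[a-z0-9]{3}\.com", re.IGNORECASE)

# Constructed sample log. Ids and addresses are made up; the IPs deliberately
# fall both inside and outside the listed blocks, and one message has no
# result line at all.
SAMPLE_LOG = """\
D1a2b3 From: news@aakai.com To: jsmith@example.com IP: 200.49.53.17
D1a2b3 Total weight 30 SNIFFER
D4e5f6 From: news@aakib.com To: jdoe@example.com IP: 200.49.54.201
D4e5f6 Total weight 0
D7g8h9 From: alice@partner.example To: jsmith@example.com IP: 192.0.2.10
D7g8h9 Total weight 0
Dabcde From: promo@arvvv.com To: jsmith@example.com IP: 200.49.44.9
Dabcde Total weight 25 SNIFFER
Dfghij From: offers@aafix.com To: jdoe@example.com IP: 200.49.56.3
"""

HEADER_RE = re.compile(
    r"^(?P<id>\S+) .*?From: (?P<from>\S+) To: (?P<to>\S+) IP: (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
RESULT_RE = re.compile(r"^(?P<id>\S+) Total weight (?P<weight>-?\d+)(?P<rest>.*)$")


def triage(log_text, blocks=LISTED_BLOCKS):
    """Return which messages came from the listed blocks, which of those got no
    SNIFFER hit (the "leaking through" set) and which sender domains match the
    "aa" pattern."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    headers, results = {}, {}
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers[m["id"]] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if m:
            results[m["id"]] = "SNIFFER" in m["rest"]
    report = {"in_block": [], "missed": [], "aa_domains": []}
    for mid, h in headers.items():
        if not any(ipaddress.ip_address(h["ip"]) in n for n in nets):
            continue
        report["in_block"].append(mid)
        # A message with no result line at all is a miss too; the thread's
        # fgrep chain would not surface it because it only keeps "Total weight" lines.
        if not results.get(mid, False):
            report["missed"].append(mid)
        domain = h["from"].rsplit("@", 1)[-1]
        if AA_DOMAIN.fullmatch(domain):
            report["aa_domains"].append(domain)
    return report


def collapse_blocks(blocks=LISTED_BLOCKS):
    """Fold adjacent /24s into the fewest covering prefixes, e.g. for an IPFILE entry."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("from listed blocks:", r["in_block"])
    print("no SNIFFER hit    :", r["missed"])
    print("aa-style domains  :", r["aa_domains"])
    print("collapsed blocks  :", collapse_blocks())
```

Run the file directly to see the report for the constructed sample; the standard-library `ipaddress` and `re` modules are all it needs, so it behaves the same on Windows as on a UNIX box. The CIDR containment test replaces the `200\.49\.[345]` regex, which cannot express a block boundary such as .32 to .59 without matching neighbouring /24s.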


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew



I haven't noticed this spam leaking through, but at your prompting I did a:

egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16-bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer. Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP-like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
  Sent: Thursday, June 16, 2005 3:04 PM
  To: sniffer@SortMonster.com
  Subject: [sniffer] Spam blocks loading me up with spam
  
  Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.
  
  200.49.48.0/24
  200.49.49.0/24  mowz2.com
  200.49.50.0/24  qckcstmr.com
  200.49.51.0/24  srvdupfrsh.com
  200.49.52.0/24  aahtv.com
  200.49.53.0/24  aakai.com
  200.49.54.0/24  aakib.com
  200.49.55.0/24  aakli.com
  200.49.56.0/24  aafix.com
  200.49.57.0/24  e.com
  200.49.58.0/24
  200.49.59.0/24
  
  Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.
  
  I think they started in on June 15th and have been spamming pretty consistently.


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Colbeck, Andrew



Also, the domains in the body text are not hitting on SURBL tests.

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
  Sent: Thursday, June 16, 2005 3:34 PM
  To: sniffer@SortMonster.com
  Subject: RE: [sniffer] Spam blocks loading me up with spam
  I haven't noticed this spam leaking through, but at your prompting I did a:
  
  egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log
  
  and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16-bit subnet) and I see messages today from:
  
  200.49.37.0/24
  200.49.44.0/24
  
  in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer. Total volume was low, at less than 50 messages.
  
  One other interesting comment that I can add is that I'm seeing them use VERP-like MAILFROM addresses, e.g.:
  
  [EMAIL PROTECTED]
  
  Of course, jsmith and example.com are not the actual text, but the recipient at my domain.
  
  Andrew 8)
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 3:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam

Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.

200.49.48.0/24
200.49.49.0/24  mowz2.com
200.49.50.0/24  qckcstmr.com
200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  aahtv.com
200.49.53.0/24  aakai.com
200.49.54.0/24  aakib.com
200.49.55.0/24  aakli.com
200.49.56.0/24  aafix.com
200.49.57.0/24  e.com
200.49.58.0/24
200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.

I think they started in on June 15th and have been spamming pretty consistently.


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Michael Hardrick



Hey Andrew,
Are you sending your logs to a UNIX box, or running a ported version of grep/egrep for windows?

Mike


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 16, 2005 17:34
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam blocks loading me up with spam

I haven't noticed this spam leaking through, but at your prompting I did a:

egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log

and saw about 46. A glance through these to:from:ip: lines definitely shows messages that fit your description, along with messages that don't (I'm deliberately looking at the 16-bit subnet) and I see messages today from:

200.49.37.0/24
200.49.44.0/24

in addition to the blocks you listed, and a spot check of two of them did not turn up any hits with sniffer. Total volume was low, at less than 50 messages.

One other interesting comment that I can add is that I'm seeing them use VERP-like MAILFROM addresses, e.g.:

[EMAIL PROTECTED]

Of course, jsmith and example.com are not the actual text, but the recipient at my domain.

Andrew 8)

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
  Sent: Thursday, June 16, 2005 3:04 PM
  To: sniffer@SortMonster.com
  Subject: [sniffer] Spam blocks loading me up with spam
  
  Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.
  
  200.49.48.0/24
  200.49.49.0/24  mowz2.com
  200.49.50.0/24  qckcstmr.com
  200.49.51.0/24  srvdupfrsh.com
  200.49.52.0/24  aahtv.com
  200.49.53.0/24  aakai.com
  200.49.54.0/24  aakib.com
  200.49.55.0/24  aakli.com
  200.49.56.0/24  aafix.com
  200.49.57.0/24  e.com
  200.49.58.0/24
  200.49.59.0/24
  
  Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.
  
  I think they started in on June 15th and have been spamming pretty consistently.


RE: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Chuck Schick
We have been seeing these.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Scott Fisher
Sent: Thursday, June 16, 2005 4:04 PM
To: sniffer@SortMonster.com
Subject: [sniffer] Spam blocks loading me up with spam



Am I the only one getting blasted by this spam from these IP blocks?
Sniffer seems a little behind on catching these.

200.49.48.0/24
200.49.49.0/24  mowz2.com
200.49.50.0/24  qckcstmr.com
200.49.51.0/24  srvdupfrsh.com
200.49.52.0/24  aahtv.com
200.49.53.0/24  aakai.com
200.49.54.0/24  aakib.com
200.49.55.0/24  aakli.com
200.49.56.0/24  aafix.com
200.49.57.0/24  e.com
200.49.58.0/24
200.49.59.0/24

Domain names and links seem to be five chars beginning with aa. They also
seem to be progressing through the IP blocks.

I think they started in on June 15th and have been spamming pretty
consistently.


This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Spam blocks loading me up with spam

2005-06-16 Thread Darrell (supp...@invariantsystems.com)



Scott,

Not too many incoming for me - about 200 out of about 125K messages. One thing to note is the ones I am getting are around that block but even lower like 200.49.44.x.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

  ----- Original Message -----
  From: Scott Fisher
  To: sniffer@SortMonster.com
  Sent: Thursday, June 16, 2005 6:04 PM
  Subject: [sniffer] Spam blocks loading me up with spam
  
  
  Am I the only one getting blasted by this spam from these IP blocks? Sniffer seems a little behind on catching these.
  
  200.49.48.0/24
  200.49.49.0/24  mowz2.com
  200.49.50.0/24  qckcstmr.com
  200.49.51.0/24  srvdupfrsh.com
  200.49.52.0/24  aahtv.com
  200.49.53.0/24  aakai.com
  200.49.54.0/24  aakib.com
  200.49.55.0/24  aakli.com
  200.49.56.0/24  aafix.com
  200.49.57.0/24  e.com
  200.49.58.0/24
  200.49.59.0/24
  
  Domain names and links seem to be five chars beginning with aa. They also seem to be progressing through the IP blocks.
  
  I think they started in on June 15th and have been spamming pretty consistently.