I found this:

IP-Whois 200.49.48.0: (ARIN/LACNIC-200)
[Querying whois.lacnic.net]
[whois.lacnic.net]

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2005-06-16 19:33:19 (BRT -03:00)

inetnum: 200.49.48/20
status: allocated
owner: FritzWare S.R.L.
ownerid: AR-FRSR-LACNIC
responsible: NOC Fritzware
address: Av. San Martin, 6465, PB
address: 1419 - Buenos Aires -
country: AR
phone: +54 911 5008 0447 []
owner-c: NOF
tech-c: NOF
created: 20050420
changed: 20050420

-----

Looks like this might have been created for this purpose just a short time ago.

I've added rules for this /20 --- we'll see how that works out.

_M

On Thursday, June 16, 2005, 6:37:51 PM, Andrew wrote:

CA> Also, the domains in the body text are not hitting on SURBL tests.
CA>
CA> Andrew 8)

CA> -----Original Message-----
CA> From: [EMAIL PROTECTED]
CA> [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
CA> Sent: Thursday, June 16, 2005 3:34 PM
CA> To: [email protected]
CA> Subject: RE: [sniffer] Spam blocks loading me up with spam

CA> I haven't noticed this spam leaking through, but at your prompting I did a:
CA>
CA> egrep ".+From: .+To: .+IP: 200\.49\." dec0616.log
CA>
CA> and saw about 46. A glance through these to:from:ip:
CA> lines definitely shows messages that fit your description,
CA> along with messages that don't (I'm deliberately looking at
CA> the 16 bit subnet) and I see messages today from:
CA>
CA> 200.49.37.0/24
CA> 200.49.44.0/24
CA>
CA> in addition to the blocks you listed, and a spot check of
CA> two of them did not turn up any hits with sniffer. Total
CA> volume was low, at less than 50 messages.
CA>
CA> One other interesting comment that I can add is that I'm
CA> seeing them use VERP like MAILFROM addresses, e.g.:
CA>
CA> [EMAIL PROTECTED]
CA>
CA> Of course, jsmith and example.com are not the actual text,
CA> but the recipient at my domain.
CA>
CA> Andrew 8)

CA> -----Original Message-----
CA> From: [EMAIL PROTECTED]
CA> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
CA> Sent: Thursday, June 16, 2005 3:04 PM
CA> To: [email protected]
CA> Subject: [sniffer] Spam blocks loading me up with spam
CA>
CA> Am I the only one getting blasted by these spam from
CA> these IP blocks? Sniffer seems a little behind on catching
CA> these.
CA>
CA> 200.49.48.0/24 200.49.48.0/24
CA> 200.49.49.0/24 200.49.49.0/24 mowz2.com
CA> 200.49.50.0/24 200.49.50.0/24 qckcstmr.com
CA> 200.49.51.0/24 200.49.51.0/24 srvdupfrsh.com
CA> 200.49.52.0/24 200.49.52.0/24 aahtv.com
CA> 200.49.53.0/24 200.49.53.0/24 aakai.com
CA> 200.49.54.0/24 200.49.54.0/24 aakib.com
CA> 200.49.55.0/24 200.49.55.0/24 aakli.com
CA> 200.49.56.0/24 200.49.56.0/24 aafix.com
CA> 200.49.57.0/24 200.49.57.0/24 aaaae.com
CA> 200.49.58.0/24 200.49.58.0/24
CA> 200.49.59.0/24 200.49.59.0/24
CA>
CA> Domain names and links seem to be five chars beginning
CA> with aa. They also seem to be progressing through the IP
CA> blocks.
CA>
I think they started in on June 15th and have been spamming pretty consistently.

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
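
Added example (not part of the original thread): a Python version of the egrep check above that counts messages per source /24 in the 200.49.x.x range and marks whether each block lies inside the 200.49.48/20 allocation from the whois answer. On the constructed sample it shows that 200.49.37.0/24 and 200.49.44.0/24 fall outside that /20. The log layout and the sample lines are assumptions; only the From:/To:/IP: field order comes from the egrep pattern.

```python
import ipaddress
import re
from collections import Counter

# Allocation from the LACNIC whois answer in the thread (written there as 200.49.48/20).
ALLOCATION = ipaddress.ip_network("200.49.48.0/20")
# The egrep in the thread looks at the whole 200.49.x.x range on purpose.
SCOPE = ipaddress.ip_network("200.49.0.0/16")

# Field order taken from the egrep pattern: From: ... To: ... IP: ...
LINE_RE = re.compile(r"From: \S+ .*?To: \S+ .*?IP: (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines; the layout is an assumption, not a real log.
SAMPLE_LOG = """\
06/16/2005 14:02:11 Q0001 From: news-jsmith=example.com@mailer.example To: jsmith@example.com IP: 200.49.49.17
06/16/2005 14:02:40 Q0002 From: news-akim=example.com@mailer.example To: akim@example.com IP: 200.49.49.200
06/16/2005 14:05:03 Q0003 From: offers@mailer.example To: jsmith@example.com IP: 200.49.57.3
06/16/2005 14:09:27 Q0004 From: offers@mailer.example To: akim@example.com IP: 200.49.44.9
06/16/2005 14:11:52 Q0005 From: offers@mailer.example To: jsmith@example.com IP: 200.49.37.80
06/16/2005 14:12:30 Q0006 From: list@other.example To: akim@example.com IP: 192.0.2.10
06/16/2005 14:13:01 Q0007 Msg failed test, no address fields on this line
"""


def per_block(log_text, scope=SCOPE, allocation=ALLOCATION):
    """Map each source /24 inside scope to (message count, covered by allocation?)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. an octet above 255
            continue
        if ip in scope:
            counts[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return {str(n): (c, n.subnet_of(allocation)) for n, c in sorted(counts.items())}


def uncovered(log_text):
    """Blocks seen in the log that a rule for the allocation alone would miss."""
    return [net for net, (_, inside) in per_block(log_text).items() if not inside]


if __name__ == "__main__":
    for net, (count, inside) in per_block(SAMPLE_LOG).items():
        print(f"{net:18} {count:3}  {'inside' if inside else 'outside'} {ALLOCATION}")
```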
