>...
>http://zmi.at/x/penis-spam.txt
>
>Wow, the first time this year a SPAM passed my filters and even SA
>without being marked. Is there work being done to prevent such SPAM
>passing?
>
>mfg zmi
>...
>// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
>// http://zmi.at           Tel: 0660/4156531          Linux 2.6.11
>// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
>// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
>// Keyserver: www.keyserver.net                 Key-ID: 0x70545879
>-- 

        Cute;  The domain is registered to Vladimir Mironov, which means
it could be any of Kuvayev, Pavka, Alex "Blood"/Polyakov or even Yambo,
but Spamhaus' SBL36203 marks the IP range as Leo (still could be any of
them).  The SBL listing is over a month old - Do you have URIBL enabled?
The name servers and site(s) are all at the same IP (today).

        The site used a javascript trick to hide redirection to the site
at drynesses.com-M, another "Vladimir Mironov" domain, but at the same IP.
That site comes up blank, but with a "faked" affiliate tag gives yet more
script junk (similar to the first redirect):

        gg = String.fromCharCode(list of lots of numbers);
window.location.replace('./index.php?k='+gg);

        Which generates a "session" tag;  The site is "smart" enough to refuse
connections from most tools that aren't "real" browsers - implying it is more
likely not Leo, but Alex or Yambo.  After actually making a valid connection,
for people who know what I'm talking about, the actual site is in the "/ms"
(More-Size) subdirectory - a relatively "new" product.  The copyright at the
bottom of the web page, "© 2002 - 2005 WW3 DISTRIBUTERS LLC", makes it
almost certain that the spammer is "Alex Blood".

        I wonder how they get "Nitrous Oxide" into the pills:)

        An "old" (about two months ago) reference to the product is at:

        http://web.tebweb.com:8080/spammers/

which shows the same directory structure was used before, but the domains
involved look like "Alex Blood"'s other domains at Paycenter and BizCN.
(And you didn't know that Bulgaria was part of China before, did you?)
The old sites were also pushing premature ejaculation cures (subdirectory
"/et") back in January of this year (spam sample I have).

        Anyway, the best bet to block these is a combination of DUL checks,
BAYES and digests (DCC, Razor and Pyzor).  *And* make sure to feed it back
to sa-learn if it slipped through to begin with.

        Paul Shupak
        [EMAIL PROTECTED]
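Added example, not from the original post or from the site it describes: a small Node.js analysis helper that decodes the String.fromCharCode() redirect trick quoted above statically, so the destination can be read out of a captured page without executing its script in a browser. The captured snippet and its number list are constructed for the example.

```javascript
// Constructed sample of the obfuscated redirect pattern described in the
// post; the code points are made up and decode to a fake session tag.
const CAPTURED_SCRIPT = [
  "gg = String.fromCharCode(115,101,115,115,52,50);",
  "window.location.replace('./index.php?k='+gg);",
].join("\n");

// Find every variable assigned from String.fromCharCode(<numbers>) and map
// the variable name to the decoded text, without evaluating any script.
function decodeFromCharCodeAssignments(script) {
  const re = /(\w+)\s*=\s*String\.fromCharCode\s*\(([\d\s,]*)\)/g;
  const vars = {};
  let m;
  while ((m = re.exec(script)) !== null) {
    const codes = m[2]
      .split(",")
      .map((s) => parseInt(s.trim(), 10))
      .filter(Number.isFinite);
    vars[m[1]] = String.fromCharCode(...codes);
  }
  return vars;
}

// Rebuild the URL handed to window.location.replace(): string literals
// concatenated with decoded variables. Returns null when the call is absent
// or references a variable that was not decoded (never guess a destination).
// Assumes the literal parts contain no '+' of their own.
function reconstructRedirect(script) {
  const vars = decodeFromCharCodeAssignments(script);
  const call = /window\.location\.replace\s*\(([^;]*)\)\s*;/.exec(script);
  if (!call) return null;
  let url = "";
  for (const part of call[1].split("+")) {
    const p = part.trim();
    const lit = /^(['"])(.*)\1$/.exec(p);
    if (lit) url += lit[2];
    else if (p in vars) url += vars[p];
    else return null;
  }
  return url;
}

console.log(reconstructRedirect(CAPTURED_SCRIPT)); // ./index.php?k=sess42
```

Run it against the script body pulled from a fetched copy of the landing page; because nothing is executed, the page's browser-detection tricks do not matter.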