That's interesting.

I'm pretty sure one of my users was getting those same emails. One user out of several thousand, but she was getting hundreds of messages per day.

They were coming from different IPs, but they were all in the same /23:
Inmotion, Inc. INMOTION-173-245-203-0-23 (NET-173-245-204-0-1) 173.245.204.0 - 173.245.205.255

I blocked that /23 in our MTA. I don't know if Inmotion Inc got its address pool stolen or if their workstations are infected by spambots or if they themselves are a spammer... but I also don't really care. They're dead to me now.

Hello *,

For some days now my servers have been hit by 50.000-80.000 spams a day,
and for some minutes today they spammed 18 accounts out of 98.000 with MORE
than 100.000 spams.

All spams coming from the same network:

  xxx.root.static.coolserver.info
  xxx.root.static.starsweet.info

where xxx changes every time and the server's IP too (they resolve)

In the body of the messages I found those domains:

Maybe there are some more, but these are the ones I was able to grep.
However, I have tried to train SpamAssassin, but it gives only a score of
2-4.

Does someone know more about this crap?

Thanks, Greetings and nice Day/Evening
     Michelle Konzack
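
An added example, not part of either poster's message: one way to confirm from MTA logs that many different sending IPs fall inside one covering prefix, as with the /23 mentioned in the reply. It assumes Postfix-style "connect from host[ip]" log lines; the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Postfix "connect from" style (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[101]: connect from unknown[173.245.204.17]
Jan 10 09:00:02 mx postfix/smtpd[102]: connect from unknown[173.245.205.200]
Jan 10 09:00:02 mx postfix/smtpd[103]: connect from mail.example.org[192.0.2.10]
Jan 10 09:00:03 mx postfix/smtpd[104]: connect from unknown[173.245.204.99]
Jan 10 09:00:04 mx postfix/smtpd[105]: connect from unknown[173.245.205.3]
Jan 10 09:00:05 mx postfix/smtpd[106]: connect from mx.example.net[198.51.100.7]
Jan 10 09:00:06 mx postfix/smtpd[107]: disconnect from unknown[173.245.204.17]
Jan 10 09:00:07 mx postfix/smtpd[108]: connect from unknown[173.245.204.17]
"""

# \b keeps "disconnect from" lines from being counted as connections.
CONNECT_RE = re.compile(r"\bconnect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def client_ips(log_text):
    """Yield the IPv4 client address of every 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            yield ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # octet out of range: skip the malformed line

def busiest_prefixes(log_text, prefix_len=23, min_hosts=3):
    """Return [(network, connections, distinct_hosts)], busiest first, for
    prefixes from which at least min_hosts different addresses connected."""
    hits = Counter()
    hosts = {}
    for ip in client_ips(log_text):
        # strict=False masks the host bits, giving the covering network.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hits[net] += 1
        hosts.setdefault(net, set()).add(ip)
    return [(str(net), count, len(hosts[net]))
            for net, count in hits.most_common()
            if len(hosts[net]) >= min_hosts]

if __name__ == "__main__":
    for net, conns, distinct in busiest_prefixes(SAMPLE_LOG):
        print(f"{net}\t{conns} connections\t{distinct} distinct hosts")
```

Requiring several distinct hosts per prefix keeps a single busy but legitimate relay from being reported as a whole network.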

