That's interesting.
I'm pretty sure one of my users was getting those same emails. One user
out of several thousand, but she was getting hundreds of messages per day.
They were coming from different IPs, but they were all in the same /23:
Inmotion, Inc. INMOTION-173-245-203-0-23 (NET-173-245-204-0-1)
173.245.204.0 - 173.245.205.255
I blocked that /23 in our MTA. I don't know if inmotion inc got its
address pool stolen or if their workstations are infected by spambots or
if they themselves are a spammer... but I also don't really care.
They're dead to me now.
Hello *,
for some days now my servers have been hit by 50.000-80.000 spams a day, and
for some minutes today they spammed 18 accounts out of 98.000 with MORE than
100.000 spams.
All spams are coming from the same network:
xxx.root.static.coolserver.info
xxx.root.static.starsweet.info
where xxx changes every time and the server's IP too (they resolve)
In the body of the messages I found those domains:
Maybe there are some more, but these are the ones I was able to grep.
However, I have tried to train SpamAssassin, but it gives only a score of
2-4.
Does someone know more about this crap?
Thanks, Greetings and nice Day/Evening
Michelle Konzack
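
An added example, not part of either message above: one way to check a mail log against the two indicators mentioned in the thread, the 173.245.204.0 - 173.245.205.255 range and the rotating `*.root.static.coolserver.info` / `*.root.static.starsweet.info` hostnames, and to see which /23 the volume comes from. The log lines and their "connect from host[ip]" shape are constructed assumptions, as are the function names.

```python
import ipaddress
import re
from collections import Counter

# Range quoted in the first message; rDNS suffixes quoted in the second.
BLOCKED_NET = ipaddress.ip_network("173.245.204.0/23")
RDNS_SUFFIXES = (".root.static.coolserver.info", ".root.static.starsweet.info")

# Constructed sample lines (assumed log shape; host/IP pairings are invented).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx smtpd[101]: connect from a1.root.static.coolserver.info[173.245.204.17]
Jan 10 10:00:02 mx smtpd[102]: connect from b7.root.static.starsweet.info[173.245.205.200]
Jan 10 10:00:03 mx smtpd[103]: connect from c3.root.static.coolserver.info[173.245.204.99]
Jan 10 10:00:04 mx smtpd[104]: connect from mail.example.org[192.0.2.25]
Jan 10 10:00:05 mx smtpd[105]: connect from unknown[173.245.206.1]
"""

CONNECT_RE = re.compile(r"connect from (\S+)\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_connects(log_text):
    """Yield (hostname, IPv4Address) per connect line; skip malformed IPs."""
    for m in CONNECT_RE.finditer(log_text):
        try:
            yield m.group(1).lower(), ipaddress.ip_address(m.group(2))
        except ValueError:
            continue


def count_by_prefix(log_text, prefixlen=23):
    """Count connections per covering network of the given prefix length."""
    counts = Counter()
    for _, ip in parse_connects(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def classify(host, ip):
    """Return which indicator a client matches, or None if neither."""
    if ip in BLOCKED_NET:
        return "blocked-net"
    if host.endswith(RDNS_SUFFIXES):
        return "rdns-suffix"
    return None


if __name__ == "__main__":
    print(count_by_prefix(SAMPLE_LOG).most_common())
    for host, ip in parse_connects(SAMPLE_LOG):
        print(ip, host, classify(host, ip))
```

The per-prefix count shows whether a single block dominates before a network-wide block is applied, and the suffix check still catches a matching hostname that appears from an address outside the listed range.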