Hey guys,

Anyone else receive this subject on the 14th... "AMERICAN STOCK MARKET: TRHL Retains Sky Investor Relations...edita", where edita was changed with multiple names.

Not strange that I received spam, however I received the same message 8 times to the same address with about 2-3 per hour. My SpamAssassin picked them up but the strange thing was they all came from different IP addresses and I couldn't traceroute any of them... All of them stop at 202.37.246.18 (Global-gateway), e.g.

traceroute 89.87.209.213
traceroute to 89.87.209.213 (89.87.209.213), 64 hops max, 44 byte packets
 1  gateway (219.88.241.241)  1.679 ms  2.403 ms  1.358 ms
 2  fe0-0.cr1.idc.orcon.net.nz (219.88.242.250)  0.863 ms  0.872 ms  0.852 ms
 3  fe-1.qos2.idc.orcon.net.nz (219.88.242.226)  1.134 ms  1.004 ms  1.128 ms
 4  219.88.242.233 (219.88.242.233)  1.774 ms  1.906 ms  1.567 ms
 5  202.50.245.33 (202.50.245.33)  39.962 ms  93.651 ms  6.643 ms
 6  ge-0-3-0-6.akbr3.global-gateway.net.nz (202.37.246.18)  6.165 ms !N^C

IP addresses they were sent from:

99.27.67.200 202.163.151.24 89.87.209.213 112.188.234.68 45.38.78.200 244.128.164.67 168.80.80.67 64.215.105.194

In all cases the messages were stopped as they were listed in blacklists.

RCVD_IN_NJABL (0.9 points) RBL: Received via a relay in dnsbl.njabl.org
  [RBL check: found 45.38.78.200.dnsbl.njabl.org.,]
  [type: 127.0.0.9]
RCVD_IN_UNCONFIRMED_DSBL (0.5 points) RBL: Received via a relay in unconfirmed.dsbl.org
  [RBL check: found 45.38.78.200.unconfirmed.dsbl.org.]
RCVD_IN_BL_SPAMCOP_NET (3.0 points) RBL: Received via a relay in bl.spamcop.net
  [RBL check: found 45.38.78.200.bl.spamcop.net.]

They were also stopped because of forged headers, some having forged froms, forged MUA Outlook, etc.

The thing I don't understand is that there was no consistency, all the emails from different IPs, all different forged header fields, all not tracerouteable and within 30 minutes of each other to an address only listed on a New Zealand website.

Weird, sounds very much like the spam system explained on the list not too long ago.

Barry Murphy
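The RBL check lines in the message above can be decoded mechanically: a DNSBL client looks up the relay's IPv4 address with its octets reversed, followed by the list's zone, so the name after "found" must be reversed again to get the address to traceroute or look up in whois. The sketch below is an added example, not part of the original thread; its function names are illustrative, and the sample report is the SpamAssassin output quoted above.

```python
import ipaddress
import re

# Sample input: the RBL lines quoted in the first message of this thread.
SAMPLE_REPORT = """\
RCVD_IN_NJABL (0.9 points) RBL: Received via a relay in dnsbl.njabl.org
  [RBL check: found 45.38.78.200.dnsbl.njabl.org.,]
RCVD_IN_UNCONFIRMED_DSBL (0.5 points) RBL: Received via a relay in unconfirmed.dsbl.org
  [RBL check: found 45.38.78.200.unconfirmed.dsbl.org.]
RCVD_IN_BL_SPAMCOP_NET (3.0 points) RBL: Received via a relay in bl.spamcop.net
  [RBL check: found 45.38.78.200.bl.spamcop.net.]
"""

# "found <d.c.b.a.><zone>." : four numeric labels (reversed octets), then the zone.
RBL_FOUND = re.compile(
    r"RBL check: found ((?:\d{1,3}\.){4})([A-Za-z0-9.-]+?)\.?[,\]]")

def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def relay_from_query(prefix):
    """Recover the relay address from the reversed-octet part of a query name."""
    octets = prefix.strip(".").split(".")
    return ipaddress.IPv4Address(".".join(reversed(octets)))

def relays_in_report(report):
    """Map each relay address to the DNSBL zones that listed it."""
    hits = {}
    for prefix, zone in RBL_FOUND.findall(report):
        hits.setdefault(str(relay_from_query(prefix)), []).append(zone)
    return hits

def plausible_source(ip):
    """False for reserved or private space, which cannot be a real Internet
    source; such a result is a hint the octets were read in the wrong order."""
    a = ipaddress.IPv4Address(ip)
    return not (a.is_reserved or a.is_private or a.is_loopback
                or a.is_multicast or a.is_unspecified)

if __name__ == "__main__":
    for relay, zones in relays_in_report(SAMPLE_REPORT).items():
        print(relay, zones, "plausible" if plausible_source(relay) else "check order")
```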
On 17 Nov 2003, at 06:25, Barry Murphy wrote:
Anyone else receive this subject on the 14th... "AMERICAN STOCK MARKET: TRHL Retains Sky Investor Relations...edita", where edita was changed with multiple names. Not strange that I received spam, however I received the same message 8 times to the same address with about 2-3 per hour. My SpamAssassin picked them up but the strange thing was they all came from different IP addresses and I couldn't traceroute any of them...
It seems to be fairly commonplace these days for (a) spam to be vectored through widely-distributed sets of open proxies or infected Windows drones and (b) for unallocated or normally unadvertised space to be advertised transiently in order to provide temporary addresses to bind SMTP clients to. You're probably seeing one or the other (or both).

Joe