Re: spam to bogus users
On Fri, 2006-07-14 at 16:51 +0100, John Kelly wrote:
> On Fri, 14 Jul 2006 09:01:01 -0700 (PDT), Steve Redlich
> <steve@redlicheng.com> wrote:
>
> >> I get mail delivery attempts to non-existent users like:
>
> >> k2159jcd003343@isp2dial.com
> >> k1mmcsoa007563@isp2dial.com
> >> k1nardpb001747@isp2dial.com
>
> >This is a Joe Job. http://en.wikipedia.org/wiki/Joe_job A spammer is
> >using your domain with the random usernames to send spam to other domains.
>
> >These likely are the bounce messages from domains that queue SPAM before
> >rejecting and don't check SPF records.
>
>
> <k2159jcd003343@isp2dial.com>... Mail from unknown host
> [221.225.87.212] delivery refused
whois 221.225.87.212
inetnum: 221.224.0.0 - 221.231.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
> <k1mmrlps007599@isp2dial.com>... Mail from unknown host
> [218.63.92.165] delivery refused
whois 218.63.92.165
inetnum: 218.62.128.0 - 218.63.255.255
netname: CHINANET-YN
descr: CHINANET yunnan province network
descr: China Telecom
> <k1nardpb001747@isp2dial.com>... Mail from unknown host
> [218.63.92.165] delivery refused
I'm seeing a pattern here. My guess would be lots of compromised hosts
being exploited here. There was an article a few months back about the
number of exploitable hosts in China. I block all China Telecom and CNC
due to the amount of spam that comes out of there. I also block most of
Korea due to the unwillingness to act upon spam/abuse reports.
Shane
>
> If these were bounce messages, they should have an IP address of a
> real domain. But they never do. They're from hosts which lack DNS,
> or occasionally a host listed in a dnsbl. So it seems more likely
> they are client hosts infected with spam malware.
>
> It would make sense if it was a joe job, because otherwise, I see no
> point to it. But how can it be a joe job, since they are not bounces
> from real domains?
>
>
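As an added example, not from the thread, a small Python script that parses sendmail-style reject lines of the shape quoted above, keeps only recipients that do not exist on the domain, and counts rejects per sending IP so repeated sources like 218.63.92.165 stand out. The VALID_USERS set and the fourth sample line (documentation address 198.51.100.7) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the thread, joined back onto
# one line each, plus one extra line aimed at a mailbox that really exists.
REJECT_LOG = """\
<k2159jcd003343@isp2dial.com>... Mail from unknown host [221.225.87.212] delivery refused
<k1mmrlps007599@isp2dial.com>... Mail from unknown host [218.63.92.165] delivery refused
<k1nardpb001747@isp2dial.com>... Mail from unknown host [218.63.92.165] delivery refused
<postmaster@isp2dial.com>... Mail from unknown host [198.51.100.7] delivery refused
"""

# Hypothetical set of mailboxes that actually exist on the domain.
VALID_USERS = {"postmaster", "steve"}

# Recipient in angle brackets, then the sending host's bracketed IPv4 address.
LINE_RE = re.compile(
    r"<(?P<local>[^@>]+)@(?P<domain>[^>]+)>\.\.\. "
    r"Mail from unknown host \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] delivery refused"
)


def parse_rejects(text):
    """Return a list of (local_part, domain, source_ip) for each reject line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["local"].lower(), m["domain"].lower(), m["ip"]))
    return records


def bogus_recipients(records, valid_users):
    """Keep only rejects addressed to users that never existed on the domain."""
    return [r for r in records if r[0] not in valid_users]


def rejects_by_ip(records):
    """Count rejects per sending IP; hosts that keep retrying rise to the top."""
    return Counter(ip for _, _, ip in records)


if __name__ == "__main__":
    bogus = bogus_recipients(parse_rejects(REJECT_LOG), VALID_USERS)
    for ip, n in rejects_by_ip(bogus).most_common():
        print(f"{ip:<16} {n} reject(s) to non-existent users")
```

Feeding the per-IP counts to a whois lookup, as done by hand above, then shows which networks the repeat offenders belong to.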