
Re: Dirty spam



On 10/19/2006 08:04 PM, José Alburquerque wrote:
José Alburquerque wrote:

Roberto C. Sanchez wrote:

Install spamassassin and train it.  Go to the web archives, find the
offending message(s) and click the corresponding "Report this as Spam"
button on the page for the message.  The list admins periodically train
spamassassin on lists.d.o with those messages which are reported as spam.

Regards,

-Roberto

Quick question on spamassassin: Will this work for those that do not use fetchmail to download mail to a server? I simply get my mail by using mozilla-thunderbird. In my case, I guess I'd just click on the "Junk Mail" button, although I'm afraid that it will begin to throw out good messages on this list. However, I don't mind simply deleting. I just thought that I'd make the observation in case there might be other options. Thanks again.

As Roberto suggested, I went to the archives and reported the two
offending e-mails as spam.  Thanks once more. :-)


Taking down the botnet is another way to fight the spam. It doesn't always work as planned:


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  abuse@qixhosting.net
    SMTP error from remote mailer after RCPT TO:<abuse@qixhosting.net>:
    host mail.qixhosting.net [66.102.41.26]: 550 5.7.1 <abuse@qixhosting.net>... Relaying denied

------ This is a copy of the message, including all the headers. ------

Return-path: <paduille.4060.mumia.w@earthlink.net>
Received: from [4.158.105.169] (helo=[4.158.105.169])
	by elasmtp-kukur.atl.sa.earthlink.net with asmtp (Exim 4.34)
	id 1GajdB-0001rN-AE; Thu, 19 Oct 2006 21:57:06 -0400
Message-ID: <45382A34.1000204@earthlink.net>
Date: Thu, 19 Oct 2006 20:45:24 -0500
From: "Mumia W.." <paduille.4060.mumia.w@earthlink.net>
User-Agent: Thunderbird 1.5.0.7 (X11/20060909)
MIME-Version: 1.0
To:  abuse@verizon.net
CC: abuse@netvision.net.il, abuse@sasktel.net, abuse@aol.net, gpetticrew@esat.ie, abuse@kornet.net, abuse@comcast.net, abuse@grandecom.com, abuse@sbcglobal.net, abuse@tpnet.pl, abuse@gaoland.net, abuse@telstra.net, abuse@qixhosting.net
Subject: Spam message reveals botnet on your networks
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


I received a spam message that involves all of your networks. The spam seems to advertise a website that is managed by a botnet. A botnet is a group of machines controlled by Internet organized crime gangs (without the knowledge of the true owners). A botnet consists of machines that mutually support one another by sending spam, hosting websites and providing DNS services for those websites.

The spam message came from this machine:  71.111.0.143 (verizon)

The spam-advertised websites are hosted on these machines:
www.lemuwin.com.        180     IN      A       64.110.215.97 (sasktel)
www.lemuwin.com.        180     IN      A       172.161.194.59 (AOL)
www.lemuwin.com.        180     IN      A       172.195.44.236 (AOL)
www.lemuwin.com.        180     IN      A       194.145.134.112 (Esat)
www.lemuwin.com.        180     IN      A       211.223.172.213 (kornet)

And this site is linked to by the spam-advertised site:
www.14inch.com.         0       IN      A       66.102.43.10 (qixhosting)


The domain-naming services are hosted on these machines:
ns1.marivanna.com.      41678   IN      A       212.235.54.208 (netvision)
ns1.marivanna.com.      41678   IN      A       221.162.35.178 (kornet)
ns1.marivanna.com.      41678   IN      A       24.91.25.155 (comcast)
ns1.marivanna.com.      41678   IN      A       24.155.135.157 (grandecom)
ns1.marivanna.com.      41678   IN      A       66.159.174.240 (sbcglobal)
ns1.marivanna.com.      41678   IN      A       70.136.103.192 (sbcglobal)
ns1.marivanna.com.      41678   IN      A       83.10.199.248 (telekomunikacja)
ns1.marivanna.com.      41678   IN      A       86.73.81.56 (gaoland)
ns1.marivanna.com.      41678   IN      A       124.186.234.43 (telstra)
ns2.marivanna.com.      168631  IN      A       86.73.81.56 (gaoland)
ns4.marivanna.com.      84554   IN      A       212.235.54.208 (netvision)

Taking down a botnet is a lot of work, but I'm sure you guys and gals will do a fantastic job of it. Botnets typically change the locations of the various servers on a continuing basis. After several hours, some of this information may have changed. Don't worry; taking down the old botnet machines makes them unavailable to the crime gangs.

Qixhosting, it is critical that you take down the spammer's website at www.14inch.com (66.102.43.10). That is the primary money-making website for the crime gang; if you fail to take that site down, everything would have been for nothing.

Time is important when evaluating botnets. This information was collected around Fri Oct 20 01:25:02 UTC 2006.

The spam message was sent to the debian-user mailing list of which I am a member. Here is the spam message including full headers:


> Return-Path: <bounce-debian-user=paduille.4060.mumia.w=earthlink.net@lists.debian.org>
> Received: from murphy.debian.org ([70.103.162.31])
>     by mx-mcdonald.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1gAGkc2Io3Nl36F0
>     for <paduille.4060.mumia.w@earthlink.net>; Thu, 19 Oct 2006 18:25:16 -0400 (EDT)
> Received: from localhost (localhost [127.0.0.1])
>     by murphy.debian.org (Postfix) with QMQP
>     id 2464E2E0E0; Thu, 19 Oct 2006 17:24:50 -0500 (CDT)
> Old-Return-Path: <vtsilverfndv@bloomberg.net>
> X-Original-To: debian-user@lists.debian.org
> Received: from pool-71-111-0-143.ptldor.dsl-w.verizon.net (pool-71-111-0-143.ptldor.dsl-w.verizon.net [71.111.0.143])
>     by murphy.debian.org (Postfix) with SMTP id E36732E0BD
>     for <debian-user@lists.debian.org>; Thu, 19 Oct 2006 17:05:17 -0500 (CDT)
> Received: from mh4dmz3b.bloomberg.net
>     by pool-71-111-0-143.ptldor.dsl-w.verizon.net (8.9.3/8.9.3) with SMTP id 0000001ab673
>     for <debian-user@lists.debian.org>; Thu, 19 Oct 2006 17:21:25 -0500
> Received: from [225.151.134.41]
>     by mh4dmz3b.bloomberg.net with SMTP id ZP20JtilkGbd
>     for <debian-user@lists.debian.org>; Thu, 19 Oct 2006 17:21:25 -0500
> Reply-To: "Candice Kiser" <vtsilverfndv@bloomberg.net>
> From: "Candice" <vtsilverfndv@bloomberg.net>
> Message-ID: <9194938223.610258809194@bloomberg.net>
> Date: Thu, 19 Oct 2006 17:21:25 -0500
> To: <debian-user@lists.debian.org>
> Subject: Horhny playboy teenie site
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Rc-Spam: 2006-04-09_01
> X-Rc-Virus: 2005-11-10_01
> X-Rc-Spam: 2006-04-09_01
> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on murphy.debian.org
> X-Spam-Level: 
> X-Spam-Status: No, score=-0.3 required=4.0 tests=ALL_TRUSTED,BAYES_99,
>     UPPERCASE_25_50 autolearn=no version=3.0.3
> Resent-Message-ID: <2A04U.A.w_H.ys_NFB@murphy>
> Resent-From: debian-user@lists.debian.org
> X-Mailing-List: <debian-user@lists.debian.org> archive/latest/454964
> X-Loop: debian-user@lists.debian.org
> List-Id: <debian-user.lists.debian.org>
> List-Post: <mailto:debian-user@lists.debian.org>
> List-Help: <mailto:debian-user-request@lists.debian.org?subject=help>
> List-Subscribe: <mailto:debian-user-request@lists.debian.org?subject=subscribe>
> List-Unsubscribe: <mailto:debian-user-request@lists.debian.org?subject=unsubscribe>
> Precedence: list
> Resent-Sender: debian-user-request@lists.debian.org
> Resent-Date: Thu, 19 Oct 2006 17:24:50 -0500 (CDT)
> X-ELNK-AV: 0
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
>
> two THjESE TIiNY SLUlTS CAN'T STOP COMMIbNG ... .. ONjCE THjEY TAKeE ALL 14 INyCHES!! loose
> onlinecan: && >  www. lemuwin .com < && (!!! del space's !!!)
>
>
> provide big used happy week online hot,
> self wish done all,  always stats?
>
> bye
> Candice Kiser
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
>

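Added example (my own code, not part of this post or of the abuse report quoted in it) that mechanises the two pieces of analysis the report does by hand. First it walks the spam's Received: chain from the trusted relays downward and stops at the first hop a trusted relay recorded from an untrusted host (71.111.0.143, the verizon DSL pool address the report names); everything below that hop was written by the sending machine and is unverifiable, and here one of those lines even claims a source address in multicast space. Note that the list server's own X-Spam-Status line shows ALL_TRUSTED firing alongside BAYES_99, which is why the message scored -0.3: SpamAssassin's trust boundary did not stop at that hop either. Second, it parses the dig-style answer lines from the report and computes the fast-flux indicators the report describes in prose: many A records, a short TTL, and addresses scattered across unrelated networks. The sample headers and DNS records are transcribed from the post; the trusted-relay set and the use of /16 prefixes as a stand-in for per-ISP attribution are assumptions.

```python
"""Offline triage of a spam report.  Added example, not from the original post."""
import ipaddress
import re
from collections import defaultdict

# Constructed from the spam's Received: headers in the post, newest first.
RECEIVED = [
    "from murphy.debian.org ([70.103.162.31]) by mx-mcdonald.atl.sa.earthlink.net with ESMTP",
    "from localhost (localhost [127.0.0.1]) by murphy.debian.org (Postfix) with QMQP",
    "from pool-71-111-0-143.ptldor.dsl-w.verizon.net (pool-71-111-0-143.ptldor.dsl-w.verizon.net [71.111.0.143]) by murphy.debian.org (Postfix) with SMTP",
    "from mh4dmz3b.bloomberg.net by pool-71-111-0-143.ptldor.dsl-w.verizon.net (8.9.3/8.9.3) with SMTP",
    "from [225.151.134.41] by mh4dmz3b.bloomberg.net with SMTP",
]

# Assumption: relays whose Received: lines we believe (our MX and the list server).
TRUSTED = {"mx-mcdonald.atl.sa.earthlink.net", "murphy.debian.org", "localhost"}

_FROM = re.compile(r"^from\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Return (from_host, from_ip, by_host) for one Received: line."""
    f, b, ip = _FROM.search(line), _BY.search(line), _IP.search(line)
    return (f.group(1) if f else None, ip.group(1) if ip else None, b.group(1) if b else None)


def originating_ip(received, trusted=TRUSTED):
    """(index, ip) of the first hop a trusted relay recorded from an untrusted host.
    Lines after that index were written by the sender and may be forged."""
    for i, line in enumerate(received):
        from_host, from_ip, by_host = parse_received(line)
        if by_host not in trusted:
            break  # the chain of trust already ended
        if from_host not in trusted:
            return i, from_ip
    return None, None


def forged_claims(received, trusted=TRUSTED):
    """Source addresses claimed below the origin that cannot be real senders."""
    origin, _ = originating_ip(received, trusted)
    if origin is None:
        return []
    bad = []
    for line in received[origin + 1:]:
        _, ip, _ = parse_received(line)
        if ip is None:
            continue
        a = ipaddress.ip_address(ip)
        if a.is_multicast or a.is_private or a.is_reserved or a.is_loopback:
            bad.append(ip)
    return bad


# Constructed from the dig output quoted in the abuse report.
DIG = """
www.lemuwin.com.        180     IN      A       64.110.215.97
www.lemuwin.com.        180     IN      A       172.161.194.59
www.lemuwin.com.        180     IN      A       172.195.44.236
www.lemuwin.com.        180     IN      A       194.145.134.112
www.lemuwin.com.        180     IN      A       211.223.172.213
www.14inch.com.         0       IN      A       66.102.43.10
ns1.marivanna.com.      41678   IN      A       212.235.54.208
ns1.marivanna.com.      41678   IN      A       221.162.35.178
ns1.marivanna.com.      41678   IN      A       24.91.25.155
ns1.marivanna.com.      41678   IN      A       24.155.135.157
ns1.marivanna.com.      41678   IN      A       66.159.174.240
ns1.marivanna.com.      41678   IN      A       70.136.103.192
ns1.marivanna.com.      41678   IN      A       83.10.199.248
ns1.marivanna.com.      41678   IN      A       86.73.81.56
ns1.marivanna.com.      41678   IN      A       124.186.234.43
"""


def parse_dig(text):
    """name -> {'ttl': lowest TTL seen, 'ips': set of A-record addresses}."""
    out = defaultdict(lambda: {"ttl": None, "ips": set()})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name, ttl, ip = parts[0].rstrip("."), int(parts[1]), parts[4]
        rec = out[name]
        rec["ips"].add(ip)
        rec["ttl"] = ttl if rec["ttl"] is None else min(rec["ttl"], ttl)
    return dict(out)


def flux_indicators(name, records, min_ips=3, max_ttl=300):
    """Fast-flux heuristics.  'networks' counts distinct /16 prefixes as a crude
    stand-in for the per-ISP attribution done by hand in the report (assumption:
    a real tool would map each IP to its ASN instead)."""
    rec = records[name]
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in rec["ips"]}
    ind = {
        "a_records": len(rec["ips"]),
        "ttl": rec["ttl"],
        "networks": len(nets),
        "scattered": len(rec["ips"]) >= min_ips and len(nets) >= min_ips,
    }
    ind["fast_flux"] = ind["scattered"] and rec["ttl"] <= max_ttl
    return ind


_OBF = re.compile(r"www\s*\.\s*([\w-]+)\s*\.\s*([a-z]{2,})", re.I)


def deobfuscate_domain(text):
    """Undo the spam's 'del space's' trick: 'www. lemuwin .com' -> 'www.lemuwin.com'."""
    m = _OBF.search(text)
    return f"www.{m.group(1)}.{m.group(2)}".lower() if m else None


if __name__ == "__main__":
    print("origin:", originating_ip(RECEIVED)[1], "forged below it:", forged_claims(RECEIVED))
    recs = parse_dig(DIG)
    for n in ("www.lemuwin.com", "ns1.marivanna.com", "www.14inch.com"):
        print(n, flux_indicators(n, recs))
    print(deobfuscate_domain("&& >  www. lemuwin .com < &&"))
```

The name-server records come out as scattered but not fast-flux under these thresholds, because their TTL is long; the report's point about them is the spread across residential networks, which the `scattered` flag captures on its own.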


