massive porn spam is making it through spamassassin. new filter oops?
randy, still researching

We are not using spamassassin, only major RBLs are in place, and we are seeing the same wave of spam. Seems like a new botnet has just appeared.
-- Babak
-- Babak Farrokhi
On Apr 13, 2014, at 8:09 AM, Randy Bush <randy@psg.com> wrote:
massive porn spam is making it through spamassassin. new filter oops?
randy, still researching
Any chance you could provide a *clue* as to what you're seeing, eg message subject, from, etc???
Andrew Fried
andrew.fried@gmail.com

On 4/13/14, 1:00 AM, Babak Farrokhi wrote:
We are not using spamassassin, only major RBLs are in place, and we are seeing the same wave of spam. Seems like a new botnet has just appeared.
-- Babak
On 13/04/2014 08:10, Andrew Fried wrote:
Any chance you could provide a *clue* as to what you're seeing, eg message subject, from, etc???
The subjects seem to vary; but appear to involve animals, sex and cute women in various orders (apologies to anyone offended by that).
Content is a one-liner link to porn sites.
I agree with the RIPE DB scrape - the From: line on one of these is
From: "Registry ripenotify" <info@audiovisualcs.com> and the CC line contains our notify: E-mail (plus a load more of this junk to noc|peering|named contacts).
These seem to be botted machines sending mails 'legitimately' ie: headers appear to show that the first hop was relayed out through a normal route rather than just port 25 spray. Some are even kindly pre-marked as spam.
We've had >250 turn up since 23:34 UTC yesterday (12 April). Appears to have slowed/stopped around 05:00 UTC today (13 April).
Paul.
-- Paul Thornton

Thanks, Paul.
The #1 spam I'm seeing right now has the subject line "Subject: Why Internet was born?"; the domains from the URLs appear to be listed in Spamhaus DBL. Obviously a different batch.
Andy
Andrew Fried
andrew.fried@gmail.com

On 4/13/14, 3:59 AM, Paul Thornton wrote:
On 13/04/2014 08:10, Andrew Fried wrote:
Any chance you could provide a *clue* as to what you're seeing, eg message subject, from, etc???
The subjects seem to vary; but appear to involve animals, sex and cute women in various orders (apologies to anyone offended by that).
Content is a one-liner link to porn sites.
I agree with the RIPE DB scrape - the From: line on one of these is
From: "Registry ripenotify" <info@audiovisualcs.com> and the CC line contains our notify: E-mail (plus a load more of this junk to noc|peering|named contacts).
These seem to be botted machines sending mails 'legitimately' ie: headers appear to show that the first hop was relayed out through a normal route rather than just port 25 spray. Some are even kindly pre-marked as spam.
We've had >250 turn up since 23:34 UTC yesterday (12 April). Appears to have slowed/stopped around 05:00 UTC today (13 April).
Paul.
Hi,
I suspect I've been hit by the same run, looks like the RIPE database has been harvested since I got at least one copy on an e-mail address that I've only used for the RIPE db. I also saw a lot of peering@ and noc@ addresses in from/to/cc fields.
So far I've received about a hundred copies. Whoever is responsible for this spamrun is not the brightest light in the world.
Thanks,
Sabri

----- Original Message -----
From: "Randy Bush" <randy@psg.com>
To: "North American Network Operators' Group" <nanog@nanog.org>
Sent: Saturday, April 12, 2014 8:39:36 PM
Subject: spamassassin hole again?
massive porn spam is making it through spamassassin. new filter oops?
randy, still researching
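
The two traits reported in this thread (many role addresses such as noc@ and peering@ from different networks in To/Cc, and a body that is a single-line link) can be checked mechanically on inbound mail. The following is an added example, not code from any poster in the thread; the role-address list, the threshold of three domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed role local-parts, taken from the kinds of contacts named in the thread.
ROLE_LOCALPARTS = {"noc", "peering", "notify", "hostmaster", "abuse"}
URL_RE = re.compile(r"https?://\S+", re.I)

def harvest_signals(raw, min_role_domains=3):
    """Return the signals for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    role_domains = set()
    for _name, addr in rcpts:
        local, _, domain = addr.lower().rpartition("@")
        if local in ROLE_LOCALPARTS and domain:
            role_domains.add(domain)
    # Only plain single-part bodies are inspected in this sketch.
    body = "" if msg.is_multipart() else msg.get_payload()
    lines = [l for l in body.splitlines() if l.strip()]
    return {
        "role_domains": len(role_domains),
        # Role contacts of several unrelated networks in one message
        # suggest a scraped registry list rather than a real conversation.
        "scraped_recipients": len(role_domains) >= min_role_domains,
        "one_line_link": len(lines) == 1 and bool(URL_RE.search(lines[0])),
    }

def looks_like_harvest_run(raw):
    s = harvest_signals(raw)
    return s["scraped_recipients"] and s["one_line_link"]

# Constructed sample: shaped like the messages described, reserved domains only.
SAMPLE_SPAM = (
    'From: "Registry notice" <sender@example.invalid>\n'
    "To: notify@example.net\n"
    "Cc: noc@example.org, peering@example.com, noc@example.net\n"
    "Subject: constructed subject\n"
    "\n"
    "http://example.invalid/landing\n"
)
# Constructed sample: an ordinary peering request to one role address.
SAMPLE_HAM = (
    "From: Alice <alice@example.org>\n"
    "To: peering@example.net\n"
    "Subject: peering request\n"
    "\n"
    "Hello,\nwe would like to peer at the exchange.\nSee http://example.org/as\n"
)
```

Neither signal is conclusive alone, so the combined result is better used as a score contribution or a quarantine hint than as an outright reject.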
participants (5)
- Andrew Fried
- Babak Farrokhi
- Paul Thornton
- Randy Bush
- Sabri Berisha