Noticeable increase in spam


14 replies to this topic

#1 DavidT

    Been There

Posted 17 September 2006 - 10:35 AM

I've seen a rather disturbing sudden increase in spam received at multiple addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA" (with the "xxx" being three random lowercase letters), which account for much of the increased volume, but not all (I don't keep careful statistics). Thankfully, the SpamAssassin implementation on my SC email account is catching almost all of it. I think that the SA testing probably happens before BL checking, because out of 55 messages in my Held Mail this morning, 52 of them were put there due to the SA scoring, and 3 due to being listed on the CBL. Similar stats with my other SC email account. I think that for the next few days, I'll regularly scan the folder for anything blocked due to "bl.spamcop.net" because I think that's usually the case with a significant portion of what winds up in my Held Mail folder.
DT

#2 agsteele

    Been There

Posted 18 September 2006 - 03:38 AM

I've seen a rather disturbing sudden increase in spam received at multiple addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA" (with the "xxx" being three random lowercase letters), which account for much of the increased volume, but not all (I don't keep careful statistics). Thankfully, the SpamAssassin implementation on my SC email account is catching almost all of it.

Yes, I agree that whoever is pumping out this PH***ARMA stuff (and also PHA***RMA) seems to be more active.

Using a SpamCop Email account with the various spam blocking functions fairly keenly set, I'm not seeing any arriving in the mailbox but the held mail folder is certainly a little more full :)

I've noted for a long time that SpamAssassin identifies more spam than the various BLs but I'm unsure which test comes first in the chain. Presumably, if SpamAssassin is the first check then much of the junk gets weeded out before a BL check. It would be interesting but otherwise not necessary for me to know.

Andrew
A SpamCop user - all comments I make are mine and not SpamCop's :-)

All comments in these forums are from users offering help to other users unless the user explicitly identifies themselves as SpamCop staff.

To contact SpamCop staff Email service[at]admin.spamcop.net

#3 Lking

    Advanced Member

Posted 18 September 2006 - 05:20 AM

I've seen a rather disturbing sudden increase in spam received at multiple addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA"

Yes that subject sure is the current leader, as many as 30-40 a day to my domain. But as stated in another thread my overall spam count is fairly flat, 145-185 per day.
Lou

Say what you will about Sisyphus. He always has work.

#4 epgeek

    Member

Posted 20 September 2006 - 12:38 PM

Yes that subject sure is the current leader, as many as 30-40 a day to my domain. But as stated in another thread my overall spam count is fairly flat, 145-185 per day.

I am also seeing a lot of these spams including this one from 5 minutes ago: PHmkARcMA ...You would certainly suspect that they all came from the same spammer creep. Perhaps if this one scum bag could be tracked down and stopped (or shot) there would be a slight but noticeable drop in spam??? This guy certainly leaves a lot of tracks around the Internet. Surely law enforcement somewhere could devote a little time to this. How many tax dollars has spam[at]uce.gov wasted doing nothing to this point? Here's a novel idea: perhaps all the wasted dollars on enforcement for CAN spam should be lavished on spam COP where they might do some good.

#5 showker

    Advanced Member

Posted 03 October 2006 - 02:06 PM

Another frequent one... several dozen since yesterday. But I doubt you'll find the actual spammer -- I believe it's a zombie propagated to user PCs. I've done a bit of hand tracking on that one and it does bounce around quite a bit all over the world. This is another of those cases where the SPAMVERTISER should be the trail, and NOT the sender. If you follow the money trail up the chain, it comes back to a Canadian attempting to get associate fees from one of the bigger online pharmacies. The host of which will not respond, and denies that they're hosting the spamvertised site. /-(

#6 showker

    Advanced Member

Posted 04 October 2006 - 07:55 AM

FOLLOW UP

I tracked five of the SAME emails this morning... to three different "honey pot" addresses, and found they ALL came from the SAME IP ... However, when tracking that IP I came up empty handed... Response said:

> Server Used: [ none ]
> ERROR: IP Range Reserved by IANA.org

So, the big question is:
? How does the spammer use a "none" server to send spam, and
? What is a "reserved" IP by IANA, and
? Why would IANA allow this use of a "reserved" IP doesn't make sense.

I think I should post this as a new topic.
Fred

#7 Miss Betsy

    T-shirt wearing out

Posted 04 October 2006 - 04:31 PM

Don't quote me, but I think an 'IP reserved..' is for internal use only. I am not an experienced headers reader (only very simple ones), but I think that you went one line too far and got a forged one.
Miss Betsy
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net

#8 Telarin

    Advanced Member

Posted 04 October 2006 - 04:41 PM

I would have to agree with Miss Betsy on her header analysis assumption. Care to offer up a tracking URL for one of those messages so we can all have a look at what kind of header games the spammer is using?
Will Russell, MCP
IT Specialist
Galveston Insurance Associates
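Posts #6 to #8 turn on how Received headers are read: walk them from the top down and stop at the first hop where one of your own servers accepted the message from a host you do not run. That hop's address is the sending machine; every Received line below it was written by the sender and can say anything, including an address from a range IANA has reserved, which is the "one line too far" Miss Betsy describes. The Python script below is an added example, not from any of the posters or from SpamCop. The server names, the sample message and all addresses in it are constructed (RFC 5737 documentation addresses stand in for public ones, so the script classifies ranges with its own explicit list rather than relying on the `ipaddress` module's labels for those ranges).

```python
import email
import ipaddress
import re

# Hosts we operate (hypothetical names). A Received line stamped "by" one of
# these is trusted; anything further down was supplied by the sender.
TRUSTED_HOSTS = {"mailstore.example.net", "mx1.example.net"}

# Explicit non-routable ranges, kept here so the result does not depend on how
# a given Python version labels the RFC 5737 documentation addresses below.
NON_ROUTABLE = {
    label: [ipaddress.ip_network(n) for n in nets]
    for label, nets in {
        "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
        "loopback": ["127.0.0.0/8"],
        "link-local": ["169.254.0.0/16"],
        "reserved by IANA": ["0.0.0.0/8", "240.0.0.0/4"],
    }.items()
}

# Pull "from <host> ... [<ip>] ... by <host>" out of one Received line.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)

# Constructed sample message. The top two hops were stamped by our own servers;
# the bottom one was written by the sender and names an IANA-reserved address.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mailstore.example.net with ESMTP id ABC123; Wed, 4 Oct 2006 07:40:01 -0400
Received: from unknown (HELO pc) ([203.0.113.77])
    by mx1.example.net with SMTP; Wed, 4 Oct 2006 07:39:58 -0400
Received: from mail.bogus.invalid (mail.bogus.invalid [240.1.2.3])
    by 203.0.113.77 with SMTP; Wed, 4 Oct 2006 07:39:50 -0400
From: someone@example.org
Subject: Re: my PHabcARMA

(body omitted)
"""


def classify(ip_text):
    """Label an IPv4 address as routable or as one of the non-routable classes."""
    ip = ipaddress.ip_address(ip_text)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "routable"


def parse_hops(raw_message):
    """Return the Received hops top-down (most recent hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"src": m["src"], "ip": m["ip"], "by": m["by"],
                         "kind": classify(m["ip"])})
    return hops


def find_source(raw_message, trusted=TRUSTED_HOSTS):
    """Stop at the first hop where one of our servers accepted the message from
    a host we do not run. That hop's IP is the sending host; the hops below it
    are the sender's own claims and are reported as unverified."""
    hops = parse_hops(raw_message)
    for i, hop in enumerate(hops):
        if hop["by"] in trusted and hop["src"] not in trusted:
            return {"source_ip": hop["ip"], "source_kind": hop["kind"],
                    "untrusted_hops": hops[i + 1:]}
    return {"source_ip": None, "source_kind": None, "untrusted_hops": hops}


if __name__ == "__main__":
    result = find_source(SAMPLE)
    print("sending host:", result["source_ip"], "(" + result["source_kind"] + ")")
    for hop in result["untrusted_hops"]:
        print("unverified hop:", hop["ip"], "(" + hop["kind"] + ")")
```

Run against the sample, the script reports 203.0.113.77 as the sending host and lists the 240.1.2.3 hop as unverified and IANA-reserved; a lookup tool that is handed that bottom line instead of the handoff line returns exactly the kind of empty result described in post #6.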

#9 TerryNZ

    Member

Posted 05 October 2006 - 12:03 AM

Both the PHAxxxRMA and the MExxxDS spams are from ROKSO #2 most wanted, Leo Kuvayev.
Leo has an automated domain registration system. It generates a domain name by putting together a random selection of syllables. You will see names like hadegerfuntion and quijindesfuma etc. Every hour his autoregistrator registers a name with Beijing Innovative Technology. If you want to view the pattern of his registrations, try this link
His technique is to create a site and spam it every hour, then move on to the next, in the hopes of staying ahead of SpamCop.

If you look up the name servers for these spamvertized sites, you will find that they are limited to just these few. Look up the registrars for the name servers, and there are only two. My team have requested the registrars to remove the name servers to close down access to over 2,500 of his sites. Only one pair of nameservers were removed, resulting in over 70 sites being made inaccessible. Of the two registrars, XIN Net is the slower to move. If you have the ability to add addressees to your SpamCop reports, select the ones listed below, and copy/paste a request to remove these nameservers.

The stated reason for your request is that the Registrar is sponsoring a known criminal, Leo Kuvayev, who was tried and found guilty in a court in Massachusetts. He escaped the country without paying a fine of several million dollars.

NAME SERVER . . . . . . . . . . . REGISTRAR
ns0.shionmkindefunjas.com XIN Net
ns0.quijindeshkinmas.com Beijing Innovative

ns0.avuihdesunhawio.com Beijing Innovative << DONE >>
ns0.sadewunmkedefuna.com Beijing Innovative << DONE >>

ns0.hertunjinkdastion.com XIN Net
ns0.vckionldesunjas.com Beijing Innovative

ns0.hadesunjadukinma.com XIN Net
ns0.hadegandestui.com Beijing Innovative << DONE >>

ns2.yadesaxinmer.com XIN Net
ns3.ovdesaxinme.com Beijing Innovative << DONE >>

Addressees
-------------

Beijing Innovative . . . . liwei[at]dns.com.cn, huyan[at]dns.com.cn, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn
XIN Net. . . . . . . . . . . . registrar[at]xinnet.com, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn

Edited by TerryNZ, 05 October 2006 - 12:05 AM.
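TerryNZ's procedure (look up the NS records of the spamvertised domains, notice that they share a handful of nameservers, look up which registrar sponsors each nameserver, and ask that registrar to remove the nameservers) is easy to script once the NS records have been collected. The Python below is an added example, not TerryNZ's tooling or SpamCop's. The spamvertised domain names and their NS records are constructed (the `unrelated.example` entry is there to show that a domain outside the cluster is left alone); only the nameserver hostnames, the registrar sponsoring each, and the pair marked DONE are taken from the post above.

```python
from collections import Counter, defaultdict

# Constructed sample: hypothetical spamvertised domains and the NS records a
# resolver returned for each. In practice this dict is filled by querying NS
# for every domain reported in the spam.
NS_RECORDS = {
    "site-one.example":   ["ns0.shionmkindefunjas.com", "ns0.quijindeshkinmas.com"],
    "site-two.example":   ["ns0.shionmkindefunjas.com", "ns0.quijindeshkinmas.com"],
    "site-three.example": ["ns0.avuihdesunhawio.com", "ns0.sadewunmkedefuna.com"],
    "site-four.example":  ["ns0.hertunjinkdastion.com", "ns0.vckionldesunjas.com"],
    "site-five.example":  ["ns0.hertunjinkdastion.com", "ns0.vckionldesunjas.com"],
    "site-six.example":   ["ns0.hertunjinkdastion.com", "ns0.vckionldesunjas.com"],
    "unrelated.example":  ["ns1.hosting.example", "ns2.hosting.example"],
}

# Nameserver -> sponsoring registrar, as listed in the post.
NS_REGISTRAR = {
    "ns0.shionmkindefunjas.com": "XIN Net",
    "ns0.quijindeshkinmas.com": "Beijing Innovative",
    "ns0.avuihdesunhawio.com": "Beijing Innovative",
    "ns0.sadewunmkedefuna.com": "Beijing Innovative",
    "ns0.hertunjinkdastion.com": "XIN Net",
    "ns0.vckionldesunjas.com": "Beijing Innovative",
}

# The pair the post marks << DONE >>, i.e. already removed by its registrar.
REMOVED = {"ns0.avuihdesunhawio.com", "ns0.sadewunmkedefuna.com"}


def domains_by_nameserver(records):
    """Invert domain -> [nameservers] into nameserver -> {domains}."""
    index = defaultdict(set)
    for domain, servers in records.items():
        for ns in servers:
            index[ns.lower()].add(domain)
    return dict(index)


def takedown_priority(records):
    """Rank each set of nameservers by how many domains depend on it, so the
    removal request that frees the most victims goes out first."""
    counts = Counter(frozenset(ns.lower() for ns in servers)
                     for servers in records.values())
    return sorted(counts.items(), key=lambda item: (-item[1], sorted(item[0])))


def registrar_impact(records, registrar_map):
    """Split domains by whether one registrar acting alone takes them down
    ("alone": every NS is sponsored by that registrar) or whether each sponsor
    must act ("shared": the NS set spans more than one registrar)."""
    alone, shared = defaultdict(set), defaultdict(set)
    for domain, servers in records.items():
        sponsors = [registrar_map.get(ns.lower()) for ns in servers]
        for reg in {s for s in sponsors if s is not None}:
            (alone if all(s == reg for s in sponsors) else shared)[reg].add(domain)
    return {"alone": dict(alone), "shared": dict(shared)}


def still_resolvable(records, removed):
    """Domains that keep working because at least one of their nameservers
    has not been removed. A domain only goes dark when its whole NS set is gone."""
    removed = {ns.lower() for ns in removed}
    return sorted(domain for domain, servers in records.items()
                  if any(ns.lower() not in removed for ns in servers))


if __name__ == "__main__":
    for ns_set, count in takedown_priority(NS_RECORDS):
        print(count, "domain(s) depend on", sorted(ns_set))
    impact = registrar_impact(NS_RECORDS, NS_REGISTRAR)
    for reg in sorted(set(impact["alone"]) | set(impact["shared"])):
        print(reg, "alone:", sorted(impact["alone"].get(reg, ())),
              "shared:", sorted(impact["shared"].get(reg, ())))
    print("still resolvable after DONE pair:", still_resolvable(NS_RECORDS, REMOVED))
```

The `registrar_impact` split explains the post's own numbers: removing the pair marked DONE only knocked out the domains that used both of those nameservers, and a domain whose pair is split between XIN Net and Beijing Innovative stays up until both registrars act, which is why the post asks that requests go to both.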


#10 Axxxim

    Newbie
    Banned

Posted 11 December 2008 - 10:05 AM

Dear US and Canada Capitalist Pigs, If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email. This simple code allows our Chinese government to grab and log your personal IP on our servers for our planned cyber attack support on your spoiled and selfish country! It also provides some information on times you check email. Think of what a country could do with a complete list of active and sniffed out list of IPs of its enemy. Your internet will be of no use. Your country is too Open. Long live the People's Republic! Please wake up, spread the word and do everything to stop XIN NET now!

#11 Lking

    Advanced Member

Posted 11 December 2008 - 11:42 AM

Dear US and Canada Capitalist Pigs,

Speaking of spam. The first copy got a smile. The second... Well your newness is showing.

Edited by Lking, 11 December 2008 - 11:50 AM.

Lou

Say what you will about Sisyphus. He always has work.

#12 Farelf

    What Life?

Posted 11 December 2008 - 12:41 PM

Speaking of spam. The first copy got a smile. The second... Well your newness is showing.

Yeah - cross posting is never encouraged, he did the same thing at CastleCops. Heart is no doubt in the right place but that's no excuse for bad manners. Tempted to let it stand as a visible reminder (though illustrating what not to do is rarely a good idea) - and since this is an appropriate topic.
Plus ça change, plus c'est la même chose (the more things change, the more they stay the same)

#13 agsteele

    Been There

Posted 12 December 2008 - 03:57 AM

Dear US and Canada Capitalist Pigs,

I'd like to place on record that I'm deeply offended to have been left out of the farm... :blink:

Andrew
A SpamCop user - all comments I make are mine and not SpamCop's :-)

All comments in these forums are from users offering help to other users unless the user explicitly identifies themselves as SpamCop staff.

To contact SpamCop staff Email service[at]admin.spamcop.net

#14 dra007

    Been There

Posted 12 December 2008 - 12:49 PM

Oink, oink!

#15 Farelf

    What Life?

Posted 12 December 2008 - 01:42 PM

I'd like to place on record that I'm deeply offended to have been left out of the farm... :blink:

We colonials cordially revile you as the source of all those bloody convicts - does that compensate? http://img519.images...convictsss3.jpg
Plus ça change, plus c'est la même chose (the more things change, the more they stay the same)