Jump to content
Sign in to follow this  
elind

Is anyone else receiving thousands of identical spam this morning?

Recommended Posts

http://www.spamcop.net/sc?id=z2553887995z5...2a1142c8812d2cz

coming from hostway and southwebventures

So far I've got 8000+ and they are still coming in fast.

The spam is the same as one that was sent a month ago. That lot was about 5000 pieces and came courtesy of aplus, who had had a similar incident last year sometime.

Can anyone explain this? Is it an attack on the sending ISP (idiots) or on spamcop?

Share this post


Link to post
Share on other sites

The sending IP [207.150.194.88] is on the SCBL, as well as:

xbl.spamhaus.org

cbl.abuseat.org

dnsbl-1.uceprotect.net

t1.dnsbl.net.au

ucepn.dnsbl.net.au

and probably others. You're initially receiving them at a SpamCop.net address, correct? If so, do you have all your blacklists turned off? You seem to be having the messages forwarded to yet another location and are using Cloudmark, from what I see in the headers.

And yes, others are receiving them. Take a look at the flood received by a PSBL spamtrap:

http://psbl.surriel.com/listing?ip=207.150...PSBL+list+query

and there are several reports in n.a.n-a.s and n.a.n-a.e. Do a Google Groups search on the IP.

More info from the SpamCop reporting system:

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam about 53250 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

* DNS error: 207.150.194.88 is 207-150-194-88.aus.us.siteprotect.com. but 207-150-194-88.aus.us.siteprotect.com. has no DNS information

Because of the above problems, express-delisting is not available.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

http://www.spamcop.net/sc?id=z2553887995z5...2a1142c8812d2cz

coming from hostway and southwebventures

So far I've got 8000+ and they are still coming in fast.

The spam is the same as one that was sent a month ago. That lot was about 5000 pieces and came courtesy of aplus, who had had a similar incident last year sometime.

Can anyone explain this? Is it an attack on the sending ISP (idiots) or on spamcop?

I got about six hundred but they stopped abruptly about five hours ago. Can't see how it's an attack on SpamCop as mine were sent to an account which rather strangely now receives very little spam. The very rapid flow of spam was being received at the rate of two or three a minute at times with SpamCop sending reports to affinity.com but midstream the destination changed to hostway.com and southwebventures.com. I'm sure the IP address remained the same though, i.e. 207.150.194.88. I had sent most of my six hundred reports before the IP appeared on the SCBL. I've just checked and over 53000 reports have been sent regarding this IP address. When I first looked earlier today the figure was only around 1800.

Edited by g4mby

Share this post


Link to post
Share on other sites

Yes, they are sent to spamcop address, (mine is not the one shown, but I presume the list is all spamcop) as is 99% of all the spam I get.

I don't have blacklists turned off, but I'm not sure what you mean. I don't know what Cloudmark means and I haven't fiddled with my configuration for years. I have the spamcop address, another main address which is forwarded to spamcop for filtering and Held Mail. Real mail that is not held then gets forwarded to another email which is the one I read from, but normally never publish or use otherwise.

Maybe there are simpler ways, but if it ain't broke....

I'm still wondering however if anyone has an opinion on why this happens. I would consider a programming error by the spammer, except that it is the same spam from a similar incident not long ago.

And, another question, is there no legal liability for the hosting ISP in these cases (when they appear to be US based)? It really is vandalism.

The sending IP [207.150.194.88] is on the SCBL, as well as:

xbl.spamhaus.org

cbl.abuseat.org

dnsbl-1.uceprotect.net

t1.dnsbl.net.au

ucepn.dnsbl.net.au

and probably others. You're initially receiving them at a SpamCop.net address, correct? If so, do you have all your blacklists turned off? You seem to be having the messages forwarded to yet another location and are using Cloudmark, from what I see in the headers.

And yes, others are receiving them. Take a look at the flood received by a PSBL spamtrap:

http://psbl.surriel.com/listing?ip=207.150...PSBL+list+query

and there are several reports in n.a.n-a.s and n.a.n-a.e. Do a Google Groups search on the IP.

More info from the SpamCop reporting system:

I got about six hundred but they stopped abruptly about five hours ago.

I'm still getting them. When I first looked a couple of hours ago it was 7000 odd, now it's nearly 9000 and thats after reporting a bunch.

Of course hostway doesn't work on weekends (I tried calling) and their contact form is non functional.

Share this post


Link to post
Share on other sites

Now it's 10,000.

What's the quickest way to delete more than 100 at a time? I don't have time to report all of them, and I guess it's not fair to spamcop.

Share this post


Link to post
Share on other sites
Now it's 10,000.

What's the quickest way to delete more than 100 at a time? I don't have time to report all of them, and I guess it's not fair to spamcop.

I don't know. I wish I did.

I've had 10,000 too but then they stopped. Well paused, anyway! Hopefully that will be the lot.

Share this post


Link to post
Share on other sites
Yes, they are sent to spamcop address, (mine is not the one shown, but I presume the list is all spamcop)

What do you mean by "mine is not the one shown"? Doesn't the Tracking URL you posted involve a message sent originally to *your* SC address?

I don't have blacklists turned off, but I'm not sure what you mean.

Well, the sending IP is on the SCBL, and the SCBL is one of the default blacklists on our SC email account options. If you have it enabled, then all of those messages should be going into your Held folder rather than being forwarded on to you RR address. So, I'm thinking that you should log into the webmail, go into Options, then SpamCop Tools, then "Select your email filtering blacklists." On that screen, you should have the first two boxes unchecked, but then the SpamAssassin box should be checked. In the case of the sample spam, it's SA score was 11.5, and so that alone should have dumped it into your Held folder. Then all the DNS blacklist boxes should be checked, which includes the SpamCop Blacklist (SCBL).

Is that how your settings are? If so, where did the sample message from the Tracking URL wind up?

I don't know what Cloudmark means

It was in the headers from your Tracking URL:

X-Cloudmark-Score:

That implies that CloudMark technology was involved at some point....it could be that RoadRunner is using it, but the lack of a score is curious.

In any case, these messages should all be going to your held folder...is that not the case?

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

DavidT

Sorry if I'm not clear. By mine is not the one shown, all I mean is that in looking at the actual message (not analyzing deeper) I see a spamcop address, but not mine, which is the way any multiple adressee email would show. Almost all spam I receive is to my spamcop address.

Again, sorry if I'm not clear. All my spam is in my held mail, but I now have 15000+ messages there. How can I unload them faster than 100 at a time, which is all spamcop will let me do?

You got me on the cloudmark. I haven't a clue. I do use spamassassin.

The sample email I sent was one I forwarded to myself from held mail so I could have a look at it. I then reported it manually and that was the tracking URL. In this case that spam did go through RoadRunner, (from held mail to my RR account) so perhaps they added it, and perhaps they didn't know then if it was spam or not, so no score?

Also, they seem to have stopped coming a few hours ago.

Share this post


Link to post
Share on other sites
Now it's 10,000.

What's the quickest way to delete more than 100 at a time? I don't have time to report all of them, and I guess it's not fair to spamcop.

(webmail menu bar item 'Folders')

> use the dropdown to select "empty folder" which is the 3rd from the

> bottom -- do NOT select delete folder

> it can take the system a while to grind thru emptying a folder if it was

> a lot of mail in it but you can start this up and wander off and do

> other things

> BTW you could also set up an imap acct in your email app - IMAP to your

> SC account, do a mass select and delete of all mail in the held mail folder

> And BTW2: IIRC you can set your page size to >100 mails if you have some

> insane desire to sit around do select all/delete

And YAM (Yet Another Method) is to use an ad hoc webmail filter (webmail menu bar item 'Filters) to delete selected items in the held folder, perhaps all with an SA level of 16 or more

Share this post


Link to post
Share on other sites
(webmail menu bar item 'Folders')

> use the dropdown to select "empty folder" which is the 3rd from the

> bottom -- do NOT select delete folder

I get an error message saying the "Held Mail" folder is already empty. When it has over 7,000 messages in it.

So it's back to reporting or deleting 100 at a time.

Share this post


Link to post
Share on other sites

Thanks for the IMAP setup hint.... the remaining 5000 messages were removed in about 5 minutes. And this time there was actually a false positive included in the "pile".... so I avoided missing that.

Thanks, Malcolm

Share this post


Link to post
Share on other sites
I get an error message saying the "Held Mail" folder is already empty. When it has over 7,000 messages in it.
You might want to take another try at using the "Folders" view to empty your Held Mail folder.

I use it to bulk delete the spam from my Held Mail folder and from my Trash folder every day, and it works just fine for me.

- Don D'Minion - SpamCop Admin -

.

Share this post


Link to post
Share on other sites

I followed michaelanglo's instructions, the first part, and it zapped 16000 in a couple of minutes, as much as I wanted to report every last one.

Share this post


Link to post
Share on other sites
You might want to take another try at using the "Folders" view to empty your Held Mail folder.

Yes, after 29 years with computers, I should know to try things more than once really :-)

Anyway I decided to report them all instead, and of course hit the 15,000 limit... oops.

Share this post


Link to post
Share on other sites

I sent a message to support[at]hostway.com demanding an explanation.

I actually received the following reply some days later, but I know that I was still getting new ones in my held mail until sometime on Saturday afternoon. Is that possible if the server was taken down EARLY on Saturday? (I had the same type of response last time this happened, from Aplus.com)

Hello,

Shortly after our last e-mail, we were informed of the spam issue regarding 207.150.194.88, one of our dedicated servers, by team that manages the southwebventures.com servers. We also received your notifications through abuse[at]hostway.com. They disconnected the server shortly after the attack was discovered early on Saturday. We do apologize for the inconvenience we know this caused for many people, including those of you at spamcop.net. Feel free to let us know if you require any further assistance.

Thank you,

Abuse Department

Hostway Corporation

Share this post


Link to post
Share on other sites
I actually received the following reply some days later, but I know that I was still getting new ones in my held mail until sometime on Saturday afternoon. Is that possible if the server was taken down EARLY on Saturday? (I had the same type of response last time this happened, from Aplus.com)

Actually, yes, it's possible. Talking about an unknown network configuration there, but ... there could have been 'the' compromised e-mail server, which originally 'sent' the e-mail. But, this specific server may not be connected 'directly' to the Internet for outgoing .. rather handing the traffic off to one of several other servers to actually handle the 'delivery' part of the process ... call it load-balancing, simple traffic management, just a couple of several possible reasons. So the issue would be that the compromised server was taken off-line, but the other systems handling the outbound traffic were still merrily doing their job without complaint, delivering all that crap that had been previously tasked to them by the bad server.

Share this post


Link to post
Share on other sites
Actually, yes, it's possible. ...
Plus, going with what we know, looking at the example supplied in the opening post there's an hour and a half (roughly) time difference demonstrated just in that first step (between steps 4 and 3 working back from the origin), both times stated in UIT:

3: Received: ...; 24 Jan 2009 09:13:08 -0000

4: Received: ...; 24 Jan 2009 07:42:35 -0000

With no specific explanation of that, it could as easily be some other number on another message (leaping into the 'unknown but possible', as Wazoo has pointed out) then there's the actual timezone of the office making the response relative to yours. I think you have a good result elind.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×