petzl

The Republic of Belarus


Getting a lot of caught botnet spam from Belarus they can't be that stupid?

http://cbl.abuseat.org/lookup.cgi?ip=93.84.209.223

I always include cbl.abuseat.org with engrish message (boilerplate)

"botnet spam from infected email server. see above link for fix"

As well as all the botnet servers associated with botnet provider?

From

http://spamcop.net/w3m?action=checkblock&a...p=93.84.209.223

Other botnet hosts in this "neighborhood" with spam reports


Certainly not the way you or I (or any other spamsufferer) would want them to conduct themselves petzl. Different botnets, different compositions but one like that ought to be relatively easy to tackle, if the ISPs had a will.

I seem to be on the receiving end of a couple of totally different ones (botnets), low volume, well distributed/diffuse, I seem to be the only SC reporter submitting the things but that's probably more testament to their snowshoeing approach than lack of total volume. I probably need to take a leaf from your book and start including the CBL links since that list seems to be highly efficient in tagging them.

"Mine" are defined by/notable in that the continually-changing spamvertized links (mostly Czech and Chinese hosting) almost invariably are dismissed by the parser, like:

"www.onlinepharmacybest.ru is not a routeable IP address

Cannot resolve http://www.onlinepharmacybest.ru/"

- which is nonsense in terms of DNS resolution generally but doesn't worry me particularly (at least the mail senders are usually resolved) as I'm fairly sure the hosts really don't want to know anyway and the SC staff may well have backed off resolution effort accordingly - or for some other very good reason. I've been wasting time looking up reporting addresses for them for user-defined reporting none-the-less, but I think you're pointing the way to more effective reporting with the helpful provision of the CBL data to the ISPs of the senders.

Even if it (provision of the look-up links) is apparently not finding fertile ground with the Belarusians it may be more effective with some of the other ISPs infested by the more widely-distributed botnets. We would hope they would have enough clues to work this sort of thing out for themselves but, as we know, the usual ISP response to spamming is not so much in elimination but in sweeping it under the carpet, just as long as the "average user" is not inconvenienced by it. Anyway, can't hurt to encourage them to lift their respective games.

As far as the Belarusians go, if they are complicit then they will (eventually) paint themselves into a corner - reporting and DNSBLs will give them progressively less room to manoeuvre and to deny. Hopefully. Well, I hope the same about the Chinese. It's a long game and a (slowly) changing one but the basics are the same. But maybe, one day, some government, somewhere, is going to realize that if they're already monitoring the internet closely enough they can effectively slap a carbon tax on spam transmission. :D


As far as the Belarusians go, if they are complicit then they will (eventually) paint themselves into a corner - reporting and DNSBLs will give them progressively less room to manoeuvre and to deny. Hopefully. Well, I hope the same about the Chinese. It's a long game and a (slowly) changing one but the basics are the same. But maybe, one day, some government, somewhere, is going to realize that if they're already monitoring the internet closely enough they can effectively slap a carbon tax on spam transmission. :D

Another bank of Belarus botnets

http://cbl.abuseat.org/lookup.cgi?ip=178.127.134.138

Other botnet hosts in this "neighborhood" with spam reports


Just about every sender in "my" botnets is listed in the CBL. As noted elsewhere, CBL can get a little tetchy if you hammer their lookups. I find it convenient to use the SenderBase lookup and simply copy the CBL link (almost always there, as said) from the "DNS-based blocklists" section of the resolved query on the IP address involved.

As noted, "mine" are well-distributed, not those moody Belarus, even so, I'm not exactly being flooded with grateful thanks for the pointer from the ISPs affected. That doesn't matter - in addition to the uniquely detailed SC report they are being given in the notes the (usually) specific detail of the exploit that has infested their network, should they care to heed.

AND I'm still doing the lookups of the unending succession of new spamvertized sites that SpamCop declines to resolve to alert the possibly unsuspecting hosts via "User_Notification" since there seems to be some variety in those host networks now (who knows, maybe it is having some effect but I haven't the time to check whether those supposed payload websites still have name services running - pretty unlikely the hosts are ever going to receive payment in any event).


Just about every sender in "my" botnets is listed in the CBL. As noted elsewhere, CBL can get a little tetchy if you hammer their lookups. I find it convenient to use the SenderBase lookup and simply copy the CBL link (almost always there, as said) from the "DNS-based blocklists" section of the resolved query on the IP address involved.

As noted, "mine" are well-distributed, not those moody Belarus, even so, I'm not exactly being flooded with grateful thanks for the pointer from the ISPs affected. That doesn't matter - in addition to the uniquely detailed SC report they are being given in the notes the (usually) specific detail of the exploit that has infested their network, should they care to heed.

AND I'm still doing the lookups of the unending succession of new spamvertized sites that SpamCop declines to resolve to alert the possibly unsuspecting hosts via "User_Notification" since there seems to be some variety in those host networks now (who knows, maybe it is having some effect but I haven't the time to check whether those supposed payload websites still have name services running - pretty unlikely the hosts are ever going to receive payment in any event).

Possibly now whitelisted? But since including the senderbase CBL link AND the SCBL

"Other hosts in this "neighborhood" with spam reports" (I add BOTNET to it)

Brazil are now my annoying attackers to my SC email address, but mainly from USA sites!

http://www.spamcop.net/sc?id=z5493673089z0...b77bbfa795991az

Adding "mail-abuse[ AT ]cert.br" seems to have scared Brazil spammers attacking me from Brazil?

Edited by petzl


Not enough cases to be sure yet but one of the botnets sending me "Canadian Pharmacy" spam (one using the present billet doux that, through endless redistribution, misspells "discreet" ad infinitum) seems to be increasingly using "new" zombies - IP addresses, even whole networks that aren't yet featuring in the DNSbls. I suppose it's all pretty-much a "set and forget" operation for the botmaster - and disappointing that there are so many newly-compromised machines about - but it's tempting to imagine that some of those botnets are being slowly denuded of their longer-term membership. No way to know without tedious back-checks. The occasional one that is shut down in its entirety when the command and control network is busted is far more satisfying.

Can't believe "Canadian Pharmacy" is still blighting us after all these years. Wish the Canadians would send in one of their CANSOFCOM units to sort it out once and for all (it impugns the national honour) ... or even a couple of their seal hunters.


Can't believe "Canadian Pharmacy" is still blighting us after all these years. Wish the Canadians would send in one of their CANSOFCOM units to sort it out once and for all (it impugns the national honour) ... or even a couple of their seal hunters.

Not had any Botnet spam from Belarus since giving (listing) them around 100 or more botnet homes on their email servers.

Now doing this on all Botnet spam I get I list all the botnets in their IP range

Senderbase (new web page)

http://www.senderbase.org/senderbase_queri...ring=189.3.4.50

then

"IP addresses used to send emails in" 189.3.4.50/24

Raise the selectable number to /16 189.3.4.50/16

Hovering mouse over red flagged IP's shows if listed; right clicking allows to copy CBL link

http://cbl.abuseat.org/lookup.cgi?ip=189.3.164.84

I get the lot

Country wide abuse address for different countries are good (include these)

https://support.google.com/mail/answer/34080?hl=en

Australia's

http://www.acma.gov.au/WEB/STANDARD/pc=PC_310369

And check your own computer for Spyware. "Search & Destroy" is free for home Windows users


I keep wondering myself why these guys call themselves Canadians, other than both living under the Arctic Circle they have nothing in common. But sadly they are the most persistent spammers I have had to deal with and I lost any reasonable hope they can be eradicated other than provoking another Chernobyl disaster.. (or hoping for one to happen)..


I keep wondering myself why these guys call themselves Canadians, ...

Well, as an outsider (maybe mistaken) - it is a US market thing, now applied in the cheerful spammer scattergun manner to the entire bloody universe. Ironically, it started as Canada being seen in the US as an alternative and cheap source of safe pharmaceuticals.

Not sure why cheap - maybe something to do with subsidies and/or leverage under the Canadian welfare system but "safe" due to the ferocious Canadian bureaucracy and enforcement overseeing such aspects of public safety. Ironic because the spammers try to foist all sorts of mislabelled and unsafe products under the (formerly) trusted Canadian cachet.

As I have said, it could all be sorted out in a trice should Canada care to ex-judicially unleash, in the appropriate quarters, a couple of burly seal-pup cullers with their highly efficient cudgelling techniques. But they're much too nice to do that. More's the pity. And Russia would probably grumble about sovereignty. But one can dream ...


Well, as an outsider (maybe mistaken) - it is a US market thing, now applied in the cheerful spammer scattergun manner to the entire bloody universe. Ironically, it started as Canada being seen in the US as an alternative and cheap source of safe pharmaceuticals.

Not sure why cheap - maybe something to do with subsidies and/or leverage under the Canadian welfare system but "safe" due to the ferocious Canadian bureaucracy and enforcement overseeing such aspects of public safety. Ironic because the spammers try to foist all sorts of mislabelled and unsafe products under the (formerly) trusted Canadian cachet.

As I have said, it could all be sorted out in a trice should Canada care to ex-judicially unleash, in the appropriate quarters, a couple of burly seal-pup cullers with their highly efficient cudgelling techniques. But they're much too nice to do that. More's the pity. And Russia would probably grumble about sovereignty. But one can dream ...

A while back a Canadian woman died from consuming pharmaceuticals containing poison bought via a spam email

Probably lost a lot of money from giving credit card details


Hmmm ... came across a little Malaysian network which looks to be mostly rogue, just as a one-off participant (so far) in one of "my" (OK, rotten pun) regular (but low-volume) botnet senders:

inetnum: 103.1.68.0 - 103.1.71.255

netname: YTLCOMMS-AS-AP

descr: YTL Communications Sdn Bhd

descr: 8th Floor One Oriental Place

descr: No 1, Jalan Hang Lekiu

country: MY

SenderBase lookups aren't what they used to be, but easy to see this one is largely rotten and bot-driven though apparently not behaving at all like the pharmacy cartel networks. Totally different groups and drivers of course, if actually criminal - or just a few colluding, corrupt individuals selling/hiring out their corporation's resources? Or unbelievably inept bunglers? Not too hard to clean it all up if they wanted to, as you say, and they're getting lots of data to help with that. Or the CBL has got it completely wrong? Hard to say without more info - but they're all over Google, apparently legitimate. Anyway, just another sender among many, it looks like, from the POV of the spamsufferer. There are all sorts of variations (still) but disappointing that any of them survive.


Hmmm ... came across a little Malaysian network which looks to be mostly rogue, just as a one-off participant (so far) in one of "my" (OK, rotten pun) regular (but low-volume) botnet senders:

inetnum: 103.1.68.0 - 103.1.71.255

netname: YTLCOMMS-AS-AP

descr: YTL Communications Sdn Bhd

descr: 8th Floor One Oriental Place

descr: No 1, Jalan Hang Lekiu

country: MY

SenderBase lookups aren't what they used to be, but easy to see this one is largely rotten and bot-driven though apparently not behaving at all like the pharmacy cartel networks. Totally different groups and drivers of course, if actually criminal - or just a few colluding, corrupt individuals selling/hiring out their corporation's resources? Or unbelievably inept bunglers? Not too hard to clean it all up if they wanted to, as you say, and they're getting lots of data to help with that. Or the CBL has got it completely wrong? Hard to say without more info - but they're all over Google, apparently legitimate. Anyway, just another sender among many, it looks like, from the POV of the spamsufferer. There are all sorts of variations (still) but disappointing that any of them survive.

Been testing some of these BOTNET IP'S they are getting around greylisting? but don't seem to be a fully functioning email server? All just send so I'm thinking maybe these IP's are infected with a rogue email server

Really hard not to get infected nowadays on a Windows computer, you need to check regularly "SpyBot Search & Destroy" is very good at this and freeware for personal computer. Seems better than paid for detection which I also use.

My reports identify the IP showing the CBL link and my "boiler plate"

BOTNET spam attack! YOU NEED TO *BLOCK PORT 22* AND ONLY ALLOW EMAIL THROUGH GENUINE ISP SERVERS

For windows home users a very good freeware spy/malware detection/removal software program is available here

http://www.safer-networking.org/dl/

Edited by petzl


The botnet sending to me (webmail Hotmail account) from all over the universe has gone deathly quiet again. It's happened before, then restarted. The Malaysians are still active according to the CBL, just not sending to me. Port 25 (SMTP) open but not responding. Which would be normal, I think.

Here's one query session to one of those IP addresses (using IDServe):

Initiating server query ...

Looking up the domain name for IP: 103.1.69.2

(The domain name for the specified IP address could not be found.)

Connecting to the server on remote port: 25

No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed.

Query complete.

Would get exactly the same querying mx.spamcop.net (using the secondary IP address, primary would confirm domain). Port 22 (SSH) is closed for that Malaysian address (on query), it is open and responding for mx.spamcop.net (both IP addresses).

Not sure what any of that tells us - but the Malaysians' network operations must surely be aware spam is transiting? And I, for one, have told them should they care to listen, even if they had been asleep at the wheel. In any event, whatever they're doing about it is quite indistinguishable from "nothing".

Hopefully other networks caught up in the botnet (or botnets) are not willing or heedless participants and our alerts to them - often comprehensive and noting additional IP addresses per your excellent pointers to that art - do some good.


The botnet sending to me (webmail Hotmail account) from all over the universe has gone deathly quiet again. It's happened before, then restarted. The Malaysians are still active according to the CBL, just not sending to me. Port 25 (SMTP) open but not responding. Which would be normal, I think.

Here's one query session to one of those IP addresses (using IDServe):

Would get exactly the same querying mx.spamcop.net (using the secondary IP address, primary would confirm domain). Port 22 (SSH) is closed for that Malaysian address (on query), it is open and responding for mx.spamcop.net (both IP addresses).

Not sure what any of that tells us - but the Malaysians' network operations must surely be aware spam is transiting? And I, for one, have told them should they care to listen, even if they had been asleep at the wheel. In any event, whatever they're doing about it is quite indistinguishable from "nothing".

Hopefully other networks caught up in the botnet (or botnets) are not willing or heedless participants and our alerts to them - often comprehensive and noting additional IP addresses per your excellent pointers to that art - do some good.

The way I read it is (and I'm just a geek senior, not a tech)

If port 22 is open it allows one to send direct. For it to get past Greylisting (which they are?) it must run a SMTP server has to either listen for "SMTP error 452" and resend not less than 15 minutes

Seems that there are in Belarus, Malaysia, etc, a massive listing of email servers? I'm suspecting these are in fact part of the Trojan program on personal computers?

None of it gets to my inbox but there are around 30-40 a day going to my VER folder and just takes a click of a mouse to easily and accurately report them.


The way I read it is (and I'm just a geek senior, not a tech)

If port 22 is open it allows one to send direct. For it to get past Greylisting (which they are?) it must run a SMTP server has to either listen for "SMTP error 452" and resend not less than 15 minutes

Seems that there are in Belarus, Malaysia, etc, a massive listing of email servers? I'm suspecting these are in fact part of the Trojan program on personal computers?

None of it gets to my inbox but there are around 30-40 a day going to my VER folder and just takes a click of a mouse to easily and accurately report them.

Port 22? That's usually used for SSH, with port 25 for mail, isn't it?


Port 22? That's usually used for SSH, with port 25 for mail, isn't it?

An Internet provider by blocking Port 22 outbound means email can only be sent through their approved registered email servers (It will mean getting a STATIC IP address not DYNAMIC which is allocated)

Stops hacked or BOTNET personal computers sending spam

Edited by petzl


Revisiting after questions raised in another topic. Belarus really is quite remarkable. The entire 37.212.0.0/14 (37.212.0.0 - 37.215.255.255) is in the PBL, similarly 178.120.0.0/14, that's 262,144 IP addresses each, not sure about 93.84.0.0/15 (93.84.0.0 - 93.85.255.255), that seems to be listed in /18 chunks, maybe not all of it. Don't know about other ranges off-hand.

Anyway, fair enough, those PBLs reflect the nominal sending policies of the networks themselves - (ideally) for the common good they co-operate with Spamhaus to list their dynamic addresses which should never be used for e-mail direct to the internet. Or other networks do it for them. Those addresses will always be red-flagged in SenderBase lookups as being in the PBL unless they're actually static and have been de-listed on a case-by-case basis by the networks (haven't seen any in those ranges) and are spam-free or undetected. BUT wherever you look ~50% of the IPs are also shown in SenderBase as also listed in the CBL for recent botnet activity. If more networks consulted the PBL (at least, or zen) it would be a non-issue, but evidently they don't. I suppose maintenance is a general issue (as the once continual arguments over SORBS unilateral specification of static address conventions might indicate) - but not with those ranges from Belarusia at this stage of the game, surely? Incomprehensible how we continue to be plagued by spam from those sources - but it is a shared responsibility, transiting networks and (particularly) all delivering networks, not just the source networks.

Supercity - no, no, not the synonym for "megalopolis", the other one, su-PER-city, the art of becoming indispensable by being just a little bit useless. Looks like most networks practice it. Must be good for revenue according to their beancounters. Seems like a radio station with static as 85% of their "programming" to me, a false and destructive economic model, even if it sustains an immediate revenue stream.
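An added example (not written by any poster in this thread) of the check the post above says receiving networks should make: one query to zen, which combines the PBL with the XBL that carries CBL data, telling a policy-only listing apart from recent botnet activity. The documentation-range addresses and canned DNS answers are constructed so it runs offline, and the IPv6 query-name handling goes beyond what the thread covers.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# A-record answers published by Spamhaus for the combined zen zone.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL",   # exploited hosts / botnet activity (CBL data)
    "127.0.0.9": "DROP",
    "127.0.0.10": "PBL",  # policy range, maintained by the ISP itself
    "127.0.0.11": "PBL",  # policy range, maintained by Spamhaus
}


def dnsbl_qname(ip, zone=ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolver(qname):
    """Live lookup. Any resolution failure is treated as 'not listed'."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def decode(answers):
    """Map A records to list names; 127.255.255.x is an error, not a listing."""
    lists = set()
    for answer in answers:
        if answer.startswith("127.255.255."):
            raise RuntimeError("DNSBL refused the query (%s)" % answer)
        lists.add(ZEN_CODES.get(answer, "unknown:" + answer))
    return lists


def check(ip, resolver=system_resolver):
    """Return (action, lists) for a connecting SMTP client address."""
    lists = decode(resolver(dnsbl_qname(ip)))
    if "XBL" in lists:
        return "reject-botnet", sorted(lists)   # worth a CBL link in the report
    if "PBL" in lists:
        return "reject-policy", sorted(lists)   # range should not send direct to MX
    if lists:
        return "reject-listed", sorted(lists)
    return "accept", []


# Constructed answers for documentation addresses (192.0.2.0/24), not real data.
CONSTRUCTED_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.11"],               # PBL only
    "11.2.0.192.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"],  # PBL and XBL
    "12.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # query refused
}


def constructed_resolver(qname):
    return CONSTRUCTED_ANSWERS.get(qname, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.99"):
        print(ip, check(ip, constructed_resolver))
```

A refused query (the 127.255.255.x answers) raises instead of returning a verdict, so a resolver problem is never mistaken for a listing.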


Revisiting after questions raised in another topic. Belarus really is quite remarkable. The entire 37.212.0.0/14 (37.212.0.0 - 37.215.255.255) is in the PBL, similarly 178.120.0.0/14, that's 262,144 IP addresses each, not sure about 93.84.0.0/15 (93.84.0.0 - 93.85.255.255), that seems to be listed in /18 chunks, maybe not all of it. Don't know about other ranges off-hand.

What gets me is even IP's that have ZERO reports in SpamCop (I check) are not ever challenged by SpamCop Email Greylist (I check pending entries)?

Looks to me like SC Email is Whitelisting CBL listed IP's?

Not that it gets to my inbox but with this Botnet flood it makes it hard to check for false positives in VER folder.

Something rotten in Belarus But I suspect some hanky panky in SC email as well


What gets me is even IP's that have ZERO reports in SpamCop (I check) are not ever challenged by SpamCop Email Greylist (I check pending entries)?

Looks to me like SC Email is Whitelisting CBL listed IP's?

Not that it gets to my inbox but with this Botnet flood it makes it hard to check for false positives in VER folder.

Something rotten in Belarus But I suspect some hanky panky in SC email as well

Have come across a similar situation to Belarus with Peru. Looks like maybe almost all 181.66.0.0/15 is in the PBL, many, many in the CBL as well - but not QUITE to the extent of Belarus - but it seems to be in /18 chunks, haven't checked extensively. Maybe other ranges there as well. An expat working in the area (well, Chile) told me 15 years ago a person would be battling to find an uncompromised PC in Peru (a very "social" lot with their work PCs), I would regret the necessity of having to exchange e-mails there. It wasn't that bad really but I lost my prime spamsource, forever ramping up, when I eventually abandoned my old work e-mail address (no doubt still bouncing away, sorry IBM-ATT-Attglobal). But now the botnets are pretty-much universal and all those unwitting Peruvian "owners" are still providing a resource pool.

I ran up against the 2K note-space limit before I could list but a fraction in a recent report to Peruvian ISPs:

Participating in botnet - see http://cbl.abuseat.org/lookup.cgi?ip=181.67.206.15

Other subverted servers listed in CBL:

It's gone too far to be controlled - and it all started off with unwise browsing when PCs were a novelty, corporate guidelines were non-existent or unenforced and hard-working salary-men would exchange a few jokes and "gee-whiz" (and job-hunting) e-mails during the siesta.


What gets me is even IP's that have ZERO reports in SpamCop (I check) are not ever challenged by SpamCop Email Greylist (I check pending entries)?

Looks to me like SC Email is Whitelisting CBL listed IP's?

Not that it gets to my inbox but with this Botnet flood it makes it hard to check for false positives in VER folder.

Something rotten in Belarus But I suspect some hanky panky in SC email as well

The Russian text (Cyrillic) Malware is spreading to many nations now!

The fix is simply to change to a secure Password instead of the default admin/admin

Then scan for the Malware that has been installed on the server/computer after the password has been cracked! Not Rocket science
