Jump to content
Sign in to follow this  
wa3kf

lots of spam from me.uk

Recommended Posts

I am getting a ton of spam from misc addresses that end in me.UK. Not sure why this is not being blocked. The info before it is always different. Since it shows in the return path if I just blacklist me.UK should that stop it?

Share this post


Link to post
Share on other sites

I am getting a ton of spam from misc addresses that end in me.UK. Not sure why this is not being blocked. The info before it is always different. Since it shows in the return path if I just blacklist me.UK should that stop it?

"Blacklisting" mail based on any e-mail addresses that appear in it (like the return path) is seldom effective for any length of lime. This is because these addresses are easily forged and do not have to correspond to the actual origins of the message. Nor do these addresses really tell you where a message came from in most cases. What you need are the IP addresses of the services that allowed the spam to be sent, and for this you need to look elsewhere in the message. This is what SpamCop does when you give it a spam message to trace.

If you have some of these messages laying around, you might consider submitting a couple to get a tracking URL and then post this URL here so that folks can get a better look at the header.

-- rick

Share this post


Link to post
Share on other sites

"Blacklisting" mail based on any e-mail addresses that appear in it (like the return path) is seldom effective for any length of lime. This is because these addresses are easily forged [...]

I suggest the old "how I use Spamcop" threads

Some scammers have to use a plausible address (though I cherish from: paypal.con rather than paypal.com) so blacklisting these may be worth the trouble. I also have various countries blacklisted such as BR and some "straight-up" spam origin addresses.

Share this post


Link to post
Share on other sites

"Blacklisting" mail based on any e-mail addresses that appear in it (like the return path) is seldom effective for any length of lime. This is because these addresses are easily forged and do not have to correspond to the actual origins of the message. Nor do these addresses really tell you where a message came from in most cases. What you need are the IP addresses of the services that allowed the spam to be sent, and for this you need to look elsewhere in the message. This is what SpamCop does when you give it a spam message to trace.

If you have some of these messages laying around, you might consider submitting a couple to get a tracking URL and then post this URL here so that folks can get a better look at the header.

-- rick

Oh I understand that. I report the emails. And according to SPAMCOP each and every spam has a different point of origin. So the spammer is moving around to avoid detection. I am just plain tired of getting 50 of these a day. And while the reporting stops it at one location, it just picks up somewhere else. For now my method is filtering and I realize that will change.

Share this post


Link to post
Share on other sites

Oh I understand that. I report the emails. And according to SPAMCOP each and every spam has a different point of origin. So the spammer is moving around to avoid detection. I am just plain tired of getting 50 of these a day. And while the reporting stops it at one location, it just picks up somewhere else. For now my method is filtering and I realize that will change.

You have a SpamCop email account?

If so

me.uk

in black list would work

If not MailWasher is a must (Freeware for one account)

Very configurable and easy to report to your SuperSecretReportingSpamCop submision email address

Share this post


Link to post
Share on other sites

This is all a bit surprising. .me.uk is supposed to be for second-level personal ("vanity") domains, much like .id.au in Australia - I'm not aware of anything the same in the US but I guess the .us TLD serves a similar but wider purpose. They can be quite useful for families. What the O/P describes sounds like systematic abuse of the registrations which is unexpected. I can only suppose that .me.uk registrations are relatively cheap, if those are the actual spam sources (as opposed to spoofed e-mail addresses).

I don't suppose http://www.nominet.org.uk/ would be at all amused by this behaviour but then they don't appear to have any specific power to control it - though they could no doubt "lean" on registrars if they were in possession of the evidence. That might be an approach to explore if the hosting of this spam is dispersed (and hard to get "killed" through DNSBLs accordingly) - and if one was sufficiently annoyed to pursue it.

As petzl points out 88124[/snapback], it should be easy enough to keep out of the inbox through filtering.

Share this post


Link to post
Share on other sites

I got a lot of spam once from an outfit that made the mistake of using the same forged from-addresses or domains over and over. I got sick of their nonsense, so I set up a filter on my provider's webmail site that would route them straight to the bit bucket on receipt.

Mind you, I did examine a lot of these messages and developed a fairly well targeted Regular Expression to catch them, and I had to tweak it once afterward. Still, it did accomplish the goal of keeping them out of my inbox (though it did not stop them from sending, I am sure).

Also, on reflection, I'm not sure I shouldn't have received the messages anyway and then reported them (that's what I'd tend to do now).

-- rick

Share this post


Link to post
Share on other sites

I have captured thousands of IP addresses used by this .me.uk spammer using my Cisco IPS to inspect SMTP traffic using a regex statement.

In turn, I have firewalled thousands of IP's and many known spam source networks, such as:

BYFLY, CC, DATAPIPE, ENZU, EONIX, FIBER-UPLOAD, HOSTNOC, HSI, LAYERED-TECH, PSYCHZ, RACKCO, SERVIUS, SHARKTECH, SILVERPOP, SINGLEHOP, SWITZERLAND-PRIVATELAYER, TELEFONICA, VNPT-NET, and a few more.

I have rarely ever seen a legitimate email come from any of these sources. They have dozens, sometimes hundreds of class C's they give freely to spammers. They constantly move them around and let them spin up virtual spam servers on new IP's and I have sent every one of them multiple detailed spam reports which include logs, headers and content. None of them respond.

I suggest you firewall them all from port 25 traffic. The sooner we isolate their networks from the world the better. They should be forced to return their spam networks to IANA and free up IPv4 resources for those of us that run spam free networks and take immediate action when mail accounts are compromised.

In fact, we just finished writing software for Zimbra that detects compromised accounts within a few minutes of bots logging into them and automatically disables the account and terminates all sessions. The software then sends a Cisco ACL formatted list of the bot IP addresses to us for entry into our firewall. It's slick.

If anyone wants my Cisco ACL list for these major spam sources, just ask. I'll be happy to share it. Just keep in mind, it's large and aggressive. I don't tolerate providers that support spammers by reassigning them to multiple class C's and/or don't respond to abuse reports.

David Kopacz, CTO

ASPwebhosting.com

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×