fliptop

recent significant increase in hotmail spam?


has anyone noticed a significant increase in spam from hotmail accounts? i've noticed over the past couple of months it's been increasing to the point where almost 1/3 of the spam i get is from somebay.somebay.hotmail.com. here's an example of 7 in a row i just received:

http://www.spamcop.net/sc?id=z787824156z65...619da3e21a3a70z

it looks like hotmail is not even in the top 98 on the statistics page. is anyone else experiencing the same, or am i the only one?

thanks, paul

The actual spammer in this case is most probably abusing the "Confirmed open http-post proxy" (as listed by SORBS with code 127.0.0.6) at IP Address 80.88.128.12 in inetnum 80.88.128.0 - 80.88.128.127 with netname EMP-MFG-NOC to post via HTTP using MSN commercial account maryjones[at]maryjonesworld.com, so the Parser rightly wants to notify abuse[at]hotmail.com. Per Routing details for 80.88.128.12:

Reports routes for 80.88.128.12:
routeid:633353 80.88.128.0 - 80.88.143.255 to:emperion.net[at]devnull.spamcop.net
Administrator interested in all reports

Monday, May 31, 2004 09:37:44 -0400
Corrupt notes were found here - combined raw data below:
[Note added by 158.152.24.165 (lef.demon.co.uk)]
emperion does not want reports from spamcop, per email from Kim Wohlert at
Emperion. Abuse.net record is incorrect (hence use of IP-range routing to disable
spamcop reports rather than address-based disabling)

04/23/02 23:55:11 IP block 80.88.143.0[at]whois.ripe.net
Trying 80.88.143.0 at ARIN
Trying 80.88.143 at ARIN
Redirecting to RIPE ...
Trying 80.88.143.0 at RIPE
Trying 80.88.143 at RIPE
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 80.88.128.0 - 80.88.143.255
netname: DK-EMPERION-20010828
descr: Emperion A/S
descr: PROVIDER LOCAL REGISTRY
country: DK
admin-c: KW6968-RIPE
tech-c: SRL7-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: EMP-NOC-MNT
mnt-routes: EMP-NOC-MNT
changed: hostmaster[at]ripe.net 20010828
source: RIPE

route: 80.88.128.0/20
descr: DK-EMPERION-20010828-ROUTE
origin: AS21125
mnt-by: EMP-NOC-MNT
changed: kmw[at]Emperion.net 20010906
source: RIPE

person: Kim Wohlert
address: Emperion A/S
address: Middelfartgade 7
address: 2100 Koebenhavn Oe
address: DK
phone: 45 3929 3530
e-mail: kmw[at]emperion.net
nic-hdl: KW6968-RIPE
mnt-by: EMP-NOC-MNT
changed: andreas[at]dk.uu.net 20010807
changed: hostmaster[at]dk.uu.net 20010903
changed: kmw[at]emperion.net 20020110
source: RIPE

person: Steen R. Larsen
address: Emperion A/S
address: Middelfartgade 7
address: DK-2100 Copenhagen OE
address: Denmark
phone: 45 39252560
fax-no: 45 26310986
e-mail: srl[at]emperion.net
nic-hdl: SRL7-RIPE
notify: noc[at]emperion.net
changed: hostmaster[at]ripe.net 20010816
source: RIPE

1019602680

I suggest that you send a Report or Manual Report for this spam to the immediate upstream abuse[at]sprintlink.net because "emperion does not want reports from spamcop, per email from Kim Wohlert at Emperion."

Edit: added in a few new-lines to bring the window width back to something a bit more reasonable.

Edited by Wazoo

The actual spammer in this case is most probably abusing the "Confirmed open http-post proxy" (as listed by SORBS with code 127.0.0.6) at IP Address 80.88.128.12 in inetnum 80.88.128.0 - 80.88.128.127 with netname EMP-MFG-NOC to post via HTTP using MSN commercial account

Edit: added in a few new-lines to bring the window width back to something a bit more reasonable.

hi jeff g - i implement a sorbs bl at my mail server. are you saying that, in order to get around being on the sorbs list, spammers are using bl servers to send spam through other legitimate avenues?

thanks, paul


Yes, I'm afraid so. :(

Yes, I'm afraid so. :(

well that bites the big one. what's the point of using bl lists like sorbs if the spammers will just use the bl'd machines to post spam through a web-based imap host?

does this mean anyone running squirrelmail or the like will need to start checking web visitors against bl's? egad, it will never stop, will it.............?

anyway, to get back to my original question, has anyone else noticed a significant increase in spam coming from hotmail as the last stop before reaching your local server?

thanks, paul
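One way a receiving server can still apply a blocklist to mail relayed by a webmail host, as an added example that is not part of the original thread: check the client IP the webmail front end recorded, not only the connecting relay. It assumes the provider adds an `X-Originating-IP` header and that the server queries the `dnsbl.sorbs.net` zone; the sample message and the stub resolver data are constructed.

```python
import ipaddress
import re
from email import message_from_string

DNSBL_ZONE = "dnsbl.sorbs.net"  # assumption: zone the receiving server already uses

# Constructed sample: relayed by Hotmail, posted from the proxy IP named in the thread.
SAMPLE = """\
Received: from somebay.somebay.hotmail.com (unknown [192.0.2.25])
\tby mx.example.org with ESMTP; 1 Jan 2005 00:00:00 +0000
X-Originating-IP: [80.88.128.12]
From: sender@example.com
Subject: constructed sample

body
"""

def injected_client_ip(raw_message):
    """Return the IPv4 client address recorded by the webmail host, or None."""
    value = message_from_string(raw_message).get("X-Originating-IP", "")
    match = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", value)
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # e.g. an octet above 255
        return None

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def stub_resolver(name):
    """Offline stand-in for a DNS A lookup; constructed data mirroring the thread."""
    return {"12.128.88.80.dnsbl.sorbs.net": ["127.0.0.6"]}.get(name, [])

def verdict(raw_message, resolve):
    """Classify a message by the DNSBL status of its webmail-recorded origin."""
    ip = injected_client_ip(raw_message)
    if ip is None:
        return ("no-origin-header", None, [])
    listed_range = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here
    codes = [a for a in resolve(dnsbl_name(ip)) if ipaddress.ip_address(a) in listed_range]
    return ("listed" if codes else "clean", str(ip), codes)

if __name__ == "__main__":
    print(verdict(SAMPLE, stub_resolver))
```

The header is only as trustworthy as the host that wrote it, so apply this check only when the topmost Received line shows the message really arrived from that webmail provider.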

anyway, to get back to my original question, has anyone else noticed a significant increase in spam coming from hotmail as the last stop before reaching your local server?

thanks, paul


I'm starting to get a persistent spammer (porn) to what was a clean hotmail account with a "hard_2_guess[at]hotmail.com" address

The best defence is attack: report all spam. In the case of Hotmail I not only report through SpamCop but also put it in Hotmail's "junk" folder, then delete/trash it, and Hotmail will then present a popup to allow you to report it as "junk". Hotmail actively hunts down spammers worldwide

Once reported it pays to use Blocklists; however, when using a selectable number of blocklists as well as personal blacklists, these need to be overridden by your personal Whitelist (simpler to get the only email address you will ever need

The best defence is attack: report all spam. In the case of Hotmail I not only report through SpamCop but also put it in Hotmail's "junk" folder, then delete/trash it, and Hotmail will then present a popup to allow you to report it as "junk". Hotmail actively hunts down spammers worldwide

i don't use hotmail, i have my own server and about 50 email addresses. most are published, and i used to receive quite a bit of spam. but since declaring war on spam 2 years ago, i've been able to get it from 600-1000 per day down to less than 30. and the 30 i get are the hardcore porn viagra cheap windoze software low mortgage home loan penis enlarging international lotto winners with the best stock picks. as if i'd need viagra with all that hardcore porn anyway, but i digress.....

regards, paul


In my case, kornet and scum like that is getting desperate, tapping my firewalled ports, and sending all kinds of disgusting spam. Nothing seems to stop them..

Are you alone, bored and would like to meet the

best of your city!?

Ladies and gentlemen, meet the love of your life,

search for a .5EX partner now!

..whatever 5 Ex is, I only had 3...

Edited by dra007


So I've wondered... What exactly does Hotmail do when I report to them that a message is spam? Sure, I get the nifty pop-up box, then it deletes the mail, but what is their meaning of "report as junk" ?

anyone?


I hope they go after the spammers. I report that spam manually here since SC is no longer able to pop from hotmail. I also report there both on the junkmail button and the pop up on delete then select for reporting. Time consuming and I have noticed no change in the amount and source of spam I get there as yet. Mostly kornet/cnc-noc and Russian filthy scum.. I hope eventually they will be blocked if enough people report them.. but I don't think a server as large as hotmail is taking individual reporting seriously...One can only hope..

Edited by dra007


What is rather disturbing is that recently Korean and Chinese sources seem to be mixed in the same spam...as if defiantly, this is one I just reported. In this case the subject line had information which clearly identified me as a receiver:

Please make sure this email IS spam:

From: Wendy Wett <WendyWett[at]massagecastle.com> (SEXUALLY-EXPLICIT: Sweet cuties and their precious golden liquor IDENTIFIER REMOVED!)

This is a multipart message in MIME format.

/snip

Report spam to:

Re: 221.5.2.12 (Administrator of network where email originates)

To: postmaster#cnc-noc.net[at]devnull.spamcop.net (Notes)

To: abuse[at]chinanet.cn.net (Notes)

Re: Forwarded spam (User defined recipient)

To: spam[at]UCE.GOV (Notes)

Re: http://www.ezlapdance.com/nomoremail (Administrator of network hosting website referenced in spam)

To: abuse[at]kornet.net (Notes)

, I get the nifty pop-up box, then it deletes the mail, but what is their meaning of "report as junk" ?

anyone?


This has just recently changed from "report as spam" not sure why

However sites of spammers as well as spam companies seem to regularly end up before the courts

SC is no longer able to pop from hotmail.


What exactly do you mean by that? It's working for me just fine with multiple MSN Hotmail accounts at present. :)
