w7psk Posted October 17, 2012 Share Posted October 17, 2012 I thought this was resolved yesterday? Parsing header: 0: Received: from btinternet2012.info (clickedmedia.mobi [178.239.54.201]) by mx.perfora.net (node=mxus3) with ESMTP (Nemesis) id 0MLNla-1TOg7b0k5K-0013TG for x; Tue, 16 Oct 2012 10:30:06 -0400 No unique hostname found for source: 178.239.54.201 1&1 received mail from sending system 178.239.54.201 Tracking message source: 178.239.54.201: Routing details for 178.239.54.201 Report routing for 178.239.54.201: abuse[at]netrouting.com ISP has indicated spam will cease; ISP resolved this issue sometime after Tuesday, October 16, 2012 6:58:38 AM -0700 Message is 22 hours old Link to comment Share on other sites More sharing options...
Farelf Posted October 17, 2012 Share Posted October 17, 2012 Different IP address (resolutions are by IP address, not ISP), same problem ["This IP is infected (or NATting for a computer that is infected) with a spambot we have not yet been able to identify. For the time being we refer to it as the unknown1501 spambot." according to CBL]. But they're given a little leeway on timing with SC, possibly a shade too early to call a foul on this one, on the basis of the data supplied - received stamp is just 31½ minutes after the 'sometime after' nomination: Received: ... Tue, 16 Oct 2012 10:30:06 -0400 (fairly much the same as the last CBL sighting) ... resolved ... sometime after Tuesday, October 16, 2012 6:58:38 AM -0700 Of course there should be nothing further from 178.239.54.201 if netrouting.com really have sorted it out. You would have to wonder though - seems like they may not have actual control. Or whether any "ISP resolved this issue" from this source is bogus. Time - and if CBL refuse to delist them any more - will tell. Other indications of spamfulness: 178.239.54.192 - 178.239.54.223 (178.239.54.192/27) is Tomora Studio, LLC - domains autotisingen.net, clickedmedia.mobi and wynnertise.me and you have seen spam from at least two of those - but they're all the same group (by behavior - registrars "WhoisGuard Protected" of course). Looking at SenderBase: http://www.senderbase.org/senderbase_queries/detailip?search_string=178.239.54.192%2F27 (=http://www.senderbase.org/senderbase_queries/searchorg?search_string=Tomora+Studio%2C+LLC) - that whole range looks just horrible. Link to comment Share on other sites More sharing options...
SpamCopAdmin Posted October 19, 2012 Share Posted October 19, 2012 I removed the "Will Cease" flag again. Now we wait. - Don D'Minion - SpamCop Admin - - Service[at]Admin.SpamCop.net - Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.