claudeo Posted September 12, 2006

Been receiving a whole slew of spam from this domain today. They brazenly use an [at]twomarktrk.com return address because they know it won't go anywhere, and they go right through my spamcop email account filter.

They're flying under the radar. Whois queries on twomarktrk.com return nothing, but they managed to get DNS because forward.twomarktrk.com, which is the address they use for clicks in their messages, does resolve. A ping of that finds a server that responds.

For example, report ID 1917846671 (I don't know whether you can see that -- I forgot to copy the links after filing the report in the web interface). But here is what looks like a full link: http://www.spamcop.net/sc?id=z1062820437z9...14bac4790525b6z

Farelf Posted September 12, 2006

> ... They're flying under the radar. Whois queries on twomarktrk.com return nothing, but they managed to get DNS because forward.twomarktrk.com, which is the address they use for clicks in their messages, does resolve. A ping of that finds a server that responds. For example, report ID 1917846671 (I don't know whether you can see that -- I forgot to copy the links after filing the report in the web interface). But here is what looks like a full link: http://www.spamcop.net/sc?id=z1062820437z9...14bac4790525b6z

Hi claudeo - yes that link works. The parser results vary over time and that applies to your previous parses (the past "reports" are not static). I can't see the problem as it stands, we have resolution of the sender and the spamvertized links (the same provider, which spammers sometimes do to make them "agile"). I gather this was not happening before or do you disagree with the parser results as shown? - with

    Cached whois for 64.1.215.4 : abuse[at]xo.com
    Using best contacts abuse[at]algx.net
    **********************************
    Tracking link: <http://forward.twomarktrk.com/clients/pass.aspx?ident=osypwf9atvuufhlxufxexv1smcr2dqicvflfuftduzt7da0aw11u>
    [report history]
    Resolves to 64.1.215.4
    Routing details for 64.1.215.4
    [refresh/show] Cached whois for 64.1.215.4 : abuse[at]xo.com
    Using best contacts abuse[at]algx.net

If that outfit continues to spam at the rate it is, it is certainly making the SCBL (and maybe others) as it goes. http://www.senderbase.org/?searchBy=ipaddr...ng=64.1.215.4 currently gives

    Volume Statistics for this IP
                    Magnitude   Vol Change vs. Average
    Last day        0.0         -100%
    Last 30 days    1.3         236%
    Average         0.8

which seems to show the run on that IP is over.

The same outfit appears to be using IP 64.1.215.191 which is listed already. They have a heap of them (SenderBase shows 230), others of which may be already listed (you can feed them one at a time into the SenderBase lookup - or at least those with relatively big differences between the daily and monthly averages - as another way to see if they're blocked, and not just by SC). They probably rotate these things to keep the flow going (the agility thing). No wonder you have the impression you're getting nowhere. Keep at it is all I could advise (others will be reporting them too).

Ok yeah - that return email address is "responsive" http://www.dnsstuff.com/tools/mail.ch?doma...0twomarktrk.com which is not to say it exists, just that it is possible (it reaches a mail exchange server).

Farelf Posted September 12, 2006

> ... The same outfit appears to be using IP 64.1.215.191 which is listed already. They have a heap of them (SenderBase shows 230), others of which may be already listed (you can feed them one at a time into the SenderBase lookup - or at least those with relatively big differences between the daily and monthly averages - as another way to see if they're blocked, and not just by SC). ...

It would be remiss of me not to point out that the quick way is to look up that IP in the SCBL - http://www.spamcop.net/w3m?action=checkblo...ip=64.1.215.191 then just scroll down to "Other hosts in this "neighborhood" with spam reports" and see some 190 of the 230 listed there - reinforcing the rotation of IPs scenario.

This outfit is a menace all right - but easily filtered as things stand. Their domain total - http://www.senderbase.org/search?searchBy=...ing=lso-snd.com shows

    Volume Statistics for this Domain
                    Magnitude   Vol Change vs. 30 Day
    Last day        5.8         97%
    Last 30 days    5.5

- say 1 million messages per day -

    lonestaroffers.com
    13423 Blanco Road
    San Antonio
    US
    +1 210 635 9116
    abuse[at]lonestaroffers.com

FWIW (very little, I suspect).

StevenUnderwood Posted September 12, 2006

> Been receiving a whole slew of spam from this domain today. They brazenly use an [at]twomarktrk.com return address because they know it won't go anywhere, and they go right through my spamcop email account filter.

    Reports regarding this spam have already been sent:
    Re: 64.1.215.205 (Silent report about source of mail)
       Reportid: 1917890340 To: mole[at]devnull.spamcop.net
    Re: http://forward.twomarktrk.com/clients/clea...ftduzt7da0aw11u (Silent report about spamvertisement)
       Reportid: 1917890344 To: mole[at]devnull.spamcop.net
    Re: http://forward.twomarktrk.com/clients/pass...ftduzt7da0aw11u (Silent report about spamvertisement)
       Reportid: 1917890346 To: mole[at]devnull.spamcop.net

Please be aware that as of the last public information, mole reporting has no value in getting IP addresses listed (and therefore blocked by the SCBL). Please look up the current definition in the FAQ here.

Archived
This topic is now archived and is closed to further replies.