Jump to content

Noticeable increase in spam


DavidT
 Share

Recommended Posts

I've seen a rather disturbing sudden increase in spam received at multipe addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA" (with the "xxx" being three random lowercase letters), which account for much of the increased volume, but not all (I don't keep careful statistics). Thankfully, the SpamAssassin implementation on my SC email account is catching almost all of it.

I think that the SA testing probably happens before BL checking, because out of 55 messages in my Held Mail this morning, 52 of them were put there due to the SA scoring, and 3 due to being listed on the CBL. Similar stats with my other SC email account. I think that for the next few days, I'll regularly scan the folder for anything blocked due to "bl.spamcop.net" because I think that's usually the case with a significant portion of what winds up in my Held Mail folder.

DT

Link to comment
Share on other sites

I've seen a rather disturbing sudden increase in spam received at multipe addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA" (with the "xxx" being three random lowercase letters), which account for much of the increased volume, but not all (I don't keep careful statistics). Thankfully, the SpamAssassin implementation on my SC email account is catching almost all of it.

Yes, I agree that whomever is pumping out this PH***ARMA stuff (and also PHA***RMA) seems to be more active.

Using a SpamCop Email account with the various spam blocking functions fairly keenly set I'm not seeing any arriving in the mailbox but the held mail folder is certainly a little more full :)

I've noted for a long time that SpamAssassin identifies more spam that the various BLs but I'm unsure which test comes first in the chain. Presumably, if SpamAssassin is the first check then much of the junk gets weeded out before a BL check. It would be interesting but otherwise not necessary for me to know.

Andrew

Link to comment
Share on other sites

I've seen a rather disturbing sudden increase in spam received at multipe addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA"
Yes that subject sure is the current leader, as many as 30-40 a day to my domain. But as stated in an other thread my overall spam count is fairly flat, 145-185 per day.
Link to comment
Share on other sites

Yes that subject sure is the current leader, as many as 30-40 a day to my domain. But as stated in an other thread my overall spam count is fairly flat, 145-185 per day.

I am also seeing a lot of these spams including this one from 5 minutes ago: PHmkARcMA ...You would certainly suspect that they all came from the same spammer creep. Perhaps if this one scum bag could be tracked down and stopped (or shot) there would be a slight but noticeable drop in spam??? This guy certainly leaves a lot of tracks around the Internet. Surely law enforcement somewhere could devote a little time to this. How many tax dollars has spam[at]uce.gov wasted doing nothing to this point? Here's a novel idea: perhaps all the wasted dollars on enforcement for CAN spam should be lavished on spam COP where they might do some good.

Link to comment
Share on other sites

  • 2 weeks later...

Another frequent one... several dozen since yesterday.

But I doubt you'll find the actual spammer -- I believe it's

a zombie propagated to user PCs.

I've done a bit of hand tracking on that one and it does bounce around

quite a bit all over the world.

This is another of those cases where the SPAMVERTISER should be

the trail, and NOT the sender.

If you follow the money trail up the chain, it comes back to a Canadian

attempting to get associate fees from one of the bigger online

pharmacys. The host of which will not respond, and denies that

they're hosting the spamvertised site.

/-(

Link to comment
Share on other sites

FOLLOW UP

I tracked five of the SAME emails this morning... to three different

"honey pot" addresses, and found they ALL came from the SAME

IP ...

However, when tracking that IP I came up empty handed...

Response said:

> Server Used: [ none ]

> ERROR: IP Range Reserved by IANA.org

So, the big question is:

? How does the spammer use a "none" server to send spam, and

? What is a "reserved" IP by IANA, and

? Why would IANA allow this use of a "reserved" IP

doesn't make sense.

I think I should post this as a new topic.

Fred

Link to comment
Share on other sites

Both the PHAxxxRMA and the MExxxDS spams are from ROKSO #2 most wanted, Leo Kuvayev.

Leo has an outomated domain registration system. It generates a domain name by putting together a random selection of syllables. You will see names like hadegerfuntion and quijindesfuma etc. Every hour his autoregistrator registers a name with Beijing Innovstive Technology. If you want to view the pattern of his registrations, try this link

His technique is to create a site and spam it every hour, then move on to the next, in the hopes of staying ahead of SpamCop.

If you look up the name servers for these spamvertized sites, you will find that they are limited to just these few. Look up the registrars for the name servers, and there are only two. My team have requested the registrars to remove the name servers to close down access to over 2,500 of his sites. Only one pair of nameservers were removed, resulting in over 70 sites being made inaccessible. Of the two registrars, XIN Net is the slower to move. If you have the ability to add addressees to your SpamCop reports, select the ones listed below, and copy/paste a request to remove these nameservers.

The stated reason for your request is that the Registrar is sponsoring a known criinal, Leo Kuvayev, who was tried and found guilty in a court in Massachussets. He escaped the country without paying a fine of several million dollars.

NAME SERVER . . . . . . . . . . . REGISTRAR

ns0.shionmkindefunjas.com XIN Net

ns0.quijindeshkinmas.com Beijing Innovative

ns0.avuihdesunhawio.com Beijing Innovative << DONE >>

ns0.sadewunmkedefuna.com Beijing Innovative << DONE >>

ns0.hertunjinkdastion.com XIN Net

ns0.vckionldesunjas.com Beijing Innovative

ns0.hadesunjadukinma.com XIN Net

ns0.hadegandestui.com Beijing Innovative << DONE >>

ns2.yadesaxinmer.com XIN Net

ns3.ovdesaxinme.com Beijing Innovative << DONE >>

Addressees

-------------

Beijing Innovative . . . . liwei[at]dns.com.cn, huyan[at]dns.com.cn, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn

XIN Net. . . . . . . . . . . . registrar[at]xinnet.com, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn

Edited by TerryNZ
Link to comment
Share on other sites

  • 2 years later...

Dear US and Canada Capitalist Pigs,

If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email. This simple code allows our Chinese government to grab and log your personal IP on our servers for our planned cyber attack support on your spoiled and selfish country! It also provides some information on times you check email. Think of what a country could do with a complete list of active and sniffed out list of IPs of its enemy. Your internet will be of no use. You're country is too Open. Long live the People's Republic!

Please wake up, spread the word and do everything to stop XIN NET now!

Link to comment
Share on other sites

Speaking of spam. The first copy got a smile. The second... Well your newness is showing.
Yeah - cross posting is never encouraged, he did the same thing at CastleCops. Heart is no doubt in the right place but that's no excuse for bad manners. Tempted to let it stand as a visible reminder (though illustrating what not to do is rarely a good idea) - and since this is an appropriate topic.
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...