DavidT Posted September 17, 2006
I've seen a rather disturbing sudden increase in spam received at multiple addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA" (with the "xxx" being three random lowercase letters), which account for much of the increased volume, but not all (I don't keep careful statistics). Thankfully, the SpamAssassin implementation on my SC email account is catching almost all of it. I think that the SA testing probably happens before BL checking, because out of 55 messages in my Held Mail this morning, 52 of them were put there due to the SA scoring, and 3 due to being listed on the CBL. Similar stats with my other SC email account. I think that for the next few days, I'll regularly scan the folder for anything blocked due to "bl.spamcop.net" because I think that's usually the case with a significant portion of what winds up in my Held Mail folder. DT
agsteele Posted September 18, 2006
I've seen a rather disturbing sudden increase in spam received at multiple addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA" (with the "xxx" being three random lowercase letters), which account for much of the increased volume, but not all (I don't keep careful statistics). Thankfully, the SpamAssassin implementation on my SC email account is catching almost all of it.
Yes, I agree that whoever is pumping out this PH***ARMA stuff (and also PHA***RMA) seems to be more active. Using a SpamCop Email account with the various spam blocking functions fairly keenly set, I'm not seeing any arriving in the mailbox, but the held mail folder is certainly a little more full. I've noted for a long time that SpamAssassin identifies more spam than the various BLs, but I'm unsure which test comes first in the chain. Presumably, if SpamAssassin is the first check then much of the junk gets weeded out before a BL check. It would be interesting but otherwise not necessary for me to know. Andrew
Lking Posted September 18, 2006
I've seen a rather disturbing sudden increase in spam received at multiple addresses on several domains. A lot of them have the Subject "Re: my PHxxxARMA"
Yes, that subject sure is the current leader, as many as 30-40 a day to my domain. But as stated in another thread, my overall spam count is fairly flat, 145-185 per day.
epgeek Posted September 20, 2006
Yes, that subject sure is the current leader, as many as 30-40 a day to my domain. But as stated in another thread, my overall spam count is fairly flat, 145-185 per day.
I am also seeing a lot of these spams, including this one from 5 minutes ago: PHmkARcMA ... You would certainly suspect that they all came from the same spammer creep. Perhaps if this one scumbag could be tracked down and stopped (or shot) there would be a slight but noticeable drop in spam??? This guy certainly leaves a lot of tracks around the Internet. Surely law enforcement somewhere could devote a little time to this. How many tax dollars has spam[at]uce.gov wasted doing nothing to this point? Here's a novel idea: perhaps all the dollars wasted on enforcement for CAN-SPAM should be lavished on SpamCop, where they might do some good.
showker Posted October 3, 2006
Another frequent one... several dozen since yesterday. But I doubt you'll find the actual spammer -- I believe it's a zombie propagated to user PCs. I've done a bit of hand tracking on that one and it does bounce around quite a bit all over the world. This is another of those cases where the SPAMVERTISER should be the trail, and NOT the sender. If you follow the money trail up the chain, it comes back to a Canadian attempting to get associate fees from one of the bigger online pharmacies. The host of which will not respond, and denies that they're hosting the spamvertised site. /-(
showker Posted October 4, 2006
FOLLOW UP
I tracked five of the SAME emails this morning... to three different "honey pot" addresses, and found they ALL came from the SAME IP ... However, when tracking that IP I came up empty handed... Response said:
> Server Used: [ none ]
> ERROR: IP Range Reserved by IANA.org
So, the big questions are:
? How does the spammer use a "none" server to send spam, and
? What is a "reserved" IP by IANA, and
? Why IANA would allow this use of a "reserved" IP doesn't make sense.
I think I should post this as a new topic. Fred
Miss Betsy Posted October 4, 2006
Don't quote me, but I think an 'IP reserved...' is for internal use only. I am not an experienced headers reader (only very simple ones), but I think that you went one line too far and got a forged one. Miss Betsy
Telarin Posted October 4, 2006
I would have to agree with Miss Betsy on her header analysis assumption. Care to offer up a tracking URL for one of those messages so we can all have a look at what kind of header games the spammer is using?
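The header-walking point made in the two posts above (stop at your own MTA's hops, and treat anything below them as possibly forged) is worth seeing in code. The following is an added example written for this page, not code from any poster or from SpamCop. The trusted hostnames, the Received: chain, the addresses in it and the subject lines are all constructed for the demonstration; the "public" hop deliberately uses a TEST-NET address so that no real host is named, which is why the TEST-NET documentation blocks are left out of the non-routable list. It also shows the lowercase-padding trick behind "PHxxxARMA" / "PHmkARcMA" as a generalised check rather than one fixed pattern.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# IANA special-purpose ranges that cannot be a public sender (RFC 6890 subset).
# A Received: line naming one of these is either our own internal relaying or a
# header the spammer forged underneath ours. The TEST-NET documentation blocks
# (192.0.2/24, 198.51.100/24, 203.0.113/24) are intentionally omitted so the
# constructed sample below can use one as a stand-in public address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hostnames of the receiving MTAs we operate (assumed for this example).
TRUSTED_HOSTS = {"mx.example.net", "mail.example.net"}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: two hops written by our MTAs, then a forged bottom line
# pointing at loopback, which is what "IP Range Reserved by IANA" looks like.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <victim@example.net>; Wed, 4 Oct 2006 08:12:01 +0000
Received: from 203-0-113-77.dsl.example.org (unknown [203.0.113.77])
\tby mx.example.net (Postfix) with SMTP id 9Z8Y7X
\tfor <victim@example.net>; Wed, 4 Oct 2006 08:11:58 +0000
Received: from mail.example.com ([127.0.0.1])
\tby localhost with SMTP; Wed, 4 Oct 2006 08:11:50 +0000
From: "Alice" <alice@example.com>
Subject: Re: my PHmkARcMA
Content-Type: text/plain

buy now
"""


def is_non_routable(ip: str) -> bool:
    """True for addresses in IANA special-purpose (non-public) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def find_source_ip(raw_message: str) -> Optional[str]:
    """Walk Received: lines top-down (nearest to us first).

    Every hop must have been written 'by' one of our trusted hosts; the first
    such hop whose 'from' address is publicly routable is the real handoff to
    us. Hops below that were never written by us and are ignored as untrusted.
    """
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        by = RECEIVED_BY.search(hop)
        ips = RECEIVED_IP.findall(hop)
        if not by or by.group(1).lower() not in TRUSTED_HOSTS or not ips:
            return None  # trust boundary crossed without a usable hop
        from_ip = ips[0]
        if not is_non_routable(from_ip):
            return from_ip
        # internal relay between our own hosts: keep walking down
    return None


def naive_last_hop_ip(raw_message: str) -> Optional[str]:
    """The 'one line too far' mistake: take the bottom Received: at face value."""
    hops = message_from_string(raw_message).get_all("Received", [])
    if not hops:
        return None
    ips = RECEIVED_IP.findall(" ".join(hops[-1].split()))
    return ips[0] if ips else None


def obfuscated_brand(subject: str, brands=("PHARMA", "MEDS")) -> Optional[str]:
    """Detect lowercase letters padded into an uppercase word (PHxxxARMA,
    PHmkARcMA): drop the lowercase letters and compare with known brands."""
    for token in subject.split():
        stripped = re.sub(r"[a-z]", "", token)
        if stripped in brands and token != stripped:
            return stripped
    return None


if __name__ == "__main__":
    print("trusted walk :", find_source_ip(SAMPLE))
    print("naive bottom :", naive_last_hop_ip(SAMPLE), "(non-routable:",
          is_non_routable(naive_last_hop_ip(SAMPLE)), ")")
    print("subject pad  :", obfuscated_brand("Re: my PHmkARcMA"))
```

Because the walk returns at the first public address handed to one of our own MTAs, any Received: line the sender appended beneath it, whether it names a loopback address or a plausible-looking third-party host, is never consulted; that is the property a manual trace loses when it reads the chain from the bottom up.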
TerryNZ Posted October 5, 2006
Both the PHAxxxRMA and the MExxxDS spams are from ROKSO #2 most wanted, Leo Kuvayev. Leo has an automated domain registration system. It generates a domain name by putting together a random selection of syllables. You will see names like hadegerfuntion and quijindesfuma etc. Every hour his autoregistrator registers a name with Beijing Innovative Technology. If you want to view the pattern of his registrations, try this link. His technique is to create a site and spam it every hour, then move on to the next, in the hopes of staying ahead of SpamCop. If you look up the name servers for these spamvertized sites, you will find that they are limited to just these few. Look up the registrars for the name servers, and there are only two. My team have requested the registrars to remove the name servers to close down access to over 2,500 of his sites. Only one pair of nameservers were removed, resulting in over 70 sites being made inaccessible. Of the two registrars, XIN Net is the slower to move. If you have the ability to add addressees to your SpamCop reports, select the ones listed below, and copy/paste a request to remove these nameservers. The stated reason for your request is that the Registrar is sponsoring a known criminal, Leo Kuvayev, who was tried and found guilty in a court in Massachusetts. He escaped the country without paying a fine of several million dollars.
NAME SERVER . . . . . . . . . . . REGISTRAR
ns0.shionmkindefunjas.com . . . . XIN Net
ns0.quijindeshkinmas.com . . . . Beijing Innovative
ns0.avuihdesunhawio.com . . . . . Beijing Innovative << DONE >>
ns0.sadewunmkedefuna.com . . . . Beijing Innovative << DONE >>
ns0.hertunjinkdastion.com . . . . XIN Net
ns0.vckionldesunjas.com . . . . . Beijing Innovative
ns0.hadesunjadukinma.com . . . . XIN Net
ns0.hadegandestui.com . . . . . . Beijing Innovative << DONE >>
ns2.yadesaxinmer.com . . . . . . XIN Net
ns3.ovdesaxinme.com . . . . . . . Beijing Innovative << DONE >>
Addressees
-------------
Beijing Innovative . . . . liwei[at]dns.com.cn, huyan[at]dns.com.cn, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn
XIN Net. . . . . . . . . . . . registrar[at]xinnet.com, abuse[at]anti-spam.cn, spam[at]ccert.edu.cn
Axxxim Posted December 11, 2008
Dear US and Canada Capitalist Pigs, If you'll notice, each XIN NET spam email will contain a simple HTTP graphics file call to display a picture in your email. This simple code allows our Chinese government to grab and log your personal IP on our servers for our planned cyber attack support on your spoiled and selfish country! It also provides some information on the times you check email. Think of what a country could do with a complete, sniffed-out list of active IPs of its enemy. Your internet will be of no use. Your country is too Open. Long live the People's Republic! Please wake up, spread the word and do everything to stop XIN NET now!
Lking Posted December 11, 2008
Dear US and Canada Capitalist Pigs,
Speaking of spam. The first copy got a smile. The second... Well, your newness is showing.
Farelf Posted December 11, 2008
Speaking of spam. The first copy got a smile. The second... Well, your newness is showing.
Yeah - cross posting is never encouraged; he did the same thing at CastleCops. Heart is no doubt in the right place, but that's no excuse for bad manners. Tempted to let it stand as a visible reminder (though illustrating what not to do is rarely a good idea) - and since this is an appropriate topic.
agsteele Posted December 12, 2008
Dear US and Canada Capitalist Pigs,
I'd like to place on record that I'm deeply offended to have been left out of the farm... Andrew
Farelf Posted December 12, 2008
I'd like to place on record that I'm deeply offended to have been left out of the farm...
We colonials cordially revile you as the source of all those bloody convicts - does that compensate? http://img519.imageshack.us/img519/1264/convictsss3.jpg