Fantastic spam run


elind

Moderator Edit: extracted from http://forum.spamcop.net/forums/index.php?showtopic=8987 after seeing the conclusion that there was no relationship between this spam issue and the 'blackmail threats'

I have received several hundred spam for "Free adult chat site now open", and they are still coming in every few seconds as I write this. They all report to APLUS.NET which seems to be a legit US ISP.

On the basis of the above, I wonder if this could be related?

Perhaps this is directed at APLUS.NET and I will just delete rather than continue to report and make it even worse for them.

On the basis of the above, I wonder if this could be related?

Not sure how anyone could answer your 'question' (?) You don't show how you think that there's a connection at all. The 'blackmail threats' appear to have been made against "make-fast-money-at-home" type sites. Is this what you found at your identified APLUS site?

Providing a Tracking URL would have possibly helped fill in the major missing details, starting with just what context this APLUS URL was referenced. "Report to" doesn't really define anything for me.

I was hoping something like this was recognized. Once, some time ago there was a wave of all the same spam, but this one is still going on hours later and must be in the many hundreds now. The website in the spam is invalid, so I guess it's an attack on aplus.net for whatever reason (or me at my spamcop email, but I doubt it). If nobody else is getting them, here are the headers.

Content-Type: text/html;

charset="iso-8859-1"

Return-Path: <admin[at]sweet-tequila-nights.com>

Content-Transfer-Encoding: quoted-printable

Received: from hrndva-mxlb.mail.rr.com ([10.128.255.5]) by hrndva-imta08.mail.rr.com with ESMTP id <20071211235402.MXSC26211.hrndva-imta08.mail.rr.com[at]hrndva-mxlb.mail.rr.com> for <ulind[at]tampabay.rr.com>; Tue, 11 Dec 2007 23:54:02 +0000

X-IronPort: hrndva-mx02.mail.rr.com 236862927

X-RR-Connecting-IP: 216.154.195.49

Received: from c60.cesmail.net ([216.154.195.49]) by hrndva-mxlb.mail.rr.com with ESMTP; 11 Dec 2007 23:54:02 +0000

Received: from unknown (HELO beta.cesmail.net) ([192.168.1.150]) by c60.cesmail.net with SMTP; 11 Dec 2007 18:54:02 -0500

Received: (qmail 13147 invoked by uid 0); 11 Dec 2007 23:54:01 -0000

Message-ID: <20071211235401.13146.qmail[at]beta.cesmail.net>

Delivered-To: spamcop-net-xxxxxxxx[at]spamcop.net

Received: (qmail 20815 invoked from network); 11 Dec 2007 23:53:34 -0000

X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter7

X-spam-Level: *********************

X-spam-Status: hits=21.2 tests=FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HEAD_ILLEGAL_CHARS,HTML_FONT_SIZE_LARGE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MISSING_MID,MISSING_MIMEOLE,MPART_ALT_DIFF,RCVD_NUMERIC_HELO,RDNS_DYNAMIC,SARE_BADGIRLS,SARE_UNSUB18,SUBJ_ALL_CAPSversion=3.2.3

Received: from unknown (192.168.1.107) by filter7.cesmail.net with QMQP; 11 Dec 2007 23:53:34 -0000

Received: from 69-64-89-90.dedicated.abac.net (HELO 69.64.89.90) (69.64.89.90) by mx70.cesmail.net with SMTP; 11 Dec 2007 23:53:34 -0000

From: =?iso-8859-1?B?ROsv76Pup2ggxfFH66M=?= <admin[at]sweet-tequila-nights.com>

Reply-To: =?iso-8859-1?B?ROsv76Pup2ggxfFH66M=?= <admin[at]sweet-tequila-nights.com>

To: <xxxxx[at]spamcop.net>

X-MSK: Off

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

Subject: FREE ADULT CHAT SITE NOW OPEN!

Date: Tue, 11 Dec 2007 20:44:46 -0300

X-Mailer: Microsoft Outlook, Build 10.0.2616

MIME-Version: 1.0

X-Priority: 3
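Added example, not part of the original post: a Python sketch that walks the Received lines above from newest to oldest and stops at the first hop where a trusted server accepted the message from outside, which is the address a report should be traced to. The trusted host suffixes and the known relay IP are assumptions made for this example; the Received lines are trimmed to their from/by part.

```python
import ipaddress
import re

# Received lines from the post above, header order (newest first), id/date trimmed.
RECEIVED = [
    "from hrndva-mxlb.mail.rr.com ([10.128.255.5]) by hrndva-imta08.mail.rr.com with ESMTP",
    "from c60.cesmail.net ([216.154.195.49]) by hrndva-mxlb.mail.rr.com with ESMTP",
    "from unknown (HELO beta.cesmail.net) ([192.168.1.150]) by c60.cesmail.net with SMTP",
    "(qmail 13147 invoked by uid 0)",
    "(qmail 20815 invoked from network)",
    "from unknown (192.168.1.107) by filter7.cesmail.net with QMQP",
    "from 69-64-89-90.dedicated.abac.net (HELO 69.64.89.90) (69.64.89.90) by mx70.cesmail.net with SMTP",
]

# Assumptions for this example: receiving hosts the recipient trusts, and
# public IPs known to be relays of those providers.
TRUSTED_BY = (".mail.rr.com", ".cesmail.net")
KNOWN_RELAYS = {"216.154.195.49"}  # also shown in X-RR-Connecting-IP
REPORT_BLOCK = ipaddress.ip_network("69.64.64.0/19")  # block named in the thread

HOP = re.compile(r"^from (\S+) .*?\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\) by (\S+)")
HELO = re.compile(r"\(HELO (\S+)\)")


def injection_point(received):
    """Return the first hop (newest to oldest) where a trusted server
    accepted mail from an address outside the trusted infrastructure."""
    for line in received:
        m = HOP.match(line)
        if not m:  # qmail bookkeeping lines carry no peer address
            continue
        name, ip, by = m.groups()
        if not by.endswith(TRUSTED_BY):
            return None  # written by an unknown host, so it may be forged
        addr = ipaddress.ip_address(ip)
        if addr.is_private or ip in KNOWN_RELAYS:
            continue  # internal handoff, keep walking
        helo = HELO.search(line)
        helo = helo.group(1) if helo else name
        return {
            "ip": ip,
            "accepted_by": by,
            # A bare IP as HELO is what RCVD_NUMERIC_HELO flags in X-spam-Status.
            "numeric_helo": bool(re.fullmatch(r"[\d.]+", helo)),
            "in_report_block": addr in REPORT_BLOCK,
        }
    return None


if __name__ == "__main__":
    print(injection_point(RECEIVED))
```

Any Received line older than the returned hop was supplied by the sender and carries no evidential weight.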

If nobody else is getting them, here are the headers.

Sorry ... I don't see any connection whatsoever with the subject of this Topic. Your APLUS.NET seems to be the e-mail address/Domain of the contact for the current owner of the 69.64.64.0/19 IP Block ... hardly a "web-site" ....

You offer up the headers of an e-mail, talk about the abuse contact point for the source of that e-mail ....

This Topic was about the threatened inclusion of a URL within spam e-mails (look up the term spamvertised in the Glossary or Wiki) .... there is no connection at this point between your query, sample, and the actual Topic here.

Seems you are more interested in finding reason to dismiss a post than address it.

Yes, it is not the same in that it is not an inclusion of a web site in an email, but it would appear to be a malicious attack against an ISP which seems to be common with the thread and it uses my spamcop email address, unless it is something dumber, like a programming error.

The spamcop tracing labels it as an open proxy, and a little further searching also finds a company called Abacus which is hosted by Aplus.net and that company also has a few google hits that cause some suspicion as to what business they are really in.

However, in all my years with spamcop I have never seen a surge like this. It suddenly shut off somewhere around 3 am this morning, but by then I had received well over 500 identical spam pointing to a non existent web site.

I had hoped someone else might also have received them or at least had more information to satisfy my curiosity.

Instead I get a petty analysis as to why the question is technically not identical to the thread topic.

Forget it.

Elind, I think the point is that you might get more response if this was in its own topic. Anyone having a similar experience might have passed by this part of the discussion, perhaps not even reading it. I will give you the option, do you want this split off into its own topic? 69-64-89-90.dedicated.abac.net was certainly well and truly listed last I saw and I would interpret that to mean they were compromised somehow. So sure, they are under attack, the same way as every other service is. And aplus.net has its share of detractors as you note - see also the reviewer comments for http://www.siteadvisor.com/sites/aplus.net - I'm not sure they deserve any sympathy but reports can only help them track down the injection point, if they have a mind to do that.

At one moment in time, I actually had the line "Moderator Edit: extracted from <this Topic>" edited into elind's first post here ... had all the relating posts tagged and was actually going to "split out and move" this whole section .... that is until it came time to give it a new Subject Line/Title and select a location ....

Based on the limited data provided .....

  • It wasn't a Reporting issue - addresses involved matched the header sample provided
  • It wasn't a SpamCopDNSBL issue
  • It wasn't a spam submittal issue, as it was stated that report targets were generated and had been sent
  • It wasn't a Lounge issue, based on that the query seemed to be about tying this spam to the 'blackmail threats'
  • It definitely had nothing to do with a SpamCop.net e-mail account problem

It was at this point that I re-edited elind's initial post to remove my 'extracted from' note ... posted my last 'there is no connection' post.

And for all that, someone feels rejected/ignored/slighted ?????

Seems you are more interested in finding reason to dismiss a post than address it.

Issue was addressed in the framework of trying to join your query to the Topic it was posted into and painted as a question about that relationship.

Yes, it is not the same in that it is not an inclusion of a web site in an email, but it would appear to be a malicious attack against an ISP which seems to be common with the thread

?? I don't follow that at all. Topic was started about an e-mail received that threatened possible action against web-sites.

The only thing you've offered thus far is a spam e-mail header that would seem to be pointed to the person/entity in charge of an IPA Block as far as reporting goes. Where are the similarities?

The spamcop tracing labels it as an open proxy,

Someone else lists 'open proxies' ... the parsing tool checks those other lists.

and a little further searching also finds a company called Abacus which is hosted by Aplus.net

Yes, that's the way the SpamCop.net Parsing & Reporting code works ...

However, in all my years with spamcop I have never seen a surge like this. It suddenly shut off somewhere around 3 am this morning, but by then I had received well over 500 identical spam pointing to a non existent web site.

Funny, I see it all the time. There are multiple instances of folks posting about seemingly similar instances, some are the spam recipients, others are the folks wondering why their e-mail (server) has been blocked .. on and on ..

I had hoped someone else might also have received them or at least had more information to satisfy my curiosity.

Instead I get a petty analysis as to why the question is technically not identical to the thread topic.

My focus was on trying to sort out why you wanted to see a connection between your spam and the 'blackmail threats' that the Topic was actually about.

At this point, it sounds like a Post into the Lounge area with the actual questions you are wondering about would have generated a totally different kind of response ... maybe even from 'all those others that should have seen your spam' ....

At this point, I'm not sure just what your question really is. I don't see anything 'new' in your described scenario.

Archived

This topic is now archived and is closed to further replies.
