fritz2cat Posted August 20, 2008

Hello,

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

They have in common:
- they are using dedicated hosts
- they set-up correctly their host name, and reverse, their MX and even their SPF
- their hostname is named ssl.*
- they send from an address within their domain. Didn't check whether the user part in the address is valid.
- they send thru real MTA's, that defeat greylisting
- the message itself is either in plaintext, html, or both (multipart/alternative)
- all the links contain tracking data
- usually, they have an unsubscribe link which is highly suspect.

Here is the list of hosts seen in the last 7 days:

Some have been operating for months. 67.205.64.0/18 (hosted by iWeb) has been blocked here for 4 months...

Here are the e-mail addresses they have used (in the RFC_2821 envelope), also during the last 7 days:

Most of these messages bear a postal address, e.g.

Entertainment Publications, Inc., 1414 East Maple Road, Troy, MI 48083 1-866-826-1619
Pedi Paws is located at P.O Box 600991 San Diego, CA 92160
6965 El Camino Real Suite 105 - 698 La Costa, CA 92009
Consumer Service 9-334 Queen Street South, Suite 200, Bolton, Ontario, Canada L7E-2N9
Technical Support 30 East 23 rd. St. New York, NY 10010
Pure Play, 660 4TH Street, Ste 294, San Francisco, CA 94107

Sorry for this long post. But I would be glad to have your advice.

Frédéric

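Added example, not part of the original posts: one way to surface a sender cluster like the one described above from mail logs, by flagging clients whose reverse name is ssl.<domain> with an envelope sender in that same domain, then grouping them by recipient and /24. The log line format, the /24 grouping, the `min_hosts` threshold and every host and address in the sample are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: documentation IP ranges and .example domains,
# not the hosts from the post. Assumed line format:
#   <client rDNS>[<ip>] from=<envelope sender> to=<recipient>
SAMPLE_LOG = """\
ssl.shop-one.example[192.0.2.83] from=<noreply@shop-one.example> to=<victim@mail.example>
ssl.shop-two.example[192.0.2.85] from=<Offers@shop-two.example> to=<victim@mail.example>
ssl.shop-three.example[192.0.2.91] from=<noreply@shop-three.example> to=<victim@mail.example>
ssl.other.example[198.51.100.17] from=<quotes@other.example> to=<victim@mail.example>
mail.partner.example[203.0.113.5] from=<bob@partner.example> to=<alice@mail.example>
ssl.bank.example[203.0.113.9] from=<alerts@elsewhere.example> to=<alice@mail.example>
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+)\[(?P<ip>[\d.]+)\] "
    r"from=<[^@>]*@(?P<sdom>[^>]+)> to=<(?P<rcpt>[^>]+)>$"
)

def matches_profile(host, sender_domain):
    """Traits from the post: rDNS is ssl.<domain> and the envelope
    sender address is inside that same domain."""
    host, sender_domain = host.lower(), sender_domain.lower()
    return host.startswith("ssl.") and host[4:] == sender_domain

def cluster(log_text, min_hosts=2):
    """Group profile-matching hosts by (recipient, /24 network) and keep
    only groups with at least min_hosts distinct hosts."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not matches_profile(m["host"], m["sdom"]):
            continue
        net = ipaddress.ip_network(m["ip"] + "/24", strict=False)
        groups[(m["rcpt"].lower(), str(net))].add(m["host"].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (rcpt, net), hosts in cluster(SAMPLE_LOG).items():
        print(f"{rcpt} <- {net}: {', '.join(hosts)}")
```

A single matching host in a network is not reported at the default threshold, which keeps an unrelated legitimate server that happens to be named ssl.* from being flagged on its own.
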
turetzsr Posted August 20, 2008

> <snip>Sorry for this long post. But I would be glad to have your advice.
> Frédéric

...Did I miss your question? I did not see one.

Wazoo Posted August 20, 2008

> I have several hosts that connect several times a day, all targeting one single user hosted in my server.

Taking a stab at providing something ...???? If it was me, I'd suspect the user of doing something a bit silly. However, that statement made on very little actual/specific data.

Farelf Posted August 21, 2008

> ... I have several hosts that connect several times a day, all targeting one single user hosted in my server.
>
> They have in common:
> - they are using dedicated hosts
> - they set-up correctly their host name, and reverse, their MX and even their SPF
> - their hostname is named ssl.*
> - they send from an address within their domain. Didn't check whether the user part in the address is valid.
> - they send thru real MTA's, that defeat greylisting
> - the message itself is either in plaintext, html, or both (multipart/alternative)
> - all the links contain tracking data
> - usually, they have an unsubscribe link which is highly suspect.
>
> Here is the list of hosts seen in the last 7 days: ...

Hi Frédéric - another point of similarity seems to be that the registrants of the above domains are using Protected Domain Services (protecteddomainservices.com) for anonymity (not that I checked them all).
They don't look very promising:

Protected Domain Services
125 Rampart Way Suite 300
Denver CO 80230 US

(... which is the same address as *their* registrar domainsite.com/Spot Domain LLC). Sometimes complaints work - see http://forum.spamcop.net/forums/index.php?showtopic=9613 and I suppose it wouldn't hurt to try with domainsite.com. But the website for protecteddomainservices.com seems to have gone into hibernation (who knows what AUP/TOS/CRA provisions there might be) and I see no specific grounds for service termination for spamming in www.domainsite.com/registration_agreement.php.

It is fair to say you seem to have tagged a substantial spam group - that is the sort of stuff that might be a better fit for CastleCops and/or Spamhaus than it is for SpamCop. But it is of more than passing interest 'here' if they routinely evade the SCbl.

And on the 'unsubscribe link which is highly suspect' - yes they (almost) always are but unfortunately 'the law' will always assume otherwise unless it is actually proven to be unproductive or exploitative and the 'why unsubscribe to something I didn't subscribe to?' common sense is *too* common sense to have legal weight. Just anticipating the usual 'but we're CAN-SPAM compliant' justification when complaints are made.

fritz2cat Posted August 21, 2008

> Taking a stab at providing something ...???? If it was me, I'd suspect the user of doing something a bit silly. However, that statement made on very little actual/specific data.

Hello Wazoo,

No, this person does as much as possible for keeping this address clean, he always uses other throw-away addresses when possible. I can trust him. But, as Farelf suggests, we may be in the presence of a spam gang operating in the "grey zone", barely legal...

> ...Did I miss your question? I did not see one.

Dear turetzsr, the question was more in the subject of the thread: Do you know these ads^H^H^Hspams ?

Have a nice week-end !

Frédéric

fritz2cat Posted September 16, 2008

Problem solved. I sent a couple of mails to their colo hosting services. I warned these people that I would start reporting all offending items to Spamcop the next day. So I did, messages processed in realtime. Those reported messages contained plenty of tracking data, so they obviously knew who was complaining. Two days later, all these hosts were then quiet.

[but the reporting filter is still monitoring, and ready to shoot an extra ball]

Frédéric

Merlyn Posted September 16, 2008

We put em in our blocklist and they didn't get the clue so they became firewall fodder and everything is fine now.