[170932] in North American Network Operators' Group
Re: spamassassin hole again?
daemon@ATHENA.MIT.EDU (Paul Thornton)
Sun Apr 13 03:59:39 2014
Date: Sun, 13 Apr 2014 08:59:10 +0100
From: Paul Thornton <prt@prt.org>
To: nanog@nanog.org
In-Reply-To: <534A387A.5050008@gmail.com>

On 13/04/2014 08:10, Andrew Fried wrote:
> Any chance you could provide a *clue* as to what you're seeing, eg
> message subject, from, etc???

The subjects seem to vary; but appear to involve animals, sex and cute
women in various orders (apologies to anyone offended by that).

Content is a one-liner link to porn sites.

I agree with the RIPE DB scrape - the From: line on one of these is

From: "Registry ripenotify" <info@audiovisualcs.com>

and the CC line contains our notify: E-mail (plus a load more of this
junk to noc|peering|named contacts).

These seem to be botted machines sending mails 'legitimately' ie:
headers appear to show that the first hop was relayed out through a
normal route rather than just port 25 spray. Some are even kindly
pre-marked as spam.

We've had >250 turn up since 23:34 UTC yesterday (12 April). Appears to
have slowed/stopped around 05:00 UTC today (13 April).

Paul.

--
Paul Thornton