[170933] in North American Network Operators' Group
Re: spamassassin hole again?
daemon@ATHENA.MIT.EDU (Andrew Fried)
Sun Apr 13 04:10:06 2014
Date: Sun, 13 Apr 2014 04:09:41 -0400
From: Andrew Fried <andrew.fried@gmail.com>
To: nanog@nanog.org
In-Reply-To: <534A43CE.8020607@prt.org>
Thanks, Paul. The #1 spam I'm seeing right now has the subject line
"Subject: Why Internet was born?"; the domains from the URLs appear to
be listed in Spamhaus DBL. Obviously a different batch.
Andy
Andrew Fried
andrew.fried@gmail.com
On 4/13/14, 3:59 AM, Paul Thornton wrote:
> On 13/04/2014 08:10, Andrew Fried wrote:
>> Any chance you could provide a *clue* as to what you're seeing, e.g.
>> message subject, from, etc???
>
> The subjects seem to vary; but appear to involve animals, sex and cute
> women in various orders (apologies to anyone offended by that).
>
> Content is a one-liner link to porn sites.
>
> I agree with the RIPE DB scrape - the From: line on one of these is
>
> From: "Registry ripenotify" <info@audiovisualcs.com>
> and the CC line contains our notify: E-mail (plus a load more of this
> junk to noc|peering|named contacts).
>
> These seem to be botted machines sending mails 'legitimately', i.e.
> headers appear to show that the first hop was relayed out through a
> normal route rather than just port 25 spray. Some are even kindly
> pre-marked as spam.
>
> We've had >250 turn up since 23:34 UTC yesterday (12 April). Appears to
> have slowed/stopped around 05:00 UTC today (13 April).
>
> Paul.
>