Posted to users@spamassassin.apache.org by Vlad Mazek <v...@vladville.com> on 2008/02/05 19:58:30 UTC

flooded with jr* spam

Has anyone else noticed a similar pattern or does someone out there hate me?
:) The top 100 SPAM senders on my network (1 minute snapshot below) are all
forgeries starting with jr- or jq-


The annoying thing is, nothing particularly similar about the SPAM being
relayed...

-Vlad

Re: flooded with jr* spam

Posted by Jari Fredriksson <ja...@iki.fi>.
Dunno, but after this message those addresses certainly will get another boost for us all, and as targets to spam...




> Has anyone else noticed a similar pattern or does someone
> out there hate me? :) The top 100 SPAM senders on my
> network (1 minute snapshot below) are all forgeries
> starting with jr- or jq-   
> 
> 
> The annoying thing is, nothing particularly similar about
> the SPAM being relayed... 
> 
> -Vlad


Re: flooded with jr* spam

Posted by Joseph Brennan <br...@columbia.edu>.

--On Tuesday, February 5, 2008 1:58 PM -0500 Vlad Mazek <v...@vladville.com> 
wrote:

> Has anyone else noticed a similar pattern or does someone out there hate
> me? :) The top 100 SPAM senders on my network (1 minute snapshot below)
> are all forgeries starting with jr- or jq-
>


Yeah, we noticed.

We get 3 million BOUNCES a day for jra54449@cs.columbia.edu, from
stupid systems that don't reject for unknown users, but accept and
then mail a bounce.  If 3 million are undeliverable just to badly
configured systems, imagine how many are really undeliverable, and
then imagine how many are being sent!  And for just that one sender.
Note, jra54449@cs.columbia.edu does not exist and never did-- it is
totally safe to reject all mail from it.  We refuse the bounces at
the RCPT command, but it's still a lot of useless smtp connections.

The spam is from the Herbal King, for organ enlargement, isn't it?
Unfortunately we cannot deliver to one mailbox fast enough to collect
very many samples, but that's what we saw last time we tried it.

The messages have a faked Received header that looks pretty good.
Note that Senderbase shows cs.columbia.edu as columbia.edu's biggest
single sender of email, despite the fact that it sends NO mail, based
entirely on Senderbase believing Received headers.

It makes you want to add points for senders starting with jr or jq,
doesn't it?

Joseph Brennan
Columbia University Information Technology

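Two of the points made in this thread lend themselves to a small worked example: the original post's observation that one minute of envelope senders was dominated by the jq-/jr- local-part prefixes, and the reply above's practice of refusing unknown recipients at RCPT so that a host never accepts and then bounces. The Python below is an added example, not code from the thread or from any of the posters; the snapshot rows, domains, user list and SMTP reply strings are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed one-minute snapshot of envelope senders, in the same
# "count  address" shape as the thread's list (addresses are invented).
SNAPSHOT = """\
24      jqmqm@example.com
22      jramstad@example.org
19      jquire@example.net
17      jra54449@cs.example.edu
11      jr.nelson@example.com.br
9       jqxia@example.com
5       alice@example.com
4       bob@example.org
2       carol@example.net
"""

ROW = re.compile(r"^\s*(\d+)\s+([^\s@]+)@(\S+)\s*$")

def parse_snapshot(text):
    """Turn 'count  user@domain' lines into (count, local_part, domain) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3).lower()))
    return rows

def prefix_share(rows, prefix_len=2):
    """Fraction of the minute's messages whose sender local part starts with each prefix."""
    total = sum(count for count, _, _ in rows) or 1
    by_prefix = Counter()
    for count, local, _ in rows:
        by_prefix[local[:prefix_len]] += count
    return {p: c / total for p, c in by_prefix.items()}

def campaign_prefixes(rows, prefix_len=2, min_share=0.25):
    """Prefixes that each carry at least min_share of the traffic; a forgery run
    walking local parts alphabetically (jq..., jr...) shows up as one or two."""
    shares = prefix_share(rows, prefix_len)
    return sorted((p for p, s in shares.items() if s >= min_share),
                  key=lambda p: -shares[p])

def rcpt_decision(mail_from, rcpt_to, local_users, local_domains):
    """RCPT-stage policy: refuse unknown local recipients inside the SMTP dialogue
    rather than accept-then-bounce, so no backscatter reaches forged senders."""
    user, _, domain = rcpt_to.lower().partition("@")
    if domain not in local_domains:
        return "554 5.7.1 Relay access denied"      # illustrative reply text
    if user not in local_users:
        kind = "bounce" if mail_from in ("", "<>") else "message"
        return f"550 5.1.1 User unknown ({kind} refused at RCPT)"
    return "250 OK"
```

With the constructed snapshot, `campaign_prefixes` reports `jq` and `jr` as the only prefixes above a quarter of the traffic, and a bounce aimed at a never-existent user is refused with a 550 before any data is accepted.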

 

Re: flooded with jr* spam

Posted by Michael W Cocke <co...@catherders.com>.
On Thu, 07 Feb 2008 12:51:51 +0100, you wrote:

>Michael W Cocke wrote:
>
>> 
>> They use DHCP.  Netops has to trace it, and I seem to be about 5Kth on
>> the list.  <sigh>  Ironic as hell, considering the effort I put into
>> avoiding MIT netops about 20 years ago.
>
>But you should be able to run tcpdump locally on your own machine? 
>Unless the address changes rapidly, you catch one such ICMP then
>report the IP to your netops guys. 
>
>
>/Per Jessen, Zürich


All that shows is their external address.  They use NAT.  Anyway, it's
academic - netops seems to have found it and pulled it offline.

Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed 
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,

Re: flooded with jr* spam

Posted by Per Jessen <pe...@computer.org>.
Michael W Cocke wrote:

> 
> They use DHCP.  Netops has to trace it, and I seem to be about 5Kth on
> the list.  <sigh>  Ironic as hell, considering the effort I put into
> avoiding MIT netops about 20 years ago.

But you should be able to run tcpdump locally on your own machine? 
Unless the address changes rapidly, you catch one such ICMP then
report the IP to your netops guys. 


/Per Jessen, Zürich


Re: flooded with jr* spam

Posted by Michael W Cocke <co...@catherders.com>.
They use DHCP.  Netops has to trace it, and I seem to be about 5Kth on
the list.  <sigh>  Ironic as hell, considering the effort I put into
avoiding MIT netops about 20 years ago.

Mike-


On Tue, 05 Feb 2008 21:01:04 +0100, you wrote:

>Michael W Cocke wrote:
>
>> I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice
>> per second with ICMP packets, and netops can't find who....
>
>tcpdump ?
>
>
>/Per Jessen, Zürich

Re: flooded with jr* spam

Posted by Per Jessen <pe...@computer.org>.
Michael W Cocke wrote:

> I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice
> per second with ICMP packets, and netops can't find who....

tcpdump ?


/Per Jessen, Zürich


Re: flooded with jr* spam

Posted by Michael W Cocke <co...@catherders.com>.
Yes, I do have a lot more detail.  It's all been reported to MIT per
their procedure.  Unfortunately it comes down to "whatever is
happening is happening in the MIT network, we'll take it from here,
have a nice day" (Without a pause for breath even)

Up to a large point I have sympathy for them - it's no damn fun
finding a specific system on any campus, and MIT is bigger than
anything I've seen, even Berkeley.

Mike-


On Tue, 5 Feb 2008 20:09:10 +0000 (GMT), you wrote:

>the inline snort station should show some more detail. do you have access to your routers and switches ?
>
>Regards,
>
>
>----- "Michael W Cocke" <co...@catherders.com> wrote:
>
>> I'll trade you - somewhere in MIT (20K+ computers) is hitting me
>> twice
>> per second with ICMP packets, and netops can't find who....
>> 
>> I had to degrade the logging on my snort-inline because the system
>> was
>> drowning.
>> 
>> Mike-
>> 
>> 
>> On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:

Re: flooded with jr* spam

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
the inline snort station should show some more detail. do you have access to your routers and switches ?

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Michael W Cocke" <co...@catherders.com> wrote:

> I'll trade you - somewhere in MIT (20K+ computers) is hitting me
> twice
> per second with ICMP packets, and netops can't find who....
> 
> I had to degrade the logging on my snort-inline because the system
> was
> drowning.
> 
> Mike-
> 
> 
> On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:



Re: flooded with jr* spam

Posted by Michael W Cocke <co...@catherders.com>.
I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice
per second with ICMP packets, and netops can't find who....

I had to degrade the logging on my snort-inline because the system was
drowning.

Mike-


On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:

>Has anyone else noticed a similar pattern or does someone out there hate me?
>:) The top 100 SPAM senders on my network (1 minute snapshot below) are all
>forgeries starting with jr- or jq-
>
>
>The annoying thing is, nothing particularly similar about the SPAM being
>relayed...
>
>-Vlad