Posted to users@spamassassin.apache.org by Dennis German <dg...@Real-World-Systems.com> on 2010/09/06 03:46:34 UTC
spam caught, now how to catch spammer
In the last several weeks I have been receiving a lot of spam with email addresses of the form:
learningmadeeasy.??????@??????.yourseemlost.net
learningmadeeasy.??????@??????.hisoftenusing.net
learningmadeeasy.??????@??????.wheatdrinkcontrol.net
learningmadeeasy.???????@??????.actbookfelt.net
learningmadeeasy.???????@??????.stillstationwhether.net
learningmadeeasy.???????@??????.legbottleloss.net
and
accountingeducation.gpxtxy@oiteew.badpeoplepaper.net
accountingeducation.ihdwuu@aapufx.stillstationwhether
accountingeducation.ionmtap@wxnuab.legbottleloss.net
accountingeducation.iqleaau@mlmuwx.stillstationwhethe
and
affordablelifeinsurance.ajoxk@wiogif.constum.net
affordablelifeinsurance.kiuua@pzodkk.injecou.net
How do we stop this guy?
Re: spam CAUGHT, now how to catch spammer
Posted by Chris <cp...@embarqmail.com>.
On Tue, 2010-09-07 at 10:02 -0700, John Hardin wrote:
> On Tue, 7 Sep 2010, Per Jessen wrote:
>
> > John Hardin wrote:
> >
> >>> Sorry to mislead. SPAM was caught by spamassassin.
> >>> How can I get this guy stopped?
> >>> IP addresses are: 67.50.37.35,.36,.69,.75
> >>
> >> Ah. Yes, that's a different question.
> >>
> >> (1) Find out who owns those network addresses.
> >>
> >> Use tools like http://enc.com.au/itools/inetnum.php and
> >> http://enc.com.au/itools/person.php to do that.
> >
> > whois will also tell you.
>
> True, but at the time I was composing that message both command-line whois
> and several US-based web UIs were returning a "unable to return results
> due to high traffic" message.
>
John, I missed the beginning of this post so I guess you originally sent
it. Anyway here is a way you can track this down:
first telnet to whois.cymru.com port 43:
67.50.37.35
which gives you:
AS | IP | AS Name
7385 | 67.50.37.35 | INTEGRATELECOM - Integra Telecom, Inc.
Then telnet to whois.ra.net port 43:
telnet whois.ra.net 43
Trying 198.108.0.8...
Connected to radb3.merit.edu (198.108.0.8).
Escape character is '^]'.
as7385
aut-num: AS7385
as-name: Integra
descr: INTEGRA TELECOM
admin-c: Network Services
tech-c: Network Services
import: from AS12003
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS3549
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS22899
accept <^AS22154+$> AND NOT {0.0.0.0/0}
import: from AS2914
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS7911
action pref=1;
accept ANY AND NOT {0.0.0.0/0}
import: from AS13857
accept <^AS13857+$> AND NOT {0.0.0.0/0}
import: from AS18463
accept <^AS18463+$> AND NOT {0.0.0.0/0}
import: from AS4587
accept <^AS4587+$> AND NOT {0.0.0.0/0}
import: from AS22154
accept <^AS22154+$> AND NOT {0.0.0.0/0}
import: from AS22899
accept <^AS22154+$> AND NOT {0.0.0.0/0}
import: from AS26676
accept <^AS26676+$> AND NOT {0.0.0.0/0}
import: from AS19441
accept <^AS19441+$> AND NOT {0.0.0.0/0}
import: from AS29984
accept <^AS29984+$> AND NOT {0.0.0.0/0}
import: from AS30629
accept <^AS30629+$> AND NOT {0.0.0.0/0}
import: from AS32810
accept <^AS32810+$> AND NOT {0.0.0.0/0}
import: from AS33338
accept <^AS33338+$> AND NOT {0.0.0.0/0}
import: from AS36740
accept <^AS36740+$> AND NOT {0.0.0.0/0}
import: from AS16933
accept <^AS16933+$> AND NOT {0.0.0.0/0}
import: from AS32879
accept <^AS32879+$> AND NOT {0.0.0.0/0}
import: from AS39986
accept <^AS39986+$> AND NOT {0.0.0.0/0}
export: to AS2914
announce AS-INTEGRA
export: to AS3549
announce AS-INTEGRA
export: to AS4587
announce ANY
export: to AS6993
announce AS-INTEGRA
export: to AS7911
announce AS-INTEGRA
export: to AS13857
announce ANY
export: to AS18463
announce ANY
export: to AS22154
announce ANY
export: to AS22899
announce AS-INTEGRA
export: to AS26676
announce ANY
export: to AS19441
announce ANY
export: to AS29984
announce ANY
export: to AS32810
announce ANY
export: to AS33338
announce ANY
export: to AS36740
announce ANY
export: to AS16933
announce ANY
export: to AS32879
announce ANY
export: to AS39986
announce ANY
export: to AS12003
announce AS-INTEGRA7385
export: to AS3549
announce AS-INTEGRA7385
export: to AS22899
announce AS-INTEGRA7385
mnt-by: MAINT-AS7385
changed: randy.rooney@integratelecom.com 20060726
source: RADB
person: Network Services
address: 15200 NBN Way
address: Blue Ridge Summit, PA 17214
phone: +1-301-459-3132
e-mail: networksupport@hudsonps.com
nic-hdl: NES4-LEVEL3
changed: kelly.macensky@level3.como 20100518
source: LEVEL3
Then telnet whois.radb.net 43
telnet whois.radb.net 43
Trying 198.108.0.18...
Connected to whois.radb.net (198.108.0.18).
Escape character is '^]'.
MAINT-AS7385
mntner: MAINT-AS7385
descr: Maintainer for AS7385
admin-c: Data Engineering
tech-c: Data Engineering
upd-to: bgp@integra.net
mnt-nfy: bgp@integra.net
auth: CRYPT-PW HIDDENCRYPTPW
auth: MAIL-FROM steven.raymond@integratelecom.com
auth: MAIL-FROM kenneth.mcintyre@integratelecom.com
auth: MAIL-FROM bgp@integra.net
auth: MAIL-FROM craig.heidgerken@integratelecom.com
auth: MAIL-FROM randy.rooney@integratelecom.com
auth: MAIL-FROM edward.arneson@integratelecom.com
auth: MAIL-FROM tony.radzwon@integratelecom.com
auth: MAIL-FROM rick.randall@integratelecom.com
remarks: Integra Telecom AS7385 maintainer object
notify: engineeringdata@integratelecom.com
mnt-by: MAINT-AS7385
changed: steven.raymond@integratelecom.com 20090626
source: RADB
Is this any help?
--
Chris
KeyID 0xE372A7DA98E6705C
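The lookup Chris types into telnet is the plain whois protocol (a line of text on TCP 43, reply, server closes), so it scripts easily. The following is an added example, not code from the thread or from SpamAssassin: it builds a Team Cymru bulk query (their documented "begin" / addresses / "end" form, which answers many IPs in one session), parses the "AS | IP | AS Name" table shown above, and groups the addresses by originating AS so one report covers one network. The sample reply is constructed in the same shape as the one quoted; 192.0.2.1 is a documentation address included to show how unrouted space ("NA") is handled. Only parse_cymru_reply and group_by_asn are needed offline; lookup_asn does the real network call.

```python
"""Added example: IP-to-ASN lookup against whois.cymru.com, port 43."""
import socket
from ipaddress import ip_address

CYMRU_HOST = "whois.cymru.com"          # Team Cymru service used in the thread
CYMRU_PORT = 43                         # whois: send lines, read reply, server closes
DEFAULT_HEADER = ["AS", "IP", "AS Name"]   # column layout of the reply quoted above


def build_bulk_query(ips):
    """Bulk request: 'begin', one address per line, 'end'.

    ip_address() validates each entry so a typo is rejected before it is sent."""
    addrs = [str(ip_address(ip)) for ip in ips]
    return "begin\n" + "\n".join(addrs) + "\nend\n"


def parse_cymru_reply(text):
    """Parse pipe-delimited rows into {ip: {"asn": int|None, "as_name": str}}.

    A row whose fields are exactly 'AS' and 'IP' (plus others) is a column
    header and resets the layout; 'Bulk mode ...' and 'Error ...' lines are
    server chatter and are skipped.  'NA' in the AS column means unrouted."""
    header = DEFAULT_HEADER
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Bulk mode", "Error")):
            continue
        fields = [f.strip() for f in line.split("|")]
        if "AS" in fields and "IP" in fields:
            header = fields
            continue
        if len(fields) != len(header):
            continue                    # malformed row; do not guess
        row = dict(zip(header, fields))
        asn = row["AS"]
        results[row["IP"]] = {
            "asn": int(asn) if asn.isdigit() else None,
            "as_name": row.get("AS Name", ""),
        }
    return results


def lookup_asn(ips, timeout=10):
    """Network call: send the bulk query and parse whatever comes back."""
    with socket.create_connection((CYMRU_HOST, CYMRU_PORT), timeout=timeout) as s:
        s.sendall(build_bulk_query(ips).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_cymru_reply(b"".join(chunks).decode(errors="replace"))


def group_by_asn(parsed):
    """Invert the table to {asn: [ips]}: one abuse report per network."""
    groups = {}
    for ip, info in parsed.items():
        groups.setdefault(info["asn"], []).append(ip)
    return groups


# Constructed sample reply, shaped like the one quoted in the thread.
SAMPLE_REPLY = """\
AS      | IP               | AS Name
7385    | 67.50.37.35      | INTEGRATELECOM - Integra Telecom, Inc.
7385    | 67.50.37.36      | INTEGRATELECOM - Integra Telecom, Inc.
NA      | 192.0.2.1        | NA
"""

if __name__ == "__main__":
    for asn, ips in group_by_asn(parse_cymru_reply(SAMPLE_REPLY)).items():
        print(asn, ips)
```

The RADB step that follows in Chris's message is the same protocol against a different server: `whois -h whois.radb.net AS7385` sends exactly what he typed into telnet. Note that the routing registry object is maintained by the network itself (see the mnt-by and changed lines above), so its contact details can lag behind the RIR record.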
Re: spam CAUGHT, now how to catch spammer
Posted by John Hardin <jh...@impsec.org>.
On Tue, 7 Sep 2010, jdow wrote:
> From: "John Hardin" <jh...@impsec.org>
> Sent: Tuesday, 2010/September/07 10:02
>
>> On Tue, 7 Sep 2010, Per Jessen wrote:
>>
>> > John Hardin wrote:
>> >
>> > > > Sorry to mislead. SPAM was caught by spamassassin.
>> > > > How can I get this guy stopped?
>> > > > IP addresses are: 67.50.37.35,.36,.69,.75
>> > >
>> > > Ah. Yes, that's a different question.
>> > >
>> > > (1) Find out who owns those network addresses.
>> > >
>> > > Use tools like http://enc.com.au/itools/inetnum.php and
>> > > http://enc.com.au/itools/person.php to do that.
>> >
>> > whois will also tell you.
>>
>> True, but at the time I was composing that message both command-line
>> whois and several US-based web UIs were returning a "unable to return
>> results due to high traffic" message.
>
> Works from here, John.
And it was working again when I composed my 10AM reply.
I simply didn't want to delay my initial response based on what I knew to
be a transient problem, so I offered an alternative that at the time did
work.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
End users want eye candy and the "ooo's and aaaahhh's" experience
when reading mail. To them email isn't a tool, but an entertainment
form. -- Steve Lake
-----------------------------------------------------------------------
9 days until the 223rd anniversary of the signing of the U.S. Constitution
Re: spam CAUGHT, now how to catch spammer
Posted by jdow <jd...@earthlink.net>.
From: "John Hardin" <jh...@impsec.org>
Sent: Tuesday, 2010/September/07 10:02
> On Tue, 7 Sep 2010, Per Jessen wrote:
>
>> John Hardin wrote:
>>
>>>> Sorry to mislead. SPAM was caught by spamassassin.
>>>> How can I get this guy stopped?
>>>> IP addresses are: 67.50.37.35,.36,.69,.75
>>>
>>> Ah. Yes, that's a different question.
>>>
>>> (1) Find out who owns those network addresses.
>>>
>>> Use tools like http://enc.com.au/itools/inetnum.php and
>>> http://enc.com.au/itools/person.php to do that.
>>
>> whois will also tell you.
>
> True, but at the time I was composing that message both command-line whois
> and several US-based web UIs were returning a "unable to return results
> due to high traffic" message.
Works from here, John.
===8<---
whois 67.50.37.35
[Querying whois.arin.net]
[Redirected to whois.integraonline.com:43]
[Querying whois.integraonline.com]
[whois.integraonline.com]
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:Network-Name:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:Street-Address:250 STOCKTON AVE
network:City:SANTA CLARA
network:State:CA
network:Postal-Code:95126
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2010-02-24
network:Updated-By:tradzwon@integra.net
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:Network-Name:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:Street-Address:1201 NE Lloyd Blvd, Ste 500
network:City:Portland
network:State:OR
network:Postal-Code:97232
network:Country-Code:US
network:Admin-Contact;I:ITIA-ARIN
network:Tech-Contact;I:ITIA-ARIN
network:Updated:2009-12-03
network:Updated-By:hostmaster@integra.net
%error 350 Invalid Query Syntax
%ok
===8<---
I'm not sure where the error 350 came from. GIGLINX or ELI-NETWORK-ELIX
may have a bad setup.
GIGLINX may be a formal spam source. The address "looks" bad to me. 95126
is San Jose. I don't know if it includes Santa Clara or not. (I'm not
familiar with that area.) I'd email integra.net about it at abuse,
hostmaster, and after an MTR run integra's upstream provider.
It's easier to simply let it accumulate and get a decent picture of what
the spam hydra is doing of late, which is about 3 times the volume of a
month ago. <sigh>
{^_^}
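The rwhois answer above carries two records for the same address: a /23 sub-allocation (GIGLINX INC) inside the provider's /15 (ELI-NETWORK-ELIX). The one to report to is the most specific block that contains the IP; the wider block identifies the upstream. The following is an added example, not code from the thread: it parses "class:key:value" lines into records, keeps the "%error" status lines apart from the data, and returns every containing allocation ordered most specific first. The sample is an abridged, constructed copy of the reply quoted above; a new record is assumed to begin whenever a key repeats, which matches this server's output.

```python
"""Added example: parse rwhois network records and pick the most specific one."""
from ipaddress import ip_address, ip_network

# Constructed, abridged sample in the shape of the rwhois reply quoted above.
SAMPLE_RWHOIS = """\
%rwhois V-1.5:003fff:00 adns5 (by Network Solutions, Inc. V-1.5.7.2)
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-36-0/23-NET
network:IP-Network:67.50.36.0/23
network:Org-Name;I:GIGLINX INC
network:City:SANTA CLARA
network:Admin-Contact;I:ITIA-ARIN
network:Updated-By:tradzwon@integra.net
network:Auth-Area:67.50.0.0/15
network:Class-Name:network
network:ID:67-50-0-0/15-NET
network:IP-Network:67.50.0.0/15
network:Org-Name;I:ELI-NETWORK-ELIX
network:City:Portland
network:Admin-Contact;I:ITIA-ARIN
network:Updated-By:hostmaster@integra.net
%error 350 Invalid Query Syntax
%ok
"""


def parse_rwhois(text):
    """Return (records, errors).

    Data lines look like 'network:Key;flags:Value'; the attribute flags
    (';I' here) are dropped from the key.  Lines starting with '%' are server
    status; '%error ...' lines are collected so they are not lost but also
    not mistaken for data.  A repeated key starts a new record."""
    records, errors, current = [], [], None
    for line in text.splitlines():
        if line.startswith("%"):
            if line.startswith("%error"):
                errors.append(line)
            continue
        if line.count(":") < 2:
            continue
        _cls, key, value = line.split(":", 2)
        key = key.split(";")[0]
        if current is None or key in current:
            current = {}
            records.append(current)
        current[key] = value
    return records, errors


def allocation_chain(records, ip):
    """All records whose IP-Network contains ip, most specific first.

    Element 0 is the direct holder to contact; the rest are its parents."""
    addr = ip_address(ip)
    hits = []
    for rec in records:
        if "IP-Network" not in rec:
            continue
        net = ip_network(rec["IP-Network"], strict=False)
        if addr in net:
            hits.append((net, rec))
    hits.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return hits


if __name__ == "__main__":
    recs, errs = parse_rwhois(SAMPLE_RWHOIS)
    for net, rec in allocation_chain(recs, "67.50.37.35"):
        print(net, rec.get("Org-Name"), rec.get("Updated-By"))
    print("server status:", errs)
```

Run against the sample it lists 67.50.36.0/23 GIGLINX INC before 67.50.0.0/15 ELI-NETWORK-ELIX, which is the order in which to escalate a report.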
Re: spam CAUGHT, now how to catch spammer
Posted by John Hardin <jh...@impsec.org>.
On Tue, 7 Sep 2010, Per Jessen wrote:
> John Hardin wrote:
>
>>> Sorry to mislead. SPAM was caught by spamassassin.
>>> How can I get this guy stopped?
>>> IP addresses are: 67.50.37.35,.36,.69,.75
>>
>> Ah. Yes, that's a different question.
>>
>> (1) Find out who owns those network addresses.
>>
>> Use tools like http://enc.com.au/itools/inetnum.php and
>> http://enc.com.au/itools/person.php to do that.
>
> whois will also tell you.
True, but at the time I was composing that message both command-line whois
and several US-based web UIs were returning a "unable to return results
due to high traffic" message.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
So Microsoft's invented the ASCII equivalent to ugly ink spots that
appear on your letter when your pen is malfunctioning.
-- Greg Andrews, about Microsoft's way to encode apostrophes
-----------------------------------------------------------------------
10 days until the 223rd anniversary of the signing of the U.S. Constitution
Re: spam CAUGHT, now how to catch spammer
Posted by Per Jessen <pe...@computer.org>.
John Hardin wrote:
>> Sorry to mislead. SPAM was caught by spamassassin.
>> How can I get this guy stopped?
>> IP addresses are: 67.50.37.35,.36,.69,.75
>
> Ah. Yes, that's a different question.
>
> (1) Find out who owns those network addresses.
>
> Use tools like http://enc.com.au/itools/inetnum.php and
> http://enc.com.au/itools/person.php to do that.
whois will also tell you.
/Per Jessen, Zürich
Re: spam CAUGHT, now how to catch spammer
Posted by John Hardin <jh...@impsec.org>.
On Mon, 6 Sep 2010, Dennis German wrote:
>> On Sun, 5 Sep 2010, Dennis German wrote:
>>
>>> In the last several weeks I have been receiving a lot of spam with email addresses of the form:
>>>
>>> learningmadeeasy.??????@??????.yourseemlost.net
>>> learningmadeeasy.??????@??????.hisoftenusing.net
>>> learningmadeeasy.??????@??????.wheatdrinkcontrol.net
>>> learningmadeeasy.???????@??????.actbookfelt.net
>>> learningmadeeasy.???????@??????.stillstationwhether.net
>>> learningmadeeasy.???????@??????.legbottleloss.net
>>>
>>> and
>>> accountingeducation.gpxtxy@oiteew.badpeoplepaper.net
>>> accountingeducation.ihdwuu@aapufx.stillstationwhether
>>> accountingeducation.ionmtap@wxnuab.legbottleloss.net
>>> accountingeducation.iqleaau@mlmuwx.stillstationwhethe
>>>
>>> and
>>>
>>> affordablelifeinsurance.ajoxk@wiogif.constum.net
>>> affordablelifeinsurance.kiuua@pzodkk.injecou.net
>>>
>>> How do we stop this guy?
>
> John, thanks for the reply.
>
> Sorry to mislead. SPAM was caught by spamassassin.
> How can I get this guy stopped?
> IP addresses are: 67.50.37.35,.36,.69,.75
Ah. Yes, that's a different question.
(1) Find out who owns those network addresses.
Use tools like http://enc.com.au/itools/inetnum.php and
http://enc.com.au/itools/person.php to do that.
(I provide .au tools as the ones in .us are overloaded at the moment.)
That tells us:
Network Number 67.50.0.0 - 67.51.255.255
Origin AS7385
NIC Handle NET-67-50-0-0-1
Status Direct Allocation
DNS Servers NS2.INTEGRAONLINE.COM
NS.INTEGRAONLINE.COM
Created 2003-06-20
2000-07-05
Changed 2008-11-03
2010-03-04
Description Integra Telecom, Inc.
1201 NE Lloyd
Suite 500
Portland
OR
97232
Country United States (US)
Abuse Contact ABUSE91-ARIN
Tech Contact ITIA-ARIN
NIC Handle ABUSE91-ARIN
Description Integra Telecom Inc.
19545 NW Von Neumann
Beaverton
OR
97006
Country United States (US)
Created 2002-10-30
Changed 2002-10-30
Phone +1-503-748-4511 (Office)
Email abuse@integratelecom.com
(2) Report the abuse to them.
Send an email to the abuse address reporting the offending IP addresses
and the nature of the abuse.
They may be resellers, so they may send you on to a smaller entity that
owns those particular IP addresses.
The owner will either have terms of service that prohibit spamming and
will try to stop the abuse, or be "spam-friendly" and ignore you,
or possibly be a small company that is clueless and won't have any idea
what to do.
Keep logs of the traffic for evidence. The ISP may ask for them.
Best of luck.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
After ten years (1998-2008) of draconian gun control in the State
of Massachusetts, the results are in: firearms-related assaults up
78%, firearms-related homicides up 67%, assault-related emergency
room visits up 331%. Gun Control does not reduce violent crime.
-----------------------------------------------------------------------
10 days until the 223rd anniversary of the signing of the U.S. Constitution
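John's step (2) and the advice to keep logs come together in the report itself: the offending addresses, what they sent, and the raw log lines that prove it. The following is an added example, not code from the thread: it expands the "67.50.37.35,.36,.69,.75" shorthand used above into full addresses, finds the smallest CIDR block covering them (useful as a one-line summary for the abuse desk), pulls the matching lines out of a mail log, and assembles the report body. The log lines are constructed, Postfix-style samples (the bracketed client address is what the filter keys on); 198.51.100.7 is a documentation address standing in for an unrelated legitimate client. Adapt the regex if your MTA logs the client address differently.

```python
"""Added example: expand IP shorthand, collect log evidence, draft an abuse report."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network


def expand_ip_shorthand(spec):
    """'67.50.37.35,.36,.69,.75' -> four full addresses.

    A token beginning with '.' replaces the trailing octets of the previous
    full address; '.1.5' would replace the last two."""
    ips, prev = [], None
    for tok in (t.strip() for t in spec.split(",")):
        if tok.startswith("."):
            if prev is None:
                raise ValueError(f"shorthand {tok!r} has no preceding full address")
            tail = tok.lstrip(".").split(".")
            octets = prev.split(".")
            octets[len(octets) - len(tail):] = tail
            tok = ".".join(octets)
        ip_address(tok)                 # ValueError if still not a valid address
        ips.append(tok)
        prev = tok
    return ips


def covering_network(ips):
    """Smallest single CIDR block containing every address: start at the
    lowest address and widen one bit at a time until the highest fits."""
    addrs = sorted(ip_address(i) for i in ips)
    net = ip_network(str(addrs[0]))
    while addrs[-1] not in net:
        net = net.supernet()
    return net


# Constructed Postfix-style log lines; not taken from the thread.
SAMPLE_LOG = """\
Sep  5 20:41:02 mx postfix/smtpd[4121]: connect from unknown[67.50.37.35]
Sep  5 20:41:03 mx postfix/smtpd[4121]: 1A2B3C: client=unknown[67.50.37.35]
Sep  5 20:41:04 mx postfix/cleanup[4130]: 1A2B3C: message-id=<a1@oiteew.badpeoplepaper.net>
Sep  5 20:55:17 mx postfix/smtpd[4140]: connect from unknown[67.50.37.69]
Sep  5 20:55:18 mx postfix/smtpd[4140]: 2B3C4D: client=unknown[67.50.37.69]
Sep  6 03:12:40 mx postfix/smtpd[4150]: connect from mail.example.net[198.51.100.7]
Sep  6 03:46:30 mx postfix/smtpd[4161]: connect from unknown[67.50.37.75]
"""

# Client address as Postfix logs it: hostname[a.b.c.d]
CLIENT_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def evidence_for(log_text, ips):
    """Keep only lines whose bracketed client address is one of the reported IPs."""
    wanted = set(ips)
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_IP_RE.search(line)
        if m and m.group(1) in wanted:
            hits.append(line)
    return hits


def draft_report(ips, evidence, sender_pattern):
    """Report body: every address (including ones with no hits, so the ISP
    sees the full set), per-address counts, the sender pattern, raw lines."""
    counts = Counter(CLIENT_IP_RE.search(line).group(1) for line in evidence)
    body = [
        f"Subject: Unsolicited bulk email from {covering_network(ips)}",
        "",
        "Source addresses: " + ", ".join(ips),
        f"Sender addresses follow the pattern: {sender_pattern}",
        "Connections per address (from our MTA log, local time):",
    ]
    body += [f"  {ip}: {counts[ip]}" for ip in ips]
    body += ["", "Log excerpt:"] + [f"  {line}" for line in evidence]
    return "\n".join(body)


if __name__ == "__main__":
    ips = expand_ip_shorthand("67.50.37.35,.36,.69,.75")
    hits = evidence_for(SAMPLE_LOG, ips)
    print(draft_report(ips, hits, "learningmadeeasy.<random>@<random>.<words>.net"))
```

Keep the unfiltered log as well; the excerpt is what you send, the full log is what you hand over if the ISP asks for it, as John notes.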
Re: spam caught, now how to catch spammer
Posted by Daniel McDonald <da...@austinenergy.com>.
On 9/5/10 8:46 PM, "Dennis German" <dg...@Real-World-Systems.com> wrote:
> In the last several weeks I have been receiving a lot of spam with email
> addresses of the form:
>
> learningmadeeasy.??????@??????.yourseemlost.net
>
> accountingeducation.gpxtxy@oiteew.badpeoplepaper.net
>
> affordablelifeinsurance.ajoxk@wiogif.constum.net
>
> How do we stop this guy?
>
Greylisting and a good snowshoe-spammer rbl like invaluement. Invaluement
costs a little, but our snowshoe spam has pretty much disappeared since we
enabled it.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281