Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2005/11/30 03:09:20 UTC
OT? Threats from twtelecom over spam reports
Since about the 22nd or 23rd I've been getting virus-laden (Sober.U) spam
from an address at twtelecom.net (66.162.83.190). All my spam reporting is
done via two scripts, one is reporter.pl which runs sa-learn and reports to
Razor, Pyzor and DCC. The other script, which was written by Karsten Self,
called Spam Tools, actually reports the spam to the abuse address(es) and
to NANAS. After getting a couple of hundred infected messages I wrote a
nice email to one of the contacts, he replied:
Please note that the propagation of this address is spoofed. The address you
are questioning is a global IP for a firewall and is not sending or passing
the virus.
I've continued reporting the spam using Spam Tools. I also advised him that
that ip is now blacklisted at Spamhaus.org. It was listed in the composite
blacklist but was removed today. This afternoon I got the following email:
I can assure you that it is indeed a mistake. These need to be removed
at once or this will get very ugly!
Below are complete headers from one of the messages from this ip, are these
in fact from the ip I mentioned?
Status: U
Return-Path: <Ad...@cscfleet.com>
Received: from pop.earthlink.net [209.86.93.201]
by localhost with POP3 (fetchmail-6.2.5)
for cpollock@localhost (single-drop); Tue, 29 Nov 2005 00:50:16
-0600 (CST)
Received: from picpba.com ([66.162.83.190])
by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
id 1eGZi22e13Nl34g0
Tue, 29 Nov 2005 01:48:26 -0500 (EST)
From: Admin@cscfleet.com
To: smntp7500@earthlink.net
Date: Tue, 29 Nov 2005 06:37:15 UTC
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <c7...@cscfleet.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=1bba52a03.f0cb"
Content-Transfer-Encoding: 7bit
X-SenderIP: 66.162.83.190
X-ASN: ASN-4323
X-CIDR: 66.162.83.0/24
I've received another 18 infected messages from this ip again today. I'm
almost afraid to run my scripts. Can this guy do anything? I mean it's not
my fault that this ip is being blacklisted. I'll hold off running the
scripts hoping I'll get some advice from some of you more knowledgeable on
this stuff.
Thanks
Chris
--
Chris
Registered Linux User 283774 http://counter.li.org
19:46:59 up 5 days, 4:26, 1 user, load average: 2.18, 2.10, 1.54
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: OT? Threats from twtelecom over spam reports
Posted by Duane Hill <d....@yournetplus.com>.
Ultimately twtelecom.net should be responsible. It's their customer
they've allocated IP space for. Here is where the IP space was
allocated to according to ARIN:
http://ws.arin.net/whois/?queryinput=!%20NET-66-162-83-176-1
On Wednesday, November 30, 2005 at 2:09:20 AM, cpollock@earthlink.net confabulated:
> Since about the 22nd or 23rd I've been getting virus-laden (Sober.U) spam
> from an address at twtelecom.net (66.162.83.190). All my spam reporting is
> done via two scripts, one is reporter.pl which runs sa-learn and reports to
> Razor, Pyzor and DCC. The other script, which was written by Karsten Self,
> called Spam Tools, actually reports the spam to the abuse address(es) and
> to NANAS. After getting a couple of hundred infected messages I wrote a
> nice email to one of the contacts, he replied:
> Please note that the propagation of this address is spoofed. The address you
> are questioning is a global IP for a firewall and is not sending or passing
> the virus.
> I've continued reporting the spam using Spam Tools. I also advised him that
> that ip is now blacklisted at Spamhaus.org. It was listed in the composite
> blacklist but was removed today. This afternoon I got the following email:
> I can assure you that it is indeed a mistake. These need to be removed
> at once or this will get very ugly!
> Below are complete headers from one of the messages from this ip, are these
> in fact from the ip I mentioned?
> Status: U
> Return-Path: <Ad...@cscfleet.com>
> Received: from pop.earthlink.net [209.86.93.201]
> by localhost with POP3 (fetchmail-6.2.5)
> for cpollock@localhost (single-drop); Tue, 29 Nov 2005 00:50:16
> -0600 (CST)
> Received: from picpba.com ([66.162.83.190])
> by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
> id 1eGZi22e13Nl34g0
> Tue, 29 Nov 2005 01:48:26 -0500 (EST)
> From: Admin@cscfleet.com
> To: smntp7500@earthlink.net
> Date: Tue, 29 Nov 2005 06:37:15 UTC
> Subject: Registration Confirmation
> Importance: Normal
> X-Priority: 3 (Normal)
> Message-ID: <c7...@cscfleet.com>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="=1bba52a03.f0cb"
> Content-Transfer-Encoding: 7bit
> X-SenderIP: 66.162.83.190
> X-ASN: ASN-4323
> X-CIDR: 66.162.83.0/24
> I've received another 18 infected messages from this ip again today. I'm
> almost afraid to run my scripts. Can this guy do anything? I mean it's not
> my fault that this ip is being blacklisted. I'll hold off running the
> scripts hoping I'll get some advice from some of you more knowledgeable on
> this stuff.
> Thanks
> Chris
--
"This message is made of 100% recycled electrons."
Re: OT? Threats from twtelecom over spam reports
Posted by mouss <us...@free.fr>.
Menno van Bennekom wrote:
> Mouss wrote:
>
>>twtelecom.net is in the US.
>
> Yes, I'm doing too many things at a time today so I was only triggered by
> the 'tw' ;-)
Would be "fun" to block Time Warner because of that :)
>>I'm not certain many spammers do really care to clean up the address
>>lists...
>
> Dunno but I certainly do not want to help them. Also the address you use
> for reporting will be added to the spam-list.
>
You can use a disposable one that is unique to the contacted site. This
way, if the address gets spam, you get further evidence.
Re: OT? Threats from twtelecom over spam reports
Posted by Menno van Bennekom <mv...@xs4all.nl>.
Mouss wrote:
>
> twtelecom.net is in the US.
Yes, I'm doing too many things at a time today so I was only triggered by
the 'tw' ;-)
>
>> By the way, I wouldn't report spam to the abuse-addresses, the reports
>> are
>> often forwarded to the spammer. It is often only used as a confirmation
>> that the spammer has found a working mail-address and you will get more
>> spam.
>> Spamcop offers an option to report the spam without sending mails to the
>> abuse addresses.
>
> I'm not certain many spammers do really care to clean up the address
> lists...
Dunno but I certainly do not want to help them. Also the address you use
for reporting will be added to the spam-list.
Menno
Re: OT? Threats from twtelecom over spam reports
Posted by mouss <us...@free.fr>.
Menno van Bennekom wrote:
>
>
> I know some ip-addresses here that try to send me viruses for over a year!
> Reporting this to abuse I did once or twice and indeed it doesn't always
> help, but I also block the ip at the MTA level (postfix) and that does
> help ;-)
> Some I have even blocked at the firewall because they wasted too much of
> precious cpu-time. Countries like TW, CN, KR I have blocked at the MTA
> level, although only in big (/16) ip-ranges and domain-names, this tiny TW
> ip-range you mentioned here I have not blocked.
twtelecom.net is in the US.
> By the way, I wouldn't report spam to the abuse-addresses, the reports are
> often forwarded to the spammer. It is often only used as a confirmation
> that the spammer has found a working mail-address and you will get more
> spam.
> Spamcop offers an option to report the spam without sending mails to the
> abuse addresses.
I'm not certain many spammers do really care to clean up the address
lists...
Re: OT? Threats from twtelecom over spam reports
Posted by Menno van Bennekom <mv...@xs4all.nl>.
Chris wrote:
> Since about the 22nd or 23rd I've been getting virus-laden (Sober.U) spam
> from an address at twtelecom.net (66.162.83.190). All my spam reporting
> is done via two scripts, one is reporter.pl which runs sa-learn and
> reports to Razor, Pyzor and DCC. The other script, which was written by
> Karsten Self, called Spam Tools, actually reports the spam to the abuse
> address(es) and to NANAS. After getting a couple of hundred infected
> messages I wrote a nice email to one of the contacts, he replied:
I know some ip-addresses here that try to send me viruses for over a year!
Reporting this to abuse I did once or twice and indeed it doesn't always
help, but I also block the ip at the MTA level (postfix) and that does
help ;-)
Some I have even blocked at the firewall because they wasted too much of
precious cpu-time. Countries like TW, CN, KR I have blocked at the MTA
level, although only in big (/16) ip-ranges and domain-names, this tiny TW
ip-range you mentioned here I have not blocked.
By the way, I wouldn't report spam to the abuse-addresses, the reports are
often forwarded to the spammer. It is often only used as a confirmation
that the spammer has found a working mail-address and you will get more
spam.
Spamcop offers an option to report the spam without sending mails to the
abuse addresses.
Regards
Menno van Bennekom
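Chris asks whether the headers he posted really show 66.162.83.190 as the origin, and Menno's answer is to block the offending address or range at the MTA. Both questions come down to the same check: which Received header can be believed, and does the address it names fall in a blocked range. The script below is an added example, not code from the thread or from any tool mentioned in it; the list of trusted relays and the block list are assumptions (the /24 is the X-CIDR value EarthLink attached to the message), and the last Received line in the sample is a constructed forged hop added to show that the walk never reaches it.

```python
import email
import ipaddress
import re

# Headers from the message posted in the thread. Return-Path and Message-ID,
# which the post shows elided, are left out. The third Received line is
# CONSTRUCTED: a hop the sending host could have written itself.
RAW_HEADERS = """\
Received: from pop.earthlink.net [209.86.93.201]
\tby localhost with POP3 (fetchmail-6.2.5)
\tfor cpollock@localhost (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
Received: from picpba.com ([66.162.83.190])
\tby mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
\tid 1eGZi22e13Nl34g0
\tTue, 29 Nov 2005 01:48:26 -0500 (EST)
Received: from mail.example.net ([192.0.2.10]) by picpba.com with SMTP
From: Admin@cscfleet.com
To: smntp7500@earthlink.net
Subject: Registration Confirmation
X-SenderIP: 66.162.83.190
X-CIDR: 66.162.83.0/24

"""

# Assumption: relays the recipient operates or trusts to stamp honest Received headers.
TRUSTED_RELAYS = ("localhost", ".earthlink.net")

# Assumption: what a postfix check_client_access cidr: map would hold for this case.
BLOCKLIST = ["66.162.83.0/24"]

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"                          # HELO / reverse name of the peer
    r"(?:\s*\(?\[?(?P<ip>\d+(?:\.\d+){3})\]?\)?)?"   # its address, if the relay logged it
    r".*?\bby\s+(?P<by>\S+)",                         # the relay that wrote this hop
    re.IGNORECASE | re.DOTALL,
)


def is_trusted(host: str) -> bool:
    host = host.lower().strip("()[]")
    return any(host == t or host.endswith(t) for t in TRUSTED_RELAYS)


def parse_hop(value: str):
    m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def connecting_ip(raw: str):
    """Walk Received headers newest-first while every hop was written by a
    trusted relay; the first peer that is not trusted is the real client."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None or not is_trusted(hop["by"]):
            return None  # a hop we did not write: everything below it is hearsay
        if not is_trusted(hop["from"]):
            return hop["ip"] or hop["from"]
    return None


def in_blocklist(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def analyse(raw: str, cidrs=BLOCKLIST) -> dict:
    msg = email.message_from_string(raw)
    ip = connecting_ip(raw)
    return {
        "connecting_ip": ip,
        "sender_ip_header": msg.get("X-SenderIP"),
        "from_header": msg.get("From"),
        "blocked": ip is not None and in_blocklist(ip, cidrs),
    }


if __name__ == "__main__":
    for key, val in analyse(RAW_HEADERS).items():
        print(f"{key:17} {val}")
```

On the posted headers the walk stops at the hop written by EarthLink's MX, which recorded picpba.com connecting from 66.162.83.190; that agrees with EarthLink's own X-SenderIP header, while the From: address and anything the sending host put in its own Received lines carry no weight. A connection from that address would match the /24 in the block list, which is the MTA-level block Menno describes.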
Re: OT? Threats from twtelecom over spam reports
Posted by Dan Hollis <go...@anime.net>.
On Wed, 30 Nov 2005, Mike Jackson wrote:
>> twtelecom is staffed by morons, like most other large providers.
> Eh, I wouldn't go so far as to say they're morons. They're just near-sighted.
> They'll do whatever they need to do - and no more - to protect their own
> interests without considering the implications for others on the net.
There are a couple responsible tier1's on the net. twtelecom is not one of
them. twtelecom is more like an industrial polluter.
> Take AOL. They have some policies that seem to have been written by total morons,
Not really, at least not compared to their old policies.
-Dan
Re: OT? Threats from twtelecom over spam reports
Posted by Mike Jackson <mj...@barking-dog.net>.
> twtelecom is staffed by morons, like most other large providers.
Eh, I wouldn't go so far as to say they're morons. They're just
near-sighted. They'll do whatever they need to do - and no more - to protect
their own interests without considering the implications for others on the
net. Take AOL. They have some policies that seem to have been written by
total morons, but if you step back and think about it, what would you do if
you were the 800-pound (or 363-kilogram) gorilla on the internet and had
millions of users that your marketing department had promised that they'd
receive no spam and had billions of dollars riding on meeting your
institutional goals? You'd probably want to limit the mail that reaches your
system, even if by draconian means, even if it meant that smaller providers
would have to jump through hoops to reach you, even if it meant that there'd
be collateral damage: legitimate mail that didn't reach your system. The
farther you get down the internet food chain, the lower the stakes, the less
limiting the decisions, and the more foolish the decisions made by people
higher up the chain look. twtelecom isn't a small fish, and I'm sure if you were
in the same position, you'd be upset if some upstart downstream from you was
making your life difficult.
Hey, just trying to keep perspective!
Re: OT? Threats from twtelecom over spam reports
Posted by Dan Hollis <go...@anime.net>.
On Tue, 29 Nov 2005, Chris wrote:
> On Tuesday 29 November 2005 8:26 pm, M. Lewis wrote:
>> Chris,
>> My opinion (opinions are like assholes, everyone has one and they all
>> stink).
>> 1. If the person was legit, he would *not* have responded harshly and
>> 'threatened you' that things would get ugly.
>> 2. There isn't squat he can do to you beyond what he already has.
>> 3. Block the IP in postfix or your firewall. DONE.
>> Just my opinion. I'm curious to see what others might say.
> Thanks Mike, that's been the consensus of others I've talked to about this
> guy. I'm continuing to report this ip, I have put his address in my
> "undeliverable" list but continue to report to abuse@twtelecom.net and
> others.
twtelecom is staffed by morons, like most other large providers.
-Dan
Re: OT? Threats from twtelecom over spam reports
Posted by Chris <cp...@earthlink.net>.
On Tuesday 29 November 2005 8:26 pm, M. Lewis wrote:
> Chris,
>
> My opinion (opinions are like assholes, everyone has one and they all
> stink).
>
> 1. If the person was legit, he would *not* have responded harshly and
> 'threatened you' that things would get ugly.
>
> 2. There isn't squat he can do to you beyond what he already has.
>
> 3. Block the IP in postfix or your firewall. DONE.
>
> Just my opinion. I'm curious to see what others might say.
>
Thanks Mike, that's been the consensus of others I've talked to about this
guy. I'm continuing to report this ip, I have put his address in my
"undeliverable" list but continue to report to abuse@twtelecom.net and
others.
--
Chris
Registered Linux User 283774 http://counter.li.org
21:43:31 up 5 days, 6:22, 2 users, load average: 1.26, 1.02, 1.06
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today is the first day of the rest of the mess.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~