Posted to users@spamassassin.apache.org by Michael Monnerie <mi...@it-management.at> on 2006/06/12 08:53:39 UTC

New spam type - sender domain quickly deleted

Dear list,

yesterday I've got some new kind of spam:

X-Envelope-From: ahlers@abruxateatro.com
Received: from abruxateatro.com (unknown [210.245.161.31])
	by power2u.goelsen.net (Postfix) with SMTP id ____________
	for <_____________>; Sun, 11 Jun 2006 18:25:57 +0200 (CEST)

X-Envelope-From: ahlers@acidstufftv.com
Received: from acidstufftv.com (unknown [210.245.161.31])
	by power2u.goelsen.net (Postfix) with SMTP id ____________
	for <_____________>; Sun, 11 Jun 2006 18:25:58 +0200 (CEST)

These domains don't exist now, but obviously did yesterday. Did anybody 
else see such SPAM? How can I check if a domain ever existed? 
Is anybody working on a check for new domains, so that you could say "if 
a domain is newer than 2 days, temporary reject"?

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660/4156531                          .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net                 Key-ID: 0x55CBA4EE

Re: New spam type - sender domain quickly deleted

Posted by Michael Monnerie <mi...@it-management.at>.
On Monday, 12 June 2006 10:03 Jamie L. Penman-Smithson wrote:
> On 12 Jun 2006, at 07:53, Michael Monnerie wrote:
> > yesterday I've got some new kind of spam:
> >
> > X-Envelope-From: ahlers@abruxateatro.com
> > Received: from abruxateatro.com (unknown [210.245.161.31])
> > 	by power2u.goelsen.net (Postfix) with SMTP id ____________
> > 	for <_____________>; Sun, 11 Jun 2006 18:25:57 +0200 (CEST)
> >
> > X-Envelope-From: ahlers@acidstufftv.com
> > Received: from acidstufftv.com (unknown [210.245.161.31])
> > 	by power2u.goelsen.net (Postfix) with SMTP id ____________
> > 	for <_____________>; Sun, 11 Jun 2006 18:25:58 +0200 (CEST)
> >
> > These domains don't exist now, but obviously did yesterday. Did
> > anybody
> > else see such SPAM? How can I check if a domain ever existed?
> > Is anybody working on a check for new domains, so that you could
> > say "if
> > a domain is newer than 2 days, temporary reject"?
>
> abruxateatro.com still exists in DNS, although it looks like just a
> "domain parked" site:

Oh, I got fooled by:
# whois abruxateatro.com
NO DOMAIN (1)

So, that domain at least exists. Could there be a check for whether a 
domain has an MX record, and if not give it some points? Would make 
sense, I guess, because normally e-mail is two-way...

And what about the acidstufftv.com domain?

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660/4156531                          .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net                 Key-ID: 0x55CBA4EE
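
Added example, not part of the original post and not SpamAssassin code: a sketch of the "no MX record, give it some points" idea from the message above, run over the two header blocks quoted in the thread. The point values, the stubbed MX answers and the extra shared-relay heuristic are assumptions made for illustration; a live check would pass a real DNS lookup as has_mx.

```python
import re
from collections import defaultdict

# Headers copied from the first post (queue id and recipient were already blanked).
SAMPLE = """\
X-Envelope-From: ahlers@abruxateatro.com
Received: from abruxateatro.com (unknown [210.245.161.31])
\tby power2u.goelsen.net (Postfix) with SMTP id ____________

X-Envelope-From: ahlers@acidstufftv.com
Received: from acidstufftv.com (unknown [210.245.161.31])
\tby power2u.goelsen.net (Postfix) with SMTP id ____________
"""
ENV_RE = re.compile(r"^X-Envelope-From:\s*\S+@(\S+)", re.M)
RCVD_RE = re.compile(r"^Received: from (\S+) \((\S+) \[([0-9a-fA-F.:]+)\]\)", re.M)

def parse(block):
    """Return (envelope_domain, rdns_name, relay_ip) for one message's headers."""
    env, rcvd = ENV_RE.search(block), RCVD_RE.search(block)
    if not env or not rcvd:
        return None
    return env.group(1).lower().rstrip("."), rcvd.group(2), rcvd.group(3)

def score_messages(text, has_mx, no_mx_points=1.0, shared_relay_points=1.5):
    """has_mx(domain) returns True, False, or None when the lookup itself failed."""
    msgs = [m for m in (parse(b) for b in text.split("\n\n")) if m]
    domains_per_ip = defaultdict(set)
    for dom, _rdns, ip in msgs:
        domains_per_ip[ip].add(dom)
    results = []
    for dom, rdns, ip in msgs:
        points, reasons = 0.0, []
        # Only a definite "no MX" scores; None (DNS failure) must not penalise.
        # Keep the score small: a domain without MX can still receive mail
        # through its A record (implicit MX).
        if has_mx(dom) is False:
            points += no_mx_points
            reasons.append("no MX")
        # Postfix logs "unknown" when the client IP has no verified reverse name.
        if rdns == "unknown" and len(domains_per_ip[ip]) > 1:
            points += shared_relay_points
            reasons.append("relay without rDNS used for several sender domains")
        results.append((dom, ip, points, reasons))
    return results

# Constructed lookup answers for illustration; not the real DNS state of these domains.
CONSTRUCTED_MX = {"abruxateatro.com": False, "acidstufftv.com": None}

def stub_has_mx(domain):
    return CONSTRUCTED_MX.get(domain)
```
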

Re: New spam type - sender domain quickly deleted

Posted by "Jamie L. Penman-Smithson" <li...@silverdream.org>.
On 12 Jun 2006, at 07:53, Michael Monnerie wrote:
> yesterday I've got some new kind of spam:
>
> X-Envelope-From: ahlers@abruxateatro.com
> Received: from abruxateatro.com (unknown [210.245.161.31])
> 	by power2u.goelsen.net (Postfix) with SMTP id ____________
> 	for <_____________>; Sun, 11 Jun 2006 18:25:57 +0200 (CEST)
>
> X-Envelope-From: ahlers@acidstufftv.com
> Received: from acidstufftv.com (unknown [210.245.161.31])
> 	by power2u.goelsen.net (Postfix) with SMTP id ____________
> 	for <_____________>; Sun, 11 Jun 2006 18:25:58 +0200 (CEST)
>
> These domains don't exist now, but obviously did yesterday. Did  
> anybody
> else see such SPAM? How can I check if a domain ever existed?
> Is anybody working on a check for new domains, so that you could  
> say "if
> a domain is newer than 2 days, temporary reject"?

abruxateatro.com still exists in DNS, although it looks like just a
"domain parked" site:

;; QUESTION SECTION:
;www.abruxateatro.com.          IN      A

;; ANSWER SECTION:
www.abruxateatro.com.   300     IN      A       69.25.212.153

;; AUTHORITY SECTION:
abruxateatro.com.       172671  IN      NS      ns.1.name.net.
abruxateatro.com.       172671  IN      NS      ns.2.name.net.

You might want to take a look at red.uribl.com, although it's not
"actively maintained" ..yet:

# red.uribl.com - Experimental list for new domain registrations and  
mass moves between registries that we define as spam supporters or  
facilitators. This zone is not actively maintained currently, but we  
have big plans for it ;) Oh ya, use at your own risk.

-j