Sponsored by..

Tuesday, 12 August 2014

Aggressive scumbag spam 2014-08-12

More from this prolific spammer that I'm calling F3Y for the moment (because the fake email address in the WHOIS details always consists of a Female name plus 3 numbers and is hosted by Yahoo!).

IP address belong to Global Layer BV in the US who say that they have already terminated them.



Example subjects:
Re: Timberlane - The World???s Finest Handcrafted Shutters Catalog: 5825659
Hey, Ilsa, Sasha, Sonya and others want to say Hello
Re: Are you still eligible to change your Medicare Plan? Find out today. Notice #3850150
Fwd: 5 Diseases You Thought Couldn't Be Cured, Blog: 16602444
Hey, Meet Ming our top pick of the week. No. 15318724

Fake WHOIS details:
Registrant ID:657a6ba9372a5461
Registrant Name:Alisons Foley
Registrant Organization:n/a
Registrant Street1:6418 N Us Highway 41
Registrant City:Jacksonville
Registrant State/Province:FL
Registrant Postal Code:33572
Registrant Country:US
Registrant Phone:+1.8136490339
Registrant Email:alisonsfoleym634@yahoo.com


Andy said...

Today's run: Hey, Walk-in Tub means Peace of Mind http://requestnow.calm-walkin-tub.com Hi. Announcing: Connection Week at Brazilia Women http://encounter.enter-latin-bride.com Hey, Attention: Medicare Open Enrollment Begins Soon. http://check.pro-medicare-plans.com Fwd: Garage Floor Coatings before Winter Rain and Snow http://safe.put-floor-epoxy.com Re: 5 Diseases You Thought Couldn't Be Cured http://learnmore.hope-miracle-cure.com Fwd: Are you still eligible to change your Medicare Plan? Find out today. http://trynow.full-medicare-plans.com

They're getting through Spam Assassin because they score well in Bayes, among other things:
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Devolv said...


Devolv said...

They are really really aggressive today! Not going to bother with the subject names, it's same ones over and over for the past week.

More from the same 173.208.176.* range:

I expect more from this new one that appeared just now:

Devolv said...

and here they come...

49 Spem received so far today.

Devolv said...

And a few more...

Did a lookup and the IPs belong to Velocity Servers.net in Buffalo NY, owners of ColoCrossing which we've already received the same spam from.

BloggerBen said...

Received over 100 today so far, there seems no end to it, its just getting worse :( and its my main business address i've had for over 15 years. Scum.

Andy said...

Nothing today so far (it's 6.15pm here). First time in ages there hasn't been. Odd. Temporary relief, no doubt.

Devolv said...

Relief indeed, I even devised a set of Spam Rules last night to combat this, and was going to test whether it worked against it this morning.

BloggerBen said...

I got a few today, but nothing like the scale of the last load... maybe like 10+ or so.

Devolv said...

Any reports? I'm not getting anymore spam from these guys for days. Good news indeed.

BloggerBen said...

It slowed down to maybe a handful per day, but today i've been receiving a lot, one every 15-20 mins since noon.

Brees M-Patch
Compare Today
My Shed
Fidelity Life
Diabetic Guide....

dude said...

FYI: My own site's attack profile by country: http://www.dudek.org/static/dudek/hackerspie.png
inspired partly by your reportage