More from this prolific spammer that I'm calling F3Y for the moment (because the fake email address in the WHOIS details always consists of a Female name plus 3 numbers and is hosted by Yahoo!).
The IP addresses belong to Global Layer BV in the US, who say that they have already terminated them.
IPs:
162.222.193.53
162.222.193.54
162.222.193.55
162.222.193.56
162.222.193.58
Domains:
improvewindowshutters.mobi
entirerussianbrides.mobi
med-enrollmentpick.mobi
starmiraclecure.mobi
mostasiandating.mobi
Example subjects:
Re: Timberlane - The World's Finest Handcrafted Shutters Catalog: 5825659
Hey, Ilsa, Sasha, Sonya and others want to say Hello
Re: Are you still eligible to change your Medicare Plan? Find out today. Notice #3850150
Fwd: 5 Diseases You Thought Couldn't Be Cured, Blog: 16602444
Hey, Meet Ming our top pick of the week. No. 15318724
Fake WHOIS details:
Registrant ID:657a6ba9372a5461
Registrant Name:Alisons Foley
Registrant Organization:n/a
Registrant Street1:6418 N Us Highway 41
Registrant City:Jacksonville
Registrant State/Province:FL
Registrant Postal Code:33572
Registrant Country:US
Registrant Phone:+1.8136490339
Registrant Email:alisonsfoleym634@yahoo.com
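An added example (not part of the original post): a small check for the F3Y registrant pattern described above, run over the WHOIS block shown in the post. The function names, indicator labels and the benign record are constructed for illustration, and the test that the email local part starts with the registrant name is an assumption drawn from this one sample.

```python
import re

# WHOIS block as shown in the post (trimmed to the fields the check uses).
F3Y_RECORD = """\
Registrant Name:Alisons Foley
Registrant Organization:n/a
Registrant Postal Code:33572
Registrant Email:alisonsfoleym634@yahoo.com
"""
# Constructed benign record for contrast (not from the post).
BENIGN_RECORD = """\
Registrant Name:Example Admin
Registrant Organization:Example Ltd
Registrant Email:hostmaster@example.org
"""

# Heuristic from the post: letters, then exactly three digits, at a Yahoo domain.
F3Y_EMAIL = re.compile(r"^([a-z]+)(\d{3})@yahoo\.[a-z.]+$")


def parse_whois(text):
    """Parse 'Key:Value' WHOIS lines into a dict with lowercased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def f3y_indicators(text):
    """Return the F3Y-style indicators present in one WHOIS record."""
    rec = parse_whois(text)
    hits = []
    match = F3Y_EMAIL.match(rec.get("registrant email", "").lower())
    if match:
        hits.append("letters_plus_3_digits_at_yahoo")
        # Assumption from this one sample: the local part starts with the
        # registrant name run together ("Alisons Foley" -> "alisonsfoley").
        name = re.sub(r"[^a-z]", "", rec.get("registrant name", "").lower())
        if name and match.group(1).startswith(name):
            hits.append("local_part_built_from_registrant_name")
    return hits


if __name__ == "__main__":
    for label, record in (("post", F3Y_RECORD), ("benign", BENIGN_RECORD)):
        print(label, f3y_indicators(record))
```

The email pattern on its own will also match legitimate Yahoo addresses that end in three digits, so treat a hit as a reason to look at the other details of the registration rather than as a verdict.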
12 comments:
Today's run:
63.223.78.101 Hey, Walk-in Tub means Peace of Mind http://requestnow.calm-walkin-tub.com
63.223.78.104 Hi. Announcing: Connection Week at Brazilia Women http://encounter.enter-latin-bride.com
63.223.78.100 Hey, Attention: Medicare Open Enrollment Begins Soon. http://check.pro-medicare-plans.com
63.223.78.98 Fwd: Garage Floor Coatings before Winter Rain and Snow http://safe.put-floor-epoxy.com
63.223.78.97 Re: 5 Diseases You Thought Couldn't Be Cured http://learnmore.hope-miracle-cure.com
63.223.78.96 Fwd: Are you still eligible to change your Medicare Plan? Find out today. http://trynow.full-medicare-plans.com
They're getting through SpamAssassin because they score well in Bayes, among other things:
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
More...
They are really really aggressive today! Not going to bother with the subject names, it's the same ones over and over for the past week.
More from the same 173.208.176.* range:
173.208.176.203
173.208.176.204
173.208.176.205
I expect more from this new one that appeared just now:
205.234.152.99
and here they come...
205.234.152.102
205.234.152.103
205.234.152.104
205.234.152.106
205.234.152.107
49 spam received so far today.
And a few more...
205.234.152.108
205.234.152.109
205.234.152.110
Did a lookup and the IPs belong to Velocity Servers.net in Buffalo NY, owners of ColoCrossing which we've already received the same spam from.
Received over 100 today so far, there seems no end to it, it's just getting worse :( and it's my main business address I've had for over 15 years. Scum.
Nothing today so far (it's 6.15pm here). First time in ages there hasn't been. Odd. Temporary relief, no doubt.
Relief indeed, I even devised a set of Spam Rules last night to combat this, and was going to test whether it worked against it this morning.
I got a few today, but nothing like the scale of the last load... maybe like 10+ or so.
Any reports? I'm not getting any more spam from these guys for days. Good news indeed.
It slowed down to maybe a handful per day, but today I've been receiving a lot, one every 15-20 mins since noon.
Brees M-Patch
Compare Today
My Shed
Fidelity Life
Diabetic Guide....
FYI: My own site's attack profile by country: http://www.dudek.org/static/dudek/hackerspie.png
inspired partly by your reportage