
Thursday 7 August 2014

Aggressive scumbag spammers strike again

The very aggressive scumbag snowshoe spammers [1] [2] [3] [4] [5] strike again, this time burning through a bunch of email servers belonging to Serverel Corp in the Czech Republic:

IPs:
109.206.177.121
109.206.177.122
109.206.177.123
109.206.177.124
109.206.177.125
109.206.177.126

Spamvertised domains:
newfreecredit.com
here-medicaresignup.com
lean-slim-down.com
best-cheap-ins.com
oddmiracle.com
true-refihouse.com

Subjects:
RE: Your TransUnion Score may have recently changed.
Hey, Unhappy with your Plan? Notice #3550165
Re: Foreskolin - Recently featured on The Dr. Oz Show. Order: 22232150
Fwd: Your AutoInsurance-Policy can be lower. Notice #20768701
Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 24300322
Fwd: How much can you save by lowering our house payment?

Domain registration details:
Registrant Name: BENITA DUFFY
Registrant Organization: MARY KIMBREL
Registrant Street: 1031 WOODLEY RD
Registrant City: MONTGOMERY
Registrant State/Province: AL
Registrant Postal Code: 36106
Registrant Country: US
Registrant Phone: +1.3348343223
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: benitaduffy918@yahoo.com


UPDATE 1:

More from the same spammer, same host but different IP range:

IPs:
109.206.177.151
109.206.177.152
109.206.177.153
109.206.177.154
109.206.177.155
109.206.177.156

Spamvertised domains:
foxy-russianbrides.com
fine-walkintubs.com
many-asianbrides.com
near-enroll-medicare.com
easy-vinylsiding.com
all-rent2own.com

Subjects:
Re: Ilsa, Sasha, Sonya and others want to say Hello
Hey, Learn about the Versatility of a Walk in Bathtub Message: 7541884
Fwd: It's Communication Week. Ting and her friends want to say Hi No: 13142142
Hey, Attention: Medicare Open Enrollment Begins Soon Notice: 12453216
Hey, Help your home keep its value Tip: 21978846
Hi, Stop paying rent! Pymts can go toward owning Notice: 11516529

UPDATE 2:

Yet more, but from a different Serverel range:

IPs:
109.206.177.194
109.206.177.195
109.206.177.196

Domains:
woodsurface.com
true-harp-save.com
star-auto-ins.com

Example subjects:
Re: Garage Floor Coatings before Winter Rain and Snow
Fwd: Save Thousands on Your Home Loan. Rpt: 1400334
Re: Are you overpaying for your auto insurance? Msg ID.11929129

And now a batch from IPs belonging to Nforce, who were seen yesterday, but these are different servers:

IPs:
109.201.148.82
109.201.148.90
109.201.148.178
109.201.148.179

Domains:
protect-home-surfaces01.mobi
instant-oninebackgrounds101.mobi
how-low-mortgage-go.mobi
right-plan-medicare101.mobi

Example subjects:
Garage Floor Coatings before Winter Rain and Snow
Fwd: Safety Notice: Can you trust your friends? Notice: 23746989
Fwd: Save Thousands on Your Home Loan. Rpt: 1455838

These domains have a new fake registrant:
Registrant ID:aab597ea681630c5
Registrant Name:Zoe Clemons
Registrant Organization:n/a
Registrant Street1:21257 N Black Canyon Hwy
Registrant City:Phoenix
Registrant State/Province:AZ
Registrant Postal Code:85027
Registrant Country:US
Registrant Phone:+1.6234347727
Registrant Email:zoeclemons906@yahoo.com

6 comments:

Devolv said...

I've been getting this SPAM. Any ideas which IPs we should block?

FatDiddy said...

Hello,

I am seeing the same messages from the same IPs. I haven't seen anything outside of the IP ranges you posted. Have you seen any more? I am personally on Office 365 so I am reporting these IPs to Microsoft.

FatDiddy said...

Devolv: I blocked the IPs listed above for now. Please let us know if you find similar messages coming from different IPs so they can be added to the list.

Devolv said...

These are some of the IPs I've been receiving on my end.

109.201.148.82
109.201.148.90
109.201.148.169
109.206.177.153
109.206.177.155
109.206.177.156
109.206.177.194
109.206.177.196
109.206.177.195

Conrad Longmore said...

@Devolv - there were some others I saw yesterday but new ones today are:

109.201.148.82
109.201.148.90
109.201.148.178
109.201.148.179

BloggerBen said...

I got 68 emails today from this crap, how did it happen? Will it stop or will I have to ban these IP ranges? Please answer.