Tuesday, January 15, 2008
Getting hammered by spam bounces
Wow, claar.org is getting hammered by email bounces. 600+, and the hits just keep coming.
Looking at the IPs, it appears that some zombie army of spambots is sending "medical" spams and forging the "from" address as somejunk@claar.org. A lot of the emails identify their originating system as gosha+stuff, although the IP address keeps changing, so this is clearly a lie. Hopefully they keep telling the same lie, it makes it easier to block!
I am going to write a rule to block these bounces, because I'm getting like 4 a minute. Actually, I'll add it to my bounce blocker. (The "known names" have been changed to protect the innocent).
# Throw out bounces
# If From postmaster, mailer-daemon, or mailer, add 1
#   (note: "mailer" also matches mailer-daemon, so those score 2; harmless)
# If To a known name, -1
# If total is > 0, then
#   If a header includes Received:.*gosha, toss.
#   Otherwise score the body: start at -1, then add 1 each for a
#   Content-Type of gif, jpeg or x-msdownload and for an Encoding of
#   base64, add 2 for Received:.*gosha, and toss if the total is > 0
:0
* 1^0 ^From.*postmaster
* 1^0 ^From.*mailer-daemon
* 1^0 ^From.*mailer
* -1^0 ^To.*ME
* -1^0 ^To.*MYSELF
* -1^0 ^To.*I
{
:0
* Received:.*gosha
/dev/null
:0 B
* -1^0
* 1^0 ^Content-Type: *image/gif
* 1^0 ^Content-Type: *application/x-msdownload
* 1^0 ^Content-Type: *image/jpeg
* 1^0 ^Content-Transfer-Encoding: *base64
* 2^0 ^Received:.*gosha
/dev/null
}
There. Done. I love procmail.
Update: Sh*t. This doesn't get all of them; the d**n thing is mutating. I've added a few of the URLs, but that's mutating, too. Clearly, they've got a set of nameservers that will generate random domains. And the domains map to a bunch of IP addresses, probably more zombies. It really feels like fighting zombies: The stupid thing won't die!
The message is mutating, too: Almost every message has a different way to say "your...thing can be bigger".
# Replacement for the body (":0 B") recipe above: same scoring, plus 2
# for any of the spam domains (dots escaped so "." matches only a dot)
:0 B
* -1^0
* 1^0 ^Content-Type: *image/gif
* 1^0 ^Content-Type: *application/x-msdownload
* 1^0 ^Content-Type: *image/jpeg
* 1^0 ^Content-Transfer-Encoding: *base64
* 2^0 ^Received:.*gosha
* 2^0 hurryrecord\.com
* 2^0 guessbegan\.com
* 2^0 coverhuman\.com
* 2^0 buteat\.com
/dev/null
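As an added example (not code from the original post), here is a Python model of the two recipes above, so the scoring can be stepped through without a procmail install. It mirrors procmail's semantics: case-insensitive regexes, `^` matching at the start of any line, each `w^0` condition counting once, and the `-1` baseline in the body recipe. The redacted placeholders ME/MYSELF/I are assumed to be `me@claar.org` and `myself@claar.org`, and the four messages it runs over are constructed for the example, not real bounces.

```python
"""Model of the post's procmail bounce blocker, run over constructed messages."""
import re

# Assumption: stand-ins for the post's redacted ME / MYSELF / I placeholders.
KNOWN_NAMES = ("me@claar.org", "myself@claar.org")
# The forged relay name and the spam domains from the second recipe.
BODY_RELAY = re.compile(r"^Received:.*gosha", re.I | re.M)
BAD_DOMAINS = ("hurryrecord.com", "guessbegan.com", "coverhuman.com", "buteat.com")
SUSPECT_TYPES = ("image/gif", "application/x-msdownload", "image/jpeg")


def split_message(raw):
    """Header block and body, split at the first blank line, as procmail does."""
    head, _, body = raw.partition("\n\n")
    return head, body


def bounce_score(head):
    """Outer recipe: +1 per matching From pattern, -1 per known To name.
    '^From.*mailer' also matches mailer-daemon, so that From scores 2."""
    score = 0
    for pat in (r"^From.*postmaster", r"^From.*mailer-daemon", r"^From.*mailer"):
        if re.search(pat, head, re.I | re.M):
            score += 1
    for name in KNOWN_NAMES:
        if re.search(r"^To.*" + re.escape(name), head, re.I | re.M):
            score -= 1
    return score


def body_score(body):
    """Inner ':0 B' recipe. Starts at -1 so a single weak indicator alone
    never reaches the > 0 threshold; each condition counts at most once."""
    score = -1
    for ct in SUSPECT_TYPES:
        if re.search(r"^Content-Type: *" + re.escape(ct), body, re.I | re.M):
            score += 1
    if re.search(r"^Content-Transfer-Encoding: *base64", body, re.I | re.M):
        score += 1
    if BODY_RELAY.search(body):
        score += 2
    for dom in BAD_DOMAINS:
        if re.search(re.escape(dom), body, re.I):
            score += 2
    return score


def classify(raw):
    """Return (discard, reason) for one message, following the recipes' order."""
    head, body = split_message(raw)
    if bounce_score(head) <= 0:
        return False, "not a bounce, or a bounce to a known name"
    if re.search(r"Received:.*gosha", head, re.I):
        return True, "Received header names the forged gosha relay"
    s = body_score(body)
    if s > 0:
        return True, f"body score {s} > 0"
    return False, f"body score {s}, kept for a human to look at"


# Constructed sample messages (not real bounces); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLES = {
    "backscatter_forged_relay": (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: somejunk@claar.org\n"
        "Received: from gosha-v3 (unknown [192.0.2.7]) by mx.example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "\n"
        "This is the mail system at host mx.example.net.\n"),
    "legit_bounce_to_me": (
        "From: postmaster@example.org\n"
        "To: me@claar.org\n"
        "Subject: Delivery failure\n"
        "\n"
        "Your message could not be delivered.\n"),
    "unremarkable_bounce": (
        "From: Mail Delivery System <MAILER-DAEMON@relay.example>\n"
        "To: somejunk@claar.org\n"
        "\n"
        "User unknown.\n"),
    "mutated_spam_bounce": (
        "From: MAILER-DAEMON@relay.example\n"
        "To: somejunk@claar.org\n"
        "Subject: failure notice\n"
        "\n"
        "Your message was not delivered.\n"
        "\n"
        "------ original message ------\n"
        "Received: from gosha-v1 ([198.51.100.9]) by relay.example\n"
        "Content-Type: image/jpeg\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "/9j/4AAQSkZJRgABAQAAAQABAAD...\n"
        "http://hurryrecord.com/\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26s} -> {classify(raw)}")
```

Running it shows why the baseline matters: the bounce to a known name is never scored at all, the unremarkable bounce to an unknown address stays at -1 and is kept, and only the messages carrying the forged relay or a pile of indicators go to /dev/null. The domain list is the brittle part, which is exactly what the Update below complains about.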
I just hope this doesn't get claar.org blacklisted!