Seeing Claarly

A Claar family blog. Because blogging is cool.

Tuesday, January 15, 2008

Spam update

So, as of 6:30 PM, we've received 2726 bounces from this spam attack. Heaven only knows how many went through, or were silently dropped by spam filters. Sheesh.

I hate programs that steal focus

I use a program at work named Fanfare SVT. It is horrible about stealing focus! This means that, at random times, it will decide that you don't really want to be using that browser, you want to be talking to it! So it takes the things you were typing into that other unimportant application, and puts them into Fanfare.

...Which explains how kp.org ended up in a Fanfare test case, and why I had to clean coffee spew off of my screen!

Getting hammered by spam bounces

Wow, claar.org is getting hammered by email bounces. 600+, and the hits just keep coming. :-(

Looking at the IPs, it appears that some zombie army of spambots is sending "medical" spams and forging the "from" address as somejunk@claar.org. A lot of the emails identify their originating system as gosha+stuff, although the IP address keeps changing, so this is clearly a lie. Hopefully they keep telling the same lie, it makes it easier to block!

I am going to write a rule to block these bounces, because I'm getting like 4 a minute. Actually, I'll add it to my bounce blocker. (The "known names" have been changed to protect the innocent).

# Throw out bounces
# If From postmaster, mailer-daemon, or mailer, add 1
# If To a known name, -1
# If total is > 0, then
# If header includes Received:.*gosha-v, toss.
# If body includes Received:.*gosha-v, toss.
# If body contains Content-Type of gif, jpeg, x-msdownload,
# and Encoding of base64, toss
:0
* 1^0 ^From.*postmaster
* 1^0 ^From.*mailer-daemon
* 1^0 ^From.*mailer
* -1^0 ^To.*ME
* -1^0 ^To.*MYSELF
* -1^0 ^To.*I
{
:0
* Received:.*gosha
/dev/null

:0 B
* -1^0
* 1^0 ^Content-Type: *image/gif
* 1^0 ^Content-Type: *application/x-msdownload
* 1^0 ^Content-Type: *image/jpeg
* 1^0 ^Content-Transfer-Encoding: *base64
* 2^0 ^Received:.*gosha
/dev/null
}


There. Done. I love procmail.

Update: Sh*t. This doesn't get all of them; the d**n thing is mutating. I've added a few of the URLs, but that's mutating, too. Clearly, they've got a set of nameservers that will generate random domains. And the domains map to a bunch of IP addresses, probably more zombies. It really feels like fighting zombies: The stupid thing won't die!

The message is mutating, too: Almost every message has a different way to say "your...thing can be bigger".

:0 B
* -1^0
* 1^0 ^Content-Type: *image/gif
* 1^0 ^Content-Type: *application/x-msdownload
* 1^0 ^Content-Type: *image/jpeg
* 1^0 ^Content-Transfer-Encoding: *base64
* 2^0 ^Received:.*gosha
* 2^0 hurryrecord.com
* 2^0 guessbegan.com
* 2^0 coverhuman.com
* 2^0 buteat.com
/dev/null



I just hope this doesn't get claar.org blacklisted!
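As an added illustration that is not part of the original post (and is not procmail itself), the following Python script re-implements the scoring logic of both recipes above: stage one counts bounce-like From headers against known recipient names, and stage two scores the MIME clues, the forged "gosha" relay name, and the throwaway domains that were added in the updated recipe. The recipient names alice/bob stand in for the post's ME/MYSELF/I placeholders, and the four sample messages are constructed for the example.

```python
import re

# Constructed placeholders standing in for the post's "known names"
# (ME / MYSELF / I). In a real deployment these would be the local parts
# that genuinely receive mail at the domain.
KNOWN_NAMES = ["alice", "bob"]

# Stage 1 (header scoring): +1 per bounce-ish From line, -1 per known To name.
# Note: ^From.*mailer also matches mailer-daemon, so a MAILER-DAEMON bounce
# scores 2, exactly as in the original recipe.
HEADER_RULES = [
    (1, r"^From.*postmaster"),
    (1, r"^From.*mailer-daemon"),
    (1, r"^From.*mailer"),
] + [(-1, r"^To.*" + re.escape(name)) for name in KNOWN_NAMES]

# Stage 2 (body scoring, base -1): MIME clues and the forged relay name from
# the first recipe, plus the throwaway spam domains from the updated recipe.
BODY_BASE = -1
BODY_RULES = [
    (1, r"^Content-Type: *image/gif"),
    (1, r"^Content-Type: *application/x-msdownload"),
    (1, r"^Content-Type: *image/jpeg"),
    (1, r"^Content-Transfer-Encoding: *base64"),
    (2, r"^Received:.*gosha"),
    (2, r"hurryrecord\.com"),
    (2, r"guessbegan\.com"),
    (2, r"coverhuman\.com"),
    (2, r"buteat\.com"),
]

# procmail matches case-insensitively by default and anchors ^ per line.
FLAGS = re.IGNORECASE | re.MULTILINE


def score(rules, text, base=0):
    """Sum the weights of all rules whose regex matches `text`.
    Like procmail's w^0 scoring, each rule counts at most once."""
    total = base
    for weight, pattern in rules:
        if re.search(pattern, text, FLAGS):
            total += weight
    return total


def classify(raw_message):
    """Return 'toss' or 'keep' for a raw message (headers, blank line, body)."""
    headers, _, body = raw_message.partition("\n\n")
    if score(HEADER_RULES, headers) <= 0:
        return "keep"          # not a bounce, or a bounce to a real recipient
    if re.search(r"Received:.*gosha", headers, FLAGS):
        return "toss"          # the inner `:0` recipe: relay name in headers
    if score(BODY_RULES, body, base=BODY_BASE) > 0:
        return "toss"          # the `:0 B` recipe: enough body clues
    return "keep"


# Constructed sample messages (203.0.113.0/24 is a documentation range).
BACKSCATTER = "\n".join([
    "From: MAILER-DAEMON@mx.example.net",
    "To: qwv7xk@claar.org",
    "Subject: Undelivered Mail Returned to Sender",
    "",
    "This is the mail system at host mx.example.net.",
    "Received: from gosha-v (unknown [203.0.113.7])",
    "Content-Type: image/gif",
    "Content-Transfer-Encoding: base64",
    "R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==",
])
REAL_BOUNCE = "\n".join([
    "From: postmaster@example.org",
    "To: alice@claar.org",
    "Subject: Delivery Status Notification (Failure)",
    "",
    "Your message to nobody@example.org could not be delivered.",
])
MUTATED = "\n".join([
    "From: Mail Delivery Subsystem <MAILER-DAEMON@mail.example.com>",
    "To: zz91a@claar.org",
    "Subject: Returned mail: see transcript for details",
    "",
    "   ----- The following addresses had permanent fatal errors -----",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Buy now at http://hurryrecord.com/pharm",
])
NORMAL = "\n".join([
    "From: bob@example.com",
    "To: alice@claar.org",
    "Subject: lunch?",
    "",
    "Noon at the usual place?",
])

if __name__ == "__main__":
    for name, msg in [("backscatter", BACKSCATTER), ("real bounce", REAL_BOUNCE),
                      ("mutated", MUTATED), ("normal", NORMAL)]:
        print(f"{name:12s} -> {classify(msg)}")
```

The rule tables are plain data, so each new throwaway domain from the mutating campaign is one more list entry rather than a recipe rewrite. Two things worth noticing when running it: a genuine bounce addressed to a known recipient (REAL_BOUNCE) scores 0 in stage one and is kept, which is the whole point of the negative weights; and a mutated bounce with no image and no "gosha" line is still tossed on the strength of a single domain hit, because weight 2 beats the base of -1. The example uses multi-letter placeholder names deliberately: with procmail's default case-insensitive matching, a one-letter placeholder such as the post's `^To.*I` would match nearly every To header.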
