Hi, all.

I put up a closed email relay with -verbose- logging last week.
Sure enough, a spammer tried to (unsuccessfully)[0] relay spam
off of it.  The server logged the unsuccessful attempts to relay
spam.

I don't know if the spammer has the "from" email addressen created
randomly or if it's a static list.  Anyways, I clipped the "from"
email addressen out of the logs.  Would anyone care if I posted the
"from" list this spammer is using?  It's 388 lines long, but can be
easily added to a no-no list.

[0] Did I mention that it's a /closed/ relay? 
--
Mike Raeder      Turn off the local echo to email me
Unix Mercenary-We're not happy until you're not happy
Posted by news://news.nb.nu

[ Post a follow-up to this message ]

John Henry <jhd@inSPAMBLOCKsurgent.orgy> writes:
> I'm not sure if this is a valid approach.  I've seen *my* addresses pop up
> in From: on messages to various accounts, and have had spam complaints
> about messages appearing to originate from my domains.

I've had my old work email address spoofed on spam before also.  This
"from" list is kind of suspect since it uses a generic name followed
by 2 digits.

<snip>
alexander22@btopenworld.com
alexander48@ntlworld.com
alfred45@excite.com
alfred96@btinternet.com
</snip>

The logs show that it was coming from CPE000f66092b54-CM012059931476.cpe.
net.cable.rogers.com with the IP address 24.101.79.48.  I emailed their
abuse account, so we'll see how far that goes.

I suppose it would be a rather heavy handed approach to pop in DENYs for
each email address, but I'm going to keep an eye out and see if this
spammer tries it again and uses the same "from" list.  I guess the whole
spam thing gets so frustrating that one will do anything to make a
spammer's life harder.

--
Mike Raeder      Turn off the local echo to email me
Unix Mercenary-We're not happy until you're not happy
Posted by news://news.nb.nu

[ Post a follow-up to this message ]

Hi, Mike Raeder!  This is a friendly line to let people know who I'm
talking to!

> Hi, all.
>
> I put up a closed email relay with -verbose- logging last week.
> Sure enough, a spammer tried to (unsuccessfully)[0] relay spam
> off of it.  The server logged the unsuccessful attempts to relay
> spam.
>
> I don't know if the spammer has the "from" email addressen created
> randomly or if it's a static list.  Anyways, I clipped the "from"
> email addressen out of the logs.  Would anyone care if I posted the
> "from" list this spammer is using?  It's 388 lines long, but can be
> easily added to a no-no list.

I'm not sure if this is a valid approach.  I've seen *my* addresses pop up
in From: on messages to various accounts, and have had spam complaints
about messages appearing to originate from my domains.

--
John Henry
www.lowgenius.com
Percussus Ergo Sum
Remove the SPAMBLOCK and organize an orgy to reply by e-mail

[ Post a follow-up to this message ]

In article < Xns94F7BEF6D81C9johnhenrylowgeniusco@216
.168.3.44>,
John Henry <jhd@inSPAMBLOCKsurgent.orgy> wrote:

> I'm not sure if this is a valid approach.  I've seen *my* addresses pop up
> in From: on messages to various accounts, and have had spam complaints
> about messages appearing to originate from my domains.

Additionally, I've had spam come in from broken scripts where the
"variables" aren't filled in an I've seen things like "%from@yahoo.com".
So I'd definitely agree that such a list is pointless.  An IP list is
more useful, and even then it's not like a lot of new surprises are
popping up there.

[ Post a follow-up to this message ]