[Mimedefang] Anyone noticing...

Paul Murphy pjm at ousekjarr.org
Tue Jan 17 12:30:07 EST 2006



> I don't know if it's the same place, but I've got a bunch of these
> going back to Dec 20 (as far back as my logs go).
> 
> ret at amoroot.info
> ret at bigggtimez007.info
> ret at bigggtimez016.info
> ret at bigtownrewards.net
> 
> I'm guessing the ret@ e-mail is a particular spam bot signature.

Probably.  However, blocking all mail from any "ret@" is doomed to generate
false positives.

> All of mine have been coming from the same netblock (morphed a 
> couple of times).  It's currently 216.22.47.0/24.

Back in the middle of 2004, I ended up using a script to block packets in
IPTables from selected networks which were persistently sending SPAM which SA
scored 15+, but who didn't get the hint when everything got a 5.7.1 error.  I
was seeing 500+ per day on a site where the daily mail volume was 4000.
Worse still, they retried after greylisting.  While the sites they came from
were visibly related, it was hard to provide any sort of program logic to
match on the host name.  Some examples below:

I toyed with the idea of refusing connections from any site which resolved to
a name which had two or more parts from a hit list of "my", "your", "our",
"casino", "gaming", "prizes", etc., but in the end I decided I had better
things to do than second-guess the spammer.

My script also tried to block hosts in the same class C net block as the
spammer, with good results - as you can see from the examples above, they
tend to have several Class C addresses available, so if you get a couple of
SPAMs from one address and this triggers you to block that address, they have
252 more to try in that block.  My approach was to try to predict spammer
addresses, so if you received SPAM from the following addresses:

216.144.239.10
216.144.239.14
216.144.239.19

the program would average the last octet ((10+14+19)/3=14.3), and then block
all known spammer addresses (10,14,19) plus anything within one standard
deviation of the mean (stdev=4.5), so I would also block any address between
10 and 19.

The results of this were great, until of course I got a run of SPAM messages
from an ISP's mail servers, and the script correctly predicted and blocked
most of their outgoing mail systems.  My next step was to put the whole thing
into a database, include success and failure counts per IP, plus
trigger/reset timestamps, and then only block SPAM sending addresses for 30
minutes on the first SPAM, 60 on the second, and so on up to the fifth.  In
addition, any site sending more than 10 messages of which more than 75% were
SPAM would be blocked for 7 days.  Stats would expire if they were more than
30 days old, so addresses which changed from a spammer to an unlucky company
who got a reused address wouldn't be affected for more than a week (assuming
addresses are re-allocated immediately, which I doubt).  Unfortunately, I
never got around to this, as the temporary block worked very well.

For more background, search the mailing list archives for "Blocking spam
senders using IPTables?".

Best Wishes,

Paul.
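
As an added example (my own code, not Paul's script or anything from MIMEDefang), here is a Python model of the two schemes described in the post: predicting neighbouring spammer addresses from the last octets already seen (anything within one sample standard deviation of their mean) and the escalating, expiring per-address block proposed so that a run of spam through an ISP's real mail servers costs at most a short block. All function and field names are assumptions, and time is kept as plain minutes.

```python
from statistics import mean, stdev

def predict_block_range(last_octets):
    """Last-octet bounds to block: every octet already seen plus anything within
    one sample standard deviation of their mean, clamped to hosts 1..254."""
    if len(last_octets) < 2:            # a single hit gives no spread to measure
        return last_octets[0], last_octets[0]
    m, sd = mean(last_octets), stdev(last_octets)   # stdev() is the sample s.d.
    lo = max(1, min(min(last_octets), round(m - sd)))
    hi = min(254, max(max(last_octets), round(m + sd)))
    return lo, hi

class SenderStats:
    """Per-IP record as in the proposed database: success/failure counts plus
    trigger/reset timestamps. Times are plain minutes (assumed clock)."""
    def __init__(self):
        self.spam = self.ham = self.strikes = 0
        self.blocked_until = None       # minute at which the current block lapses
        self.last_seen = None

def record(stats, is_spam, now):
    """Update one sender after a message; return the block expiry (minutes) or None.
    Escalation: 30 min on the first SPAM, 60 on the second, ... capped at the fifth
    (assumed to mean 5 x 30); more than 10 messages with more than 75% SPAM earns
    7 days; stats older than 30 days are discarded first, so a reused address
    starts clean."""
    if stats.last_seen is not None and now - stats.last_seen > 30 * 1440:
        stats.__init__()                # expire stale stats
    stats.last_seen = now
    if is_spam:
        stats.spam += 1
        stats.strikes = min(stats.strikes + 1, 5)
        stats.blocked_until = now + 30 * stats.strikes
    else:
        stats.ham += 1
    total = stats.spam + stats.ham
    if total > 10 and stats.spam / total > 0.75:
        stats.blocked_until = max(stats.blocked_until or 0, now + 7 * 1440)
    return stats.blocked_until

def is_blocked(stats, now):
    """True while a block is in force; an expired block simply lapses."""
    return stats.blocked_until is not None and now < stats.blocked_until

if __name__ == "__main__":
    print(predict_block_range([10, 14, 19]))   # (10, 19), the range from the post
```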
