Wednesday, February 23, 2011

Spamware Hiccups

Once again I find my mail server logs filled with crap from a broken spam spewer, illustrating the inner workings of the spam software. In this case it's a snowshoe spammer residing in 66.197.139.208/28

66.197.139.213 - drd309.savvywayze.com
66.197.139.214 - drd310.savvywayze.com
66.197.139.215 - drd311.savvywayze.com
66.197.139.216 - drd312.savvywayze.com
66.197.139.217 - drd313.savvywayze.com

For well over 24 hours, they have been attempting to send email from "<info@##domain_rotation##>" and each time they have been had a 4xx message returned stating that the domain is unrouteable as per the default Exim config.

This shows that the spam software they are using would normally be configured with a range of domains, one of which is used for every message sent out. These computers are obviously misconfigured - either without a list of domains to use, or some kind of stuff up with the token replacement.

These particular spammers have reached my limit of allowable behaviour and are now firewalled from contacting any servers I manage. The state these IPs will be tested once a month for 6 months, then every 6 months thereafter, and only delisted once they no longer host a snowshoe spammer.

Whois info
network:Class-Name:network
network:ID:net-66.197.139.208/28
network:Auth-Area:66.197.128.0/17
network:Network-Name:NET-66.197.139.208/28
network:IP-Network:66.197.139.208/28
network:Organization;I:org-139-8830208-0
network:Org-Name:DMEHosting.com c/o Network Operations Center, Inc.
network:Street-Address:PO Box 591
network:City:Scranton
network:State-Prov:PA
network:Postal-Code:18510-0591
network:Country-Code:US

Looking at the hostname, I decided to look around the other IP addresses in the area and was quite shocked to find EVERY IP address that wasn't assigned to a seemingly legitimate customer was assigned to a snowshoe spammer. Surely, no legitimate host would do this? If I was sent a request to provide rDNS with this kind of smell to it, I'd be telling the customer go take a long walk off a short pier.

The complete list of rDNS lookups for 66.197.139.0/24

66.197.139.0 - none
66.197.139.1 - 66-197-139-1.hostnoc.net.
66.197.139.2 - 66-197-139-2.hostnoc.net.
66.197.139.3 - 66-197-139-3.hostnoc.net.
66.197.139.4 - 66-197-139-4.hostnoc.net.
66.197.139.5 - drd101.powerservz.com.
66.197.139.6 - drd102.powerservz.com.
66.197.139.7 - drd103.powerservz.com.
66.197.139.8 - drd104.powerservz.com.
66.197.139.9 - drd105.powerservz.com.
66.197.139.10 - drd106.powerservz.com.
66.197.139.11 - drd107.powerservz.com.
66.197.139.12 - drd108.powerservz.com.
66.197.139.13 - drd109.powerservz.com.
66.197.139.14 - drd110.powerservz.com.
66.197.139.15 - drd111.powerservz.com.
66.197.139.16 - drd112.powerservz.com.
66.197.139.17 - drd113.powerservz.com.
66.197.139.18 - drd114.powerservz.com.
66.197.139.19 - drd115.majestywest.com.
66.197.139.20 - drd116.majestywest.com.
66.197.139.21 - drd117.majestywest.com.
66.197.139.22 - drd118.majestywest.com.
66.197.139.23 - drd119.majestywest.com.
66.197.139.24 - drd120.majestywest.com.
66.197.139.25 - drd121.majestywest.com.
66.197.139.26 - drd122.majestywest.com.
66.197.139.27 - drd123.majestywest.com.
66.197.139.28 - drd124.majestywest.com.
66.197.139.29 - drd125.majestywest.com.
66.197.139.30 - drd126.majestywest.com.
66.197.139.31 - drd127.majestywest.com.
66.197.139.32 - drd128.majestywest.com.
66.197.139.33 - drd129.majestywest.com.
66.197.139.34 - drd130.majestywest.com.
66.197.139.35 - drd131.majestywest.com.
66.197.139.36 - drd132.majestywest.com.
66.197.139.37 - drd133.majestywest.com.
66.197.139.38 - drd134.majestywest.com.
66.197.139.39 - drd135.majestywest.com.
66.197.139.40 - drd136.mileyfestz.com.
66.197.139.41 - drd137.mileyfestz.com.
66.197.139.42 - drd138.mileyfestz.com.
66.197.139.43 - drd139.mileyfestz.com.
66.197.139.44 - drd140.mileyfestz.com.
66.197.139.45 - drd141.mileyfestz.com.
66.197.139.46 - drd142.mileyfestz.com.
66.197.139.47 - drd143.mileyfestz.com.
66.197.139.48 - drd144.mileyfestz.com.
66.197.139.49 - drd145.mileyfestz.com.
66.197.139.50 - drd146.mileyfestz.com.
66.197.139.51 - drd147.mileyfestz.com.
66.197.139.52 - drd148.mileyfestz.com.
66.197.139.53 - drd149.mileyfestz.com.
66.197.139.54 - drd150.mileyfestz.com.
66.197.139.55 - drd151.mileyfestz.com.
66.197.139.56 - ns1.growmedia.net.au.
66.197.139.57 - ns2.growmedia.net.au.
66.197.139.58 - drd154.mileyfestz.com.
66.197.139.59 - drd155.mileyfestz.com.
66.197.139.60 - drd156.mileyfestz.com.
66.197.139.61 - drd157.morfeast.com.
66.197.139.62 - drd158.morfeast.com.
66.197.139.63 - drd159.morfeast.com.
66.197.139.64 - drd160.morfeast.com.
66.197.139.65 - drd161.morfeast.com.
66.197.139.66 - drd162.morfeast.com.
66.197.139.67 - drd163.morfeast.com.
66.197.139.68 - drd164.morfeast.com.
66.197.139.69 - drd165.morfeast.com.
66.197.139.70 - drd166.morfeast.com.
66.197.139.71 - drd167.morfeast.com.
66.197.139.72 - drd168.morfeast.com.
66.197.139.73 - drd169.morfeast.com.
66.197.139.74 - drd170.morfeast.com.
66.197.139.75 - drd171.morfeast.com.
66.197.139.76 - drd172.morfeast.com.
66.197.139.77 - drd173.morfeast.com.
66.197.139.78 - drd174.morfeast.com.
66.197.139.79 - drd175.morfeast.com.
66.197.139.80 - drd176.morfeast.com.
66.197.139.81 - drd177.morfeast.com.
66.197.139.82 - drd178.jilseyaves.com.
66.197.139.83 - drd179.jilseyaves.com.
66.197.139.84 - drd180.jilseyaves.com.
66.197.139.85 - drd181.jilseyaves.com.
66.197.139.86 - drd182.jilseyaves.com.
66.197.139.87 - drd183.jilseyaves.com.
66.197.139.88 - drd184.jilseyaves.com.
66.197.139.89 - drd185.jilseyaves.com.
66.197.139.90 - drd186.jilseyaves.com.
66.197.139.91 - drd187.jilseyaves.com.
66.197.139.92 - drd188.jilseyaves.com.
66.197.139.93 - drd189.jilseyaves.com.
66.197.139.94 - drd190.jilseyaves.com.
66.197.139.95 - drd191.jilseyaves.com.
66.197.139.96 - drd192.jilseyaves.com.
66.197.139.97 - drd193.jilseyaves.com.
66.197.139.98 - drd194.jilseyaves.com.
66.197.139.99 - drd195.jilseyaves.com.
66.197.139.100 - drd196.jilseyaves.com.
66.197.139.101 - drd197.jilseyaves.com.
66.197.139.102 - drd198.jilseyaves.com.
66.197.139.103 - drd199.jinglesnaps.com.
66.197.139.104 - drd200.jinglesnaps.com.
66.197.139.105 - drd201.jinglesnaps.com.
66.197.139.106 - drd202.jinglesnaps.com.
66.197.139.107 - drd203.jinglesnaps.com.
66.197.139.108 - drd204.jinglesnaps.com.
66.197.139.109 - drd205.jinglesnaps.com.
66.197.139.110 - drd206.jinglesnaps.com.
66.197.139.111 - drd207.jinglesnaps.com.
66.197.139.112 - drd208.jinglesnaps.com.
66.197.139.113 - drd209.jinglesnaps.com.
66.197.139.114 - drd210.jinglesnaps.com.
66.197.139.115 - drd211.jinglesnaps.com.
66.197.139.116 - drd212.jinglesnaps.com.
66.197.139.117 - drd213.jinglesnaps.com.
66.197.139.118 - drd214.jinglesnaps.com.
66.197.139.119 - drd215.jinglesnaps.com.
66.197.139.120 - drd216.jinglesnaps.com.
66.197.139.121 - drd217.jinglesnaps.com.
66.197.139.122 - drd218.jinglesnaps.com.
66.197.139.123 - drd219.jinglesnaps.com.
66.197.139.124 - drd220.jinglesnaps.com.
66.197.139.125 - drd221.kensingtonaves.com.
66.197.139.126 - drd222.kensingtonaves.com.
66.197.139.127 - drd223.kensingtonaves.com.
66.197.139.128 - drd224.kensingtonaves.com.
66.197.139.129 - drd225.kensingtonaves.com.
66.197.139.130 - drd226.kensingtonaves.com.
66.197.139.131 - drd227.kensingtonaves.com.
66.197.139.132 - drd228.kensingtonaves.com.
66.197.139.133 - drd229.kensingtonaves.com.
66.197.139.134 - drd230.kensingtonaves.com.
66.197.139.135 - drd231.kensingtonaves.com.
66.197.139.136 - drd232.kensingtonaves.com.
66.197.139.137 - drd233.kensingtonaves.com.
66.197.139.138 - drd234.kensingtonaves.com.
66.197.139.139 - drd235.kensingtonaves.com.
66.197.139.140 - drd236.kensingtonaves.com.
66.197.139.141 - drd237.kensingtonaves.com.
66.197.139.142 - drd238.kensingtonaves.com.
66.197.139.143 - drd239.kensingtonaves.com.
66.197.139.144 - drd240.kensingtonaves.com.
66.197.139.145 - drd241.kensingtonaves.com.
66.197.139.146 - drd242.lesterfeld.com.
66.197.139.147 - drd243.lesterfeld.com.
66.197.139.148 - drd244.lesterfeld.com.
66.197.139.149 - drd245.lesterfeld.com.
66.197.139.150 - drd246.lesterfeld.com.
66.197.139.151 - drd247.lesterfeld.com.
66.197.139.152 - drd248.lesterfeld.com.
66.197.139.153 - drd249.lesterfeld.com.
66.197.139.154 - drd250.lesterfeld.com.
66.197.139.155 - drd251.lesterfeld.com.
66.197.139.156 - drd252.lesterfeld.com.
66.197.139.157 - drd253.lesterfeld.com.
66.197.139.158 - drd254.lesterfeld.com.
66.197.139.159 - drd255.lesterfeld.com.
66.197.139.160 - drd256.lesterfeld.com.
66.197.139.161 - drd257.lesterfeld.com.
66.197.139.162 - drd258.lesterfeld.com.
66.197.139.163 - drd259.lesterfeld.com.
66.197.139.164 - drd260.lesterfeld.com.
66.197.139.165 - ablate.centpinch.com.
66.197.139.166 - able.centpinch.com.
66.197.139.167 - abye.centpinch.com.
66.197.139.168 - acoustic.centpinch.com.
66.197.139.169 - aegean.centpinch.com.
66.197.139.170 - drd266.questnorth.com.
66.197.139.171 - drd267.questnorth.com.
66.197.139.172 - drd268.questnorth.com.
66.197.139.173 - drd269.questnorth.com.
66.197.139.174 - drd270.questnorth.com.
66.197.139.175 - drd271.questnorth.com.
66.197.139.176 - drd272.questnorth.com.
66.197.139.177 - drd273.questnorth.com.
66.197.139.178 - drd274.questnorth.com.
66.197.139.179 - drd275.questnorth.com.
66.197.139.180 - drd276.questnorth.com.
66.197.139.181 - drd277.questnorth.com.
66.197.139.182 - drd278.questnorth.com.
66.197.139.183 - drd279.questnorth.com.
66.197.139.184 - drd280.questnorth.com.
66.197.139.185 - drd281.questnorth.com.
66.197.139.186 - drd282.questnorth.com.
66.197.139.187 - drd283.questnorth.com.
66.197.139.188 - drd284.questnorth.com.
66.197.139.189 - drd285.questnorth.com.
66.197.139.190 - drd286.questnorth.com.
66.197.139.191 - drd287.questwest5.com.
66.197.139.192 - drd288.questwest5.com.
66.197.139.193 - drd289.questwest5.com.
66.197.139.194 - drd290.questwest5.com.
66.197.139.195 - drd291.questwest5.com.
66.197.139.196 - drd292.questwest5.com.
66.197.139.197 - linux.bigmidia-safira.com.br.
66.197.139.198 - drd294.questwest5.com.
66.197.139.199 - drd295.questwest5.com.
66.197.139.200 - drd296.questwest5.com.
66.197.139.201 - drd297.questwest5.com.
66.197.139.202 - drd298.questwest5.com.
66.197.139.203 - drd299.questwest5.com.
66.197.139.204 - drd300.questwest5.com.
66.197.139.205 - drd301.questwest5.com.
66.197.139.206 - drd302.questwest5.com.
66.197.139.207 - drd303.questwest5.com.
66.197.139.208 - drd304.questwest5.com.
66.197.139.209 - drd305.questwest5.com.
66.197.139.210 - drd306.questwest5.com.
66.197.139.211 - drd307.questwest5.com.
66.197.139.212 - drd308.questwest5.com.
66.197.139.213 - drd309.savvywayze.com.
66.197.139.214 - drd310.savvywayze.com.
66.197.139.215 - drd311.savvywayze.com.
66.197.139.216 - drd312.savvywayze.com.
66.197.139.217 - drd313.savvywayze.com.
66.197.139.218 - drd314.savvywayze.com.
66.197.139.219 - drd315.savvywayze.com.
66.197.139.220 - drd316.savvywayze.com.
66.197.139.221 - drd317.savvywayze.com.
66.197.139.222 - drd318.savvywayze.com.
66.197.139.223 - drd319.savvywayze.com.
66.197.139.224 - drd320.savvywayze.com.
66.197.139.225 - drd321.savvywayze.com.
66.197.139.226 - drd322.savvywayze.com.
66.197.139.227 - drd323.savvywayze.com.
66.197.139.228 - drd324.savvywayze.com.
66.197.139.229 - server1.hireritesolutions.com.
66.197.139.230 - drd326.savvywayze.com.
66.197.139.231 - drd327.savvywayze.com.
66.197.139.232 - drd328.savvywayze.com.
66.197.139.233 - drd329.senicwest.com.
66.197.139.234 - drd330.senicwest.com.
66.197.139.235 - drd331.senicwest.com.
66.197.139.236 - drd332.senicwest.com.
66.197.139.237 - drd333.senicwest.com.
66.197.139.238 - drd334.senicwest.com.
66.197.139.239 - drd335.senicwest.com.
66.197.139.240 - drd336.senicwest.com.
66.197.139.241 - drd337.senicwest.com.
66.197.139.242 - drd338.senicwest.com.
66.197.139.243 - drd339.senicwest.com.
66.197.139.244 - drd340.senicwest.com.
66.197.139.245 - archie.makemeweb.com.
66.197.139.246 - ns1.makemeweb.com.
66.197.139.247 - ns2.makemeweb.com.
66.197.139.248 - drd344.senicwest.com.
66.197.139.249 - drd345.senicwest.com.
66.197.139.250 - drd346.senicwest.com.
66.197.139.251 - drd347.senicwest.com.
66.197.139.252 - drd348.senicwest.com.
66.197.139.253 - drd349.senicwest.com.
66.197.139.254 - drd350.senicwest.com.
66.197.139.255 - none

No comments: