Date:      Mon, 28 Apr 2014 18:16:58 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        freebsd-questions@freebsd.org
Subject:   Spam to list participants (from openhosting.com & softcom.com)
Message-ID:  <73354.1398734218@server1.tristatelogic.com>


As many of you will have already learned, in recent days it has
come to pass that if you post to this mailing list, then in short
order you will receive a set of spam e-mail messages, all attempting
to entice you into signing up (with your credit card #) for one or
another "dating" web site.  I myself have received three such spams
now.  Verbatim full text copies of these spams may be viewed here:

    ftp://ftp.tristatelogic.com/pub/cases/413978/spam.0
    ftp://ftp.tristatelogic.com/pub/cases/413978/spam.1
    ftp://ftp.tristatelogic.com/pub/cases/413978/spam.2

(Please note that the final one of these contains a pornographic image
file that, I imagine, most parents with minor children would probably
prefer not to have them exposed to.)

Unfortunately, these spams are slipping past all of the major public
blacklists at the present time.

I have identified the spammer in question, a citizen of Bangladesh,
but that is not important now.  What is important is that this same
spammer has been active and, until now, mostly targeting Craigslist
users since at least November 2012.  Now however, with the help and
support of two specific and very obliging hosting companies (i.e.
openhosting.com and softcom.com), he is currently targeting the FreeBSD
community, and its mailing lists.

Because the relevant automated spams are being sent directly to people
who _post_ to various FreeBSD mailing lists, and not to any of the
FreeBSD lists themselves, there isn't a lot that the FreeBSD.Org
postmasters can do about this issue/problem.  They have no way of
directly blocking these spams.  (They have however been notified of
the problem and are currently seeking solutions.)

Based upon my own careful analysis and research, I have determined that
the set of domains and IPs that this spammer is spamming from are as
follows:


(Note that the above domains have all been registered via/through the
notoriously spam-friendly registrar http://www.internetbs.net/, they
have all been registered within the relatively recent past, and they
all have anonymized WHOIS records.)

In each case, the relevant connectivity/hosting provider is helpfully
providing the spammer with matching reverse DNS for his IP addresses...
an essential property to enable the spammer to get past certain kinds of
anti-spam filters, including my own.  The specific two providers who are
providing this excellent level of service to this specific snowshoe
spammer are:

	openhosting.com
	softcom.com

Assuming that these providers give the same weight to incoming complaints
about their paying customers as do most hosting companies these days...
which is to say zero... I would like to advise all readers of this
mailing list who may be spam-averse that it is not necessary to wait for
the major public blacklists to get around to listing the above spam
sources.  Rather, I suggest that all e-mail administrators reading this
message would be well advised to locally block incoming e-mail from all
of the following IP ranges (which contain all of the above current spam
sources):



Regards,
rfg


P.S.  In making a determination as to whether or not a given hosting provider
is or isn't "spammer friendly", in my personal opinion, actions speak louder
than words.  As I have noted above, openhosting.com & softcom.com are both
helpfully providing matching reverse DNS for the snowshoe spammer in
question.  Given that the spammer in question is currently sending
unsolicited pornographic images to anyone who posts to a mailing list...
including, most probably, minors... I personally feel that their actions
are nothing short of reprehensible.
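
The following is an added example, not part of the original message: it shows why a sender with matching reverse DNS passes a reverse-DNS filter while a locally maintained list of CIDR ranges still rejects it. All addresses, host names and ranges are constructed from documentation address space, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation address space, example names);
# none of these values come from the original message.
LOCAL_BLOCKLIST = ["192.0.2.0/25", "198.51.100.64/26"]
PTR = {  # client IP -> reverse-DNS (PTR) name
    "192.0.2.15": "mx1.bulk-a.example",
    "198.51.100.70": "mx1.bulk-b.example",
    "203.0.113.9": "mail.good.example",
    "203.0.113.77": "host77.dyn.example",
}
A = {  # name -> forward (A record) addresses
    "mx1.bulk-a.example": ["192.0.2.15"],
    "mx1.bulk-b.example": ["198.51.100.70"],
    "mail.good.example": ["203.0.113.9"],
    "host77.dyn.example": ["203.0.113.200"],  # forward lookup does not match
}

def fcrdns_ok(ip, ptr=PTR, a=A):
    """Matching reverse DNS: the PTR name must resolve back to the same IP."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, [])

def blocked_by(ip, blocklist=LOCAL_BLOCKLIST):
    """Return the first local CIDR entry that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in blocklist:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None

def verdict(ip):
    """Decision for a connecting client: local block first, then reverse DNS."""
    cidr = blocked_by(ip)
    if cidr:
        return f"reject: local blocklist {cidr}"
    if not fcrdns_ok(ip):
        return "reject: no matching reverse DNS"
    return "accept"

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "fcrdns=%s" % fcrdns_ok(ip), verdict(ip))
```

The two bulk senders pass the reverse-DNS test, so only the local range list stops them.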


