In message <15295.1467317095@server1.tristatelogic.com>, I wrote:
andre@ox.co.za you wrote:
If you would like to add superblock.ascams.com - these seem like good links:
Exim: http://www.exim.org/howto/rbl.html
postfix: https://www.howtoforge.com/block_spam_at_mta_level_postfix
Note: The specific domains and IPs I have just posted are pointless to block in mail server configs, because the final "landing page" domains that are actually spreading the infectious agents are never seen, and will never be seen in e-mails. Rather, there _is_ spam... lots of it... trying to get people to go to these infection domains, but only via a sequence of one or two redirections (through other domains) first.
Conveniently, to further this point, these same spammers just sent me ANOTHER one of their standard spams.

** WARNING ** Browsing to the URL below may result in infection!

Spam body/payload:

=============================================================================
Hello,

Here is some information that inspired me a lot, read it please, it may be helpful <http://xishentothi.politicalresumes.com/xyrzxk>

Yours faithfully,
fistvani@andrew.cmu.edu

Hello,

Here is some information that inspired me a lot, read it please, it may be helpful [1]http://xishentothi.politicalresumes.com/xyrzxk

Yours faithfully,
fistvani@andrew.cmu.edu

References

1. http://xishentothi.politicalresumes.com/xyrzxk
=============================================================================

Please note that actually, the domain "politicalresumes.com" does not... except in a very limited sense... "belong" to the spammer(s). Rather, as has been reported by (I believe) Cisco/Talos, the actual owner of this domain has simply been infected, and whatever credentials he uses to control/manipulate the DNS for his domain have been absconded with by the spammer(s). They in turn have *added* several new subdomains to this base domain name. These currently include, at the very least:

fekudamo.politicalresumes.com
lardipruto.politicalresumes.com
rdostapidy.politicalresumes.com
wongakyma.politicalresumes.com
xishentothi.politicalresumes.com

Anyway, following the link in the above spam payload/body gets you to a trivial redirector... kindly hosted by Godaddy... which then attempts to take you to this new URL:

http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33

There is another redirection once you get there. When you get to the final landing page, that's the one where you get infected with/by Javascript malware.

Regards,
rfg
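The two observations in the message above, as an added Python example that is not part of the original post: a blocklist of landing domains never matches the URLs actually present in the mail, while the first-hop hosts cluster as many distinct subdomains under one base domain. All hostnames and message bodies are constructed, and `base_domain` assumes the last two labels form the registrable domain.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"'\]]+")

def url_hosts(body):
    """Hostnames of every http(s) URL literally present in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority part, skip it
            continue
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def base_domain(host):
    # Assumption: last two labels = registrable domain. A production check
    # should consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(host.split(".")[-2:])

def blocklist_hits(bodies, blocked):
    """Blocked base domains that a body-URL check at the MTA would actually see."""
    seen = {base_domain(h) for body in bodies for h in url_hosts(body)}
    return seen & set(blocked)

def subdomain_clusters(bodies, min_subdomains=3):
    """Base domains linked through at least min_subdomains distinct subdomains."""
    subs = defaultdict(set)
    for body in bodies:
        for host in url_hosts(body):
            base = base_domain(host)
            if host != base:
                subs[base].add(host[: -len(base) - 1])
    return {b: sorted(s) for b, s in subs.items() if len(s) >= min_subdomains}

# Constructed sample input: three spam bodies and one ordinary message.
SAMPLE_BODIES = [
    "Hello, read it please <http://qwzrtop.victim-site.example/xyrzxk>",
    "it may be helpful [1]http://lmbnarko.victim-site.example/abqqzt",
    "Here is some information http://vutesdim.victim-site.example/kkpwra",
    "Newsletter: https://www.ordinary-shop.example/offers",
]
LANDING_BLOCKLIST = ["final-landing.example"]  # constructed landing domain

if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_BODIES, LANDING_BLOCKLIST))
    print("clusters:", subdomain_clusters(SAMPLE_BODIES))
```

The cluster threshold is a tuning choice: large hosting and CDN domains legitimately appear under many subdomains, so flagged base domains are leads for review rather than automatic blocks.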