Re: spamassassin hole again?

[Andrew Fried <andrew.fried () gmail com>]

Thanks, Paul.  The #1 spam I'm seeing right now has the subject line
"Subject: Why Internet was born?"; the domains from the URLs appear to
be listed in Spamhaus DBL.  Obviously a different batch.

Andy

Andrew Fried
andrew.fried () gmail com

On 4/13/14, 3:59 AM, Paul Thornton wrote:
> On 13/04/2014 08:10, Andrew Fried wrote:
> > Any chance you could provide a *clue* as to what you're seeing, eg
> > message subject, from, etc???
>
> The subjects seem to vary; but appear to involve animals, sex and cute
> women in various orders (apologies to anyone offended by that).
>
> Content is a one-liner link to porn sites.
>
> I agree with the RIPE DB scrape - the From: line on one of these is
>
> From: "Registry ripenotify" <info () audiovisualcs com>
> and the CC line contains our notify: E-mail (plus a load more of this
> junk to noc|peering|named contacts).
>
> These seem to be botted machines sending mails 'legitimately' ie:
> headers appear to show that the first hop was relayed out through a
> normal route rather than just port 25 spray.  Some are even kindly
> pre-marked as spam.
>
> We've had >250 turn up since 23:34 UTC yesterday (12 April).  Appears to
> have slowed/stopped around 05:00 UTC today (13 April).
>
> Paul.