Spam from net.tw (was: Re: anybody else been spammed by "no-ip.com" yet?)

[Avleen Vig <lists-nanog () silverwraith com>]

Well I just started getting a *LOT* of these (read 30+ an hour) to my
nannog list address. Am I going to have to start filtering all emails
from net.tw ?:

Return-Path: <ucD4xv () hotmail com>
Delivered-To: silverwraith.com-lists-nanog () silverwraith com
Received: (qmail 38418 invoked from network); 3 May 2002 21:15:41 -0000
Received: from 61-220-202-229.hinet-ip.hinet.net (HELO Hacker)
(61.220.202.229)
  by apple.silverwraith.com with SMTP; 3 May 2002 21:15:41 -0000
Received: from kimo
        by saturn.seed.net.tw with SMTP id iHhWXQgWgHOu7kU5MupXr0;
        Sat, 04 May 2002 05:16:24 +0800
Message-ID: <dOO5A0cBPTks () mail ht net tw>
From: goodluck () ms16 hinet net
To: 8qw_y15
Subject:goodluck everyone TLxzltPT08kAVaZWfJvsidzt



On Fri, 3 May 2002, Simon Higgs wrote:

> At 05:25 PM 5/3/2002 +0100, you wrote:
>
> I got some of these a few weeks ago. I believe these test messages are sent
> to find the non-deliverables in their mailing list. Right after I got these
> test messages, they started sending quite a bit of spam. I filtered
> sohu.com and it went away.
>
> > Not me, but I am getting an awful lot of emails from this one person, to
> > my nanog address lately:
> >
> > Return-Path: <test () sohu com>
> > Delivered-To: silverwraith.com-lists-nanog () silverwraith com
> > Received: (qmail 21586 invoked from network); 3 May 2002 03:09:28 -0000
> > Received: from unknown (HELO sohu.com) (203.240.184.78)
> >   by apple.silverwraith.com with SMTP; 3 May 2002 03:09:28 -0000
> > Reply-To: test () sohu com
> > Return-Path: test () sohu com
> > From: richard <test () sohu com>
> > To:  <lists-nanog () silverwraith com>
> > Subject: test
> > Sender: richard <test () sohu com>
> > Mime-Version: 1.0
> > Content-Type: text/html; charset="ks_c_5601-1987"
> > Date: Fri, 3 May 2002 12:09:13 +0900
> >
> >     [ The following text is in the "ks_c_5601-1987" character set. ]
> >     [ Your display is set for the "ISO-8859-1" character set.  ]
> >     [ Some characters may be displayed incorrectly. ]
> >
> > test
> >
> >
> >
> >
> > On Fri, 3 May 2002, Paul Vixie wrote:
> >
> > > as a coauthor of rfc2136, my curiousity is always
> > > piqued when spammers use the technology.  can i get
> > > private forwards of other similar messages?  (see
> > > below.)
> > >
> > > (and yes, i'll also be in touch with level3, who
> > > serves 166.90.15.236, from whence this message came.)
> > >
> > > (time was, anyone who could use postfix and php would
> > > also know better than to spam, or at least, to spam *me*.
> > > <grump> <grumble>.)
> > >
> > > re:
> > >
> > > ------- Forwarded Message
> > >
> > > Return-Path: nobody () www no-ip com
> > > Delivery-Date: Fri May  3 07:44:25 2002
> > > Return-Path: <nobody () www no-ip com>
> > > Delivered-To: vixie () as vix com
> > > Received: from isrv3.isc.org (isrv3.isc.org [204.152.184.30])
> > >       by as.vix.com (Postfix) with ESMTP id 2360D28B6B
> > >       for <vixie () as vix com>; Fri,  3 May 2002 07:44:25 -0700 (PDT)
> > >       (envelope-from nobody () www no-ip com)
> > > Received: from www.no-ip.com (yoka.vitalwerks.com [166.90.15.236])
> > >       by isrv3.isc.org (8.11.2/8.9.1) via ESMTP id g43EiOT08718
> > >       for <vix () vix com>; Fri, 3 May 2002 14:44:25 GMT
> > >       env-from (nobody () www no-ip com)
> > > Received: by www.no-ip.com (Postfix, from userid 99)
> > >       id 4A10F833A4; Fri,  3 May 2002 07:54:40 -0700 (PDT)
> > > To: vix () vix com
> > > Subject: Your password for no-ip.com
> > > From: No-IP Registration <webmaster () no-ip com>
> > > Reply-To: webmaster () no-ip com
> > > X-Mailer: PHP/4.1.2
> > > Message-Id: <20020503145440.4A10F833A4 () www no-ip com>
> > > Date: Fri,  3 May 2002 07:54:40 -0700 (PDT)
> > >
> > > Hello,
> > >
> > > Welcome to No-IP.com.
> > > Your number one stop for dynamic dns services.
> > >
> > > Your password is: jnMgta
> > >
> > > To logon to no-ip.com go to http://www.no-ip.com/ and enter your email
> > > address and the password above.  Once you logon you may change your
> > > password by clicking the "Change Password" link.
> > >
> > > Remember that you can use our dynamic update client to keep our system
> > > is sync with your IP address. These clients are available at
> > > http://www.no-ip.com/downloads.php
> > >
> > > Also, keep in mind that No-IP offers services for use with personal
> > > domain names. This service, No-IP Plus, allows you to use YOUR domain
> > > name with our dynamic dns, and other facilities. More information on
> > > this and other services is at http://www.no-ip.com/services.php.
> > >
> > > If you have any further questions about this service, please refer to
> > > our FAQ at http://www.no-ip.com/faq.php. If the FAQ doesn't answer your
> > > question(s) contact us at support () no-ip com.
> > >
> > >
> > >
> > > Enjoy!
> > >
> > >
> > > The No-IP Team
> > > webmaster () no-ip com
> > > http://www.no-ip.com/
> > >
> > >
> > >
> > > ------- End of Forwarded Message
> >
> > --
> > Avleen Vig
> > Work Time: Unix Systems Administrator
> > Play Time: Network Security Officer
> > Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
>
>
> Best Regards,
>
> Simon
>
> --
> ###

-- 
Avleen Vig
Work Time: Unix Systems Administrator
Play Time: Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf