From: "Ronald F. Guilmette"
To: freebsd-questions@freebsd.org
Subject: Spam to list participants (from openhosting.com & softcom.com)
Date: Mon, 28 Apr 2014 18:16:58 -0700
Message-ID: <73354.1398734218@server1.tristatelogic.com>

As many of you will have already learned, in recent days it has come to
pass that if you post to this mailing list, then in short order you will
receive a set of spam e-mail messages, all attempting to entice you into
signing up (with your credit card #) for one or another "dating" web site.

I myself have received three such spams now. Verbatim full text copies
of these spams may be viewed here:

    ftp://ftp.tristatelogic.com/pub/cases/413978/spam.0
    ftp://ftp.tristatelogic.com/pub/cases/413978/spam.1
    ftp://ftp.tristatelogic.com/pub/cases/413978/spam.2

(Please note that the final one of these contains a pornographic image
file that, I imagine, most parents with minor children would probably
prefer not to have them exposed to.)

Unfortunately, these spams are slipping past all of the major public
blacklists at the present time.

I have identified the spammer in question, a citizen of Bangladesh, but
that is not important now. What is important is that this same spammer
has been active and, until now, mostly targeting Craigslist users since
at least November 2012. Now however, with the help and support of two
specific and very obliging hosting companies (i.e. openhosting.com and
softcom.com), he is currently targeting the FreeBSD community, and its
mailing lists.

Because the relevant automated spams are being sent directly to people
who _post_ to various FreeBSD mailing lists, and not to any of the
FreeBSD lists themselves, there isn't a lot that the FreeBSD.Org
postmasters can do about this issue/problem. They have no way of
directly blocking these spams. (They have however been notified of the
problem and are currently seeking solutions.)

Based upon my own careful analysis and research, I have determined that
the set of domains and IPs that this spammer is spamming from are as
follows:

    63.251.148.15    mx1.msgfresh.com
    63.251.153.74    mx1.streamtexts.com
    63.251.153.88    mx1.echatmail.com
    63.251.153.112   mx1.speedytxts.com
    66.151.32.131    mx1.msgtxts.com
    66.151.32.216    mx1.flirtymsgs.com
    66.151.36.105    mx1.friendstreaming.com
    66.151.36.115    mx1.volleymail.com
    66.151.36.117    mx1.blingymail.com
    69.25.178.46     mx1.chattersmeet.com
    69.25.178.59     mx1.justext.in
    168.144.155.60   mx1.mailingflow.com
    192.30.165.137   mx1.sweetiegram.com
    206.191.128.178  mx1.mailingbuddies.com
    206.191.128.250  mx1.txtmailing.com
    216.224.169.239  mx1.simptxts.com

(Note that the above domains have all been registered via/through the
notoriously spam-friendly registrar http://www.internetbs.net/, they
have all been registered within the relatively recent past, and they
all have anonymized WHOIS records.)

In each case, the relevant connectivity/hosting provider is helpfully
providing the spammer with matching reverse DNS for his IP addresses...
an essential property to enable the spammer to get past certain kinds
of anti-spam filters, including my own.

The specific two providers who are providing this excellent level of
service to this specific snowshoe spammer are:

    openhosting.com
    softcom.com

Assuming that these providers give the same weight to incoming
complaints about their paying customers as do most hosting companies
these days... which is to say zero... I would like to advise all readers
of this mailing list who may be spam-averse that it is not necessary to
wait for the major public blacklists to get around to listing the above
spam sources. Rather, I suggest that all e-mail administrators reading
this message would be well advised to locally block incoming e-mail from
all of the following IP ranges (which contain all of the above current
spam sources):

    63.251.148.0/23
    63.251.153.0/25
    66.151.32.128/25
    66.151.36.64/26
    69.25.178.0/26
    168.144.0.0/16
    192.30.160.0/20
    206.191.128.128/25
    216.224.169.0/24

Regards,
rfg

P.S. In making a determination as to whether or not a given hosting
provider is or isn't "spammer friendly", in my personal opinion, actions
speak louder than words. As I have noted above, openhosting.com &
softcom.com are both helpfully providing matching reverse DNS for the
snowshoe spammer in question. Given that the spammer in question is
currently sending unsolicited pornographic images to anyone who posts
to a mailing list... including, most probably, minors... I personally
feel that their actions are nothing short of reprehensible.
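
Added example (not part of the original message, and not the author's own filter): a sketch of why a "matching reverse DNS" check passes these senders while a local CIDR block catches them, plus the ranges rendered for a Postfix `cidr:` access table. The DNS data is a constructed offline stand-in built from three IP/hostname pairs in the message; `192.0.2.10`, `mail.example.org`, the function names and the combined policy are assumptions.

```python
import ipaddress

# CIDR ranges the message recommends blocking locally (copied from the message).
BLOCK_RANGES = [
    "63.251.148.0/23", "63.251.153.0/25", "66.151.32.128/25",
    "66.151.36.64/26", "69.25.178.0/26", "168.144.0.0/16",
    "192.30.160.0/20", "206.191.128.128/25", "216.224.169.0/24",
]
NETWORKS = [ipaddress.ip_network(r) for r in BLOCK_RANGES]

# Constructed stand-in for DNS so the example runs offline: PTR/A data for
# three sources named in the message, plus a made-up unrelated host
# (192.0.2.10 is a documentation address).
PTR = {
    "63.251.148.15": "mx1.msgfresh.com",
    "66.151.36.105": "mx1.friendstreaming.com",
    "216.224.169.239": "mx1.simptxts.com",
    "192.0.2.10": "mail.example.org",
}
A = {name: ip for ip, name in PTR.items()}


def fcrdns_ok(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = PTR.get(ip)
    return name is not None and A.get(name) == ip


def blocked_by(ip):
    """Return the first blocked network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in NETWORKS if addr in net), None)


def verdict(ip):
    """Hypothetical MTA policy: the local CIDR block wins over a passing rDNS check."""
    if blocked_by(ip) is not None:
        return "REJECT"
    return "OK" if fcrdns_ok(ip) else "REJECT"


def postfix_cidr_table(reason="locally blocked spam source"):
    """Render the ranges as 'pattern<TAB>action' lines for a Postfix cidr: table."""
    return "\n".join(f"{net}\tREJECT {reason}" for net in NETWORKS)
```

The output of `postfix_cidr_table()` can be saved to a file and referenced from `smtpd_client_restrictions` with `check_client_access cidr:<path>`; the path is site-specific.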