Since about the 22nd or 23rd I've been getting virus-laden (Sober.U) spam from an address at twtelecom.net (66.162.83.190). All my spam reporting is done via two scripts: one is reporter.pl, which runs sa-learn and reports to Razor, Pyzor and DCC. The other script, which was written by Karsten Self, called Spam Tools, actually reports the spam to the abuse address(es) and to NANAS. After getting a couple of hundred infected messages I wrote a nice email to one of the contacts; he replied:

> Please note that the propagation of this address is spoofed. The address you are questioning is a global IP for a firewall and is not sending or passing the virus.

I've continued reporting the spam using Spam Tools. I also advised him that that IP is now blacklisted at Spamhaus.org. It was listed in the composite blacklist but was removed today. This afternoon I got the following email:

> I can assure you that it is indeed a mistake. These need to be removed at once or this will get very ugly!

Below are complete headers from one of the messages from this IP. Are these in fact from the IP I mentioned?

Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from pop.earthlink.net [209.86.93.201]
	by localhost with POP3 (fetchmail-6.2.5)
	for [EMAIL PROTECTED] (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
Received: from picpba.com ([66.162.83.190])
	by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1eGZi22e13Nl34g0
	Tue, 29 Nov 2005 01:48:26 -0500 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 29 Nov 2005 06:37:15 UTC
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=1bba52a03.f0cb"
Content-Transfer-Encoding: 7bit
X-SenderIP: 66.162.83.190
X-ASN: ASN-4323
X-CIDR: 66.162.83.0/24

I've received another 18 infected messages from this IP again today. I'm almost afraid to run my scripts. Can this guy do anything? I mean, it's not my fault that this IP is being blacklisted. I'll hold off running the scripts hoping I'll get some advice from some of you more knowledgeable on this stuff.

Thanks,
Chris

-- 
Chris
Registered Linux User 283774  http://counter.li.org
19:46:59 up 5 days, 4:26, 1 user, load average: 2.18, 2.10, 1.54
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
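To answer the question the post asks (which address actually delivered the message), here is an added example that is not part of the post nor of the reporter.pl or Spam Tools scripts it mentions: it walks the Received: chain of the quoted headers top-down, skips the local fetchmail POP3 hop, and returns the hop at which EarthLink's MX accepted the SMTP connection. The bracketed IP in that hop is the TCP peer the MX itself recorded, which the sending side cannot forge, whereas the HELO name (picpba.com) and the From: line are supplied by the sender.

```python
import re

# Headers quoted in the post above, re-folded; addresses are the list archive's placeholders.
SAMPLE_HEADERS = """\
Return-Path: <[EMAIL PROTECTED]>
Received: from pop.earthlink.net [209.86.93.201]
    by localhost with POP3 (fetchmail-6.2.5)
    for [EMAIL PROTECTED] (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
Received: from picpba.com ([66.162.83.190])
    by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1eGZi22e13Nl34g0
    Tue, 29 Nov 2005 01:48:26 -0500 (EST)
From: [EMAIL PROTECTED]
X-SenderIP: 66.162.83.190
"""

def unfold(raw):
    """Join folded continuation lines; return (name, value) pairs in header order."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # continuation of the previous header
        else:
            lines.append(line)
    return [tuple(s.strip() for s in l.split(":", 1)) for l in lines if ":" in l]

def parse_received(value):
    """Pull HELO name, bracketed peer IP, receiving host and protocol from one hop."""
    def grab(pattern):
        m = re.search(pattern, value, re.I)
        return m.group(1) if m else None
    return {"helo": grab(r"^from\s+(\S+)"),                # name the client claimed
            "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),  # address the server saw
            "by": grab(r"\bby\s+(\S+)"),
            "with": grab(r"\bwith\s+(\S+)")}

def smtp_peer(raw, local_hosts=("localhost",)):
    """Newest Received: hop that is an SMTP delivery to a non-local MTA.
    Received: lines are prepended, so the top one is the last hop. Hops our own
    side added (fetchmail's POP3 pull to localhost) are skipped; the bracketed IP
    of the next hop is the address that MTA accepted the TCP connection from.
    """
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        hop = parse_received(value)
        proto = (hop["with"] or "").upper()
        if hop["by"] in local_hosts or proto not in ("SMTP", "ESMTP", "ESMTPS", "ESMTPA"):
            continue
        return hop
    return None
```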