Hi,
For some days now my servers have been hit by 50.000-80.000 spams a day, and for
some minutes today they spammed 18 accounts out of 98.000 with MORE than
100.000 spams.
All spams are coming from the same network:
xxx.root.static.coolserver.info
xxx.root.static.starsweet.info
where xxx changes every time and the server's IP too (they resolve)
In the body of the messages I found those domains:
advocatebuying.info aidpurchase.info encouragebuying.info
ensurepurchase.info guidebuying.info motivatebuying.info
providebuying.info purchaseadvocate.info purchaseaid.info
purchaseassist.info purchasecoach.info purchaseguide.info
purchasesimplify.info purchasesupport.info simplifybuying.info
supportbuying.info techsweet.info topsweet.info
It hits bayes99 and is well over the threshold for me (example.com is my
edit):
Jun 16 02:55:38 mail01 postfix/smtpd[13098]: 947E913D4015: client=46.wc.static.coolserver.info[173.245.204.46]
Jun 16 02:55:39 mail01 amavis[11055]: (11055-315) SPAM, <lonnyear...@supportbuying.info> -> <26...@example.com>, Yes, hits=18.9 tag1=-300.0 tag2=5.0 kill=5.0 use_bayes=1 tests=BAYES_99, BOTNET, KHOP_DNSBL_BUMP, RAZOR2_CF_RANGE_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK, RCVD_IN_BRBL_LASTEXT, RCVD_IN_HOSTKARMA_BL, RCVD_IN_UCEPROTECT2, RCVD_IN_UCEPROTECT3, RELAYCOUNTRY_LOW, SEM_URI, SEM_URIRED, SPF_HELO_PASS, SPF_PASS, TO_NO_BRKTS_DIRECT, TO_NO_BRKTS_NOTLIST, URIBL_BLACK, quarantine spam-da25d90871b51f12e9de15bd5c5192cc-20110616-025538-11055-315 (spam-quarantine)
I have a few thousand as well, and none have appeared to not be tagged
properly. I've also now blocked the /23 at the SMTP level.
Regards,
Dave
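
The pattern reported in this thread (a changing first host label under one rDNS suffix, with changing client IPs) can be summarised from postfix logs before deciding on an SMTP-level block. This is an added example, not code from either poster: the log lines are constructed with documentation addresses, it handles IPv4 only, and grouping on the last three hostname labels is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed postfix/smtpd lines in the shape of the log excerpt above;
# hostnames and addresses use reserved example/documentation ranges.
SAMPLE_LOG = """\
Jun 16 02:55:38 mail01 postfix/smtpd[13098]: 947E913D4015: client=46.wc.static.bulk.example[198.51.100.46]
Jun 16 02:55:41 mail01 postfix/smtpd[13101]: 1A2B3C4D5E6F: client=17.qx.static.bulk.example[198.51.100.17]
Jun 16 02:55:44 mail01 postfix/smtpd[13098]: 2B3C4D5E6F70: client=201.root.static.bulk.example[198.51.101.201]
Jun 16 02:56:02 mail01 postfix/smtpd[13110]: 3C4D5E6F7081: client=mx1.partner.example[203.0.113.9]
Jun 16 02:56:05 mail01 postfix/smtpd[13098]: 4D5E6F708192: client=unknown[192.0.2.77]
"""

# Matches "client=<rDNS name>[<IPv4>]" on postfix/smtpd lines.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: \S+ client=(\S+?)\[(\d+(?:\.\d+){3})\]")


def covering_network(addrs):
    """Smallest single prefix that contains every address in addrs."""
    lo, hi = min(addrs), max(addrs)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()          # widen by one bit at a time
    return net


def summarize(log_text, labels=3, min_hits=2):
    """Return {rDNS suffix: (hits, covering prefix)} for suffixes seen >= min_hits times."""
    groups = defaultdict(list)
    for host, ip in CLIENT_RE.findall(log_text):
        if host == "unknown":         # postfix logs this when the client has no usable rDNS
            continue
        suffix = ".".join(host.lower().split(".")[-labels:])
        groups[suffix].append(ipaddress.ip_address(ip))
    return {
        suffix: (len(addrs), str(covering_network(addrs)))
        for suffix, addrs in groups.items()
        if len(addrs) >= min_hits
    }


if __name__ == "__main__":
    for suffix, (hits, prefix) in summarize(SAMPLE_LOG).items():
        print(f"{suffix}: {hits} connections, covering prefix {prefix}")
```

The covering prefix is only the tightest range around the addresses seen, so it can include space that belongs to someone else; compare it with the network's registered allocation before blocking it.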