It is a new domain, created September 30 with namecheap. An effective
"new domain" system would catch lots of similar spam.

Oh, and I'm another satisfied invaluement customer.


On 09/30/2014 10:41 AM, David Jones wrote:
>> ________________________________________
>> From: Philip Prindeville <philipp_s...@redfish-solutions.com>
>> Sent: Tuesday, September 30, 2014 12:30 PM
>> To: SpamAssassin
>> Subject: Googlasi, blacklotus, etc.
>> I’m seeing spams like:
>> http://pastebin.com/XXQrNURW
>> Notice:
>> * the message is almost always text/plain single part;
>> * the only Received: line is the local one, even though it was received on 
>> port 25;
>> * the message id contains the string be2aaf2163fd72c9975ec76b00288831, which 
>> seems to be a SHA1 hash associated with the destination email address;
>> * there are two or more nonsense header fields containing the SHA1 hash plus 
>> some small integer, and both values are repeated in the message body;
>> * there’s sometimes a third integer value both in the message and optionally 
>> in some nonsense header field;
>> * the message begins with either “Hello ____” or “Dear ____” as the 
>> destination email address,
>> * the phishing URL is either hosted by googlasi (as an amazon instance 
>> 54.69.70.160), or else
>>  blacklotus instance as 192.31.186.4;
>> I’m occasionally seeing text/html which also contains the same hash as part 
>> of the phishing URL.
>> Anyone else seeing this?
>> I’m currently defeating this by locally blacklisting the 2 IP addresses 
>> associated with the URL, plus
>> finding the SHA1 in the message.
>> I’d like to not have to rely on the specific value of the hash for the 2nd 
>> test.
>> -Philip
> That IP is in a number of RBLs.  Do you have any RBLs in your MTA?
>
> http://multirbl.valli.org/lookup/206.221.187.70.html
>
> By the way, I want to say the Invaluement RBL is awesome.  It is very cheap 
> and almost as
> good as spamhaus based on my reports so I recommend everyone purchase a feed 
> of it to
>  knock down the crap before it gets to SA.
>
> I am not affiliated with the IVM product, just a happy customer.
>
> Dave
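As an added example (not code from this thread, and not a SpamAssassin rule), the structural check Philip asks for in Python: flag a message whose Message-ID carries a long hex token that is echoed in two or more other header fields and again in the body, without depending on the token's value. The sample message, header names and addresses are constructed for the demonstration.

```python
import re
from email import message_from_string

# Runs of 32 to 40 hex digits: the token quoted in the thread is 32 hex
# characters long and a SHA-1 would be 40, so accept either length.
HEX_TOKEN = re.compile(r"\b[0-9a-f]{32,40}\b")
GREETING = re.compile(r"^\s*(?:hello|dear)\s+([^\s,]+@[^\s,]+)", re.IGNORECASE)

# Constructed sample modelled on the description in the thread; the hash,
# header names and addresses are invented, not taken from a real message.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by mx.example.net
Message-ID: <0123456789abcdef0123456789abcdef.17@example.org>
X-Ref-Id: 0123456789abcdef0123456789abcdef 17
X-Track: 0123456789abcdef0123456789abcdef 42
From: accounts@example.org
To: victim@example.net
Subject: Account notice
Content-Type: text/plain; charset=us-ascii

Hello victim@example.net,
Your reference 0123456789abcdef0123456789abcdef 17 42 requires attention.
"""

def body_text(msg):
    """Concatenate every text part, so single-part and multipart both work."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)

def hash_echo_score(raw, min_header_hits=2):
    """Return the matched signals, or None when the echo pattern is absent.

    The token value itself is never compared against a fixed hash, so the
    check survives per-recipient hashes that change with every message.
    """
    msg = message_from_string(raw)
    body = body_text(msg).lower()
    headers = [(k, v.lower()) for k, v in msg.items() if k.lower() != "message-id"]
    for token in set(HEX_TOKEN.findall(msg.get("Message-ID", "").lower())):
        hits = [k for k, v in headers if token in v]  # nonsense headers echoing the token
        if len(hits) >= min_header_hits and token in body:
            greet = GREETING.match(body)  # "Hello <recipient>" / "Dear <recipient>"
            return {
                "token": token,
                "header_hits": hits,
                "greets_recipient": bool(greet) and greet.group(1) in msg.get("To", "").lower(),
            }
    return None
```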
