Posted by Colin Wilson on 05/09/06 23:06
> We all know about these scam merchants - but have to admit, it's the
> first one I've received directly to my inbox: Normally, I would just
> delete this crap at source (mailwasher) - but looking at the headers
> (it was sent from "dbaloyi@netscape.net" - I noticed they had sent it
> to an email address from a domain I have which is being used to SEND
> stuff out. (i.e. forging the from field to make it look like I have been
> spamming.) Maybe a coincidence - but given the obvious fraud below,
> makes me wonder if this is the same f*cker causing my inbox to receive
> over a hundred returned undelivered emails a day for the past month!
You've been joe-jobbed (google on the term)
Your domain won't be getting used to "send" the email, it will simply be
spoofed headers - if you want to post the full headers I can try to help
you decipher them :-}
PS: if it's any use, I've got some very strong filters for mailwasher you
can have !
Probably the most effective ones are the ones below, but overall I'm
trapping ~95%+ of the shite automatically.
The first one traps 7+ email addresses in the TO/CC: field (not many
people you don't have in your friends list are likely to send stuff to
more than 7 people at once), and the rest trap IP ranges from the Asia
Pacific region, Latin America, and a couple from Africa.
Just use a decent text editor, switch off word wrap, and reform the
individual "lines" below to make one whole line :-p
If it's of any use, I put these at the top of my filter list, just below
a special section I have for friendly mailing lists I want marking as
safe :-)
[enabled],"multiple to/cc","multiple to/cc",33023,OR,Delete,To,containsRE,"(?is)([@].*){7,}",CC,containsRE,"(?is)([@].*){7,}"
[enabled],AfriNIC,AfriNIC,16711808,OR,Delete,EntireHeader,containsRE,(\(|\[)41.
[enabled],"APNIC 1","APNIC 1",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)58.,EntireHeader,containsRE,(\(|\[)59.,EntireHeader,containsRE,(\(|\[)60.,EntireHeader,containsRE,(\(|\[)61.,EntireHeader,containsRE,(\(|\[)121.,EntireHeader,containsRE,(\(|\[)122.,EntireHeader,containsRE,(\(|\[)123.,EntireHeader,containsRE,(\(|\[)124.,EntireHeader,containsRE,(\(|\[)125.,EntireHeader,containsRE,(\(|\[)126.
[enabled],"APNIC 2","APNIC 2",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)202.,EntireHeader,containsRE,(\(|\[)203.,EntireHeader,containsRE,(\(|\[)210.,EntireHeader,containsRE,(\(|\[)211.,EntireHeader,containsRE,(\(|\[)218.,EntireHeader,containsRE,(\(|\[)219.,EntireHeader,containsRE,(\(|\[)220.,EntireHeader,containsRE,(\(|\[)221.,EntireHeader,containsRE,(\(|\[)222.
[enabled],"APNIC regexpr 1","APNIC regexpr 1",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)169\.((20[8-9])|(21[0-9])|(2[1-2][0-3]))\.,Subject,contains,"### (169.208. -> (169.223. ###",EntireHeader,containsRE,(\(|\[)196\.(19[2-9])\.,Subject,contains,"### (196.192. -> (196.199. ###"
[enabled],LACNIC,LACNIC,128,OR,Delete,EntireHeader,containsRE,(\(|\[)189.,EntireHeader,containsRE,(\(|\[)190.,EntireHeader,containsRE,(\(|\[)200.,EntireHeader,containsRE,(\(|\[)201.
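The filter logic above, as an added Python example rather than the poster's own code or MailWasher itself: it applies the post's To/CC address-count regex and a subset of its first-octet patterns to constructed sample headers. The rule subset, the header-parsing helper, and the sample addresses (documentation/TEST-NET ranges) are assumptions.

```python
import re

# The "multiple to/cc" rule, verbatim: seven or more '@' characters in one To: or CC: field.
MULTI_RECIPIENT_RE = re.compile(r"(?is)([@].*){7,}")

# A subset of the first-octet rules as written in the post. The trailing "." is an
# unescaped regex dot, so it matches any character after the digits, not only ".".
RANGE_RULES = {
    "AfriNIC": [r"(\(|\[)41."],
    "APNIC 2": [r"(\(|\[)202.", r"(\(|\[)203.", r"(\(|\[)210.", r"(\(|\[)211."],
    "LACNIC": [r"(\(|\[)189.", r"(\(|\[)190.", r"(\(|\[)200.", r"(\(|\[)201."],
}

def header_value(raw_headers, name):
    """Return the value of header `name`, with folded continuation lines joined."""
    m = re.search(rf"^{name}:(.*(?:\n[ \t].*)*)", raw_headers, re.I | re.M)
    return " ".join(m.group(1).split()) if m else ""

def too_many_recipients(raw_headers):
    """True when To: or CC: on its own carries seven or more addresses."""
    return any(MULTI_RECIPIENT_RE.search(header_value(raw_headers, f))
               for f in ("To", "CC"))

def matched_range_rules(raw_headers):
    """Names of the range rules whose patterns hit anywhere in the headers."""
    return [name for name, pats in RANGE_RULES.items()
            if any(re.search(p, raw_headers) for p in pats)]

# Constructed sample headers (not real mail); addresses are from documentation ranges.
BULK_MAIL = (
    "From: someone@example.org\n"
    "To: a@example.com, b@example.com, c@example.com, d@example.com,\n"
    "    e@example.com, f@example.com, g@example.com\n"
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
)
APNIC_RELAY = (
    "From: someone@example.org\n"
    "To: me@example.com\n"
    "Received: from relay (relay.example.org [203.0.113.5])\n"
)

if __name__ == "__main__":
    # Folded To: field with 7 addresses trips the first rule; no range rule fires.
    print(too_many_recipients(BULK_MAIL), matched_range_rules(BULK_MAIL))      # True []
    # Single recipient, but the bracketed relay IP starts with 203 -> "APNIC 2".
    print(too_many_recipients(APNIC_RELAY), matched_range_rules(APNIC_RELAY))  # False ['APNIC 2']
```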