Tim
SpamX seems to be identifying 90% of the spam I get, mostly miscellaneous characters in the message, as coming from BellSouth.Net, which seems suspicious to me. Anyone else getting a large percentage of spam from that domain?
Codger
I don't know anything about BellSouth, but I have found over time that one originating IP always seems to be the major source for a while, then another and another. How long has it been for this one provider? Maybe in a while you'll find it's another ISP. I'd be curious to know your observations.
Jeff Hendrickson
That's an unusual amount from one ISP. Is Bell South your ISP? If so, do you have them added to your 'do not send' list?
Tim
No, BellSouth is not my ISP. I'll contact my ISP to see if there's any relationship. I'm getting about 2/3 of my spam reported as coming from BellSouth.net, and those spam reports do not identify any other organization.

Since I've been using SpamX regularly, my spam emails have just about doubled. I'm now up to more than 100 a day. I'm going to give it a little more time, and if the spam continues to increase I'm considering changing my email address, much as I hate to do that.
Tim
I got to thinking after my last response that if BellSouth.net were somehow connected to my ISP, they should be showing up on every reported spam, but they're not. Some of the spam messages do not show up as BellSouth.net origins.

The spams which do show up as a BellSouth.net origin do not report any other ISPs in the SpamX report.
Jeff Hendrickson
Hi Tim,

It sounds like you have something else going on with your machine. For your spam to increase as dramatically as you've described, I'm thinking you may have a spybot, or spyware that has infected your machine.

There are many software tools available to help you check this. I use a combination of HijackThis and AdAware. I have been able to demonstrate an increase in spam with the presence of this type of software on my computer (my son also uses my computer, and visits all sorts of crazy game sites that leave all sorts of 'presents' on my computer).

I haven't had anyone report or observe an increase in spam that they could link with reporting spam with SpamX. I'm open for reports to the contrary.

I hope this helps....

Regs,
-Jeff
Tim
I use Adaware and Spybot Search and Destroy regularly, as well as Norton Anti-Virus and Internet Firewall. But I'll check when I get home to see if there's anything new there.

No one else uses my computer normally. My wife has her own and her own internet account from the same ISP. She gets no spam.
Jeff Hendrickson
Would it be possible for you to post one or two of the BellSouth headers so I can run them here?

Have you used your email address to purchase/register/etc... with a vendor that uses BellSouth as an ISP??
Tim
Here's a typical one from this morning:

Here is the SMTP information.

SMTP Info Start ====================================

Received: from 68.216.93.16 [211.178.20.238] by iclub.org
  (SMTPD32-8.12) id A1B546F01AA; Wed, 23 Jun 2004 05:47:33 -0400
Received: from [120.28.30.85] by 68.216.93.16 id N7yZ3P7CKoSG; Wed, 23 Jun 2004 14:46:00 +0500
Message-ID: <ts7p8j9$4j42v2--8bq3-$m-f@h5l70aqab5>
From: "±èÀå¿Á" <tyhuehfme@bepop.it>
Reply-To: "±èÀå¿Á" <tyhuehfme@bepop.it>
To: <snip>@iclub.org
Subject: Á÷ÀåÀÎ,°ø¹«¿ø,°æÂû,±ºÀÎ,±³»ç,Àü¹®Á÷´ëÃâ-½Åû¼­¸¸ ÀÛ¼ºÇÏ¸é ³¡!  4 pdgnabsdzrm
Date: Wed, 23 Jun 04 14:46:00 GMT
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="C7E7..0D._.D0F"
X-Priority: 3
X-MSMail-Priority: Normal
X-RBL-Warning: AHBL: "Open Proxy - http://www.ahbl.org/tools/lookup.php?ip=21...78.20.238"
X-RBL-Warning: DSBL: "http://dsbl.org/listing?ip=211.178.20.238"
X-RBL-Warning: SORBS-HTTP: "HTTP Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?...78.20.238"
X-RBL-Warning: SORBS-SOCKS: "HTTP Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?...78.20.238"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [a010010f].
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: HELOBOGUS: Domain 68.216.93.16 has no MX or A records [0301].
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 211.178.20.238 with no reverse DNS entry.
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [a010010f].
X-RBL-Warning: *SPAM* : This message may be spam.
X-Declude-Sender: tyhuehfme@bepop.it [211.178.20.238]
X-Spam-Tests-Failed: AHBL, DSBL, SORBS-HTTP, SORBS-SOCKS, BADHEADERS, CMDSPACE, HELOBOGUS, REVDNS, ROUTING, WEIGHT10, WEIGHT20, WEIGHT25, WEIGHT30, WEIGHT40, WEIGHT50, WEIGHT60, WEIGHT200 [115]
X-IMAIL-SPAM-HTML-FEATURES: (51ac046f01aa16fa, Image Tag)
X-RCPT-TO: <tsingleton@iclub.org>
Status: U
X-UIDL: -1294232835


<table id="Table_01" width="620" height="800" border="0" cellpadding="0" cellspacing="0" align="center">
<tr>
  <td>
  <a href="http://maniloan.com/request_doc03.asp?id=best"><img src="http://maniloan.com/mail/new_03/images/mail_img_17_01.jpg" width="620" height="262" alt="" border="0"></a></td>
</tr>
<tr>
  <td>
  <a href="http://maniloan.com/request_doc04.asp?id=best"><img src="http://maniloan.com/mail/new_03/images/mail_img_17_02.jpg" width="620" height="228" alt="" border="0"></a></td>
</tr>
<tr>
  <td>
  <a href="http://maniloan.com/request_doc05.asp?id=best"><img src="http://maniloan.com/mail/new_03/images/mail_img_17_03.jpg" width="620" height="245" alt="" border="0"></a></td>
</tr>
<tr>
  <td>
  <a href="http://maniloan.com/nomail.htm"><img src="http://maniloan.com/mail/new_03/images/mail_img_17_04.gif" width="620" height="65" alt="" border="0"></a></td>
</tr>
</table>
nltpvhbb iwz
dmannzflfiwg nghtp z koo xro qlybebumwzrxfwa
hasuizkec t o
s


SMTP Info End ======================================

Generated by SpamX Version 1.2.7d
http://www.hendricom.com
Tim
And here's another that was identified by SpamX as coming only from BellSouth.net:

Here is the SMTP information.

SMTP Info Start ====================================

Received: from 68.216.93.16 [203.252.71.75] by iclub.org
  (SMTPD32-8.12) id A21A182800A8; Wed, 23 Jun 2004 03:32:42 -0400
Language: English
X-MIME-Autoconverted: Yes
Alternate-Recipient: Allowed
Resent-Reply-To: "Marianne Morris" <gffwgetw@christian.com>
Reply-To: "Marianne Morris" <gffwgetw@christian.com>
From: "Marianne Morris" <gffwgetw@christian.com>
To: <snip>@iclub.org
Subject: dont let it go pervade ares croft
Date: Wed, 23 Jun 2004 04:46:07 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--91998390264127276"
Message-Id: <200406230332734.SM01268@68.216.93.16>
X-RBL-Warning: CBL: "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=203.2...252.71.75"
X-RBL-Warning: DSBL: "http://dsbl.org/listing?ip=203.252.71.75"
X-RBL-Warning: SPAMCOP: "Blocked - see http://www.spamcop.net/bl.shtml?203.252.71.75"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c004020f].
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: HELOBOGUS: Domain 68.216.93.16 has no MX or A records [0301].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c004020f].
X-RBL-Warning: *SPAM* : This message may be spam.
X-Declude-Sender: gffwgetw@christian.com [203.252.71.75]
X-Spam-Tests-Failed: CBL, DSBL, SPAMCOP, BADHEADERS, CMDSPACE, HELOBOGUS, SPAMHEADERS, WEIGHT10, WEIGHT20, WEIGHT25, WEIGHT30, WEIGHT40, WEIGHT50, WEIGHT60 [97]
X-IMAIL-SPAM-HTML-FEATURES: (3219182800a8ef78, Image Tag)
X-RCPT-TO: <tsingleton@iclub.org>
Status: U
X-UIDL: -1294232846


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Message</TITLE>

<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD> <BODY> <DIV><FONT color ="FFFFFF">face=Arial size=2><SPAN class=906094222-11062004> <a href="http://Madison.amsnbzxw.com/?d=felo&a=g1">
<img src="http://OyeAO9Qw.manbsczx.com./p/2aLxKE"></a>
<br> Sanity is a madness put to good uses. - George Santayana (1863-1952) &nbsp<br> If you havent got anything nice to say about anybody come sit next to me. - Alice Roosevelt Longworth (1884-1980) /SPAN></FONT></DIV></BODY></HTML>


SMTP Info End ======================================

Generated by SpamX Version 1.2.7d
http://www.hendricom.com
Jeff Hendrickson
Hi Tim,

This is one of the more interesting spam attacks that I've seen. I appreciate your taking the time to share this information.

For some reason, some spammer in Korea has taken it upon themselves to make your life miserable.

Consider the first entry in both of the examples you posted:

1) Received: from 68.216.93.16 [203.252.71.75] by iclub.org
2) Received: from 68.216.93.16 [211.178.20.238] by iclub.org

Notice both of the 'spoofed' addresses (68.216.93.16) are the same. The chances of this being a coincidence are almost non-existent.

The spam source in example 1 is actually Kangwon National University, ychung@kangwon.ac.kr.

The spam source in example 2 is actually hanaro.com, abuse@hanaro.com.

Both are Korean sources.

Without giving up the details of the SpamX parsing algorithm, it will not look at the second address using the format in the two examples. This will be changed as a priority 'feature addition'.

When the fix is in, you should start aggressive reporting of these #$^%&*.

I'll post a message here when the code mods are available.

Thanks again for taking the time to point this out...

Regs,
-Jeff
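The distinction Jeff draws between the spoofed HELO value and the bracketed connecting address can be checked mechanically. The Python below is an added example, not SpamX code or anything from hendricom.com; it assumes the `from <helo> [<ip>] by <host>` layout of the quoted headers, uses sample lines constructed from the two reports above, and takes a hypothetical `own_host` argument for the receiving server.

```python
import re

# Constructed sample built from the Received: lines quoted in the thread. The token
# after "from" is whatever the sender claimed in HELO/EHLO; the bracketed address is
# what the receiving MTA observed on the TCP connection and is the only part it can vouch for.
SAMPLE_HEADERS = [
    "Received: from 68.216.93.16 [211.178.20.238] by iclub.org",
    "Received: from [120.28.30.85] by 68.216.93.16 id N7yZ3P7CKoSG",
    "Received: from 68.216.93.16 [203.252.71.75] by iclub.org",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Received: from <helo> [<ip>] by <host>", with the HELO token optional.
RECEIVED_RE = re.compile(
    rf"^Received:\s+from\s+(?:(?P<helo>[^\s\[]+)\s+)?\[(?P<ip>{IPV4})\]\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(line):
    """Split one Received: line into (helo_claim, connecting_ip, receiving_host)."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    return m.group("helo"), m.group("ip"), m.group("by")

def naive_source(line):
    """The misattribution: take the first dotted quad after 'from', i.e. the HELO claim."""
    m = re.search(rf"from\s+\[?({IPV4})", line, re.IGNORECASE)
    return m.group(1) if m else None

def connecting_source(line):
    """Use the bracketed address that the receiving server recorded itself."""
    parsed = parse_received(line)
    return parsed[1] if parsed else None

def helo_is_spoofed(line):
    """True when the HELO claim is an IP literal that differs from the observed peer."""
    parsed = parse_received(line)
    if not parsed or parsed[0] is None:
        return False
    helo, ip, _ = parsed
    return re.fullmatch(IPV4, helo) is not None and helo != ip

def trusted_origin(headers, own_host):
    """Only the hop stamped by your own MTA is trustworthy; hops below it may be forged."""
    for line in headers:
        parsed = parse_received(line)
        if parsed and parsed[2].lower() == own_host.lower():
            return parsed[1]
    return None
```

Reporting the bracketed address instead of the HELO token is what sends an abuse report to the network that actually connected, rather than to whoever the spammer chose to impersonate.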
Tim
Thanks, Jeff. I knew that second address was odd. I did a WhoIs on it and checked through APNIC for a couple of them, but the ones I checked were apparently forged, so I didn't get a specific owner.

I'll look forward to your upgrade.