on Tue, Aug 03, 2004 at 03:01:51PM -0400, Rich Graves wrote:
As postmaster, I see a lot of double-bounces for a user who forwards their mail to a server that implements the policy:
550 5.7.1 mail containing 8aa.tXokG4N.fagonyenomy.org rejected - sbl; see http://www.spamhaus.org/query/bl?ip=201.3.240.234
They appear to be using the milter mentioned in http://www.surbl.org/faq.html#numbered
Sure, fagonyenomy.org is in sc.surbl.org now, but these cretins register new domains pointing at the same IPs on a (at least) daily basis, and there is a time lag. The site they were spamming about this morning, thebest-search.com.sc.surbl.org, exists only on ob.surbl.org, not sc or ws.
These guys (I've been calling them "Sergey Katchenko", but it appears "Sergey" is a front for yet another spamgang) have been running a joe job against one of my domains for a couple of months now. Want to pre-emptively block all their crud? Run this script:
#!/usr/bin/perl
use strict;
use warnings;

# Word fragments that get paired up to form the domain names.
my @bits = (
    "akiana", "bertikas", "bortsimis", "enofakel", "enomy", "fagony",
    "fenium", "fikals", "frakles", "inacalo", "indakitos", "kitaros",
    "manics", "mipatarios", "neynano", "nimphos", "ownaros", "pazda",
    "pikas", "pitovshe", "poises", "polishe", "porchma", "potkasi",
    "pritkeras", "sayara", "simptomps", "sofikals", "tronits",
    "valdisimus", "xesros",
);

# Print every front+back pairing as a .org domain, one per line.
foreach my $front (sort @bits) {
    foreach my $back (sort @bits) {
        print "$front$back.org\n";
    }
}
Should give you 961 domains, approximately 300 or so of which are registered at the moment, but all of them have fallen into this pattern so far. He's registered 100 more since I first started keeping track last month, and AFAICT they're all on that generated list.
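
An added example, not part of the original message or anyone's milter: instead of loading the 961 generated names into a blocklist, a content filter can test each .org hostname found in a message body against the two-fragment pattern directly, which also covers subdomain-prefixed, mixed-case hosts like the one in the 550 rejection quoted above. The function names, the hostname regex and the sample body are assumptions constructed for illustration; the fragment list is copied from the Perl script.

```python
import re

# Word fragments copied from the Perl script in the message above.
BITS = frozenset("""
    akiana bertikas bortsimis enofakel enomy fagony fenium fikals frakles
    inacalo indakitos kitaros manics mipatarios neynano nimphos ownaros
    pazda pikas pitovshe poises polishe porchma potkasi pritkeras sayara
    simptomps sofikals tronits valdisimus xesros
""".split())

# Hostname-like tokens ending in .org (constructed pattern, an assumption).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+org)\b", re.IGNORECASE)


def registered_domain(host):
    """Lowercase and keep the last two labels: a.b.fagonyenomy.org -> fagonyenomy.org"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matches_pattern(host):
    """True if the registered domain is <fragment><fragment>.org."""
    name, _, tld = registered_domain(host).rpartition(".")
    if tld != "org":
        return False
    # Try every split point, so a fragment that happens to be a prefix or
    # suffix of another fragment cannot hide a valid pairing.
    return any(name[:i] in BITS and name[i:] in BITS for i in range(1, len(name)))


def flagged_hosts(body):
    """Return the sorted, lowercased hostnames in body that fit the pattern."""
    return sorted({h.lower() for h in HOST_RE.findall(body) if matches_pattern(h)})


# Constructed sample message body, for illustration only.
SAMPLE_BODY = """Visit http://8aa.tXokG4N.fagonyenomy.org/offer today
Unsubscribe: http://www.spamhaus.org/query
Also see PikasValdisimus.ORG and fagony.org
"""

if __name__ == "__main__":
    for host in flagged_hosts(SAMPLE_BODY):
        print("pattern match:", host)
```

Domains outside the pattern, such as the thebest-search.com site mentioned in the quoted message, are not matched and still depend on the SURBL lists.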