[SURBL-Discuss] Selectively looking up the IPs to which uri's resolve

Steven Champeon schampeo at hesketh.com
Tue Aug 3 16:36:01 CEST 2004


on Tue, Aug 03, 2004 at 03:01:51PM -0400, Rich Graves wrote:
> As postmaster, I see a lot of double-bounces for a user who forwards their
> mail to a server that implements the policy:
> 
>    550 5.7.1 mail containing 8aa.tXokG4N.fagonyenomy.org rejected -
>        sbl; see http://www.spamhaus.org/query/bl?ip=201.3.240.234
> 
> They appear to be using the milter mentioned in 
> http://www.surbl.org/faq.html#numbered
> 
> Sure, fagonyenomy.org is in sc.surbl.org now, but these cretins register
> new domains pointing at the same IPs on a (at least) daily basis, and there
> is a time lag. The site they were spamming about this morning,
> thebest-search.com.sc.surbl.org, exists only on ob.surbl.org, not sc or ws.

These guys (I've been calling them "Sergey Katchenko", but it appears
"Sergey" is a front for yet another spamgang) have been running a joe
job against one of my domains for a couple of months now. Want to
pre-emptively block all their crud? Run this script:

#!/usr/bin/perl
use strict;
use warnings;

# Name fragments seen in these domains; each domain is front + back + ".org"
my @bits = ("akiana","bertikas","bortsimis","enofakel","enomy","fagony","fenium","fikals","frakles","inacalo","indakitos","kitaros","manics","mipatarios","neynano","nimphos","ownaros","pazda","pikas","pitovshe","poises","polishe","porchma","potkasi","pritkeras","sayara","simptomps","sofikals","tronits","valdisimus","xesros");
# Print every front/back combination (31 x 31 = 961 names)
foreach my $front (sort @bits) {
  foreach my $back (sort @bits) {
    print "$front$back.org\n";
  }
}

Should give you 961 domains, approximately 300 or so of which are
registered at the moment, but all of them have fallen into this pattern
so far. He's registered 100 more since I first started keeping track
last month, and AFAICT they're all on that generated list.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
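
An added example, not part of the original post: instead of loading all 961 generated names into a blocklist, a filter can test whether a URI host's registered .org label splits into two fragments from the list, which also catches random subdomains such as the one in the quoted bounce. The names match_domain, scan_body and SAMPLE are assumptions made for this sketch, and SAMPLE is constructed input.

```python
import re

# Fragment list copied from the Perl script in the post above.
BITS = (
    "akiana", "bertikas", "bortsimis", "enofakel", "enomy", "fagony",
    "fenium", "fikals", "frakles", "inacalo", "indakitos", "kitaros",
    "manics", "mipatarios", "neynano", "nimphos", "ownaros", "pazda",
    "pikas", "pitovshe", "poises", "polishe", "porchma", "potkasi",
    "pritkeras", "sayara", "simptomps", "sofikals", "tronits",
    "valdisimus", "xesros",
)
BITSET = frozenset(BITS)

# Hostname-shaped tokens in free text (assumption: good enough for a sketch,
# a real filter would use its MIME/URI extractor).
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def split_fragments(label):
    """Return (front, back) if label is exactly two list fragments, else None."""
    for i in range(1, len(label)):
        if label[:i] in BITSET and label[i:] in BITSET:
            return label[:i], label[i:]
    return None


def match_domain(host):
    """Return the registered .org domain if host fits the pattern, else None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "org":
        return None
    # Only the label left of "org" matters; subdomain labels are ignored.
    if split_fragments(labels[-2]):
        return labels[-2] + ".org"
    return None


def scan_body(text):
    """Return the sorted set of pattern domains referenced in a message body."""
    return sorted({d for h in HOST_RE.findall(text) if (d := match_domain(h))})


# Constructed sample message body.
SAMPLE = """Visit http://8aa.tXokG4N.fagonyenomy.org/ today
Mirror at pikasmanics.org. Unrelated: http://www.example.org/ and
thebest-search.com"""

if __name__ == "__main__":
    print(scan_body(SAMPLE))
```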

