[SURBL-Discuss] Joe Wein has a new friend?

Steven Champeon schampeo at hesketh.com
Mon Jul 25 16:34:11 CEST 2005


on Mon, Jul 25, 2005 at 04:18:38PM +0900, Joe Wein wrote:
> 
> 
> > FWIW Joe's getting jobbed:
> 
> Hi Jeff,
> 
> I had three joe jobs against me between December 2003 and February 2004.
> Since then it had been quiet, but I must say I wasn't entirely surprised
> that it continued, especially after a PayPal joe job less than two months
> ago.
> 
> > Return-Path: <bouteille at kinki-kids.com>
> > Received: from dbzmail.com ([61.85.57.209])
> >         by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
> >         for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
> > Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
> >         by dbzmail.com (Postfix) with ESMTP id E5A841602F
> >         for <x>; Sun, 24 Jul 2005 00:39:14 -0500
> > From: "Ambulance U. Descant" <bouteille at kinki-kids.com>
> 
> This seems to be a bulkmailer that inserts fake Outblaze references into the
> headers to obscure the broadband hosts that are the real sources (or
> proxies). I've seen other examples with other bogus Outblaze maildomains for
> the fake sender. According to one admin who monitored the Joe job sources
> from their site the hosts are running something called "DMS Revolution proxy
> spam engine".

I've been calling this spamsign "Mobster I. Syphilitic", after one of
the best randomly-generated From: headers. It's rather easy to block;
and of course the mr.outblaze.com is a 100% positive indicator for
spamsign (as a more general rule, the forged Received: header contains
the MX record, not the PTR record, for the domain). I've been told (on
spam-r) that it's a sign of Alexey Panov's DMS, so it seems your sources
and mine are in agreement.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
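
The check described in this message, as an added example that is not part of the original post or of any poster's filter: it flags Received: hops whose reverse-DNS slot holds a *.mr.outblaze.com name and, given MX data, hops where that slot holds an MX name of the HELO domain. The function name, the mx_of table and the third sample hop are assumptions made for the example.

```python
import re
from email.parser import HeaderParser

# Postfix-style hop: "from HELO (name [ip])". A real MTA writes the PTR
# (reverse DNS) name of the connecting IP in the parenthesised slot.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<name>[^\s\[\]()]+)\s+\[(?P<ip>[0-9.]+)\]\)")

def suspicious_hops(raw_headers, mx_of=None):
    """Return (helo, name, ip, reason) for each Received: hop that matches."""
    mx_of = mx_of or {}  # assumption: caller-supplied {domain: set of MX names}
    hits = []
    for value in HeaderParser().parsestr(raw_headers).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # e.g. "from host ([ip])": no name recorded for the hop
        helo, name, ip = m["helo"].lower(), m["name"].lower().rstrip("."), m["ip"]
        if name.endswith(".mr.outblaze.com"):
            hits.append((helo, name, ip, "mr.outblaze.com in PTR slot"))
        elif name in mx_of.get(helo, ()):
            # A host that is its own MX can match legitimately: score, don't reject.
            hits.append((helo, name, ip, "MX name in PTR slot"))
    return hits

# First two hops are the headers quoted in the thread (wrapped lines rejoined);
# the third hop and the MX table are constructed for this example.
SAMPLE = (
    "Received: from dbzmail.com ([61.85.57.209])\n"
    "\tby smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677\n"
    "\tfor <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)\n"
    "Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])\n"
    "\tby dbzmail.com (Postfix) with ESMTP id E5A841602F\n"
    "\tfor <x>; Sun, 24 Jul 2005 00:39:14 -0500\n"
    "Received: from mail.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby relay.example.net (Postfix) with ESMTP id 0000000000\n"
    "\tfor <x>; Sat, 23 Jul 2005 23:00:00 -0500\n"
)
SAMPLE_MX = {"mail.example.org": {"mx1.example.org"}}

if __name__ == "__main__":
    for hit in suspicious_hops(SAMPLE, SAMPLE_MX):
        print(hit)
```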

