<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Found dnschecker.org As suspected,
most of these stupid spams are coming from Moscow. Today's stupid
pillow spam ad analyzed:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><font face="monospace">Email Source Ip
Info<br>
Source IP Address 194.87.244.234<br>
Source IP Hostname 194.87.244.234<br>
Country Russia<br>
State Moscow<br>
City Moscow (Vostochnyy administrativnyy okrug)<br>
Zip Code null<br>
Latitude 55.8106<br>
Longitude 37.8166<br>
ISP JSC "RetnNet"<br>
Organization JSC "RetnNet"<br>
Threat Level low<br>
<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a class="moz-txt-link-freetext" href="http://www.ripe.net/db/support/db-terms-conditions.pdf">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
% To receive output for a database update, use the "-B"
flag.<br>
<br>
% Information related to '194.87.244.0 - 194.87.244.255'<br>
<br>
% Abuse contact for '194.87.244.0 - 194.87.244.255' is
'<a class="moz-txt-link-abbreviated" href="mailto:abuse@mtw.ru">abuse@mtw.ru</a>'<br>
<br>
inetnum: 194.87.244.0 - 194.87.244.255<br>
netname: RUCLOUD<br>
descr: Startup maintainer<br>
country: RU<br>
org: ORG-JME1-RIPE<br>
admin-c: AK14258-RIPE<br>
tech-c: AK14258-RIPE<br>
mnt-routes: MNT-RETN<br>
mnt-domains: MNT-RETN<br>
status: ASSIGNED PA<br>
mnt-by: interlir-mnt<br>
created: 2022-11-15T17:11:09Z<br>
last-modified: 2022-12-20T16:11:23Z<br>
source: RIPE<br>
<br>
organisation: ORG-JME1-RIPE<br>
org-name: JSC Mediasoft ekspert<br>
country: RU<br>
org-type: LIR<br>
address: 2a Schelkovskoe sh.<br>
address: 105122<br>
address: Moscow<br>
address: RUSSIAN FEDERATION<br>
phone: +74957295734<br>
fax-no: +74957295734<br>
admin-c: FVV36-RIPE<br>
admin-c: PSK26-RIPE<br>
admin-c: EE761-RIPE<br>
abuse-c: MN3617-RIPE<br>
mnt-ref: RIPE-NCC-HM-MNT<br>
mnt-ref: MTW-MNT<br>
mnt-ref: AS2118-MNT<br>
mnt-by: RIPE-NCC-HM-MNT<br>
mnt-by: MTW-MNT<br>
created: 2008-02-11T11:21:07Z<br>
last-modified: 2020-12-16T13:05:31Z<br>
source: RIPE # Filtered<br>
<br>
person: Alexey Khoroshilov<br>
address: 117403, Moscow, MKAD, 32nd km, 7A<br>
phone: +7 (495) 134-01-12<br>
nic-hdl: AK14258-RIPE<br>
mnt-by: MT-TECHNOLOGY-NET<br>
created: 2015-06-24T12:10:58Z<br>
last-modified: 2015-06-24T12:10:58Z<br>
source: RIPE # Filtered<br>
<br>
% Information related to '194.87.244.0/24AS9002'<br>
<br>
route: 194.87.244.0/24<br>
origin: AS9002<br>
mnt-by: interlir-mnt<br>
created: 2022-11-15T17:11:52Z<br>
last-modified: 2022-11-15T17:11:52Z<br>
source: RIPE<br>
<br>
% This query was served by the RIPE Database Query Service
version 1.106 (SHETLAND)</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace">Tracing the
location (probably not accurate) gives me a location right next
to the "State Kremlin Palace". <br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace">55.75219999999999,37.6155</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace">Yeah, that
sounds benign... So is this normal, or should I contact the
FBI?<br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix"><font face="monospace"><br>
</font></div>
<div class="moz-cite-prefix">On 3/10/23 12:43 PM, Bruce Labitt
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9fb15517-a95f-dc0f-36f2-03bd8d05952c@myfairpoint.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">In email headers, are there any
fields which are not spoof-able? Or is email simply a morass
that is totally unsolvable and broken? Simply impossible to
filter spam? Now I am getting spam that is passing all the
dmarc, spf, and dkim checks. Volume is relatively low at the
moment, 6 in 12 hours, but I am sure the bad guys are working on
increasing the volume.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">In particular, is <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">X-Origin-Country reliable? Or is
this data field unsuitable for filtering as well?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Are there any mail client
pre-filtering packages that can be added? Or is this a game
best left to?<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 3/9/23 2:44 PM, Bruce Labitt
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5c1ade88-55f6-7ca8-5d41-857c14f71d06@myfairpoint.net">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<div class="moz-cite-prefix">Spoke too soon. I am far from
understanding this all, but why would my ISP send me mail that
failed the following tests?</div>
<div class="moz-cite-prefix">dmarc, spf or dkim? The latest
spam I received failed <u>all</u> three tests. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">It appears not everyone is
consistent with using this stuff, I found an email from South
West Airlines that apparently doesn't use dmarc, but at least
it passed spf and dkim. What a mess.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I tried to send this email and it
was blocked when I included the dmarc text.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 3/9/23 11:49 AM, Bruce Labitt
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:fc5df7f1-db30-deb2-c9e1-ba9d16587d38@myfairpoint.net">
<pre class="moz-quote-pre" wrap="">Crossing fingers, my spam storm has paused. No spam since 3:27 EST
yesterday.
Cleaned out tons of old spam off my phone, which was tedious. Found
some miss-classified spam that were legitimate emails, like from
attorneys and banks, that I never received. Loads of stock tips, scams,
assorted pharmaceuticals, and of course, invitations to honeypots of the
female persuasion. Some were quite amusing.
Need to get back to the email spam storm on my wife's account now.
Not sure if one her groups she belongs to was compromised and her email
account sold to spammers or not. Seems like it.
My kids, both on different ISP's had no increase in spam in the past
week. I asked them last night, trying to figure out if this was a local
thing, or more wide spread. Guess it was local, or their ISP's were
more on the ball.
On 3/8/23 5:59 PM, Bruce Labitt wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I think that something has been going on for a bit now.
However, I did go through some ancient spam emails (don't ask me why
they were still around, I plumb forgot they were accumulating) and found
quite a few of them posing as family members and people I knew, but were
not legitimate. Examining the headers showed they were trying to fool
me. All of them wanted me to click on some link - hoping to do some
nefarious thing or another to me. Many were from RU.
Oh, I have been using the filters! I have filtered every domain ending
in xyz, .store and a few others. It's not as easy to filter against
yourself...
Is it better to have these messages go to junk, or direct to trash?
Using Thunderbird if that matters.
On 3/8/23 5:22 PM, Ronald Smith wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi all,
There is a coordinated attack happening right now on many forms of communication; email, social media, everything -- someone doesn't want people communicating right now. The increase in spam is just part of it.
Emails that I've sent to gmail have been bounced, maybe because gmail has tightened their filters, maybe it's a false flag. I'm not sure and I'm not going waste my time tracking it down right now. If someone wants to reach me, they can just call me on the phone.
To the guy who said you should block all the IP's in the header -- that's ABSOLUTELY WRONG! Whoever has launched this attack wants folks to do that -- they want folks to block stuff to further limit communication. Don't do that!
You can only trust the top "Received" notice in your email header. SMTP servers are supposed to tack on their info to the top of the message and send it along to the next server, but spammers or provocateurs will often falsify the tracking info below the most recent "Received" line, so you should just ignore that.
Just put up with the spam for now; don't over-react. Your email providers will know how to handle this if they have enough experience. Use the filters in your client if you need to.
Have fun...
Ronald Smith
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:r270@mrt4.com" moz-do-not-send="true">r270@mrt4.com</a>
603-360-1000
- - - -
On Wed, 8 Mar 2023 13:31:56 -0500
Bruce Labitt <a class="moz-txt-link-rfc2396E" href="mailto:bruce.labitt@myfairpoint.net" moz-do-not-send="true"><bruce.labitt@myfairpoint.net></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Seems to be an uptick in spam received lately. Doesn't seem that my ISP
is on top of it. In the past 48 hours have received at least three
dozen spams from similar parties. Many seem to be coming from *.store
domains. I haven't knowingly ever visited one of these domains.
I don't think I want to run my own email server - mostly because 1) I
really don't know how to set one up, and 2) it sounds like a bit of work
to maintain. Of course, I could be wrong, which is why I am asking.
I did a whois, and due to privacy cr*p, there's no longer a way to get
to the registrants. I can see why this might be, but it does make it
harder to report people. I did report a couple of domains as spammers
to godaddy, since I *think* they were the registrar. This really
doesn't seem kosher to me, since godaddy gets revenue from the
spammers. I also reported a domain or two to my ISP. Things have
slightly slowed down, but I am not holding my breath.
In my wife's case, one or more of her acquaintances (with Windows
computers?) have had their accounts compromised or information stolen,
and she has been super subscribed to what seems like dozens and dozens
of spamming lists. Her spam folder on her phone receives may hundreds
of emails a day - it's really out of control. How can we get out of
this mess?
Anyways, are there any practical ways to get a better handle on this?
Looking for some ideas. Thanks for any and all suggestions. I hope
this would be a topic of interest to others on this list. If for no
other reason to share what worked and what didn't.
_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:gnhlug-discuss@mail.gnhlug.org" moz-do-not-send="true">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" moz-do-not-send="true">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:gnhlug-discuss@mail.gnhlug.org" moz-do-not-send="true">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" moz-do-not-send="true">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:gnhlug-discuss@mail.gnhlug.org" moz-do-not-send="true">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" moz-do-not-send="true">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
<p><br>
</p>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:gnhlug-discuss@mail.gnhlug.org" moz-do-not-send="true">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/" moz-do-not-send="true">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
<p><br>
</p>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
gnhlug-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnhlug-discuss@mail.gnhlug.org">gnhlug-discuss@mail.gnhlug.org</a>
<a class="moz-txt-link-freetext" href="http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/">http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>