Mailing List CGatePro@mail.stalker.com Message #106006
From: Lewis G Rosenthal <lgrosenthal@2rosenthals.com>
Subject: Re: Spam from one 'organization'.
Date: Fri, 04 Mar 2016 13:10:53 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hi, Jeff...

On 03/04/16 09:41 am, Jeff Wark wrote:
I have been getting a much higher than normal amount of spam in my Junk mailbox the past week (it is correctly getting tagged by PolluStop), but the volume was curious.

Looking at the headers of the messages, these seem to be the blocks the messages are coming from (smaller blocks than this, but associated with these ARIN assignments):

66.199.224.0/19
72.9.96.0/20
104.243.64.0/20
216.169.96.0/19


<snip>


Is anyone else seeing a big jump in spam from these blocks?

$ grep -E '(216\.169\.((9[6-9])|(1[01][0-9])|(12[0-7])))|(66\.199\.(2(([2][4-9])|([34][0-9])|[5][0-6])))|(72\.9\.((9[6-9])|(10[0-9])|(11[01])))|(104\.243\.((6[4-9])|(7[0-9])))' 2016-03-04*



Sorry, no. I checked the firewall logs (I use Astaro - now Sophos UTM), and could not find a trace of those subnets hitting my primary or secondary MX. Looks like you just got lucky. :-)

Maybe someone on your end raised the ire of one of these miscreants (responded to an incoming questionable message, acknowledging a live mailbox) and that's what kicked off your fun.

Good luck.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies   see www.2rosenthals.com
-------------------------------------------------------------
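
The same log search done with CIDR arithmetic instead of hand-encoded octet ranges, as an added example that is not part of the original message. The sample log lines and the function names are constructed for illustration; only the four blocks come from the thread. Unanchored octet patterns can also match look-alike addresses such as 172.9.96.x, which this check rejects.

```python
import ipaddress
import re

# CIDR blocks quoted in the message above.
BLOCKS = [ipaddress.ip_network(n) for n in (
    "66.199.224.0/19", "72.9.96.0/20", "104.243.64.0/20", "216.169.96.0/19")]

# Candidate dotted quads, not embedded in a longer number;
# ip_address() below rejects out-of-range octets.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def matching_block(addr):
    """Return the listed block containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in BLOCKS if ip in net), None)

def scan(lines):
    """Yield (line_number, address, block) for each address inside a block."""
    for n, line in enumerate(lines, 1):
        for addr in IPV4.findall(line):
            net = matching_block(addr)
            if net is not None:
                yield n, addr, str(net)

# Constructed sample lines (assumed generic format, not real log data).
SAMPLE = [
    "2016-03-04 13:02:11 SMTP connect from 216.169.125.7",  # top of the /19
    "2016-03-04 13:02:14 SMTP connect from 172.9.96.20",    # look-alike prefix
    "2016-03-04 13:02:19 SMTP connect from 72.9.111.254",   # last /24 of the /20
    "2016-03-04 13:02:25 SMTP connect from 72.9.112.1",     # just past the /20
    "2016-03-04 13:02:31 SMTP connect from 104.243.79.3",
]

if __name__ == "__main__":
    for line_no, addr, block in scan(SAMPLE):
        print(line_no, addr, block)
```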
