spamassassin hole again?

massive porn spam is making it through spamassassin. new filter oops?

randy, still researching

We are not using SpamAssassin, have only major RBLs in place, and are seeing the same wave of spam. Seems like a new botnet has just appeared.

-- Babak

Any chance you could provide a *clue* as to what you're seeing, eg
message subject, from, etc???

Andrew Fried
andrew.fried@gmail.com

> Any chance you could provide a *clue* as to what you're seeing, eg
> message subject, from, etc???

The subjects seem to vary; but appear to involve animals, sex and cute women in various orders (apologies to anyone offended by that).

Content is a one-liner link to porn sites.

I agree with the RIPE DB scrape - the From: line on one of these is

and the CC line contains our notify: E-mail (plus a load more of this junk to noc|peering|named contacts).

These seem to be botted machines sending mails 'legitimately', i.e. headers appear to show that the first hop was relayed out through a normal route rather than just port 25 spray. Some are even kindly pre-marked as spam.

We've had >250 turn up since 23:34 UTC yesterday (12 April). Appears to have slowed/stopped around 05:00 UTC today (13 April).

Paul.

Thanks, Paul. The #1 spam I'm seeing right now has the subject line
"Subject: Why Internet was born?"; the domains from the URLs appear to
be listed in Spamhaus DBL. Obviously a different batch.

Andy

Andrew Fried
andrew.fried@gmail.com

Hi,

I suspect I've been hit by the same run. It looks like the RIPE database has been harvested, since I got at least one copy on an e-mail address that I've only used for the RIPE db. I also saw a lot of peering@ and noc@ addresses in from/to/cc fields. So far I've received about a hundred copies. Whoever is responsible for this spamrun is not the brightest light in the world.

Thanks,

Sabri