Full Version: -+ JOHN@ +- the big spammer!
The Planet Forums > Control Panels > cPanel/WHM
aussie
Over the past few weeks we have been the target of John the spammer. Even though his JUNK never seems to even make it into the server, I do give this worm an A for effort.

Almost on the hour we see JOHN the spammer attempting to send large amounts of spam to multiple email addresses that I guess he has conceived in his head should appear on our servers. Funny thing is, it's happening exactly on the hour, sent to 3 of our boxes at once. Every single IP he's using is different, 99% of which are blacklisted by SpamCop, and those that aren't are rejected :FAIL: no such user here.

Has anyone seen this worm named JOHN on their servers?

2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net

2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net
2004-01-03 18:47:04 H=(arias.net) [24.9.124.247] F= rejected RCPT : rejected because 24.9.124.247 is in a black list at bl.spamcop.net

2003-12-28 08:45:11 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 2$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 2$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24.48$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24.$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 2$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 2$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT <1c12S4860S210287839@maxpoweraero.com>: rejec$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24$
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because $
2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24.$

2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT :$
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT :$
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT : re$
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT $
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT $
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT $
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT $
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT
2003-12-28 12:50:14 H=(bwl.uni-mannheim.de) [24.14.162.150] F= rejected RCPT :$

2004-01-03 19:18:10 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net
2004-01-03 19:18:11 H=(abstainers.com) [24.64.184.103] F= rejected RCPT : rejected because 24.64.184.103 is in a black list at bl.spamcop.net


Would love to block this idiot, but which IP do you use?


etc. etc.

I LOVE SPAMCOP!!!!!!!!
eth00
Just block the entire 24, maybe even the 69 block while you're at it. It's not like there are THAT many users on the internet from those IP ranges ;) lol
aussie
Can't, what I listed is only from 24; the rest are from completely different IP ranges: 66, 172, 68, 205, etc.
eth00
24 is probably the biggest cable IP block in the US; block that and you would have everybody on your tail. 69 is probably the second largest source of cable IPs.

For that matter, he is probably using rooted/hacked boxes as relays for his mailing efforts. Times like these are when I wish ISPs would actually enforce the policy on new servers and perhaps block some ports... like mail.
phenx
QUOTE
Originally posted by eth00
24 is probably the biggest cable IP block in the US; block that and you would have everybody on your tail. 69 is probably the second largest source of cable IPs.

For that matter, he is probably using rooted/hacked boxes as relays for his mailing efforts. Times like these are when I wish ISPs would actually enforce the policy on new servers and perhaps block some ports... like mail.


Or just block known exploit ports.
aussie
My original message is a case of a classic dictionary attack that 3 of my servers are currently experiencing.

I have put an end to that. I will be releasing my new Exim rules that look for a dictionary attack and drop the connection immediately, thereby restricting the spammer from trying again for up to 180s, or for however many seconds I want. Be watching for my new rules. I have spent weeks testing them. They're lovely! :D
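The reject bursts posted above and the per-source throttling aussie describes, as an added example that is not part of this thread and not aussie's Exim rules: a Python script that parses Exim "rejected RCPT" lines in the shape shown (brackets eaten, some lines cut off with "$"), counts rejected recipients per source IP in a sliding time window, and flags a source that reaches the threshold as a dictionary attack, computing the time until which it should be refused. The sample log is constructed to mirror the posted lines, and the threshold (10 rejects in 60 seconds), the 180-second refusal, and the legitimate host mail.example.org at 192.0.2.10 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog "rejected RCPT" line, in the shape shown in the thread. The forum
# rendering ate the angle-bracketed sender and recipient, and some lines are cut
# off with a trailing "$", so everything after "rejected RCPT" is optional.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"F=(?P<sender><[^>]*>)? rejected RCPT(?: (?P<rcpt><[^>]*>))?"
)


def _burst(ts, helo, ip, n, reason):
    """Constructed log lines: n rejects for n guessed recipients at one instant,
    which is the shape of the bursts posted in the thread."""
    return [f"{ts} H=({helo}) [{ip}] F=<> rejected RCPT <user{i}@example.com>: {reason}"
            for i in range(n)]


# Constructed sample (assumption), modelled on the posted lines, not the poster's log.
SAMPLE_LOG = "\n".join(
    _burst("2004-01-03 18:47:04", "arias.net", "24.9.124.247", 20,
           "rejected because 24.9.124.247 is in a black list at bl.spamcop.net")
    + _burst("2004-01-03 19:18:11", "abstainers.com", "24.64.184.103", 14,
             "rejected because 24.64.184.103 is in a black list at bl.spamcop.net")
    # one line truncated with "$", as in the thread: still parses, still counts
    + ["2003-12-28 08:45:14 H=(ct1.com) [24.48.137.54] F= rejected RCPT : rejected because 24$"]
    # a real sender mistyping one address twice, half an hour apart: not an attack
    + ["2004-01-03 18:10:02 H=(mail.example.org) [192.0.2.10] F=<bob@example.org> rejected RCPT <jhon@example.com>: No Such User Here",
       "2004-01-03 18:41:37 H=(mail.example.org) [192.0.2.10] F=<bob@example.org> rejected RCPT <jhon@example.com>: No Such User Here"]
)


def parse_rejects(text):
    """Return (timestamp, ip, helo) for every rejected-RCPT line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["helo"]))
    return events


def find_dictionary_attacks(events, threshold=10, window=timedelta(seconds=60),
                            block_for=timedelta(seconds=180)):
    """Sliding window per source IP over rejected RCPTs. An IP that reaches
    `threshold` rejects inside `window` is reported with the reject that crossed
    the line and the time until which it should be refused (block_for, the 180s
    figure from the post, is an assumption here)."""
    per_ip = defaultdict(list)
    for ts, ip, helo in events:
        per_ip[ip].append((ts, helo))
    hits = {}
    for ip, items in per_ip.items():
        items.sort()
        start = 0
        for end, (ts, helo) in enumerate(items):
            # slide the window start forward until it is within `window` of `ts`
            while ts - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = {"helo": helo, "rejects": count, "detected_at": ts,
                            "block_until": ts + block_for}
                break
    return hits


if __name__ == "__main__":
    for ip, info in sorted(find_dictionary_attacks(parse_rejects(SAMPLE_LOG)).items()):
        print(f"{ip} ({info['helo']}): {info['rejects']} rejected RCPTs in one window, "
              f"refuse until {info['block_until']:%Y-%m-%d %H:%M:%S}")
```

The two blacklisted bursts are flagged and the single truncated ct1.com line and the mistyped-address sender are not, which is the distinction the thread is after: the count of rejected recipients per source in a short window, not the blacklist verdict, is what identifies a dictionary run. The same per-source counting is what a mail server's own ACL does when it drops the connection after too many rejected recipients; later Exim releases ship a built-in `ratelimit` ACL condition for exactly this kind of keyed counting.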
aussie
I found this interesting article on the net about john@ dictionary-attacking others.

http://news.spamcop.net/pipermail/spamcop-...ber/065858.html

Exactly what WAS happening here. No more, though. I took care of this jackass. I have implemented dictionary attack code in my exim.conf that takes care of this.

I will be releasing an update to my rules very shortly. I know this is a widespread issue. Let's deal with it!
Jeewhizz
Can't wait to see it and implement it :D
serverdummy
Can't wait! Aussie, you are the man!
aussie
QUOTE
Originally posted by serverdummy
Can't wait! Aussie, you are the man!


Find it here: http://forum.ev1servers.net/showthread.php...&threadid=41172
Exero
Try to block the IP range
24.64.184.*
24.64.* < dunno about that :S