2007/04/16
11:46:08

Spammers and their netblocks

Over the past week I've noticed several spam runs coming from what appear to be entire /24 netblocks dedicated to spamming. I figured that wouldn't last long or would drop to a few and they'd be on blacklists, but apparently they're not getting cut off/caught fast enough. Fortunately they're all the format randomword1.newdomain.tld with the ip x.y.z.1 (where 1 ranges from 1-255). The following does wonders for filtering them (drop-in for barracudas). Hope someone else finds it useful.

^Received: from (\w+(\d+)\.\w+\.\w+) \(\1 \[\d+\.\d+\.\d+\.\2\]\)

Categories:
spam

Add to del.icio.us Email this entry

By erik on 2007/04/16 at 14:30:18

Bigtime. I've noticed the same thing here.

I've added it to our Quarantine rules. Thanks!

By Jeremy on 2007/04/16 at 15:24:34

It's catching a few false positives at this time. I'm looking at how to best address them, but it looks like [a-z] in place of the first \w may address some of it (I should have done that initially). Unfortunately that "fixes" the pattern, but the ones that it'd exclude are ones that so far have been spam anyways. I've tweaked it to:
^X-Barracuda-Connect: [a-z]+(\d+)\.\w+\.\w+\[\d+\.\d+\.\d+\.\1\]
so far, and will probably do a bit more as I watch it for problems.