Friday, December 31, 2010

Teresa, please donate some $ to the poor instead of spamming.

From
+65 90031028

Content
Witness Ultimate Luxury Living in City! FH near T.Pagar. Seaview fm
$7xxk! Within 5Min MRT /IRs / Future Waterfront City! Register nw. Teresa Htns. UN to Unsub

Sent
31/Dec/2010 11:17

Tuesday, December 28, 2010

Leo, this is your LAST warning before we file an official complaint.

From
+65 92478880

Content
ADV Best Condo Worth waiting for! Launchg SOON at Tanjong Pagar D2.Freehold Fr $7xxK Good Capital Gain! Call D'veloper SalesTeam Leo92478880 Reply UN to Unsub

Sent
28/Dec/2010 17:25

Wednesday, December 22, 2010

ERA is the winner of SMS Spam Award 2010

From
+65 82881878

Content
Prive@Punggol (EC)
ERA - Developer's Sales Team!
Live Life by the Waterway!
* Full Condo facilities
* N-S Orientation
* 4 blocks of 17 storey + basement carpark
* 680 units
* T.O.P June 2014
** 7 mins WALK to MRT stn!
** Deferred payment
** 5%(booking), 15%(9 wks/CPF), 65% balance till TOP)
** No resale levy!
** $30K CPF grant for 1st timer
** Free Gift Quality interior (HansGrohe/Teka)

High priority for 1st timer!
Call now/SMS@83235543 Henry Na ERA

Sent
22/Dec/2010 18:31

Friday, December 17, 2010

We think $2.50 is more affordable.

From
+65 91071237

Content
Aircon Servicing Xmas Promotion ! Only $25 per fan coil. Min 3 Fan Coils for promo price. NO transport Charge. Call or SMS D.K. at 90235026 for an appointment.

Sent
17/Dec/2010 19:52

Thursday, December 16, 2010

Do you do tuition for cats?

From
+65 97633372

Content
<Adv> We provide affordable, reliable & quality home tutors for yr child. Fees as low as $15/hr. All our home tutors goes thru our unique training & uses computerised assessment tools to help yr child. We are the only center that provide this support. Visit www.edsolution.com.sg or call 61003372. Unsub: UN

Sent
16/Dec/2010 10:12

Sunday, December 12, 2010

We will buy if you can get us the unit for $5K. Not $5xxK.

From
+65 92478880

Content
ADV Launching SOON at S'goon. Freehold Fr $5xxK Near NEX S'goon MRT. Residen n Comercial High Capital yield! Call D'veloper SalesTeam Leo 92478880 Reply UN to Unsub

Sent
12/Dec/2010 17:45

Friday, December 3, 2010

We are not VIP. Go find someone else.

From
+65 98898585

Content
VIP Preview Soon! Space@Kovan F'hld 1/1+1/2/2+1/3/3+G/PH. 140 Resi + 56 shops. Walk 2 MRT/Malls/Mrkt. Fr $5xxk! Developer's Sales 98898585 To unsub reply "Un".

Sent
03/Dec/2010 14:45

Wednesday, November 10, 2010

You idiot, just wire the $ into our account!!!

From
+62 85255391762

Content
Congratulation SimCard Anda memenangi hdh $20.000 dr.PT. COCA COLA. Sila dial nomber: +6287841455526
Trmh kasih

(Translated from Malay: Congratulations, your SIM card has won a $20,000 prize from PT. COCA COLA. Please dial this number: +6287841455526. Thank you.)

Sender:
Coca Cola

Sent
06/Nov/2010 11:01

Friday, November 5, 2010

Evelyn, this is not the way to do survey!

From
+65 96498560

Content
Hi, I m doing my MBA paper on Asian parents concern for own child's education. Pls indicate nationality and % of mthly income u spent on kids' education. Sincere tks. Evelyn

(Last) Sent
05/Nov/2010 18:28


Note:
We tried not to post your spammy SMS since you are a student, but you have spammed us 3 times in a row, which leaves us no choice but to post it.

Ambrose, stop harassing us. Get a life!

From
+65 81837644

Content
Adv!! Vacanza@East Official Launch!! Free shuttle service to showflat fr Kembangana MRT & Bedok MRT. -Ambrose 93885113 HUTTONS <reply unsub to remove>

Sent
05/Nov/2010 12:53

Monday, November 1, 2010

Fire on Proxy?

No, luckily there's no fire on the proxy server. However, you might have noticed entries like this one in your web server's log file:

188.165.64.234 - - [01/Nov/2010:11:47:49 +0300] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "404" 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"

If you have done your homework and searched Google for clues, you will most likely find forum comments saying that since your server returns 404 Not Found (or sometimes 400 Bad Request) there is nothing to worry about, without any explanation of what the request actually is.

That request is a scan, carried out by some piece of software or (ro)bot, to check whether your web server will act as a proxy. As you might have guessed from the URL, ProxyFire (PF) is just one of the tools anyone can use to scan for "free"/"public" proxy servers.

A pseudo scanning run looks something like this:
1) Enter a range of IP addresses to scan, e.g. 10.0.0.1 - 10.255.255.254.
2) Select a proxy judge.
3) Loop through the IP addresses, check whether each one is alive and, if so, whether it is running a web server.
4) Issue a GET request to that web server for the URL of the selected proxy judge, i.e. an absolute URI on a third-party host, which is the form of request a client sends to a proxy rather than to an origin server.
5) Interpret the response: if the judge's page comes back, the server is working as a proxy, and it is classified according to what the judge reports.

You're asking what a proxy judge is? It is a script that reports the anonymity level of a proxy (transparent, anonymous, highly anonymous and so on) by echoing the request headers it received, and http://proxyjudge1.proxyfire.net/fastenv is just one of them. There is no harm in visiting that URL from your browser; it would simply show what your browser sent. From the scanner's point of view, however, the judge shows what your web server forwarded on the scanner's behalf, such as whether it added X-Forwarded-For or Via headers exposing the original client, and that is what the scanner uses to categorise the anonymity level. Of course, these scanners discard invalid responses such as 400, 404, 500 and so on, so yes, the forum posters are right that those log entries can be safely ignored.

But. If you are using a front/back web server model, with one front-facing server acting as a cache/reverse proxy for a back-end server, then please make sure the front end is configured to serve only the domains it is responsible for and to refuse absolute-URI requests for any other host; otherwise the front end is an open proxy that anyone can relay traffic through. That also means you need to do something if you are seeing entries with response code 200, such as:

188.165.64.210 - - [02/Nov/2010:14:45:32 +0000] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "200" 421345780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
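The triage described above, turned into a small log check: this is an added example, not code from the original post. It parses both the log layout shown here (request line unquoted, status quoted) and the standard Apache "combined" layout, flags every request whose target is a CONNECT tunnel or an absolute URI for a host we do not serve, and separates the ones that were answered with 2xx, which are the ones that matter. The served hostnames are placeholders and the sample log is constructed (the two lines from the post plus three invented ones).

```python
import re
import sys
from urllib.parse import urlsplit

# Hostnames this server is responsible for (placeholders; an assumption for the example).
SERVED_HOSTS = {'www.example.com', 'example.com'}

# Constructed sample: the two lines quoted in the post, plus three invented lines in
# the standard Apache "combined" layout (request line quoted, status unquoted).
SAMPLE_LOG = [
    '188.165.64.234 - - [01/Nov/2010:11:47:49 +0300] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "404" 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"',
    '188.165.64.210 - - [02/Nov/2010:14:45:32 +0000] GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1 "200" 421345780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"',
    '10.1.2.3 - - [02/Nov/2010:14:46:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.21.0"',
    '10.1.2.4 - - [02/Nov/2010:14:47:10 +0000] "GET http://www.example.com/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.1.2.5 - - [02/Nov/2010:14:48:00 +0000] "CONNECT mail.example.org:443 HTTP/1.1" 405 0 "-" "-"',
]

# Matches both layouts: the request line and the status code may or may not be quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"? '
    r'"?(?P<status>\d{3})"? (?P<bytes>\d+|-)'
)


def parse_line(line):
    """One log line -> dict with ip, ts, method, target, status (int), bytes (int), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['bytes'] = 0 if entry['bytes'] == '-' else int(entry['bytes'])
    return entry


def is_proxy_probe(entry, served_hosts):
    """A request is a proxy probe when its target is a CONNECT tunnel or an absolute URI
    (scheme://host/...) whose host is not one of ours. Ordinary clients send origin-form
    targets like /index.html to an origin server; only proxy clients send the other two."""
    if entry['method'] == 'CONNECT':
        return True
    parts = urlsplit(entry['target'])
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        return False
    return (parts.hostname or '').lower() not in served_hosts


def classify(lines, served_hosts):
    """Returns (probes, leaks): every proxy probe, and the subset answered with 2xx,
    meaning the server fetched a third-party URL for the scanner, i.e. it is an open proxy."""
    probes, leaks = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_proxy_probe(entry, served_hosts):
            continue
        probes.append(entry)
        if 200 <= entry['status'] < 300:
            leaks.append(entry)
    return probes, leaks


if __name__ == '__main__':
    # Pipe an access log on stdin, or run with no input to see the built-in sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    probes, leaks = classify(source, SERVED_HOSTS)
    print(f'{len(probes)} proxy probe(s), {len(leaks)} answered with 2xx')
    for e in leaks:
        print(f"OPEN PROXY? {e['ip']} {e['ts']} {e['method']} {e['target']} -> {e['status']} ({e['bytes']} bytes)")
```

Run it over the front end's access log (cat access.log | python3 proxy_probes.py, file name hypothetical). The probes list is background noise you can ignore, exactly as the forums say; anything in the leaks list is your server fetching somebody else's URL for a stranger, which is what the scanners are hunting for.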

So, this is what Fire on Proxy is all about. Take care of your servers, and don't let them run wild in the data center.
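What "serve only the domain that it is responsible for" looks like in Apache httpd terms, as an added example that is not from the original post. It assumes httpd 2.4 with mod_proxy and mod_proxy_http, a front end for www.example.com and a back end at 10.0.0.10:8080 (both placeholder names); the weak variant is shown commented out beside the hardened one.

```apache
# Added example (not from the original post): Apache httpd 2.4 front end for
# www.example.com (placeholder) with a back end at 10.0.0.10:8080 (placeholder).

# --- Weak: this is how a reverse proxy turns into an open proxy. ProxyRequests On
# enables forward proxying for anyone, so "GET http://proxyjudge1.proxyfire.net/fastenv"
# is fetched from proxyfire.net and answered with 200 (do not use this):
#
#   ProxyRequests On
#   ProxyPass / http://10.0.0.10:8080/

# --- Hardened: no forward proxying at all (Off is the default; say so explicitly
# so the intent survives later edits).
ProxyRequests Off

# The first name-based vhost is the default. Apache takes the host of an absolute-URI
# request from the URI itself, so a request for proxyjudge1.proxyfire.net lands here,
# matches no ServerName we serve, and is refused instead of being fetched.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Only requests for our own names reach the back end.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    ProxyPreserveHost On
    ProxyPass        "/" "http://10.0.0.10:8080/"
    ProxyPassReverse "/" "http://10.0.0.10:8080/"
</VirtualHost>
```

To check it from outside, use the front end as a proxy on purpose: curl -x http://your-front-end:80 http://proxyjudge1.proxyfire.net/fastenv should come back with a 403 from the catch-all vhost. If you get the judge's page, or anything else that came from proxyfire.net, the server is still proxying and the scanners will keep finding it.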


PS: Some of you might have noticed that the number of bytes returned for that particular request is huge: 421345780 (read: about 401MB). It is a junk file we put on our servers so that the kiddie scanners download it whenever they request "fastenv". Yes, it's a junk file created with dd if=/dev/urandom. Oh, and the file is actually much larger than 401MB. :)

Monday, October 25, 2010

Tristan, call Ambrose please.

From
+65 82228866

Content
<Please Call / SMS Tristan 96992888> Lowest Property Loan Interest Rates in SG. Fix rate at only 0.88% p.a. Limited Period only. T&C apply. So are you paying an interest rate higher than prevailing market rate? Call or SMS me now. I have the best solution for you. <Tristan 96992888> Unsub, sms UN

Sent
25/Oct/2010 13:55

Tuesday, October 19, 2010

What if we are not in town?

From
+65 90921808

Content
BEST Home Loan Package in town!! 1st yr-1.01%, 2nd yr-1.07%. Reply "Y" to this msg or call 90498680. Fr www.sghomeloan.com.sg. To unsubscribe sms "UN"

Sent
19/Oct/2010 11:52

Friday, October 15, 2010

Alan, we will call the police instead.

From
+65 96416456

Content
$450K! Best @ Sims Ave. F'Hold 48 units.Pool/Gym. High rental yield > 5%. Register for VVIP Disc Now. Call Alan 9851 1599. un to unsub.

Sent
15/Oct/2010 14:03

Wednesday, October 13, 2010

Can you help us with our over-weight cat?

From
+65 84684607

Content
Lose 7-10 kgs in 1 month! Guaranteed!  No Hunger! No Pills! No Exercise!
Call ONLYaesthetics today at 63144434. 1st 50 callers get a Inch loss treatment FREE. UN to unsub.

Sent
13/Oct/2010 13:18

Friday, October 1, 2010

FileZilla 3 is NOT secure. Full stop.

FileZilla is popular among the community that designs and develops websites and applications, and it is widely used as the de facto FTP client for transferring files between your PC and the server.

Now, do you know that the passwords for the sites you manage in FileZilla's Site Manager are stored in plain text, without any attempt at encryption?

It is of course not a sin to store this confidential information in plain text, and the author seems to think that it is YOUR responsibility to keep it safe. It is also mentioned that if your PC is exploited or infected with a virus, encryption will not help at all. Well, these points are actually TRUE. If you have a virus or rootkit living in your PC, it will steal anything and everything whenever and wherever it can, and most of the time you will be on the losing end. As for an encrypted password, it still has to be decrypted before a connection to the FTP server is established, and that is when and where your password gets sniffed.

Having said that, we still think passwords should be stored in some encrypted form. The reason is that apart from viruses, spyware and malware, there are other ways information gets stolen. If someone grabs the password file by other means (a stray backup, a shared machine, a copied profile: use your imagination), an encrypted file means that rather than shouting hooray on the spot, they now need to spend some quality time decrypting it before going for beers.

Maybe it is time to think about whether you should continue using FileZilla, or replace it with something else.
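A quick audit of what is actually sitting in that file, as an added example rather than anything from the original post or from the FileZilla project. The element names follow FileZilla 3's sitemanager.xml as this example's author understands it (Server/Host/User/Pass, plus the base64 "encoding" attribute that later 3.x releases write), so treat them as an assumption; the sample file below is constructed, and the profile paths are the usual locations, also assumed.

```python
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of FileZilla 3's sitemanager.xml (element names are an
# assumption about that file, not copied from the page). The second entry uses the base64
# "encoding" attribute that later FileZilla 3 releases write: an encoding, not encryption.
# The third entry uses Logontype 2 ("ask for password"), so no password is stored at all.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>prod site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass encoding="base64">cGFzc3dvcmQx</Pass>
      <Name>staging</Name>
    </Server>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>2</Logontype>
      <User>anonymous</User>
      <Name>ask every time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def default_sitemanager_path():
    """Where FileZilla 3 keeps sitemanager.xml on each platform (assumed locations)."""
    if sys.platform.startswith('win'):
        return os.path.join(os.environ.get('APPDATA', ''), 'FileZilla', 'sitemanager.xml')
    return os.path.expanduser('~/.filezilla/sitemanager.xml')


def stored_passwords(xml_text):
    """One (name, user, host, password) tuple per site whose password can be recovered from
    the file alone. Plain <Pass> and <Pass encoding="base64"> both qualify: base64 only hides
    the text from a casual glance, anyone holding the file reverses it in one call."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter('Server'):
        pass_el = server.find('Pass')
        if pass_el is None or not (pass_el.text or ''):
            continue  # "ask for password" / interactive logon types store nothing
        secret = pass_el.text
        if pass_el.get('encoding') == 'base64':
            secret = base64.b64decode(secret).decode('utf-8')
        found.append((
            server.findtext('Name', ''),
            server.findtext('User', ''),
            server.findtext('Host', ''),
            secret,
        ))
    return found


def audit(path=None):
    """Report which entries would leak if the file were copied, without printing the secrets."""
    path = path or default_sitemanager_path()
    with open(path, encoding='utf-8') as fh:
        entries = stored_passwords(fh.read())
    for name, user, host, secret in entries:
        print(f'{name!r}: {user}@{host} password recoverable from file ({len(secret)} chars)')
    return len(entries)


if __name__ == '__main__':
    audit(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to check your own profile, or pass a path. The base64 case is the one worth remembering: an encoding that anybody can reverse with a library call is not encryption, so the post's argument applies to it unchanged. Only a logon type that asks for the password each time (Logontype 2 in the sample), or a master password in releases that offer one, keeps the secret out of the file.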

Ambrose, we are not interested in you.

From
+65 81837644

Content
WOW!! New launch in D.14 Kembangan <<Vacanza@East>>. Where 2find FREEHOLD Pty @ Leasehold Px? From %5xxK Only! Hurry, Call Ambrose 93885113 (Huttons)

Sent
10/Oct/2010 18:44

Note
This SMS violated the Singapore Spam Control Act 2007.
 

Thursday, September 9, 2010

Why are you killing lobsters for fun?

From
+65 90344633

Content
Hari Raya only! Show SMS to get 1for1 Lobster Porridge@$29.90 This signature dish features succulent live lobster meat in superior stock. #08-09 Orchard Central

Sent
09/Sep/2010 21:52 (GMT+8)

Note
This SMS violated the Singapore Spam Control Act 2007.

Monday, September 6, 2010

SMS victims - now it's your chance to fight back!

There are a couple of things we usually do to SMS spammers. You may try these out if you are keen, but do note that we take absolutely no responsibility for anything you do.

First, help them subscribe to lucky draws, events, promotions and anything else that needs a mobile number. Usually the service provider requires the owner to reply with an SMS as verification; obviously that will not happen, but you get to send them their first "spam" for "free".

Second, if you get hold of two spammers, connect them using a free VoIP service (the kind that lets you try out call quality and such): enter the spammers' numbers instead of yours and let them talk to each other.

Third, post the numbers and contents you have received so far as comments; we are collecting statistics and need your help with a supply of fresh spam.

Feel like harassing some strangers? Join us!

From
+65 96806560

Content
Earn 2k-10k monthly. Looking for Full/Partime career minded people to join & be trained as RENTAL CONSULTANT. Interested? Pls sms Name, Age&Nationality.

Sent
06-Sep-2010 09:55

Note
This SMS violated the Singapore Spam Control Act 2007.

Wednesday, September 1, 2010

FREE Knee & Back Pain Forum

Sender
+65 98712244

Content
Hi
FREE Knee & Back Pain Forum on 8 Sep Web, 7-8.30pm,Mount Elizabeth Medical Centre,L2 Docs' Lounge. SMS Name to confirm. Free gift,refreshments & $20 book.

Sent On
30-Aug-2010 17:34

Note
This SMS violated the Singapore Spam Control Act 2007.

Tuesday, August 24, 2010

Something about YSmtp - Update

A while ago we posted an entry about YSmtp, and apparently quite a few people have reached this blog by searching for "YSmtp service".

First of all, if you are a spammer, please leave immediately, as the methods described here will not help you one bit. We are sure you have better things to do, so please do not waste your time here. Second, if you are sending bulk email to YSmtp, read carefully what they tell you (http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics/postmaster-02.html) and contact them via mail-abuse-bulk@cc.yahoo-inc.com for assistance. Third, if you have not set up DKIM and DomainKeys for your clients' domains, go and do that now. Fourth, if your mail server is in the US, sorry, the tips below may not help.

So if you are not a spammer, are not sending bulk email to YSmtp, and have DKIM and DomainKeys on the hosted domains, there are two workarounds you may want to explore:

Option 1 - Pass the emails to your ISP
It is known that YSmtp whitelists some government-backed ISPs in various countries, and emails sent from those servers are guaranteed to be delivered. Now, using your ISP as a delivery relay does come at a price: most if not all of these SMTP servers require authentication before sending, so your identity is revealed to the recipients and the email headers will look odd.

For example, you authenticate as someone@myoneandonlyisp.com, but the From address is your client's (such as sometwo@donothackmyserver.com). Note that this option fails if the SMTP server verifies the From address, i.e. requires the authenticated account to match the sender address.

With this method, the delivery path will look like this:
Client (Sender) -- Your SMTP Server -- ISP SMTP Server -- Recipient

Option 2 - Pass the emails to your VPS in US
We have not tested a VPS in other parts of the world; however, passing emails through a server located in the US does improve the delivery rate dramatically. This is especially true for "big" emails (see the other entry for what counts as "big").

There is no need for an expensive VPS just for this email relay. Check the offers posted on LowEndBox and choose one you are comfortable with; any VPS with 128MB of RAM is more than sufficient for the job. Do make sure that the IP the VPS provider allocates is not listed in any of the common blacklists (use RobTex to check).

The delivery path will be something like:
Client (Sender) -- Your SMTP Server -- Your VPS in US -- Recipient
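Both options boil down to a per-destination relay in your MTA. Here is how that looks in Postfix, as an added example that is not from the original post (the post does not say which MTA was in use): the hostnames, the 203.0.113.10 address and the password are placeholders, the transport table matches only the recipient domains you list, and the smtp_tls_security_level syntax needs Postfix 2.3 or later.

```ini
# ===== /etc/postfix/main.cf on "Your SMTP Server" (the client-facing MTA) =====
# Route only the listed destination domains via a relay; all other mail still
# leaves directly, so a relay outage or a From-address check at the ISP does not
# affect the rest of your delivery.
transport_maps = hash:/etc/postfix/transport

# Option 1 (ISP smarthost): the ISP wants SMTP AUTH, so keep credentials per relay host.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Never send the ISP password in the clear.
smtp_tls_security_level = encrypt

# ===== /etc/postfix/transport  (then: postmap /etc/postfix/transport) =====
# Option 1: hand Yahoo-hosted destinations to the ISP's submission port.
# ".yahoo.com" is needed for subdomains; transport_maps does not match parents by default.
yahoo.com        smtp:[smtp.myoneandonlyisp.com]:587
.yahoo.com       smtp:[smtp.myoneandonlyisp.com]:587
yahoo.com.sg     smtp:[smtp.myoneandonlyisp.com]:587
yahoo.com.tw     smtp:[smtp.myoneandonlyisp.com]:587
# Option 2 instead: hand them to your own US VPS (no AUTH needed when it trusts your IP).
# yahoo.com      smtp:[relay-us.example.net]
# .yahoo.com     smtp:[relay-us.example.net]

# ===== /etc/postfix/sasl_passwd  (chmod 600; then: postmap /etc/postfix/sasl_passwd) =====
[smtp.myoneandonlyisp.com]:587   someone@myoneandonlyisp.com:ISP_PASSWORD_HERE

# ===== /etc/postfix/main.cf on the US VPS (Option 2) =====
# Relay ONLY for your own MTA's address (203.0.113.10 is a placeholder). Anything wider
# turns the VPS into exactly the kind of open relay the rest of this blog complains about,
# and its IP ends up on the blacklists you just checked it was not on.
mynetworks = 127.0.0.0/8, 203.0.113.10/32
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
```

After editing, run postmap on both lookup tables and postfix reload. The relay rewrites nothing: with Option 1 the account you authenticated with still shows up on the relay's side, exactly as the post warns, and delivery still fails if the ISP insists that the envelope sender match the login.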

And one last note: while delivery is one aspect of the whole issue, mail landing in the Spam folder is another, and that needs a separate post of its own.

Wednesday, August 18, 2010

Hello World!

We have been pretty quiet recently.

In fact, we spent some time over the last two weeks digging into our mail logs, extracting IP addresses, locating their origins, checking and validating their behaviour, and preparing a report for internal use.

Now we present one of the pie charts from the report.

[Pie chart: Top 15 Helos]

Now, the funny part is, apart from the few countries we know we do business with, there are somehow tons of SMTP HELOs coming from all over the world. If you are looking for numbers: 21764 unique IP addresses from 168 countries.

Out of all the traffic coming into the server, a good part (58.94%) comes from obviously illegitimate sources such as Egypt, Nigeria, Ukraine, Kazakhstan and so on. HELOs from these sources try extremely hard at spoofing, requesting relay, or otherwise acting funny (such as guessing passwords by brute force). It is fun to watch all their miserable attempts fail miserably.

So, what are we going to do about these script kiddies? Well, nothing at all. We do, however, suggest that instead of trying hard to fail, they join some charity associations and spend their time there, which is far more meaningful.


Reference

* Data was collected on two 7-day periods, i.e. 18/Jul - 24/Jul and 01/Aug - 07/Aug.

Friday, July 16, 2010

Incredible !ndia - Part I

Incredible !ndia is always incredible; even their spam is incredible. If you are the spammer who sent us this, please take note that your package is NOT incredible at all; we could get something cheaper with better quality.

And if anyone ever trusts a company from this incredible country, good luck to you, and be prepared to enjoy your marvellous time shouting, screaming and banging tables.

We did report this to GMail, but we doubt they will do anything about it since they are too busy handling all the other stuff (e.g. http://www.msnbc.msn.com/id/38037689/ns/business-careers).

Header
Return-Path: rasmita.seo@gmail.com
Received: from mail-gy0-f174.google.com (mail-gy0-f174.google.com [209.85.160.174]) by mail.elohkcalb.com with SMTP; Fri, 16 Jul 2010 16:49:45 +0800
Received: by gyh4 with SMTP id 4so1410777gyh.33 for multiple; Fri, 16 Jul 2010 01:50:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=+Co92QyGRgThegXgm+rEzEo0r+Vbxfr/9RdB3BUcX1Y=; b=Mz3b5ascRmeaGnxewFgcILwgbkOE06cWXwnRkKL/n0921W/MSYmbDR7W8xVcgbfWUE yOU8e8GMDLUCnM4KaRlmc0TXsvLnwKpf/wYzkxtFuvZ0FCToL7MT+Q3/zwVlI9Tx5vpD u3D2EDAhVkFGi2UMABIRpO90Rqla7eWGPcXfA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=refQ6o/DoJk1tX6l+rwrRYMfH6LtIQ+91fhCjlqrpY1ny32kLk6Yc6sE4hfXKHB5Gw 81y/vtLGhXqO2oLpeLMjTmobKMh8/zcOggnH71NlABfiqkssNk3ual7iANFhrhZ2Tzog +QGvJk/mL1f8iY23S/CMV+Kgnal3M6HBw+l+8=
MIME-Version: 1.0
Received: by 10.100.31.7 with SMTP id e7mr862768ane.213.1279270202552; Fri, 16 Jul 2010 01:50:02 -0700 (PDT)
Received: by 10.101.115.9 with HTTP; Fri, 16 Jul 2010 01:50:02 -0700 (PDT)
Date: Fri, 16 Jul 2010 01:50:02 -0700
Message-ID: AANLkTil_abQQSJeZobOjiO8gaJ2ggwZnLosftk5Imhpi@mail.gmail.com
Subject: Proposal for SEO (Search Engine Optimization) work services in Affordable Rates From India
From: rasmita.seo@gmail.com
To: nobody@elohkcalb.com
Content-Type: multipart/alternative; boundary=0016e647162efeb3e0048b7d4db7X-

Subject
Proposal for SEO (Search Engine Optimization) work services in Affordable Rates From India

Content
Hi,
Greetings of the day,
Are you looking for Affordable (SEO) Search Engine Optimization Services From India For Outsourcing Seo Work?
......

[Skipped as we are not going to advertise for spammer.]

......
--
Thanks
Rasmita (Marketing Executive)
New Delhi-India

Wednesday, July 14, 2010

notice protect-- internet trademark intellectual property safeguard

If you have received something similar to this, we encourage you to ignore such emails if you have no intention of running your business in the stated region. Even if your business plan does cover the listed area, register the domain names on your own rather than through the sender.



From: "John" john@ygnetwork.com.cn
Sent: Sunday, April 18, 2010 4:50 PM
To: nobody@elohkcalb.com
Subject: notice protect-- internet trademark intellectual property safeguard

Dear Manager:

We are a Domain Name registration service company, which is a professional Internet Domain Name Registration and dispute resolution organization in China.On April.15th,2010, We received HAITONG Investment company's application that they are registering the name " elohkcalb " as their Internet Keyword and " elohkcalb .cn "?" elohkcalb .com.cn " ?" elohkcalb .asia " ?" elohkcalb .hk "domain names etc..,It is China and ASIA and HongKong domain names.But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so I am sending you this Email to check.According to the principle in China,your company is the owner of the trademark,In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

Best regards,
John
Oversea marketing manager
Tel:+86(0)21 6296 2950
Fax:+86(0)21 6296 1557
web:www.ygnetwork.cn



Unfortunately we have not received one such email yet, if we are feeling lucky one day, we'd give them the following response:

Dear John,

Firstly, thank you for your unnecessary audit.

We highly appreciate your effort in copying and pasting the email from your template. As your template contained tons of grammar mistakes, we had no choice but to gather all our researchers to help us flip some words, twist some characters, and crunch some roaches that accidentally flew into our lab. Trust us, we have put massive effort into deciphering the message you encoded.

In any case, after 7x7=49 days of non-stop analysis, we are forced to put this to a halt due to insufficient investor funding. Since your company and you are somehow related to HAITONG Investment company, we would like to seek your help in getting them to fund us, so that we can continue to analyse your email in greater detail. Without such funding we would not survive, which would definitely cause some of our best researchers to lose their jobs and, worse, the problem may further deteriorate into a hopeless society with more jobless people on the street.

If you manage to persuade HAITONG Investment company to provide us the funding, please contact us immediately, and we will definitely reward you for your effort. If you try but fail to obtain the funding agreement, we suggest you pass the case to your manager or someone who has the ability to do so. We will still reward you, but the incentive would definitely be smaller.

Once the funding agreement is sealed, and now we are all in one big happy family, you may then proceed to help HAITONG Investment company in registering all the domain names that they requested, including but not limited to the followings: elohkcalb.cn, elohkcalb.com.cn, elohkcalb.asia, elhokcalb.hk. You might also want to recommend them to register elohkcalb.net, elohkcalb.org, elohkcalb.biz, elhokcalb.us with the rest of the 300+ ccTLDs for a greater future.

Last but not least, thank you very much for wasting your time reading this email.

Have a great day.

Regards,
eLohkCalb Domain Director.

PasteLeft (P) 2010 eLohkCalb Corporation. No Rights Reserved and Unauthorized Duplication is in no way Prohibited.

Guang Dong Spam Factories

Guang Dong is indeed (in)famous for its spam. Since we do not support users from this spam-made-famous hotspot on Earth, we happily blocked all the IP addresses that knocked on our door, and the result has been good. Most of them are dynamic IPs, which shouldn't be saying HELO to our servers in the first place anyway.

Guang Dong - ChinaNet
61.140.0.0 - 61.146.255.255
183.7.0.0 - 183.7.255.255

Guang Dong - Unicom
120.82.0.0 - 120.82.255.255
221.4.0.0 - 221.5.127.255

Guang Dong - Railcom
58.253.19.205

Well, if you choose to do or have done something similar, we welcome you to add your feedback in the comments. :-)

Something about YSmtp

[Note: There's an updated post on this topic]

YSmtp, and I'm sure you know who owns it. Well, they are pretty good at filtering email, good in the sense that they always try to park all incoming email in your Bulk folder.

With a legitimate email and a clean server, this is what happens when you try to send an email with an attachment larger than 2MB into their network: the server advertises SIZE 41943040, accepts MAIL FROM with SIZE=9797062, accepts the recipient, says "go ahead" to DATA, and then the session simply times out. We wonder if this is how they can offer unlimited mailbox space, since huge (if you consider 10MB huge) emails are guaranteed to be dropped.

And by the way, filing this as an issue with their so-called customer care is as good as sending a letter to Atlantis.

[53018] Connecting to 206.190.54.127
[53018] Connection to 206.190.54.127 from 205.209.161.186:64570 succeeded
[53018] RSP: 220 mta1048.mail.re4.yahoo.com ESMTP YSmtp service ready
[53018] CMD: EHLO mail.elohkcalb.com
[53018] RSP: 250-mta1048.mail.re4.yahoo.com
[53018] RSP: 250-8BITMIME
[53018] RSP: 250-SIZE 41943040
[53018] RSP: 250 PIPELINING
[53018] CMD: MAIL FROM:nobody@elohkcalb.com SIZE=9797062
[53018] RSP: 250 sender nobody@elohkcalb.com ok
[53018] CMD: RCPT TO:somebody@yahoo.com
[53018] RSP: 250 recipient somebody@yahoo.com ok
[53018] CMD: DATA
[53018] RSP: 354 go ahead
[53018] The smtp session has timed out.

Sometimes you would get this too:

[53018] Connecting to 67.195.168.230
[53018] Connection to 67.195.168.230 from 205.209.161.186:64585 succeeded
[53018] RSP: 421 4.7.0 [GL01] Message from (205.209.161.186) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html
[53018] CMD: QUIT


Disclaimer
1) The actual IP in the log was not 205.209.161.186. We are using this IP to showcase the examples, but feel free to do whatever you want with it. It is one of the IPs we blogged about in the bulletproof data center entry.
2) Email addresses in the examples are faked for safety reasons. Again, you are free to do whatever you want with these addresses.
3) Whatever you do to the IP and email addresses listed in this blog entry has nothing to do with us.

Saturday, July 3, 2010

HitCartel/JZL plans to conquer the world!

HitCartel (or JZL, if you prefer us to call you that), please read up on the SMTP protocol. HTTP commands will not (and never will) be understood by an SMTP server, unless you plan to conquer the world by converting every other protocol into an HTTP-only realm.

First attempt - check if the cow is awake?
[69.61.33.154][269048] rsp: 220 mail.elohkcalb.com
[69.61.33.154][269048] connected at 7/3/2010 9:16:57 AM
[69.61.33.154][269048] rsp: 421 Command timeout, closing transmission channel
[69.61.33.154][269048] disconnected at 7/3/2010 9:18:59 AM

Second attempt (2 hours later) - talking to a cow with sheep language
[69.61.33.154][9698403] rsp: 220 mail.elohkcalb.com
[69.61.33.154][9698403] connected at 7/3/2010 11:03:06 AM
[69.61.33.154][9698403] cmd: GET http://www.hitcartel.com/proxy_testing/proxy_test.php?ip=69.61.33.154&type=noip HTTP/1.1
[69.61.33.154][9698403] rsp: 500 command unrecognized
[69.61.33.154][9698403] cmd: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
[69.61.33.154][9698403] rsp: 500 command unrecognized
[69.61.33.154][9698403] cmd: Host: http://www.hitcartel.com/
[69.61.33.154][9698403] rsp: 500 command unrecognized
[69.61.33.154][9698403] cmd: Accept: */*
[69.61.33.154][9698403] rsp: 500 command unrecognized
[69.61.33.154][9698403] cmd: Proxy-Connection: Keep-Alive
[69.61.33.154][9698403] rsp: 500 command unrecognized
[69.61.33.154][9698403] cmd:
[69.61.33.154][9698403] rsp: 500 command unrecognized
[69.61.33.154][9698403] disconnected at 7/3/2010 11:03:22 AM

Well, you have just made the day for us. :-)

Friday, June 25, 2010

Spams in Robot Flavour

We blocked these senders with a fantastic 550. The source IP addresses are dynamically allocated, so we think they are coming from compromised computers, located mainly in China, Korea and Taiwan.

Senders
* aaaaa@yahoo.com.tw
* z2007tw@yahoo.com.tw

Sample SMTP requests
[220.149.240.9][32496380] rsp: 220 mail.elohkcalb.com
[220.149.240.9][32496380] connected at 6/24/2010 6:31:44 PM
[220.149.240.9][32496380] cmd: EHLO aaaaaa.com
[220.149.240.9][32496380] rsp: 250-mail.elohkcalb.com Hello [220.149.240.9] 250-SIZE 31457280 250-AUTH LOGIN CRAM-MD5 250 OK
[220.149.240.9][32496380] cmd: MAIL FROM:aaaaa@yahoo.com.tw SIZE=2679
[220.149.240.9][32496380] rsp: 550 Sender is not allowed.
[220.149.240.9][32496380] disconnected at 6/24/2010 6:31:45 PM

[114.45.53.25][47409299] rsp: 220 mail.elohkcalb.com
[114.45.53.25][47409299] connected at 6/25/2010 8:34:45 AM
[114.45.53.25][47409299] cmd: HELO 114.45.53.25
[114.45.53.25][47409299] rsp: 250 mail.elohkcalb.com Hello [114.45.53.25]
[114.45.53.25][47409299] cmd: MAIL FROM: z2007tw@yahoo.com.tw
[114.45.53.25][47409299] rsp: 550 Sender is not allowed.
[114.45.53.25][47409299] disconnected at 6/25/2010 8:34:45 AM

Thursday, June 24, 2010

Bulletproof Data Center

To all network, firewall & server administrators,

You might want to block the entire class C from 205.209.161.0 to 205.209.161.255 (205.209.161.0/24). MSG (Managed Solutions Group) is famous for supporting scam and spam related abusers, and we constantly get unauthorized SMTP requests from these IPs.

Sample SMTP request
[205.209.161.186][2955580] rsp: 220 mail.elohkcalb.com
[205.209.161.186][2955580] connected at 6/14/2010 7:01:35 PM
[205.209.161.186][2955580] cmd: HELO 205.209.161.186
[205.209.161.186][2955580] rsp: 250 mail.elohkcalb.com Hello [205.209.161.186]
[205.209.161.186][2955580] cmd: MAIL FROM: 88@163.com
[205.209.161.186][2955580] rsp: 250 OK 88@163.com Sender ok
[205.209.161.186][2955580] cmd: RCPT TO: victim@yahoo.com.tw
[205.209.161.186][2955580] rsp: 550 victim@yahoo.com.tw No such user here
[205.209.161.186][2955580] disconnected at 6/14/2010 7:01:41 PM

References
http://www.robtex.com/cnet/205.209.161.html
http://www.google.com.sg/search?hl=en&source=hp&q=managed+solutions+group+spam&aq=f&aqi=&aql=&oq=&gs_rfai
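The Guang Dong ranges in the entry above and the 205.209.161.0/24 block from this one are the same kind of data: first-last ranges that have to become CIDR prefixes before a firewall or an MTA can use them, and a range like 61.140.0.0 - 61.146.255.255 is not a single prefix. As an added example in Python (not the blog's own tooling), with the ranges copied from the page: convert them, test a connecting address against the result, and render a Postfix cidr: access table that rejects those clients at HELO time.

```python
import ipaddress

# The first-last ranges named in the two posts, keyed by the label used on the page.
# Ranges are as listed; the single Railcom address becomes a /32.
RANGES = {
    'Guang Dong - ChinaNet': [('61.140.0.0', '61.146.255.255'),
                              ('183.7.0.0', '183.7.255.255')],
    'Guang Dong - Unicom':   [('120.82.0.0', '120.82.255.255'),
                              ('221.4.0.0', '221.5.127.255')],
    'Guang Dong - Railcom':  [('58.253.19.205', '58.253.19.205')],
    'MSG bulletproof class C': [('205.209.161.0', '205.209.161.255')],
}


def range_to_cidrs(first, last):
    """Split one inclusive first-last range into the minimal set of CIDR networks.
    61.140.0.0-61.146.255.255 needs /14 + /15 + /16; doing this by hand is where
    blocklists silently end up one octet too wide or too narrow."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def blocklist_networks(ranges):
    """All ranges as one sorted, de-duplicated list of networks."""
    nets = []
    for pairs in ranges.values():
        for first, last in pairs:
            nets.extend(range_to_cidrs(first, last))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """Membership test for a connecting client, e.g. the address from a HELO log line."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def postfix_cidr_table(ranges):
    """Render a Postfix cidr: table for check_client_access, one REJECT per network.
    Load it with: smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_block"""
    lines = []
    for label, pairs in ranges.items():
        lines.append(f'# {label}')
        for first, last in pairs:
            for net in range_to_cidrs(first, last):
                lines.append(f'{net}\tREJECT dynamic or abusive range')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(postfix_cidr_table(RANGES), end='')
```

Run it and redirect the output into the cidr: file named in the comment (hypothetical path); no postmap step is needed for cidr: tables. Rejecting at HELO time, before MAIL FROM, is cheaper than the 550 on the sender address shown in the other entries, and it is also the place to put the "dynamic IPs shouldn't be saying HELO" policy the Guang Dong entry describes.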

Send us $5K and we will buy the phone.

From
+65 90169696

Content
<ADV> Purchase any LG Cookie phone frm now till 25 Jul @ any mobile store & get to win LED TV & notebook weekly. Fwd to share with friends. Reply UNSUB to unsub

Sent
24-Jun-2010 16:12

Saturday, June 19, 2010

Can we cook the voucher with curry?

From
LOfficiel

Content
SPEND, VOTE for your Fav Fashion Showcase & WIN $2k Palais gift vouchers. Feast your eyes on L'Officiel showcases, now till 30 June- Only at Palais Renaissance!

Sent
19-Jun-2010 12:32

Note
This SMS violated the Singapore Spam Control Act 2007.

Thursday, June 17, 2010

FREE Designer 2GB Leather Flashdrive

From
SubtleSense

Content
FREE Designer 2GB Leather Flashdrive for 1st 88 to redeem a FACE SPA/BODY SPA (UP$188) @ $18 this Great S'pore Sale! Call 62206656 by 30 Jun. T&Cs.

Sent
17-Jun-2010 16:47

Note
This SMS violated the Singapore Spam Control Act 2007.

For Sale: Newton Suites

From
+6581886427

Content
<ADV>For Sale: Newton Suites. Award Winning Condo. 3 Bed 1238sqf. Ask $1850psf. Gd Corp Tenancy @$6.9k. Call Jayrome 91912368. Reply UN to unsub. http://www.spd.sg/

Sent
17-Jun-2010 15:52