Helpful Spammers

The “FreeBSD Greek Documentation Project” uses a mailing list for commit notifications and general patch discussion. I am the moderator of the “freebsd-doc-el” list, and I noticed that we get a lot of unsolicited email advertising the seminar organized by “Image A Seminars”.

The posts include the typical opt-out notice that spammers like adding to their messages, but I suspect it is mostly useful as a trap for harvesting real addresses, since we never actually opted in for this particular series of spam messages.

The full text of the spam messages that they usually send looks like this:

Typical spam message from "Image A Seminars"

What is admirably helpful about these spammers is that they always send their spam email through the same DSL link, using a static IP address! I have been gathering some of the spam messages from this specific Greek spammer for a while now. They all originate from static062038157163.dsl.hol.gr. Their message headers consistently point at this host again and again:

Received: from image-a.gr (static062038157163.dsl.hol.gr [62.38.157.163])
        by akuma.hellug.gr (8.14.3/8.14.3/Debian-4) with ESMTP id
        mA8I5fTj001044 for <unix-admin-gr-owner@lists.hellug.gr>;
        Sat, 8 Nov 2008 20:05:49 +0200
Received: (qmail 8886 invoked by uid 508); 8 Nov 2008 19:37:37 +0200
Received: from unknown (HELO image-a) (info@image-a.gr@192.168.0.8)
        by image-a.gr with SMTP; 8 Nov 2008 19:37:37 +0200

Received: from image-a.gr (static062038157163.dsl.hol.gr [62.38.157.163])
        by akuma.hellug.gr (8.14.3/8.14.3/Debian-5) with ESMTP id
        mAEN0Mkj008157 for <freebsd-doc-el-owner@lists.hellug.gr>;
        Sat, 15 Nov 2008 01:00:31 +0200
Received: (qmail 2502 invoked by uid 508); 15 Nov 2008 01:35:27 +0200
Received: from unknown (HELO image-a) (info@image-a.gr@192.168.0.8)
        by image-a.gr with SMTP; 15 Nov 2008 01:35:27 +0200

So I just went ahead and installed an entry to the /etc/mail/access file of the two mail servers used by HELLUG:

# Image A Seminars, has been spamming anyone and everything under the
# sun with their `seminar announcements'.  The funny part is that they
# do this from a static DSL line, using the same IP all the time!
# -- keramida, 2008-11-13 05:30 EET
static062038157163.dsl.hol.gr   550 We do not accept mail from spammers

This is, of course, just a temporary measure, and it blocks far too much (i.e. it also blocks anyone from image-a.gr from subscribing to or posting to the public mailing lists of HELLUG). I doubt they are very interested in this sort of thing though.
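The step from the Received headers to the access entry can be scripted. The following is an added example, not code from the original post: it reads only the Received line stamped by the receiving MTA (the HELO name and every lower Received line are supplied by the sender), counts how often each connecting host appears, and prints candidate access entries in the form used above. The sample messages are constructed from the header layout shown on this page; `mail.example.org`, `192.0.2.10` and the function names are assumptions.

```python
import re
from collections import Counter
from email import message_from_string

OUR_MTA = "akuma.hellug.gr"  # receiving host, as named in the headers above

# sendmail-style stamp: "from HELO (rdns [ip]) by host ..."
STAMP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def handoff(raw):
    """Return (rdns, ip) from the topmost Received line written by OUR_MTA."""
    for value in message_from_string(raw).get_all("Received", []):
        m = STAMP.search(" ".join(value.split()))  # unfold continuation lines
        if m and m.group(4) == OUR_MTA:
            return m.group(2), m.group(3)
    return None  # no stamp from our own MTA: nothing in the message is trusted

def repeat_senders(messages, threshold=2):
    """Hosts that handed us at least `threshold` of the reported messages."""
    counts = Counter(h for h in map(handoff, messages) if h)
    return [(rdns, ip, n) for (rdns, ip), n in counts.most_common() if n >= threshold]

def access_lines(senders, reply="550 We do not accept mail from spammers"):
    """Candidate /etc/mail/access entries, in the form used on this page."""
    return [f"{rdns}\t{reply}" for rdns, _ip, _n in senders]

def sample(relay, queue_id, inner):
    # Constructed message: header layout copied from the page, body invented.
    return (f"Received: from image-a.gr ({relay})\n"
            f"        by {OUR_MTA} (8.14.3/8.14.3/Debian-4) with ESMTP id\n"
            f"        {queue_id}; Sat, 8 Nov 2008 20:05:49 +0200\n"
            f"Received: from unknown (HELO image-a) ({inner})\n"
            f"        by image-a.gr with SMTP; 8 Nov 2008 19:37:37 +0200\n"
            "Subject: constructed sample\n\nbody\n")

SPAM_RELAY = "static062038157163.dsl.hol.gr [62.38.157.163]"
MESSAGES = [
    sample(SPAM_RELAY, "mA8I5fTj001044", "info@image-a.gr@192.168.0.8"),
    sample(SPAM_RELAY, "mAEN0Mkj008157", "info@image-a.gr@192.168.0.8"),
    # Constructed one-off sender in documentation address space; the HELO
    # name is whatever the client claims, so it is ignored by handoff().
    sample("mail.example.org [192.0.2.10]", "mAFconstructed", "x@192.0.2.99"),
]

if __name__ == "__main__":
    for line in access_lines(repeat_senders(MESSAGES)):
        print(line)
```

Review the output before appending it to the access file and rebuilding the map; the threshold of 2 is only an illustration.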

Hellas Online will also be notified of their spamming activities in a few hours. They may be able to pull more effective strings, and save a much greater part of the Greek Internet from image-a.gr spam.


7 Responses to Helpful Spammers

  1. adamo says:

    I would go with a:

    static062038157163.dsl.hol.gr DISCARD

    BOFH out.

  2. keramida says:

    Haha, good point!

    I actually want them to know they are being blocked though :-)

  3. trv says:

    I’ve seen them coming from static062038157164.dsl.hol.gr too!

  4. cirrus says:

    It seems that they changed their ISP to otenet, and are now using the 83.235.20.11 static IP.

  5. keramida says:

    Ah, many thanks cirrus! I’ll keep a watch for spam from that address, and notify my trusted friends, the postmasters of OTEnet if anything odd appears :-)

  6. betabug says:

    I’ve seen them come from 2 or 3 static IPs. They (which seems to be mainly a guy called “Akis Angelakis”) are sending their crap to every mail address they found on the site of HelMUG, including such wise choices as mailing list administration addresses… well, they *were* sending, as all their IPs are blocked now and in addition all mail originating from that domain is blocked. I found it quite interesting that as soon as I had blocked one address, the spam came running back through another. This is not someone who is naïve and doesn’t know at all what they’re doing.

    In the last 6-12 months I’ve seen a rise of a certain class of Greek spam: Companies that spam with their full address included, telephones, postal address, everything. They don’t spamvertise the usual pills, scams etc., but more or less normal business stuff (still unwanted of course). Sometimes including bogus disclaimers “as long as there is an address in there, it’s not considered spam according to EU law”, often with some “remove” link. A lot of them either do know that they can’t pull that off legitimately or are using professional spammers’ services, as the spam messages are routed through botnets or obvious spam relays.

  7. Fergal says:

    static062038240049.dsl.hol.gr is sending out thousands of spam emails but they are claiming to come from my address. Hence I am getting thousands of autoresponders (no address found, out of office autoreplies etc).

    I have emailed postmaster@hol.gr and abuse@hol.gr in the hopes they can stop this. There is not a lot I can do about this though, is there?
