The Community Forums

Troublesome spammer changing ip's etc

Discussion in 'E-mail Discussions' started by keat63, Jul 2, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I have a troublesome spammer hitting a single email account on one user domain.
    The format is always the same, consisting of an HTML email, but I can't seem to fathom how to create an account-level filter that will work.
    The domain name changes quite frequently, to things like "fiftysevensomethings.com" and next week "fourtyeightsomethings.com".
    Sometimes as many as 30 emails per day pass through to this one user account.

    So at the moment, I've blocked the entire IP range in CSF.
    However, they appear to have at least two or three other IP ranges.
    Also, when doing an IP lookup, maybe their email server is using a proxy or some sort of bypass, as it seems to belong to scaleabledns.com, which for some reason I assume to be legitimate??

    Maybe someone could correct me here?
    Rather than blocking entire ranges of IPs in CSF, could anyone suggest a way of blocking these pests without blocking a large number of IPs?

    Code:
    2015-07-02 05:57:58 SMTP connection from [198.98.96.43]:60906 (TCP/IP connection count = 2)
    2015-07-02 05:57:59 H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 Warning: Sender rate 1.0 / 1h
    2015-07-02 05:58:02 1ZAWZU-00030s-MC H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 Warning: Message has been scanned: no virus or other harmful content was found
    2015-07-02 05:58:04 1ZAWZU-00030s-MC H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 Warning: "SpamAssassin as user detected message as NOT spam (2.8)"
    2015-07-02 05:58:04 1ZAWZU-00030s-MC <= news933248738@fiftysixtwoobtainablewinners.com H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 P=esmtp S=9872 id=6482a4d5e905a5a5c411e830374dd191@fiftysixtwoobtainablewinners.com T="(jamie) Are those you love protected?" for jamie@user.co.uk
    2015-07-02 05:58:05 H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 Warning: Sender rate 2.0 / 1h
    2015-07-02 05:58:12 1ZAWZZ-00030s-FJ H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 Warning: Message has been scanned: no virus or other harmful content was found
    2015-07-02 05:58:14 1ZAWZZ-00030s-FJ H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 Warning: "SpamAssassin as user detected message as NOT spam (3.1)"
    2015-07-02 05:58:14 1ZAWZZ-00030s-FJ <= news933248738@fiftysixtwoobtainablewinners.com H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 P=esmtp S=13930 id=71dabb28907e4969e2c45c9c7b8d4f03@fiftysixtwoobtainablewinners.com T="(jamie) Latest Remortgage Rates - Get a Quote - Our form will search the brokers." for jamie@user.co.uk
    2015-07-02 05:58:14 SMTP connection from fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 closed by QUIT
     
    #1 keat63, Jul 2, 2015
    Last edited: Jul 2, 2015
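An added example, not code from the original post or from cPanel/CSF: a small Python script that parses Exim mainlog message-received ("<=") lines in the format quoted above, counts deliveries to one mailbox per source IP, per /24 and per sender domain, flags sender domains built from number words like the ones the poster names, and prints csf.deny entries for exactly the IPs seen sending from those domains instead of whole ranges. The log lines inside the block are constructed to mirror the quoted format: the two fiftysixtwoobtainablewinners.com lines and 198.98.96.43 are taken from the post, the other IPs are from documentation ranges and the other domains are invented. The number-word pattern is a heuristic to tune against your own logs, and the "do not delete" comment follows the csf.deny convention for entries that CSF's DENY_IP_LIMIT pruning should leave alone.

```python
"""Summarise Exim mainlog "<=" (message received) lines for one mailbox.

Added example, not cPanel or CSF code. SAMPLE_LOG is constructed to match
the mainlog format quoted in the post; IPs other than 198.98.96.43 are from
documentation ranges and the extra sender domains are invented.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Exim "<=" line: date time msgid <= sender H=host [(helo)] [ip]:port ... for rcpts
RECEIVED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<msgid>\S+) "
    r"<= (?P<sender>\S+) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\](?::\d+)? "
    r".* for (?P<rcpts>.+)$"
)

# Throwaway domains in the thread look like "fiftyseven...", "fourtyeight...",
# "fiftysixtwo...": a number word, an optional second one, then more letters.
# Heuristic only; tune it to what your own logs show.
NUMBER_WORD_RE = re.compile(
    r"^(?:twenty|thirty|forty|fourty|fifty|sixty|seventy|eighty|ninety)"
    r"(?:one|two|three|four|five|six|seven|eight|nine)?[a-z]{4,}$"
)

# Constructed sample log (format copied from the post; most values invented).
SAMPLE_LOG = """\
2015-07-02 05:58:04 1ZAWZU-00030s-MC <= news933248738@fiftysixtwoobtainablewinners.com H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 P=esmtp S=9872 T="(jamie) Are those you love protected?" for jamie@user.co.uk
2015-07-02 05:58:14 1ZAWZZ-00030s-FJ <= news933248738@fiftysixtwoobtainablewinners.com H=fiftysixtwoobtainablewinners.com [198.98.96.43]:60906 P=esmtp S=13930 T="(jamie) Latest Remortgage Rates - Get a Quote - Our form will search the brokers." for jamie@user.co.uk
2015-07-03 06:10:21 1ZAxxx-000101-Aa <= news1@fiftysevensomethings.com H=fiftysevensomethings.com [198.51.100.10]:51234 P=esmtp S=10011 T="(jamie) Compare quotes" for jamie@user.co.uk
2015-07-03 06:11:05 1ZAxxx-000102-Bb <= news2@fortyeightsomethings.com H=fortyeightsomethings.com [198.51.100.77]:51300 P=esmtp S=9900 T="(jamie) Protect your family" for jamie@user.co.uk
2015-07-03 09:00:00 1ZAxxx-000103-Cc <= newsletter@example.org H=mail.example.org (mail.example.org) [203.0.113.5]:40000 P=esmtps S=5000 T="Monthly update for members" for jamie@user.co.uk
2015-07-03 09:30:00 1ZAxxx-000104-Dd <= bob@example.net H=mail.example.net [192.0.2.9]:33333 P=esmtps S=2200 T="hi" for other@user.co.uk
2015-07-03 09:30:01 1ZAxxx-000104-Dd => other <other@user.co.uk> R=virtual_user T=dovecot_virtual_delivery
"""


def parse_exim_received(line):
    """Return the fields of a message-received line, or None for other lines."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["recipients"] = rec.pop("rcpts").split()
    sender = rec["sender"]
    rec["sender_domain"] = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    return rec


def source_network(ip):
    """Aggregate to a /24 (IPv4) or /64 (IPv6) to see whether one range is involved."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize(log_text, recipient):
    """Count messages to `recipient` per source IP, per network and per sender domain."""
    summary = {
        "per_ip": Counter(),
        "per_net": Counter(),
        "per_domain": Counter(),
        "domains_by_ip": defaultdict(set),
    }
    for line in log_text.splitlines():
        rec = parse_exim_received(line)
        if rec is None or recipient not in rec["recipients"]:
            continue
        summary["per_ip"][rec["ip"]] += 1
        summary["per_net"][source_network(rec["ip"])] += 1
        summary["per_domain"][rec["sender_domain"]] += 1
        summary["domains_by_ip"][rec["ip"]].add(rec["sender_domain"])
    return summary


def suspicious_domains(summary):
    """Sender domains whose first label matches the number-word pattern."""
    return sorted(d for d in summary["per_domain"]
                  if NUMBER_WORD_RE.match(d.split(".")[0]))


def csf_deny_entries(summary):
    """csf.deny lines for the exact IPs that sent from a suspicious domain.

    'do not delete' in the comment keeps CSF's DENY_IP_LIMIT pruning from
    dropping the entry later (the convention the poster refers to).
    """
    bad = set(suspicious_domains(summary))
    entries = []
    for ip, domains in sorted(summary["domains_by_ip"].items()):
        hits = sorted(domains & bad)
        if hits:
            entries.append(f"{ip} # spam source for {','.join(hits)} - do not delete")
    return entries


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "jamie@user.co.uk")
    for section in ("per_ip", "per_net", "per_domain"):
        print(section, dict(s[section]))
    print("suspicious:", suspicious_domains(s))
    print("\n".join(csf_deny_entries(s)))
```

Run it against a copy of /var/log/exim_mainlog with the target mailbox as the recipient; the per-network counter shows quickly whether the sources really cluster in a few ranges, and the deny list stays limited to hosts that actually delivered the junk.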
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. keat63

    keat63 Well-Known Member

    I employed greylisting at the weekend, but alas they are still coming.
    If I open the HTML email, it's always from the same people, as there's an unsubscribe button and an address somewhere in California, but they don't honour the unsubscribe.
    I've blocked about 6 IP ranges in CSF and another one this morning, which seems to be doing the trick, as I've had only one since Friday.
    A user filter or account filter would probably be better though.

    Edit:
    A little Google research regarding the above-mentioned ISP.
    Other people seem to be having similar issues, with the spammers/scammers being allowed to change IPs at will.
    https://groups.google.com/forum/#!topic/news.admin.net-abuse.email/FwMaz6UWQsY
     
    #3 keat63, Jul 8, 2015
    Last edited: Jul 8, 2015
  4. keat63

    keat63 Well-Known Member

    I performed a whois on that ISP, and the postal address is the same one which is embedded inside the HTML email.
    Not sure why filtering can't detect this though.
     
    #4 keat63, Jul 8, 2015
    Last edited: Jul 8, 2015
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Have you considered filtering the message by content instead of by the "FROM" address?

    Thank you.
     
  6. keat63

    keat63 Well-Known Member

    Filtering by content was the first thing I tried, and I based the filter on the postal address, which is consistent in every email.
    However, filtering, for some reason, couldn't see it.
    In the end, I added about 20 IPs to CSF with a "#do not delete" comment.
    In the last 5 weeks or so, I've seen only two emails, and I've now blocked these IPs also.

    This has fixed the problem in the short term, I guess until they start spamming from other IPs.
     