new members of staff in the zoo

According to our email server logs, the zoo has seen an influx of credible-looking pretend new staff members – all blocked, having been spotted beforehand by reputation or some other fault, and rejected.

I will not bore you with the technical details, since most of you use Google for email, so it is not really worth blogging about.

Welcome, new staff members, I suppose, but since they also have to deal with SPF, DKIM and DMARC along with DNSSEC, life is quite hard for them; it appears that those countermeasures work.

It will be interesting to see if they are directed at us or get wider use, in which case one of the above things will also inform us of their activity.
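Why a forged "new staff member" gets rejected comes down to DMARC identifier alignment: SPF or DKIM has to pass for a domain that lines up with the From header the recipient sees. The following is an added example, not the zoo's own code, of that alignment check with constructed domains (zoo.example and spammer.example are placeholders); pct sampling, the sp subdomain policy and a proper Public Suffix List lookup are left out.

```python
# Added example: minimal DMARC identifier-alignment check (RFC 7489 section 3.1).
# Domains below are constructed; zoo.example stands in for the zoo's real domain.


def org_domain(domain):
    """Organisational domain. Approximated as the last two labels; a production
    checker must use the Public Suffix List (co.uk and friends break this)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Is the authenticated domain aligned with the RFC5322.From domain?
    mode 'r' (relaxed): same organisational domain; 's' (strict): exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, policy):
    """Return (passes, disposition).

    spf_domain is the SPF-authenticated identifier (MAIL FROM domain, or HELO for
    a null sender); dkim_domain is the d= of a verified signature. policy holds
    the sender's DMARC tags; pct sampling and the sp subdomain policy are omitted.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy.get("p", "none")


if __name__ == "__main__":
    zoo = {"p": "reject", "adkim": "r", "aspf": "r"}
    # A pretend new staff member: SPF passes for the spammer's own bounce domain,
    # DKIM fails, so nothing aligns with the forged From and p=reject applies.
    print(evaluate_dmarc("zoo.example", "pass", "spammer.example", "fail", None, zoo))
```

The spoof case is the interesting one: the spammer's SPF record is perfectly valid for their own envelope domain, and it still does not help them, because the pass is for a domain that is not aligned with the forged From.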

[image: animals, including a chicken to sex]

Perhaps I will suggest that the zoo should get these spammers and put them to good use, like feeding the lions; after all, one can argue that, as keen prospective employees, they are certainly good for something.

It would be a shame to waste ‘talent’ like that, and fresh meat is always welcome.

Is spamcop tracked by spammers via reporting addresses?

[image: lets poison the gin]

The zoo reports spam to SpamCop, though not much, since a lot is prefiltered and automatically deleted. However, I do wonder if SpamCop is tracked by spammers. I say this as I have new spam definitions and when I report the small number of spam to the addresses on SpamCop.

I do think much of SpamCop is genuine and SpamCop is worth supporting, be it with our submissions or in other ways, but maybe reporting spam to spammers is still not a good idea.

It's not a horrid problem for us, but some abuse SpamCop. I guess they want reports if they do spam us again, and I am happy to oblige; after all, the more the merrier.

Dmarc bad internet service providers

I have done this before – here are the reports I have received in the zoo about our DMARC settings and bad hosts. I do not count attempts to use monkey@zoo but the number of times an IP address is recorded in a DMARC report.

The data might be better viewed as source, but those IP addresses are in here.
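Here, as an added example that is not the zoo's own script, is how counts like the ones in the tables are produced from the aggregate reports themselves. The report XML follows the RFC 7489 Appendix C layout, one row per source IP; the organisation names, report ids and addresses are constructed (documentation ranges), not taken from the zoo's mailbox. tally counts how many times an IP is recorded (the figure the post uses) as well as the message totals, and brief_report turns that into the percentage column.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample aggregate reports in the RFC 7489 Appendix C layout.
# Organisations, report ids and addresses are made up; IPs are documentation ranges.
SAMPLE_REPORTS = [
    """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>1001</report_id>
    <date_range><begin>1500000000</begin><end>1500086400</end></date_range>
  </report_metadata>
  <policy_published><domain>zoo.example</domain><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>4</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>zoo.example</header_from></identifiers>
    <auth_results><spf><domain>zoo.example</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>zoo.example</header_from></identifiers>
    <auth_results><dkim><domain>zoo.example</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>""",
    """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>another-receiver.test</org_name><report_id>1002</report_id></report_metadata>
  <policy_published><domain>zoo.example</domain><p>reject</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>zoo.example</header_from></identifiers>
  </record>
</feedback>""",
]


def extract_report_xml(filename, data):
    """Reports arrive as .zip or .xml.gz attachments; return the XML text."""
    if filename.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            name = next(n for n in zf.namelist() if n.endswith(".xml"))
            return zf.read(name).decode("utf-8")
    if filename.endswith(".gz"):
        return gzip.decompress(data).decode("utf-8")
    return data.decode("utf-8")


def tally(reports):
    """Return {ip: {"rows": n, "messages": m, "failed": f}} across all reports.

    'rows' is the number of times the IP is recorded (the figure in the post's
    tables), 'messages' sums the <count> values, and 'failed' sums <count> for
    rows where both DKIM and SPF failed, i.e. traffic spoofing our domain.
    """
    stats = {}
    for xml_text in reports:
        root = ET.fromstring(xml_text)
        for row in root.iter("row"):
            ip = row.findtext("source_ip")
            n = int(row.findtext("count", "0"))
            ev = row.find("policy_evaluated")
            failed = (ev is not None and ev.findtext("dkim") == "fail"
                      and ev.findtext("spf") == "fail")
            s = stats.setdefault(ip, {"rows": 0, "messages": 0, "failed": 0})
            s["rows"] += 1
            s["messages"] += n
            if failed:
                s["failed"] += n
    return stats


def brief_report(stats):
    """(ip, times recorded, share of all rows as 'NN.NN%'), busiest first."""
    total = sum(s["rows"] for s in stats.values())
    ordered = sorted(stats.items(), key=lambda kv: (-kv[1]["rows"], kv[0]))
    return [(ip, s["rows"], f"{100.0 * s['rows'] / total:.2f}%") for ip, s in ordered]


if __name__ == "__main__":
    for ip, n, pct in brief_report(tally(SAMPLE_REPORTS)):
        print(f"{n:>4} {pct:>8} {ip}")
```

The 'failed' figure is worth keeping alongside the raw row count: an IP that shows up often but passes DKIM is a legitimate forwarder or mailing list, while one with everything failing is the spoofing the tables are about.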

Let's start with the brief report.

| Country | Country % | CC | ISP % of country | Count | % of total | ISP |
|---|---|---|---|---|---|---|
| Argentina | 0.27% | AR | 100.00% | 1 | 0.27% | CABLEVISION.COM.AR |
| Australia | 0.27% | AU | 100.00% | 1 | 0.27% | telstra.com |
| China | 91.18% | CN | 7.33% | 25 | 6.68% | chinaunicom.cn |
| | | CN | 7.33% | 25 | 6.68% | chinaunicom.cn |
| | | CN | 3.52% | 12 | 3.21% | chinaunicom.cn |
| | | CN | 18.77% | 64 | 17.11% | chinamobile.com |
| | | CN | 1.76% | 6 | 1.60% | chinaunicom.cn |
| | | CN | 11.44% | 39 | 10.43% | chinaunicom.cn |
| | | CN | 4.99% | 17 | 4.55% | wasu.com.cn |
| | | CN | 4.69% | 16 | 4.28% | wasu.com.cn |
| | | CN | 41.35% | 141 | 37.70% | Huashu media&Network Limited |
| Germany | 1.07% | DE | 25.00% | 1 | 0.27% | Hosteurope GmbH |
| | | DE | 25.00% | 1 | 0.27% | Hetzner Online AG |
| | | DE | 25.00% | 1 | 0.27% | evanzo e-commerce Gmbh |
| | | DE | 25.00% | 1 | 0.27% | Hetzner Online GmbH |
| GB | 0.27% | GB | 100.00% | 1 | 0.27% | Yahoo Europe Operations Department |
| Hungary | 0.53% | HU | 100.00% | 2 | 0.53% | NLG-System Bt |
| Ireland | 0.27% | IE | 100.00% | 1 | 0.27% | c2.amazonaws.com/ |
| India | 0.80% | IN | 33.33% | 1 | 0.27% | Net4India Ltd |
| | | IN | 33.33% | 1 | 0.27% | Bharti Telenet Ltd. Tamilnadu |
| Iran | 1.07% | IR | 25.00% | 1 | 0.27% | Dadeh Gostar Asr Novin P.J.S. Co. |
| | | IR | 25.00% | 1 | 0.27% | Esfahan Telecommunication Company (P.J.S.) |
| | | IR | 50.00% | 2 | 0.53% | fanava.net |
| Italy | 0.53% | IT | 50.00% | 1 | 0.27% | Aruba S.p.A. – Shared Hosting |
| Japan | 0.27% | JP | 100.00% | 1 | 0.27% | Playing Network,INC |
| Mexico | 0.80% | MX | 33.33% | 1 | 0.27% | KIONETWORKS.COM |
| Romania | 0.27% | RO | 100.00% | 1 | 0.27% | Universitatea de Medicina si Farmacie “Carol Davila” |
| Russia | 0.27% | RU | 100.00% | 1 | 0.27% | CJSC Server WebDC colocation |
| Thailand | 0.27% | TH | 100.00% | 1 | 0.27% | csloxinfo.net |
| America | 1.60% | US | 33.33% | 2 | 0.53% | hostmaster@rackspace.com |
| | | US | 16.67% | 1 | 0.27% | DCS Pacific Star, LLC |
| | | US | 16.67% | 1 | 0.27% | Openwave Messaging Inc |
| | | US | 16.67% | 1 | 0.27% | Datagram, Inc |
| | | US | 16.67% | 1 | 0.27% | Codero |
| Vietnam | 0.27% | VN | 100.00% | 1 | 0.27% | FPT Telecom Company |
| Total | | | | 374 | 100.00% | |

[image: bomb russia]

Conclusions are easy to make: should you be a corporate Hillary Clinton voter, it's not Russia or North Korea. We all know Democrats are a bit shit at running email servers, and we know about your desire to site such things in toilets.

Even Russians use toilets.

Before I go Asperger's on you, here is a host that amused us.

Here is a net citizen who had DMARC but deleted their DNS, and thus has no DMARC:

Host or domain name not found. Name service error
for name=zeta-hub.com type=AAAA: Host found but no data record of requested
type

Now the detail. Columns are: times recorded, country, ISP count, ISP percentage of total, ISP, IP address. Rows that show only a count, a country and an IP belong to the ISP named on the nearest row above them.

Count Country ISP-count ISP-% ISP IP
1 AR 1 0.27% CABLEVISION.COM.AR 200.89.142.106
1 AU 1 0.27% telstra.com 120.158.94.239
1 CN 25 6.68% chinaunicom.cn 101.67.136.137
1 CN 101.67.136.143
1 CN 101.67.136.186
1 CN 101.67.136.206
1 CN 101.67.136.252
1 CN 101.67.136.26
1 CN 101.67.136.44
1 CN 101.67.136.60
1 CN 101.67.136.8
1 CN 101.67.137.107
1 CN 101.67.137.130
1 CN 101.67.137.19
1 CN 101.67.137.205
1 CN 101.67.137.246
1 CN 101.67.137.37
1 CN 101.67.137.44
1 CN 101.67.137.8
2 CN 101.67.138.128
1 CN 101.67.138.129
1 CN 101.67.138.144
1 CN 101.67.138.23
1 CN 101.67.138.97
1 CN 101.67.139.106
1 CN 101.67.139.55
1 CN 25 6.68% chinaunicom.cn 101.68.120.140
1 CN 101.68.120.64
1 CN 101.68.120.79
1 CN 101.68.121.195
1 CN 101.68.121.94
1 CN 101.68.122.161
1 CN 101.68.122.71
1 CN 101.68.122.8
1 CN 101.68.36.139
1 CN 101.68.36.207
1 CN 101.68.36.220
1 CN 101.68.36.55
1 CN 101.68.37.11
1 CN 101.68.37.121
1 CN 101.68.37.196
1 CN 101.68.37.21
1 CN 101.68.37.252
1 CN 101.68.37.48
1 CN 101.68.37.54
1 CN 101.68.37.64
1 CN 101.68.38.102
1 CN 101.68.38.139
1 CN 101.68.38.162
1 CN 101.68.38.80
1 CN 101.68.39.91
1 CN 12 3.21% chinaunicom.cn 101.71.192.212
1 CN 101.71.193.38
1 CN 101.71.194.215
1 CN 101.71.194.255
1 CN 101.71.195.41
1 CN 101.71.196.252
1 CN 101.71.216.106
2 CN 101.71.221.22
1 CN 64 17.11% chinamobile.com 112.10.135.137
1 CN 112.10.135.185
1 CN 112.10.194.14
1 CN 112.10.194.178
1 CN 112.10.195.163
2 CN 112.10.195.215
1 CN 112.10.195.34
1 CN 112.10.195.36
1 CN 112.10.195.50
1 CN 112.10.195.69
1 CN 112.10.40.138
1 CN 112.10.40.164
1 CN 112.10.40.194
2 CN 112.10.40.22
1 CN 112.10.40.229
1 CN 112.10.40.233
1 CN 112.10.40.92
1 CN 112.10.41.117
1 CN 112.10.41.130
1 CN 112.10.41.230
1 CN 112.10.41.80
1 CN 112.10.42.238
1 CN 112.10.42.25
1 CN 112.10.42.38
1 CN 112.10.42.96
1 CN 112.10.43.214
1 CN 112.10.46.122
1 CN 112.10.46.149
1 CN 112.10.46.151
1 CN 112.10.46.225
1 CN 112.10.46.91
1 CN 112.10.47.128
1 CN 112.10.47.184
1 CN 112.10.47.199
1 CN 112.10.48.152
1 CN 112.10.48.22
1 CN 112.10.48.225
1 CN 112.10.48.233
2 CN 112.10.49.12
1 CN 112.10.49.137
1 CN 112.10.49.250
1 CN 112.10.49.28
1 CN 112.10.49.31
2 CN 112.10.49.32
1 CN 112.10.52.10
1 CN 112.10.52.106
1 CN 112.10.52.123
1 CN 112.10.52.238
1 CN 112.10.52.241
1 CN 112.10.52.88
2 CN 112.10.53.16
1 CN 112.10.53.201
1 CN 112.10.53.221
1 CN 112.10.53.44
1 CN 112.10.53.8
1 CN 112.10.82.143
1 CN 112.10.82.148
1 CN 112.10.82.163
1 CN 112.10.83.164
1 CN 6 1.60% chinaunicom.cn 123.157.202.147
1 CN 123.157.202.20
1 CN 123.157.203.33
1 CN 123.158.32.233
1 CN 123.158.33.25
1 CN 39 10.43% chinaunicom.cn 124.90.102.115
1 CN 124.90.102.137
1 CN 124.90.102.142
1 CN 124.90.102.55
1 CN 124.90.103.37
1 CN 124.90.103.52
1 CN 124.90.193.88
1 CN 124.90.200.103
1 CN 124.90.200.124
1 CN 124.90.200.149
1 CN 124.90.200.16
1 CN 124.90.200.185
1 CN 124.90.200.203
1 CN 124.90.200.206
1 CN 124.90.200.218
1 CN 124.90.200.22
1 CN 124.90.200.221
1 CN 124.90.200.225
1 CN 124.90.200.50
1 CN 124.90.200.55
1 CN 124.90.200.58
1 CN 124.90.201.11
1 CN 124.90.201.14
1 CN 124.90.201.162
1 CN 124.90.201.193
1 CN 124.90.201.246
1 CN 124.90.201.51
1 CN 124.90.202.124
1 CN 124.90.202.128
1 CN 124.90.202.30
1 CN 124.90.202.57
1 CN 124.90.203.121
1 CN 124.90.203.83
1 CN 124.90.68.2
1 CN 124.90.69.68
1 CN 124.90.70.134
1 CN 124.90.70.44
1 CN 124.90.71.175
1 CN 124.90.71.221
1 CN 17 4.55% wasu.com.cn 218.109.228.219
1 CN 218.109.230.0
1 CN 218.109.231.184
1 CN 218.109.242.105
1 CN 218.109.242.124
1 CN 218.109.242.142
1 CN 218.109.242.15
1 CN 218.109.242.16
1 CN 218.109.242.188
2 CN 218.109.242.54
1 CN 218.109.242.57
1 CN 218.109.243.121
1 CN 218.109.243.219
1 CN 218.109.243.34
1 CN 218.109.243.62
1 CN 218.109.98.0
1 CN 16 4.28% wasu.com.cn 219.82.112.122
2 CN 219.82.134.148
1 CN 219.82.134.153
1 CN 219.82.134.241
1 CN 219.82.134.253
1 CN 219.82.135.115
1 CN 219.82.135.121
1 CN 219.82.135.4
1 CN 219.82.135.60
1 CN 219.82.135.88
1 CN 219.82.34.127
1 CN 219.82.34.21
1 CN 219.82.34.234
1 CN 219.82.58.61
1 CN 219.82.58.67
1 CN 141 37.70% Huashu media&Network Limited 58.100.0.10
1 CN 58.100.0.121
1 CN 58.100.0.13
1 CN 58.100.0.163
1 CN 58.100.0.17
1 CN 58.100.0.173
1 CN 58.100.0.175
1 CN 58.100.0.191
1 CN 58.100.0.219
1 CN 58.100.0.221
1 CN 58.100.0.225
1 CN 58.100.0.234
1 CN 58.100.0.243
1 CN 58.100.0.244
1 CN 58.100.0.255
1 CN 58.100.0.64
1 CN 58.100.0.67
1 CN 58.100.0.9
1 CN 58.100.1.115
1 CN 58.100.1.135
1 CN 58.100.1.14
1 CN 58.100.1.144
1 CN 58.100.1.148
1 CN 58.100.1.167
1 CN 58.100.1.17
1 CN 58.100.1.171
1 CN 58.100.1.2
1 CN 58.100.1.213
1 CN 58.100.1.235
2 CN 58.100.1.240
1 CN 58.100.1.243
1 CN 58.100.1.247
1 CN 58.100.1.250
1 CN 58.100.1.253
1 CN 58.100.1.28
1 CN 58.100.1.57
1 CN 58.100.2.0
1 CN 58.100.201.165
1 CN 58.100.201.171
1 CN 58.100.201.174
1 CN 58.100.201.189
2 CN 58.100.201.191
1 CN 58.100.201.207
1 CN 58.100.201.209
1 CN 58.100.201.215
1 CN 58.100.201.222
1 CN 58.100.201.228
2 CN 58.100.201.3
1 CN 58.100.201.34
1 CN 58.100.201.38
1 CN 58.100.201.42
1 CN 58.100.201.55
2 CN 58.100.201.72
1 CN 58.100.201.94
1 CN 58.100.2.104
1 CN 58.100.2.134
1 CN 58.100.2.153
1 CN 58.100.2.167
1 CN 58.100.2.187
1 CN 58.100.2.192
1 CN 58.100.2.216
1 CN 58.100.2.225
1 CN 58.100.2.229
1 CN 58.100.2.242
1 CN 58.100.24.175
1 CN 58.100.24.210
1 CN 58.100.24.26
1 CN 58.100.2.48
1 CN 58.100.24.83
1 CN 58.100.2.60
1 CN 58.100.2.63
2 CN 58.100.2.66
1 CN 58.100.3.120
1 CN 58.100.3.146
1 CN 58.100.3.165
1 CN 58.100.3.17
2 CN 58.100.3.242
1 CN 58.100.3.246
1 CN 58.100.3.34
2 CN 58.100.3.54
1 CN 58.100.3.66
1 CN 58.100.3.73
1 CN 58.100.3.8
1 CN 58.100.3.82
1 CN 58.100.3.98
1 CN 58.100.4.117
1 CN 58.100.4.126
1 CN 58.100.4.178
2 CN 58.100.4.228
1 CN 58.100.4.23
1 CN 58.100.4.246
1 CN 58.100.4.248
1 CN 58.100.4.255
1 CN 58.100.4.31
1 CN 58.100.4.46
1 CN 58.100.4.53
1 CN 58.100.4.8
1 CN 58.100.4.84
1 CN 58.100.5.151
1 CN 58.100.5.210
1 CN 58.100.5.245
1 CN 58.100.5.255
1 CN 58.100.6.137
1 CN 58.100.6.172
3 CN 58.100.6.190
1 CN 58.100.6.249
1 CN 58.100.6.37
1 CN 58.100.6.6
1 CN 58.100.6.69
1 CN 58.100.7.104
1 CN 58.100.7.128
1 CN 58.100.7.140
1 CN 58.100.7.160
2 CN 58.100.7.170
1 CN 58.100.7.185
1 CN 58.100.7.2
1 CN 58.100.7.209
1 CN 58.100.7.225
1 CN 58.100.7.27
1 CN 58.100.7.76
1 CN 58.100.7.98
1 CN 58.101.149.129
1 CN 58.101.149.167
1 CN 58.101.149.202
1 CN 58.101.149.204
1 CN 58.101.149.205
1 CN 58.101.149.211
1 CN 58.101.149.214
1 CN 58.101.149.249
1 CN 58.101.215.182
1 DE 1 0.27% Hosteurope GmbH 176.28.13.193
1 DE 1 0.27% Hetzner Online AG 78.47.178.82
1 DE 1 0.27% evanzo e-commerce Gmbh 87.238.194.222
1 DE 1 0.27% Hetzner Online GmbH 88.198.194.44
1 GB 1 0.27% Yahoo Europe Operations Department 212.82.97.150
2 HU 2 0.53% NLG-System Bt 79.172.209.109
1 IE 1 0.27% c2.amazonaws.com/ 54.247.116.167
1 IN 1 0.27% Net4India Ltd 118.67.248.215
2 IN 1 0.27% Bharti Telenet Ltd. Tamilnadu 122.178.19.82
1 IR 1 0.27% Dadeh Gostar Asr Novin P.J.S. Co. 46.224.2.215
1 IR 1 0.27% Esfahan Telecommunication Company (P.J.S.) 5.219.159.153
2 IR 2 0.53% fanava.net 95.38.191.187
2 IT 1 0.27% Aruba S.p.A. – Shared Hosting 89.46.104.195
1 JP 1 0.27% Playing Network,INC 202.212.133.77
3 MX 1 0.27% KIONETWORKS.COM 201.175.13.88
1 RO 1 0.27% Universitatea de Medicina si Farmacie “Carol Davila” 46.243.119.41
1 RU 1 0.27% CJSC Server WebDC colocation 185.63.190.163
1 TH 1 0.27% csloxinfo.net 27.254.96.73
2 US 2 0.53% hostmaster@rackspace.com 173.203.2.22
1 US 1 0.27% DCS Pacific Star, LLC 204.13.65.168
1 US 1 0.27% Openwave Messaging Inc 65.20.0.12
1 US 1 0.27% Datagram, Inc 69.60.8.154
1 US 1 0.27% Codero 69.64.71.253
1 VN 1 0.27% FPT Telecom Company 58.186.11.102
374 374 100.00%

Exciting stuff, no?

Governments and dmarc feedback loops [nsandi.com]

[image: hello hello hello hello]

If you have never heard of nsandi, they are a government savings bank – interest is low and a lottery-like prize is offered – kind of like an old war bond, mostly an interest-free loan to the government.

Somebody here in the zoo registered with a zoo address, and as we have DMARC (my blog) along with nsandi, a curious feedback loop has started – it begins when they send an email, DMARC sends a report back, and then the phishing address sends another automated reply to our DMARC user, meaning another DMARC message from us; rinse and repeat.

Imagine you're not just us but Google getting lots of these autoreplies; I bet they must consider this autoreply bot a sign of retardation at nsandi.

I guess one day it will stop when I do a kernel upgrade and ‘forget’ to keep the DMARC import file, or block the reporting to them, or something else.

Ignoring the domain nsinvest.core.int seems to stop the feedback loop, which does make DMARC useless for them, but hey, some retarded public-schooled civil servant should not auto-reply to DMARC messages.

Oh well. Idle bots like to keep busy. Nice to know they got the message!
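The loop described above is exactly the case RFC 3834 was written for: an automatic responder must not answer automatic messages. The following is an added example, not the zoo's or nsandi's code, of the two checks a report mailbox can apply. Messages and domains (autoreply.example, zoo.example, mx.example) are constructed. may_auto_reply refuses to answer anything the headers mark as automatic, and loop_suspects flags sender domains whose auto-replies keep arriving, which is the ignore list the post ended up keeping by hand.

```python
import email
import email.utils
from collections import Counter

# Constructed messages; autoreply.example, zoo.example and mx.example are placeholders.
SAMPLE_MAILBOX = [
    # three identical auto-replies to our aggregate reports: the shape of the loop in the post
    "From: Savings Mailbox <noreply@autoreply.example>\r\n"
    "To: dmarc-reports@zoo.example\r\n"
    "Subject: Auto: Report Domain: autoreply.example\r\n"
    "Auto-Submitted: auto-replied\r\n"
    "\r\nThank you for your email. We will respond within five working days.\r\n",
] * 3 + [
    # a person writing to the report address
    "From: Keeper <keeper@zoo.example>\r\n"
    "To: dmarc-reports@zoo.example\r\n"
    "Subject: is the report job running?\r\n"
    "\r\nLooks quiet today.\r\n",
    # a bounce (delivery status notification)
    "From: MAILER-DAEMON@mx.example\r\n"
    "To: dmarc-reports@zoo.example\r\n"
    "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b\"\r\n"
    "\r\n--b\r\nContent-Type: text/plain\r\n\r\nbounced\r\n--b--\r\n",
]

AUTO_PRECEDENCE = {"bulk", "list", "junk", "auto_reply"}


def is_auto_generated(raw):
    """True if the headers say a machine produced the message: the RFC 3834
    Auto-Submitted field, the older Precedence convention, vendor auto-reply
    markers, or a multipart/report body (bounces and other notifications)."""
    msg = email.message_from_string(raw)
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto and auto != "no":
        return True
    if msg.get("Precedence", "").strip().lower() in AUTO_PRECEDENCE:
        return True
    if msg.get("X-Auto-Response-Suppress") or msg.get("X-Autoreply"):
        return True
    return msg.get_content_type() == "multipart/report"


def may_auto_reply(raw):
    """RFC 3834 section 2: an automatic responder must not answer automatic
    messages, and should not answer the null sender or a mailer daemon."""
    if is_auto_generated(raw):
        return False
    msg = email.message_from_string(raw)
    sender = (msg.get("Return-Path") or msg.get("From") or "").strip().lower()
    return sender not in ("", "<>") and "mailer-daemon" not in sender


def loop_suspects(raws, threshold=3):
    """Sender domains whose automatic messages reached the report mailbox at
    least `threshold` times: candidates for the ignore list the post describes."""
    hits = Counter()
    for raw in raws:
        if not is_auto_generated(raw):
            continue
        addr = email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]
        domain = addr.rpartition("@")[2].lower()
        if domain:
            hits[domain] += 1
    return sorted(d for d, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for raw in SAMPLE_MAILBOX:
        print(may_auto_reply(raw), email.message_from_string(raw)["Subject"])
    print("ignore:", loop_suspects(SAMPLE_MAILBOX))
```

The other half of the fix sits on the sending side: the report generator should tag its own outgoing reports with Auto-Submitted: auto-generated, so that any responder on the far end that honours RFC 3834 stays quiet and the loop never starts.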

 

Missing Zimbabwe

[image: Zimbabwean dominatrix s&m with south african model]

A while ago I wrote about them (my blog), and all of a sudden the crap traffic I still monitor from this bastion of one-party rule stopped. Since .zw is at the bottom of the list of country codes, it is hard to miss.

It seems a repressive place; mind you, when Mrs President (version two, dictator for life) can beat up a ‘pretty’ South African model, the normal rules do not apply.

Mind you, it is one way to spot a dictatorship: can they send email, or even ‘try’ to?

I don't particularly want crap traffic, but it is one way to detect dictators for life, and if Bob Parsons likes it (my blog) then that too speaks volumes.

dmarc retard for September is latinnewsmail.us

It is a bit early, since it is still September, but this is clearly an exceptional case which deserves this special award.

The domain latinnewsmail . us apparently sent something to the zoo (could have been spam); its mail handler did not like the standard OpenDMARC attachment, rejecting it as:

eforward3.registrar-servers.com[162.255.118.61] said: 550 We do not accept
.zip attachments here. (in reply to end of DATA command)

So if you're thinking of using registrar-servers.com, clearly you're a retard; as to the domain, well, they also deserve to be associated with retards, since they set up the email aggregate@latinnewsmail.us to be sent to that address. The good news is that latinnewsmail . us won't be getting any more DMARC email from the zoo despite them requesting it.

I pass this on just to show that the clueless seem to have found DMARC, and what could possibly go wrong.

I like spotting idiots with DMARC.
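As an added example (not the zoo's code, and not OpenDMARC's), here is the sender's side of the exchange above: read a domain's DMARC record, honour the size suffix a rua address may carry, flag addresses that need the RFC 7489 section 7.1 external-destination check, and remember a permanent rejection such as the 550 quoted above so the same mailbox is not hammered every reporting interval. The record, domains and addresses are constructed placeholders; the bounce text is the one quoted above.

```python
import re

# Constructed DMARC TXT record for a hypothetical domain example.test.
SAMPLE_RECORD = ("v=DMARC1; p=reject; "
                 "rua=mailto:aggregate@example.test!10m, mailto:dmarc@reports.example.test; "
                 "ruf=mailto:forensic@example.test; ri=86400")


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


# mailto URI with the optional "!<size><unit>" report-size limit (RFC 7489 section 6.2)
_URI_RE = re.compile(r"^mailto:([^!\s]+)(?:!(\d+)([kmgt]?))?$", re.I)
_MULT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def report_targets(tags, policy_domain):
    """[(address, size limit in bytes or None, needs external check)] for each rua URI.

    RFC 7489 section 7.1: an address outside the policy domain may only receive
    reports if <policy_domain>._report._dmarc.<address domain> publishes a DMARC
    record saying so; the caller does that DNS lookup when the flag is True.
    """
    out = []
    for uri in tags.get("rua", "").split(","):
        m = _URI_RE.match(uri.strip())
        if not m:
            continue  # unsupported scheme or malformed: skip rather than guess
        addr, num, unit = m.group(1), m.group(2), (m.group(3) or "").lower()
        limit = int(num) * _MULT[unit] if num else None
        external = addr.rpartition("@")[2].lower() != policy_domain.lower()
        out.append((addr, limit, external))
    return out


class ReportQueue:
    """Decides whether an aggregate report may go to an address, remembering
    permanent (5xx) rejections so a mailbox that refuses our attachments stops
    getting reports, as the post does for latinnewsmail.us."""

    def __init__(self):
        self.dead = {}  # address -> SMTP reply that killed it

    def record_bounce(self, addr, smtp_reply):
        """Return True if the reply was permanent and the address is now suppressed."""
        code = smtp_reply.strip()[:3]
        if code.isdigit() and code.startswith("5"):
            self.dead[addr.lower()] = smtp_reply.strip()
            return True
        return False  # 4xx is temporary: retry next interval

    def should_send(self, addr, report_size, size_limit):
        if addr.lower() in self.dead:
            return False
        if size_limit is not None and report_size > size_limit:
            return False
        return True


if __name__ == "__main__":
    tags = parse_dmarc(SAMPLE_RECORD)
    q = ReportQueue()
    q.record_bounce("aggregate@example.test",
                    "550 We do not accept .zip attachments here.")
    for addr, limit, external in report_targets(tags, "example.test"):
        print(addr, limit, "external" if external else "same domain",
              "send" if q.should_send(addr, 4096, limit) else "suppressed")
```

Two points worth noting: a rua address can request reports and still be unable to receive them, as the 550 shows, so the suppression map is the defensive piece; and the external-destination flag matters because without that DNS check anyone could point rua at a third party's mailbox and have every DMARC-aware receiver on the internet send it reports.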

the email firstname.lastname.191 problem

[image: lets poison the gin]

The monkey house got a leaflet and the email address had a number on the end; it looked amateurish, but it is a big problem for many email providers.

Although I do understand, since email is beyond most hosting firms and ISPs these days, that the user.192 syndrome is to be expected.

Try using an Android phone without a Gmail account and this problem will soon crop up when you ‘request’ one.

.win tld

[image: scumbag spammer Robert Soloway]

Bananas was reading the mail logs one morning when a .win domain caught our attention for being deemed spam. I was sure it was, but knowing where it was, I unzipped it and read it in the console.

.win is for:

There is a vast array of global online gaming opportunities to suit all tastes. The new .WIN generic Top Level Domain (TLD) contains online gaming resources

No, I did not know that either.

But the email was for spamming life insurance, and more HTML than text.

The moral: the .win TLD is very deserving of its spam rating.

 

secondhand buses – too much email fun

[image: metz bus]

You may remember the zoo's secondhand bus email address (my blog), which is advertised if you scalp something but does not work, although it looks genuine.

Well, it is still active, as 185.46.165.59, which is in Metz, France (at the time of writing), had a serious go at trying to send the zoo something about second-hand buses. If you bought that list of spammer leads then you made me laugh and fulfilled my desire to see what a public transport bus in Metz looks like. Pink!

The whois is a bit sparse, but e-cgpn.com seem to be an ISP. I am amused and pleased to see idiots exist.

Do you like to see what a bus looks like worldwide? You know what you have to do, and your regional bus brand might be featured.

 

Yara rules

[image: trippy cow]

Having upgraded to stretch (my blog), I discovered that I could now use YARA rules, since yara is now packaged.

The zoo's config was lacking directories, and the this-andthat or that_something naming meant I had to create some new directories, but it appears that after a day or so I will have extra strings to inspect in inbound messages.

YARA rules are distributed but not widely advertised, so I might be missing some important files, but it is nice to have the extra functionality for the future.