Spam hall of shame

I reserve the right to publish any communication between spammers and me in whole or in part.

Spam statistics

Pie charts and tables of rejected mail.
The same, but focused on RCPT Tos which are message-ids.

Blacklist

These hosts and domains are blacklisted by this system.

Spam archive

These files contain the headers of all spam sent to this system over the last couple of years (the complete spam archive is available to legitimate spam investigators). Please keep in mind that some of the information, including the sender address, may be forged. If you find that someone has been using your name or email address without your consent, it might be a nice idea to have them prosecuted.

Year  Spams  Sp/Mn
1998    257   21.4
1999    159   13.3
2000     83    6.9
2001     91    7.6
2002     76    6.3
2003     31    2.6
2004     47    3.9
2005     10    0.8
2006     21    1.8
2007      7    0.6
2008      6    0.5
2009      5    0.5
2010     15    1.2
2011      7    0.6
2012     21    1.8
2013     29    2.4
2014     25    2.1
2015     21    1.9
2016     15    1.9

Web form spam

Test mails from spammers looking for vulnerable web forms.

KPN sux

Yet another persistent harasser (Dutch).

XS4ALL Phishes

Phishes from creeps who claim to be my ISP. This bothered me for years, but I only recently started tracking this.

More recently: a little Exim filter to block this crap:

xs4all.nl is my ISP. So their hosts are *.xs4all.nl.
Mail sent by XS4ALL to me will be sent to My_Address@xs4all.nl. All other mail sent by the XS4ALL mailservers should be sent to My_Address@My_Domain.
If mail sent to My_Address@xs4all.nl does not originate from an @xs4all.nl email address or does not come from an XS4ALL host, it's a phish.

I use a '.forward' to forward the mail to xs4all@My_Domain. At home, /etc/aliases delivers the mail to My_Address@My_Domain.
By testing the Envelope-to, I can distinguish between forwarded and non-forwarded mail.

RCPT ACL


# Check forward at XS4ALL
deny
  message    = This looks like a phish to me.
  hosts      = *.xs4all.nl
  recipients = xs4all@My_Domain
  senders    = ! : ! *@xs4all.nl

This checks the envelope-from. This should either be '<>' or an XS4ALL email address.

DATA ACL


# Check forward at XS4ALL
deny
  message    = This looks like a phish to me.
  hosts      = *.xs4all.nl
  condition  = ${if match\
    {$recipients}\
    {\Nxs4all@My_Domain\N}\
  {yes}{no}}
  set acl_m7 = ${filter{<\n $rh_received:}{match{$item}\
  {\N^from .*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|::1|[0-9A-Fa-f]{1,4}:.+)\]\N}}}
  condition  = ${if forany\
    {<\n $acl_m7}{!match{$item}\
    {\N(127\.0\.0\.1|194\.109\.|::1|2001:888:.+)\N}}\
  {yes}{no}}

All raw Received header lines that start with 'from ' and contain an IP address are put in 'acl_m7' ('<\n' means the delimiter is newline).
'forany' tests all these remaining lines in acl_m7. If any of these lines does not match an IP address used by my ISP (127.0.0.1, 194.109.*.*, ::1, 2001:888:*), the mail gets rejected.
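
The DATA ACL logic above, re-expressed in Python so it can be run against sample headers. This is an added example, not part of the original page: the regular expressions are copied from the ACL, while the function names, the client_host parameter (standing in for Exim's 'hosts' check) and the sample Received lines are constructed.

```python
import re

# Regular expressions copied from the DATA ACL above.
FROM_WITH_IP = re.compile(
    r"^from .*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|::1|[0-9A-Fa-f]{1,4}:.+)\]")
ISP_IP = re.compile(r"(127\.0\.0\.1|194\.109\.|::1|2001:888:.+)")
FORWARD_RCPT = re.compile(r"xs4all@My_Domain")


def hops_with_ip(rh_received):
    """Emulate ${filter{<\\n $rh_received:}{match ...}}: split the raw
    Received data on newlines, trim each item (assumed to mirror how Exim
    trims list items) and keep only the 'from ... [IP]' lines."""
    items = (line.strip() for line in rh_received.split("\n"))
    return [item for item in items if FROM_WITH_IP.search(item)]


def looks_like_phish(client_host, recipients, rh_received):
    """Return True where the DATA ACL's deny would fire."""
    if not client_host.endswith(".xs4all.nl"):      # hosts = *.xs4all.nl
        return False
    if not FORWARD_RCPT.search(recipients):         # first condition
        return False
    # forany: true if at least one kept line carries no ISP address.
    return any(not ISP_IP.search(hop) for hop in hops_with_ip(rh_received))


# Constructed sample data: the host names and addresses are made up for
# this example (192.0.2.x is a documentation range), not real mail.
INTERNAL = (
    "from smtp-in.xs4all.nl ([194.109.24.5])\n"
    "\tby mxdrop.xs4all.nl with ESMTP\n"
    "from localhost ([127.0.0.1])\n"
    "\tby smtp-in.xs4all.nl with ESMTP"
)
EXTERNAL = (
    "from mxdrop.xs4all.nl ([194.109.24.5])\n"
    "\tby home.example with ESMTP\n"
    "from mail.example.net ([192.0.2.25])\n"
    "\tby mxdrop.xs4all.nl with ESMTP"
)
```

Mail whose every 'from' hop shows an ISP address passes; a single hop from outside those ranges is enough to reject. A message with no matching Received lines is not rejected, because 'forany' over an empty list is false.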

Rejected addresses

Spammers use worms and viruses to send spam and harass anti-spam sites.
Below are systems that are possibly infected:
