# SB-ROGUE.RC
#
# These are extremely prolific spammers, many of them also using illegal
# methods to send spam, such as abuse of open proxies. If you clean their
# stuff out first, the SpamBouncer doesn't waste CPU cycles.

# Blood, Alex (Alexander Mosh/AlekseyB/Alex Polyakov/
#              Jungle Ventures, Inc./Pilot Holding LLC/
#              SafeDNS.BIZ/YourDomainsHere)
#
# Last reported spam: 4/15/06
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alex%20Blood%20/%20Alexander%20Mosh%20/%20AlekseyB%20/%20Alex%20Polyakov
#
# Status: Active Spammer
#

TESTNAME='Alex Blood'
TESTDOMAINS=${SBDIR}/black/alexblood-domains.txt
TESTCIDR=${SBDIR}/black/alexblood-ips.cidr
TESTPATTERNS=${SBDIR}/black/alexblood-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=ALL

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Haberstroh, Brian (Atriks/Goldberg Kohn/Green Horse Corp./Max Media, Inc./
#                    SayKoh LLC/lots else)
#
# Last reported spam: 4/15/06
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Brian%20Haberstroh%20/%20Atriks
#
# 12/11/03:
#     Advertises a bulk email service that uses deliberate filter
#     evasion techniques to "improve deliverability." In addition,
#     there are numerous reports of spam from their netblocks,
#     including spam by longtime spammers BlueRockDove. PLONK.
#
# 12/21/03:
#     An absolute *flood* of spam from a bunch of domains belonging
#     to "Green Horse Corporation", "Sendmails Corporation", etc.
#     All are Atriks. Virtual phasers on kill....
#
# 1/10/04:
#     Quieted down for a few days, now spewing again, this time
#     as "dealzz.net".
#
# 1/13/04:
#     And as "NetMoneyWizard".
#
# 1/31/04:
#     Moving to the Rogue's list -- they've now qualified for
#     ROKSO as well. :/
#
# 3/15/04:
#     Meditay apparently exists independently of Atriks, surprise.
#     So I've moved the Meditay IPs and domains to their own recipe/
#     list. Atriks itself is getting more aggressive as time goes
#     on; I'm getting more spam to each spammed address, and more
#     addresses are being spammed.
#
# 5/31/04:
#
#     After a hiatus of several weeks, Atriks has reappeared as
#     Max Media, Inc., located not in New Hampshire, but the Los
#     Angeles area, and hosted by Split Infinity, a customer of
#     Verio. I am not sure whether Atriks bought an existing company
#     named Max Media, partnered with that company and provided it
#     with the Atriks software and servers, or invented it out of
#     whole cloth. The second or third alternatives appear somewhat
#     more likely than the first.
#
# 6/11/05:
#     Over the past year, has teamed up with a number of other
#     spammers, some ROKSO-listed. Has continued to register
#     copious new domains, obtain many new IP blocks to evade
#     filtering. Very much still in the game, still active. :/
#
# 7/21/05:
#     Continuing to see floods of spam from this idiot, and he
#     adds at least a couple dozen new domains to his list per
#     week. No sign whatsoever that he's trying to send only
#     to those who requested his email. :/
#
# Status: Active Spammer
#

TESTNAME='Brian Haberstroh'
TESTPATH=${SBDIR}/black/
TESTDOMAINS=${SBDIR}/black/atriks-domains.txt
TESTCIDR=${SBDIR}/black/atriks-ips.cidr
TESTPATTERNS=${SBDIR}/black/atriks-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=ALL

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Kramer, Brian
#
# Last reported spam: 4/15/06
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Brian%20Kramer%20/%20Expedite%20Media%20Group
#
# 7/18/2003:
#     Aggressive spammers of non-profit organizations, appear to be
#     offering underpowered computers at a premium to these often
#     unsophisticated organizations. I call that stealing candy from
#     children myself.... :(
#
# 10/07/2003:
#     Very persistent.
#
# 12/05/2003:
#     Changed name to Avtech Direct, but same people.
#
# 12/19/2003:
#     Changed name again, this time to AAA Discount Computers :/
#
# 3/13/2004:
#     Consolidated with record for Brian Kramer, who was behind this cr*p all
#     along, apparently.
#
# 6/11/2005:
#     Leased or bought a bunch of netblocks from Eddy Marin, so I'm
#     slowly figuring out which of them is actually behind a lot of
#     spam coming from those (former)? Marin netblocks.
#
# Status: Active Spammer
#

TESTNAME='Brian Kramer'
TESTDOMAINS=${SBDIR}/black/kramer-domains.txt
TESTCIDR=${SBDIR}/black/kramer-ips.cidr
TESTPATTERNS=${SBDIR}/black/kramer-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=ALL

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Kuvayev, Leo (BadCow)
#
# Last reported spam: 4/15/2006
# Data files last updated: 4/15/2006
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Leo%20Kuvayev%20/%20BadCow
#
# 6/11/2005:
#     One of the most prolific spammers right now. :/
#
# Status: Active Spammer
#

TESTNAME='Leo Kuvayev'
TESTDOMAINS=${SBDIR}/black/kuvayev-domains.txt
TESTCIDR=${SBDIR}/black/kuvayev-ips.cidr
TESTPATTERNS=${SBDIR}/black/kuvayev-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=BODY

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Lindsay, Michael (IMedia Networks)
#
# Last reported spam: 4/15/06
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Michael%20Lindsay%20/%20iMedia%20Networks
#
# Status: Active Spammer
#

TESTNAME='Michael Lindsay'
TESTDOMAINS=${SBDIR}/black/lindsay-domains.txt
TESTCIDR=${SBDIR}/black/lindsay-ips.cidr
TESTPATTERNS=${SBDIR}/black/lindsay-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=ALL

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Moneta (moneta.co.kr/citi-loan.com)
#
# Last reported spam: 4/15/06
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# 10/19/2004:
#     Long-time Korean mortgage/loan spammers.
#
# Status: Active Spammer
#

TESTNAME='Moneta'
TESTDOMAINS=${SBDIR}/black/moneta-domains.txt
TESTCIDR=${SBDIR}/black/moneta-ips.cidr
TESTPATTERNS=${SBDIR}/black/moneta-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=BODY

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Panov, Alexey
#
# Last reported spam: 4/09/06
# Data files last updated: 4/09/06
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alexey%20Panov%20-%20ckync.com
#
# Status: Active Spammer
#

TESTNAME='Alexey Panov'
TESTDOMAINS=${SBDIR}/black/panov-domains.txt
TESTCIDR=${SBDIR}/black/panov-ips.cidr
TESTPATTERNS=${SBDIR}/black/panov-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=BODY

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Ralsky, Alan
#
# Last reported spam: 11/07/05
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# ROKSO http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
#
# Since Ralsky uses proxies, relays, forged headers, and every other
# spammer obfuscation trick in the book, this will catch only spam
# that comes directly from IPs known to belong to him or containing
# URIs that resolve to IPs belonging to him, or domains belonging to
# him. But that should be some of it anyway.
#
# 1/14/04:
#     Possibly implicated in huge spam run with forged Habeas SWE
#     headers. The spams advertise domains that are hosted within
#     netblocks assigned to Ralsky, according to SpamHaus.org.
#     At least as likely, a former associate with a copy of
#     Ralsky's mailing list is attempting to stab him in the back.
#     Keep tuned....
#
# 1/15/04:
#     Using new filters to test for Ralsky in body text as well as
#     headers.
#
# 1/25/04:
#     Habeas forgeries stopped cold, and abruptly, three days ago.
#     No further news about who the perp might have been.
#
# 6/11/05:
#     Still at it. Using a lot of redirectors, Base64-encoded email,
#     etc. to evade filtering using SURBL and other URI filters these
#     days.
#
# 10/16/05:
#     The Detroit News and AP report that the FBI and others executed
#     a warrant against Ralsky a few weeks ago and seized all the
#     computer equipment they could. Ralsky told reporters that this
#     action had shut him down for now. However, I'm still seeing
#     spam from Ralsky netspace. There's some reason to think that
#     Leo Kuvayev might be using it, with or without Ralsky's
#     permission/approval.
#
# Status: Active Spammer
#

TESTNAME='Alan Ralsky'
TESTDOMAINS=${SBDIR}/black/ralsky-domains.txt
TESTCIDR=${SBDIR}/black/ralsky-ips.cidr
TESTPATTERNS=${SBDIR}/black/ralsky-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20051107
TESTUPDATED=20060415
TESTTYPE=ALL

INCLUDERC=${SBDIR}/functions/identify-spammer.rc

# Yambo Financials
#
# Last reported spam: 4/15/06
# Data files last updated: 4/15/06
#
# Other Relevant Info:
#
# ROKSO: http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Yambo%20Financials
#
# Possible morph or affiliate of Pavko/Artofit spammers.
#
# Status: Active Spammer
#

TESTNAME='Yambo Financials'
TESTDOMAINS=${SBDIR}/black/yambo-domains.txt
TESTCIDR=${SBDIR}/black/yambo-ips.cidr
TESTPATTERNS=${SBDIR}/black/yambo-patterns.rc
TESTSCORE=${SPAMLEVEL}
TESTLAST=20060415
TESTUPDATED=20060415
TESTTYPE=ALL

INCLUDERC=${SBDIR}/functions/identify-spammer.rc