A new flood from btinternet.com (well, actually this is from giganews -
BT is not competent enough to have its own news servers?) is hitting
almost every single group with multipart messages.
Message headers sample:
-----------------------
Path: ..!border1.nntp.dca.giganews.com!Bl.tags.giganews.com!border2.nntp.dca.giganews.com!nntp.giganews.com!backlog2.nntp.dca.giganews.com!nntp.bt.com!news.bt.com.POSTED!not-for-mail
NNTP-Posting-Date: Sat, 29 Aug 2009 00:10:01 -0500
From: "Robert Bates" <speed...@live.co.uk>
Subject: XXX IS A CHILD ABUSERNBP Unregistered.
Newsgroups: rec.toys.lego
Content-Type: multipart/alternative;
boundary="=_NextPart_2rfkindysadvnqw3nerasdf";
MIME-Version: 1.0
Date: Sat, 29 Aug 2009 06:10:04 +0100
X-Priority: 3
X-Library: Indy 8.0.25
Message-ID: <jbadnWDFdK60JQXX...@bt.com>
Lines: 27
X-Usenet-Provider: http://www.giganews.com
X-AuthenticatedUsername: NoAuthUser
X-Trace:
sv3-gPxpm2q0Adtkx5rfsdIU9R5TfrNW9ZCmFdkCjXc0szN0ol668O71Zar7W3FS6NB9VN6wXOjsOqs3IYM!0SEOGUvi35/Iujv2UvRvLTC
tWvMAr1lBj/GLBybFx97OIEUIyjyFBuQRcQ2icBffXvAbC5wy81U=
X-Complaints-To: ab...@btinternet.com
X-DMCA-Complaints-To: ab...@btinternet.com
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.39
X-Original-Bytes: 7526
Message-Id samples:
-------------------
..
| Hi folks,
| A new flood from btinternet.com (well, actually this is from giganews -
| BT is not competent enough to have its own news servers?) is hitting
| almost every single group with multipart messages.
Note in the header...
X-Library: Indy 8.0.25
Indy v8.x, v9.x and v10.x is the preferred spammer tool as it recursively posts through
every group in every hierarchy, posts randomly in every group in every hierarchy or
selectively posts where desired.
All news admins are encouraged to filter posts that have "X-Library: Indy xxxxxx" in the
header.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
> Note in the header...
> X-Library: Indy 8.0.25
> Indy v8.x, v9.x and v10.x is the preferred spammer tool as it
> recursively posts through every group in every hierarchy, posts randomly
> in every group in every hierarchy or selectively posts where desired.
> All news admins are encouraged to filter posts that have "X-Library:
> Indy xxxxxx" in the header.
That's interesting. Sounds like a new scoring rule for Cleanfeed. :)
Thanks
>>Note in the header...
>>X-Library: Indy 8.0.25
>>Indy v8.x, v9.x and v10.x is the preferred spammer tool as it
>>recursively posts through every group in every hierarchy, posts randomly
>>in every group in every hierarchy or selectively posts where desired.
>>All news admins are encouraged to filter posts that have "X-Library:
>>Indy xxxxxx" in the header.
>That's interesting. Sounds like a new scoring rule for Cleanfeed. :)
Is it? A spamming tool that creates messages that are easily killed?
Could someone verify this independently?
> Is it? A spamming tool that creates messages that are easily killed?
> Could someone verify this independently?
It does sound incongruous. I'll log messages with that header and see
what turns up.
Here is a different spam sample using Indy v9.x
Path: news.spamcop.net!not-for-mail
From: "apartamento jardim camburi" <apart...@jardim-camburi-vitoria.com>
Newsgroups: spamcop.mail
Subject: Ligue agora mesmo 0xx27 3084-5709 vendo apartamento em jardim
camburi , oportunidade de negocio apto 2461327710
Date: Wed, 10 Jun 2009 19:40:48 -0300
Organization: apartamentos jardim camburi
Lines: 20
Sender: apartamento jardim camburi <apart...@jardim-camburi-vitoria.com>
Message-ID: <h0pcrr$mng$6...@news.spamcop.net>
Reply-To: aparta...@casas.jardimcamburi-3qtos.com.br
NNTP-Posting-Host: 189.115.213.239
X-Trace: news.spamcop.net 1244673724 23280 189.115.213.239 (10 Jun 2009 22:42:04 GMT)
X-Complaints-To: ne...@news.spamcop.net
NNTP-Posting-Date: Wed, 10 Jun 2009 22:42:04 +0000 (UTC)
X-Priority: 3
X-Library: Indy 9.00.10
Xref: news.spamcop.net spamcop.mail:22562
Why not? Lots of spam engines have well-known spoor.
Seth
>>>>All news admins are encouraged to filter posts that have "X-Library:
>>>>Indy xxxxxx" in the header.
>>>That's interesting. Sounds like a new scoring rule for Cleanfeed. :)
>>Is it? A spamming tool that creates messages that are easily killed?
>Why not? Lots of spam engines have well-known spoor.
I should have thought the point was self-evident.
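
The log-first check raised in the thread ("I'll log messages with that header and see what turns up"), sketched as an added example that is not part of any of the original posts: it parses real header fields rather than searching the article text, tallies `X-Library: Indy` hits per injection site, and rejects nothing. The function names, the Path heuristic and the sample headers are assumptions made for this illustration.

```python
"""Log-only tally of articles that carry an X-Library: Indy header."""
import re
from collections import Counter
from email import message_from_string
from email.policy import default

# Matches values such as "Indy 8.0.25" or "Indy 9.00.10"; captures the major version.
INDY = re.compile(r"^Indy\s+(\d+)(?:\.\d+)*$", re.IGNORECASE)

def header(raw, name):
    """Return one unfolded header value from a raw article, or None."""
    value = message_from_string(raw, policy=default).get(name)
    return None if value is None else str(value).strip()

def indy_major(raw):
    """Major Indy version named in X-Library, or None if the header is absent."""
    value = header(raw, "X-Library")
    match = INDY.match(value) if value else None
    return int(match.group(1)) if match else None

def injection_site(raw):
    """Heuristic (assumption): rightmost Path entry that is not 'not-for-mail'."""
    path = (header(raw, "Path") or "").replace(" ", "")
    hosts = [h for h in path.split("!") if h and h != "not-for-mail"]
    return re.sub(r"\.POSTED$", "", hosts[-1]) if hosts else "unknown"

def tally(articles):
    """Count articles per (Indy major or None, injection site); nothing is rejected."""
    return Counter((indy_major(a), injection_site(a)) for a in articles)

# Constructed sample headers; hosts and groups are placeholders.
SAMPLES = [
    "Path: relay.example.net!\n feeder.example.org!news.example.com.POSTED!not-for-mail\n"
    "Newsgroups: example.test\nX-Library: Indy 8.0.25\n\n",
    "Path: news.example.org!not-for-mail\nNewsgroups: example.test\n"
    "X-Library: Indy 9.00.10\n\n",
    "Path: news.example.org!not-for-mail\nNewsgroups: example.test\n"
    "User-Agent: ExampleReader/1.0\n\n",
    # The string appears only in the Subject text, so it must not count as a hit.
    "Path: news.example.org!not-for-mail\nNewsgroups: example.test\n"
    "Subject: X-Library: Indy 8.0.25 seen in spam\n\n",
]

if __name__ == "__main__":
    for (major, site), count in sorted(tally(SAMPLES).items(), key=str):
        print(f"indy={major} site={site} articles={count}")
```

Comparing the Indy rows against the `None` rows over a real feed shows how much traffic a filter on this header would catch before any reject rule is turned on.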