
Current readnews.com spam flood (forging "usenetnow.com" domain): RFD for passive UDP


Xavier Roche

May 21, 2009, 9:19:38 AM
The "readnews.com" server is now apparently used by spammers to flood
usenet groups with random junk.

This server is very friendly to all spiced pork and meat amateurs:
- forged NNTP-Posting-Host
- forged abuse address (see alert at http://usenetnow.com/)
- forged preloaded path
- forged MID domain

My suggestion to all newsmasters is to poison-path
"news-out.readnews.com" or postnews*.readnews.com


Alert posted at http://usenetnow.com/:
-------------------------------------

This is the official homepage for usenetnow.com.

If you are here because of Spam that has headers from so-called
usenetnow.com news servers, you have been taken in by Spammers.

USENETNOW.COM DOES NOT HAVE NEWS SERVERS, INN SERVERS OR ANY VARIATION
THEREOF. THERE ARE NEWS SERVERS OWNED AND OPERATED BY USENETNOW DOT NET.


Header sample:
--------------
Bytes: 4345
Subject: Bodum Coffee Press
From: Alex...@henry.com
Newsgroups: sci.chem.coatings
Date: Thursday, 21 May 09 4:02:55 GMT
Lines: 141
Message-ID: <4a1551ab$0$7082$586e...@usenetnow.com>
NNTP-Posting-Host: c8b50885.usenetnow.com
X-Trace: DXC=>Sj]gJ;YS63]PWc[l53bf;HfJNUg^G:><T[lX>L[ToH56>OCWb^R_K42<ki0D^8;V38aDXAiI`Jm;_:0;kLh8df:k>h]I9PNg08
X-Complaints-To: ab...@usenetnow.com
Path: ..!transit4.readnews.com!news-out.readnews.com!postnews3.readnews.com!not-for-mail


Message-id samples:
-------------------

Xavier Roche

May 21, 2009, 11:58:16 AM

Xavier Roche wrote:

> The "readnews.com" server is now apparently used by spammers to flood
> usenet groups with random junk.

Okay, got a reply from upstream: the spammer is now blocked, _and_ they
have fixed the bogus x-complaints-to and nntp-posting-host information.

Wait and see..

Kelb tal-Fenek

May 21, 2009, 2:23:32 PM

Xavier Roche wrote:
> Xavier Roche wrote:

Do you hear laughter? The laughter of spammers?

# X-Complaints-To: killthe...@usenetmonster.com

Xavier Roche

May 21, 2009, 2:35:33 PM

Kelb tal-Fenek wrote:
> # X-Complaints-To: killthe...@usenetmonster.com

Yep, this one was reported too :)

(At least someone is working on the issue at the abuse desk, which is
something many commercial servers just never do)

Avi Freedman

May 22, 2009, 1:05:49 PM

Xavier Roche <xro...@free.fr.nospam.invalid> wrote:
> Xavier Roche wrote:

Yes, we are very sorry about the misconfig for usenetnow.net.

We've blocked about 50k posts today but a few thousand still got out.

We're actively working to find and delete the accounts the spammer is using
and improve the backend blocking/rate-limiting/filtering systems.

They pre-created some usenetmonster.com accounts beforehand so
just blocking posts from new accounts isn't working. And there are
a ton of domains so keywords don't help.

Avi Freedman
readnews.com
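
A sketch of the Path-based check that the poison-path suggestion in the first post amounts to, run over a constructed header modelled on that post's sample. It is an added example, not code from the thread; the peer name, the placeholder header values and the function names are assumptions. The decision uses only the Path entries, and the domains claimed by the other headers are reported for triage rather than trusted.

```python
import fnmatch
from email.parser import HeaderParser

# Patterns taken from the poison-path suggestion in the first post.
POISON_PATTERNS = ["news-out.readnews.com", "postnews*.readnews.com"]

# Constructed sample modelled on the post's header sample. The peer name and
# the Message-ID / complaints local parts are placeholders; Path is folded.
SPAM = (
    "Message-ID: <constructed-1@usenetnow.com>\n"
    "NNTP-Posting-Host: c8b50885.usenetnow.com\n"
    "X-Complaints-To: placeholder@usenetnow.com\n"
    "Path: peer.example!transit4.readnews.com!news-out.readnews.com\n"
    " !postnews3.readnews.com!not-for-mail\n"
)

def path_entries(path):
    """Split a Path header into entries, dropping folding whitespace."""
    return [e for e in "".join(path.split()).split("!") if e]

def poisoned_entries(path, patterns=POISON_PATTERNS):
    """Return whole Path entries matching a poison pattern (not substrings)."""
    return [e for e in path_entries(path)
            if any(fnmatch.fnmatchcase(e.lower(), p.lower()) for p in patterns)]

def claimed_domains(headers):
    """Domains asserted by the headers the post lists as forged."""
    out = {}
    for name in ("Message-ID", "NNTP-Posting-Host", "X-Complaints-To"):
        value = (headers.get(name) or "").strip().strip("<>")
        if value:
            host = value.rsplit("@", 1)[-1].lower()
            out[name] = ".".join(host.split(".")[-2:])  # naive: last two labels
    return out

def triage(raw_headers):
    """Decide on the Path alone; list claimed domains that no Path entry backs."""
    headers = HeaderParser().parsestr(raw_headers)
    path = headers.get("Path", "")
    entries = [e.lower() for e in path_entries(path)]
    hits = poisoned_entries(path)
    unbacked = {n: d for n, d in claimed_domains(headers).items()
                if not any(e == d or e.endswith("." + d) for e in entries)}
    return {"reject": bool(hits), "matched": hits, "unbacked_claims": unbacked}

if __name__ == "__main__":
    print(triage(SPAM))
```

An unbacked claim is only a hint for a human reviewer, since a provider can legitimately post under a brand domain that differs from its transit hosts.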
