This server is very friendly to all spiced pork and meat amateurs:
- forged NNTP-Posting-Host
- forged abuse address (see alert at http://usenetnow.com/)
- forged preloaded path
- forged MID domain
My suggestion to all newsmasters is to poison-path
"news-out.readnews.com" or postnews*.readnews.com
Alert posted at http://usenetnow.com/:
-------------------------------------
This is the official homepage for usenetnow.com.
If you are here because of Spam that has headers from so-called
usenetnow.com news servers, you have been taken in by Spammers.
USENETNOW.COM DOES NOT HAVE NEWS SERVERS, INN SERVERS OR ANY VARIATION
THEREOF. THERE ARE NEWS SERVERS OWNED AND OPERATED BY USENETNOW DOT NET.
Header sample:
--------------
Bytes: 4345
Subject: Bodum Coffee Press
From: Alex...@henry.com
Newsgroups: sci.chem.coatings
Date: Thursday, 21 May 09 4:02:55 GMT
Lines: 141
Message-ID: <4a1551ab$0$7082$586e...@usenetnow.com>
NNTP-Posting-Host: c8b50885.usenetnow.com
X-Trace:
DXC=>Sj]gJ;YS63]PWc[l53bf;HfJNUg^G:><T[lX>L[ToH56>OCWb^R_K42<ki0D^8;V38aDXAiI`Jm;_:0;kLh8df:k>h]I9PNg08
X-Complaints-To: ab...@usenetnow.com
Path:
..!transit4.readnews.com!news-out.readnews.com!postnews3.readnews.com!not-for-mail
Message-id samples:
-------------------
<4a155050$0$7067$586e...@usenetnow.com>
<4a155051$0$7104$586e...@usenetnow.com>
<4a155052$0$7080$586e...@usenetnow.com>
<4a155053$0$7084$586e...@usenetnow.com>
<4a155053$0$7092$586e...@usenetnow.com>
<4a155056$0$7066$586e...@usenetnow.com>
<4a155056$0$7067$586e...@usenetnow.com>
<4a155057$0$7080$586e...@usenetnow.com>
<4a15505a$0$7082$586e...@usenetnow.com>
<4a15505e$0$7084$586e...@usenetnow.com>
Okay, got a reply from upstream: the spammer is now blocked, _and_ they
have fixed the bogus x-complaints-to and nntp-posting-host information.
Wait and see..
Do you hear laughter? The laughter of spammers?
# X-Complaints-To: killthe...@usenetmonster.com
Yep, this one was reported too :)
(At least someone is working on the issue at the abuse desk, which is
something many commercial servers just never do)
Yes, we are very sorry about the misconfig for usenetnow.net.
We've blocked about 50k posts today but a few thousand still got out.
We're actively working to find and delete the accounts the spammer is using
and improve the backend blocking/rate-limiting/filtering systems.
They pre-created some usenetmonster.com accounts beforehand so
just blocking posts from new accounts isn't working. And there are
a ton of domains so keywords don't help.
Avi Freedman
readnews.com