Communicado update: A change of tactic

The work to make Communicado’s life as difficult as possible continues and it does seem like we’re having some success.

When I started this project, Communicado registered all their domains through DAILY, mostly using faked registrant data and hiding behind the privileges granted to individual private registrants. I established a dialogue with Nominet about this and it seems Nominet did take action, to the point of suspending some of these domains. Communicado then suddenly switched to using ENOM for registering their domains; I don’t know, and have no way of knowing, whether they were booted off by DAILY or just decided to switch. Either way it made no difference: I could easily find the domains they were registering via Nominet’s PRSS tool.

As of Monday 16th, they have changed tactics again.  They have apparently abandoned the .co.uk namespace (I’m sure they’ll be missed) and have gone back to using a variety of .com, .net and .org domains.  Some seen in use today are:


They’re easy enough to spot in the logs, but I don’t currently have a good way of searching the whois for these TLDs. Suggestions for such a tool (non-free is fine) are welcome.

Maintaining this list and the RBL service is taking time and money.  I will absolutely never be charging anyone for the list and the RBL will be free and open access for as long as it is sustainable to do so.  In addition to the ways you can help mentioned in previous posts, a more direct way you can help is to donate a little money, preferably in the form of Bitcoin to 1F9Y1Gd3Pmmchxa7uGFd3zBQY9zVuX78Jd.

More news when I have it, you can follow @Excommunicado for more frequent updates.

An update on Communicado

It has been a busy few weeks since I first blogged about Communicado, here are some of the highlights of what has been going on.

  • Communicado are still registering somewhere between 40 and 60 new domains a week.  The blacklist is being regularly updated and currently has 5364 domains listed.
  • Communicado appear to have switched registrars from DAILY to ENOM as of yesterday.  Makes no difference to picking up their domains.
  • Nominet has been investigating and tells me that some of Communicado’s domains have been suspended and they are in the process of suspending more.
  • Please follow @Excommunicado for news and announcements on Twitter.  Low volume, only on topic.
  • The existing text file download will continue to be updated but, by popular demand, I have set up a DNS RBL containing their domains.  As of the time of writing it is open access, that may change if it becomes too busy.  Using it is easy:
martin@olga:~$ host malimanosa.co.uk.excommunicado.co.uk
malimanosa.co.uk.excommunicado.co.uk has address 127.0.0.2
martin@olga:~$ host flobbletob.co.uk.excommunicado.co.uk 
Host flobbletob.excommunicado.co.uk not found: 3(NXDOMAIN)
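The lookup shown above, as an added example rather than code from the post: the sender domain is prepended to the RBL zone and the answer is interpreted, with NXDOMAIN meaning "not listed" and anything other than the documented 127.0.0.2 treated as an error so a broken zone fails open. The fake resolver and the parked.example answer are constructed so it runs offline.

```python
import socket

RBL_ZONE = "excommunicado.co.uk"   # zone from the post
LISTED_ADDR = "127.0.0.2"          # answer the post shows for a listed domain


def rbl_query_name(sender_domain: str, zone: str = RBL_ZONE) -> str:
    """Name to look up: sender domain (normalised) followed by the RBL zone."""
    sender_domain = sender_domain.strip().strip(".").lower()
    if not sender_domain:
        raise ValueError("empty sender domain")
    return f"{sender_domain}.{zone}"


def dns_resolve(name: str) -> list[str]:
    """Real resolver: A records for name, or [] when it does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def rbl_verdict(sender_domain: str, resolve=dns_resolve, zone: str = RBL_ZONE) -> str:
    """'listed', 'clean' or 'error' (unexpected answer, e.g. a wildcard or parked zone)."""
    addrs = resolve(rbl_query_name(sender_domain, zone))
    if not addrs:
        return "clean"      # NXDOMAIN: not listed
    if all(a == LISTED_ADDR for a in addrs):
        return "listed"
    return "error"          # do not reject mail on an answer the RBL never documented


def sender_domain_of(address: str) -> str:
    """Domain part of an envelope sender address (right of the last '@')."""
    if "@" not in address:
        raise ValueError(f"not an address: {address!r}")
    return address.rsplit("@", 1)[1]


# Constructed stand-in for the DNS answers in the post, so the example runs offline.
FAKE_ANSWERS = {
    "malimanosa.co.uk.excommunicado.co.uk": ["127.0.0.2"],
    "parked.example.excommunicado.co.uk": ["203.0.113.7"],   # constructed bad answer
}


def fake_resolve(name: str) -> list[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for sender in ("a@malimanosa.co.uk", "a@flobbletob.co.uk", "a@parked.example"):
        print(sender, rbl_verdict(sender_domain_of(sender), resolve=fake_resolve))
```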

If anyone wants to provide working configuration examples for SpamAssassin (or other similar tools), I will cheerfully link to them or post them here.

More news when I have it, have a Communicado-free afternoon!

Unwanted email from Communicado Ltd

As my regular readers will know, I run an antispam and antivirus email filtering service called antibodyMX.  About two weeks ago, I started seeing some deeply weird junk traffic coming through.  A lot of it.  It was odder because it was going to an awful lot of different domains we filter.   Statistically we filter a very very tiny set of domains and to see junk mail arriving for many of them all at the same time was very strange indeed.

The domain names the mails were being sent from were also strange.  They were all .co.uk domains and all not-quite-words.   Here are a few:

bagumbayansa.co.uk
balabagansa.co.uk
balambanred.co.uk
balangasere.co.uk
balangigada.co.uk
balangkayansa.co.uk

All the domains are registered to an individual called Chris Hepworth, a company called Communicado, or “World trading Partners BVI 1611097”, or “Phil Neck”, or some combination thereof.  I called them up and asked them what was going on.  I was asked to send an email explaining the problem, I did, no reply.

More mail from yet more domains kept arriving, the domain count got up to over 300.

Using the resources of a somewhat underground entity known to some as The Fish Tank, I spoke to someone who suggested I sign up to Nominet’s PRSS tool which would let me search for domains more easily.  I did so and started domain hunting.

I fed the list of domains I had through a trigram analyser and used the results of that to tease more domains out of the search tool; “qua” was especially useful, finding more than 80 domains.
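The trigram step, as an added example that is not the author's own analyser: each domain contributes its distinct three-letter substrings once, and trigrams are ranked by how many domains contain them, so the most characteristic fragments surface as search terms. It is run over the six sample domains quoted above; the shared .co.uk suffix is stripped first so it does not dominate.

```python
from collections import Counter

# The six sample domains quoted in the post.
SAMPLE_DOMAINS = [
    "bagumbayansa.co.uk", "balabagansa.co.uk", "balambanred.co.uk",
    "balangasere.co.uk", "balangigada.co.uk", "balangkayansa.co.uk",
]


def registered_label(domain: str, suffix: str = ".co.uk") -> str:
    """Strip the shared public suffix and keep the registered label."""
    domain = domain.strip().lower()
    if domain.endswith(suffix):
        domain = domain[: -len(suffix)]
    return domain.split(".")[-1]


def trigrams(label: str) -> set[str]:
    """Distinct 3-letter substrings (a set, so each domain counts a trigram once)."""
    return {label[i:i + 3] for i in range(len(label) - 2)}


def top_trigrams(domains, n: int = 10):
    """Trigrams ranked by the number of domains containing them; ties alphabetical."""
    doc_freq = Counter()
    for d in domains:
        doc_freq.update(trigrams(registered_label(d)))
    ranked = sorted(doc_freq.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


if __name__ == "__main__":
    for tri, count in top_trigrams(SAMPLE_DOMAINS):
        print(f"{tri}  seen in {count} of {len(SAMPLE_DOMAINS)} domains")
```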

More mail from yet more domains kept arriving, the domain count got up to over 800.

Searching the web and talking to people, I found that an awful lot of people I knew were getting unwanted email from these people.  I also found one lady who is taking them to court.  I tried calling them again, my voicemail has not been returned.

Today I have spoken to the Information Commissioner’s Office who say they are very interested in the data I have collected.  It will be interesting to see what, if anything, they choose to pursue here.  On the face of it, Communicado do appear to be breaching the DPA.

I have been told there is no immediate reason why I cannot publish the list of domains I have collected, you can find it here and it currently contains 5249 domains (earlier revisions of this post: 1255, 3971, 4500, 4539, 5145).  An example use might be an ACL on your mail server.  If you run exim, you would add an ACL along the lines of:

# Reject mail whose envelope sender domain appears in the downloaded list.
# If the file is missing the expansion is empty, so nothing matches and mail
# is not rejected.
deny message        = http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
     sender_domains = ${if exists{/etc/exim4/hepworth.txt}{/etc/exim4/hepworth.txt}}

The file will be updated as and when I have time.  If you want to capture it via a cronjob, you’re welcome to, but please:

  • DO email me to tell me you’re doing so, and from which host(s). You have permission when you click send.
  • DO tell relevant colleagues and friends about it.
  • DO consider donating a little money to charity.  Because of my nephew, I suggest here.
  • DON’T cron it for an obvious time like “12am and 12pm”. Spread the load, please.

You do, of course, use this list entirely at your own risk.
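An added example of such a cronjob, not a script from the post: it sleeps a random offset so fetches are spread rather than landing at an obvious time, keeps only well-formed domains so an HTML error page or truncated download cannot end up in the file the exim ACL reads, and replaces that file atomically. LIST_URL is a placeholder because the post's download link is not reproduced here; the destination path is the one from the ACL above.

```python
import os
import random
import re
import tempfile
import time
import urllib.request

LIST_URL = "https://example.invalid/hepworth.txt"   # placeholder, not the real link
DEST = "/etc/exim4/hepworth.txt"                    # the file the exim ACL reads
# One hostname per line: labels of 1-63 chars, no leading/trailing hyphen.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def clean_domains(text: str) -> list[str]:
    """Keep well-formed domains, lowercased and de-duplicated; drop anything else."""
    seen, out = set(), []
    for line in text.splitlines():
        d = line.strip().lower()
        if d and not d.startswith("#") and DOMAIN_RE.match(d) and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def install_list(domains: list[str], dest: str = DEST) -> int:
    """Write the list to a temp file and rename it into place (atomic on POSIX)."""
    if not domains:
        raise ValueError("refusing to install an empty list")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".hepworth-")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(domains) + "\n")
    os.chmod(tmp, 0o644)           # exim must be able to read it
    os.replace(tmp, dest)
    return len(domains)


def fetch_and_install(url: str = LIST_URL, dest: str = DEST, max_jitter: int = 1800) -> int:
    """Cron entry point: random delay (up to 30 min by default), fetch, validate, swap."""
    time.sleep(random.randint(0, max_jitter))
    with urllib.request.urlopen(url, timeout=60) as resp:
        body = resp.read().decode("utf-8", "replace")
    return install_list(clean_domains(body), dest)


if __name__ == "__main__":
    print("installed", fetch_and_install(), "domains")
```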

How to get less junk email

I am fairly frequently asked for tips on getting less junk email.  There are quite a few things you can do that will cut the amount of junk you get, or at least let you get an idea of where it came from.


  • Don’t have a catchall account, only ever accept mail for real mailboxes.
  • Use as few generic or role addresses as you can.  sales@, info@, help@ etc will all draw in unwanted junk.
  • Delete or disable legacy mailboxes, don’t alias them to another user’s mailbox.
  • Use different email aliases for different sites.  So I might have martin-slashdot@ for Slashdot, martin-elreg@ for The Register, martin-dominos@ for Dominos etc etc.  If mail arrives at one of these addresses and it’s not from that specific organisation, then something has leaked when it shouldn’t have.
  • Once you’ve finished with a particular site, remove the alias.
  • Don’t be afraid to pick up the phone.  If you get email you didn’t want from a company, call them to get yourself removed. Where you’ve had no contact with a company before, tell them politely that they are breaking the law by sending you unsolicited email.
  • Understand the difference between spam and UCE.  With spam it is rarely worth your time tracking down the sender, UCE may well be.
  • Don’t click on unsubscribe links in spam messages.  Do click on unsubscribe links in UCE messages.  With the latter, if the unsubscribe isn’t instant (“It may take up to 10 days….”) then blacklist the sender.


And, of course, if junk mail really is a big problem for you, consider using a commercial anti-spam and anti-virus filtering service to get rid of it.  Obviously I would recommend antibodyMX, but there are plenty of other providers out there.