Another day trudging through the spammers.

Our servers were seeing lots of spam from:

Tracing was interesting:
Domain is being redirected to

Domain is being redirected to

Domain is being redirected to

However there were MANY MANY mail servers!

I was not holding out much hope on getting resolution by reporting to NameCheap – they are a very inexpensive domain registrar and by virtue of the price point I made the assumption they may not care about removing bad guys as long as they pay the hosting bills!

And YET a win with reporting spam to a provider!

As of today: and
Lookup failed after 2 name servers timed out or responded non-authoritatively

This site had 20 mail servers blasting spam!


This is to inform you that domain was suspended. It is now pointed to non-resolving nameservers and will be nullrouted once the propagation is over. The domain is locked for modifications in our system.

Thank you for letting us know about the issue.

This is the information I sent with my trouble ticket.

NOTE: I have replaced our servers and identity in the following with the word redacted

Subject: Mass spammers abusing your network

Our network is receiving massive amounts of spam from and containing links to:
Domain is being redirected to
Domain is being redirected to
Domain is being redirected to
links in the spam:
From Sat Aug 4 02:09:32 2012
X-Spam-Relay-Countries: XX
X-Spam-ASN: AS32475
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
X-Spam-COV-Untrusted-Relays: [ ip=
helo=ra28bd7d.rafnadaelclay.IN ident= envfrom= intl=0
id=q7499TCO015485 auth= msa=0 ]
X-Spam-Status: Yes, score=7.9 required=6.0 tests=BAYES_50,DATE_IN_PAST_03_06,
autolearn=no version=3.2.5
X-Spam-Level: SSSSSSS
X-Spam-RBL-Report: [10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10]
["Sells small blocks to spammers"]
* 2.0 RCVD_IN_COV_SPAMMERS RBL: Spammer blocked by redacted RBL
* [Sells small blocks to spammers]
* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs:]
* -0.3 SPF_PASS SPF: sender matches SPF record
* 0.0 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
* 0.5 HS_INDEX_PARAM URI: Link contains a common tracker pattern.
* 0.5 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
* 0.5 HTML_MESSAGE BODY: HTML included in message
* 0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.2 MPART_ALT_DIFF BODY: HTML and text parts are different
* 0.5 RAZOR2_CHECK Listed in Razor2 (
* 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs:]
X-Spam-COV-Tests: BAYES_50=0.5,DATE_IN_PAST_03_06=0.044,HS_INDEX_PARAM=0.5,
Received: from ra28bd7d.rafnadaelclay.IN ( [] (may be forged))
by (8.13.8/8.13.8) with ESMTP id q7499TCO015485
for ; Sat, 4 Aug 2012 02:09:32 -0700
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="0f0f65438f5af7c195a12805bcfaf679ec5c4fa3"
Date: Fri, 3 Aug 2012 23:08:20 -0500
From: "Cruise"
Reply-To: "Cruise"
Subject: *****SPAM***** Bon voyage.
Message-ID: <0.0.404518975.nkn181c783flno425.0@rafnadaelclay.IN>
X-Scanned-By: MIMEDefang 2.67 on
X-Spam-Prev-Subject: Bon voyage.
X-UID: 104817
Status: RO
Content-Length: 5322
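
The SpamAssassin rule lines in the headers above can be tallied to check them against the reported score and to see how much of the verdict came from blocklist and Razor hits. This is an added example, not part of the original post or ticket; the function names and the choice of which rule prefixes count as reputation checks are assumptions.

```python
import re
from decimal import Decimal

# Header lines copied from the message quoted above; bracketed detail lines
# are kept to show that the parser skips them.
REPORT = """\
X-Spam-Status: Yes, score=7.9 required=6.0 tests=BAYES_50,DATE_IN_PAST_03_06,
* 2.0 RCVD_IN_COV_SPAMMERS RBL: Spammer blocked by redacted RBL
* [Sells small blocks to spammers]
* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* -0.3 SPF_PASS SPF: sender matches SPF record
* 0.0 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
* 0.5 HS_INDEX_PARAM URI: Link contains a common tracker pattern.
* 0.5 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
* 0.5 HTML_MESSAGE BODY: HTML included in message
* 0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.2 MPART_ALT_DIFF BODY: HTML and text parts are different
* 0.5 RAZOR2_CHECK Listed in Razor2 (
* 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
"""

RULE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")
STATUS = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)")
# Assumption: rule-name prefixes treated here as third-party reputation checks.
REPUTATION_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_")

def parse_report(text):
    """Return ({rule: score}, reported_score, required_score)."""
    rules, reported, required = {}, None, None
    for line in text.splitlines():
        hit = RULE.match(line.strip())
        if hit:
            rules[hit.group(2)] = Decimal(hit.group(1))
            continue
        status = STATUS.search(line)
        if status:
            reported, required = Decimal(status.group(1)), Decimal(status.group(2))
    return rules, reported, required

def summarize(text):
    """Total the rule scores and separate out the reputation-based share."""
    rules, reported, required = parse_report(text)
    total = sum(rules.values(), Decimal("0"))
    rep = sum((s for n, s in rules.items() if n.startswith(REPUTATION_PREFIXES)), Decimal("0"))
    return {"total": total, "reported": reported, "required": required,
            "consistent": total == reported, "reputation": rep,
            "spam_without_reputation": total - rep >= required}

if __name__ == "__main__":
    print(summarize(REPORT))
```

On this message the reputation rules account for 6.0 of the 7.9 points, so the content rules alone (1.9 after the SPF_PASS credit) would not have reached the 6.0 threshold.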