Kudos to NameCheap

Eliminated Spam Sources

Another day trudging through the spammers.

Our servers were seeing lots of spam from:
rafnadaelclay.IN

Tracing was interesting:
Domain www.rafnadaelclay.in is being redirected to free.park-your-domain.com

Domain free.park-your-domain.com is being redirected to parkingpage.namecheap.com.

Domain www.namecheap.com is being redirected to 209.213.101.148

However there were MANY MANY mail servers!

I was not holding out much hope on getting resolution by reporting to NameCheap – they are a very inexpensive domain registrar and by virtue of the price point I made the assumption they may not care about removing bad guys as long as they pay the hosting bills!

And YET a win with reporting spam to a provider!

As of today:
a:rafnadaelclay.in and mx:rafnadaelclay.in
Lookup failed after 2 name servers timed out or responded non-authoritatively

This site had 20 mail servers blasting spam!

Hello,

This is to inform you that rafnadaelclay.in domain was suspended. It is now pointed to non-resolving nameservers and will be nullrouted once the propagation is over. The domain is locked for modifications in our system.

Thank you for letting us know about the issue.

This is the information I sent with my trouble ticket.

NOTE: I have replaced our servers and identity in the following with the word redacted

Subject: Mass spammers abusing your network

Our network is receiving massive amounts of spam from and containing links to:
rafnadaelclay.IN
Domain www.rafnadaelclay.in is being redirected to free.park-your-domain.com
Domain free.park-your-domain.com is being redirected to parkingpage.namecheap.com.
Domain www.namecheap.com is being redirected to 209.213.101.148
links in the spam:
http://rafnadaelclay.in
/836/?kh344h181c783fh57d58ahFY7NbsQgDISfJtcVG7olHHtoXwOhkPRHhsBis5Cn70SyRrb1eTw;zHnSH9P8hfL1fnv6PfngN1rJj9tvwnpWZnmbLbomnbvESo65Tebz8S6Oc3LCWiLv0kqpqSmQieiIqnfH;YyvfBApepZ81s5hSDxypgos4vbgdZPERhK8XIwFdmF;6SHOuuHM5cYDbzP3tl23ADYtxKorgQgbrIEh1bgjEe9QijyDO8MGRlxfdx1OHsAW6db4tvx9uwMdAlmDl9oDtLBdg79GKVTyPw__
headers:
From bounce-836-404518975-redacted=redacted.com@rafnadaelclay.IN Sat Aug 4 02:09:32 2012
Return-Path:
X-Spam-Relay-Countries: XX
X-Spam-ASN: AS32475 108.178.0.0/19
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on redacted.redacted.net
X-Spam-COV-Untrusted-Relays: [ ip=108.178.12.28 rdns=server1.ishoppingclub.com
helo=ra28bd7d.rafnadaelclay.IN by=redacted.redacted.net ident= envfrom= intl=0
id=q7499TCO015485 auth= msa=0 ]
X-Spam-Status: Yes, score=7.9 required=6.0 tests=BAYES_50,DATE_IN_PAST_03_06,
HS_INDEX_PARAM,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RAZOR2_CHECK,
RCVD_IN_COV_SPAMMERS,SPF_PASS,URIBL_BLACK,URIBL_JP_SURBL shortcircuit=no
autolearn=no version=3.2.5
X-Spam-Level: SSSSSSS
X-Spam-COV-SubTests: __CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ALT,
__DOS_DIRECT_TO_MX,__DOS_HAS_ANY_URI,__DOS_RCVD_SAT,__DOS_SINGLE_EXT_RELAY,
__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HTML_LINK_IMAGE,
__LAST_UNTRUSTED_RELAY_NO_AUTH,__MIME_HTML,__MIME_VERSION,__MISSING_REF,
__MSGID_OK_HOST,__NONEMPTY_BODY,__REPTO_OVERQUOTE,__REPTO_QUOTE,__SANE_MSGID,
__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TOCC_EXISTS,
__TVD_BODY,__TVD_MIME_ATT_TP
X-Spam-RBL-Report: [10 ra75264c.rafnadaelclay.in., 10 ra863216.rafnadaelclay.in., 10 ra905cd0.rafnadaelclay.in., 10 ra2450e.rafnadaelclay.in., 10 ra3ee82.rafnadaelclay.in., 10 ra485c7.rafnadaelclay.in., 10 ra019d95.rafnadaelclay.in., 10 ra03a1e4.rafnadaelclay.in., 10 ra105679.rafnadaelclay.in., 10 ra109779.rafnadaelclay.in., 10
ra11a209.rafnadaelclay.in., 10 ra120e03.rafnadaelclay.in., 10 ra15a9a4.rafnadaelclay.in., 10 ra19c602.rafnadaelclay.in., 10 ra240b91.rafnadaelclay.in., 10 ra28bd7d.rafnadaelclay.in., 10 ra3033e0.rafnadaelclay.in., 10 ra507461.rafnadaelclay.in., 10 ra6660a0.rafnadaelclay.in.]
[“Sells small blocks to spammers”]
[108.178.12.28]
X-Spam-Report:
* 2.0 RCVD_IN_COV_SPAMMERS RBL: Spammer blocked by redacted RBL
* [Sells small blocks to spammers]
* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: rafnadaelclay.in]
* -0.3 SPF_PASS SPF: sender matches SPF record
* 0.0 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
* 0.5 HS_INDEX_PARAM URI: Link contains a common tracker pattern.
* 0.5 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
* 0.5 HTML_MESSAGE BODY: HTML included in message
* 0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.2 MPART_ALT_DIFF BODY: HTML and text parts are different
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: rafnadaelclay.in]
X-Spam-COV-Tests: BAYES_50=0.5,DATE_IN_PAST_03_06=0.044,HS_INDEX_PARAM=0.5,
HTML_MESSAGE=0.5,MIME_HTML_MOSTLY=0.5,MPART_ALT_DIFF=0.2,RAZOR2_CHECK=0.5,
RCVD_IN_COV_SPAMMERS=2,SPF_PASS=-0.3,URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501
Received: from ra28bd7d.rafnadaelclay.IN (server1.ishoppingclub.com [108.178.12.28] (may be forged))
by d100.companyv.net (8.13.8/8.13.8) with ESMTP id q7499TCO015485
for ; Sat, 4 Aug 2012 02:09:32 -0700
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=”0f0f65438f5af7c195a12805bcfaf679ec5c4fa3″
Date: Fri, 3 Aug 2012 23:08:20 -0500
From: “Cruise”
Reply-To: “Cruise”
Subject: *****SPAM***** Bon voyage.
To:
Message-ID: <0.0.404518975.nkn181c783flno425.0@rafnadaelclay.IN>
X-Scanned-By: MIMEDefang 2.67 on 207.151.82.60
X-Spam-Prev-Subject: Bon voyage.
X-UID: 104817
Status: RO
Content-Length: 5322