[SC-Help] Re: They're varying their shields, captain!

Lane lane at joeandlane.com
Sun Jun 5 16:33:56 EDT 2005


On Friday 03 June 2005 18:20, you wrote:
> On Friday 03 June 2005 16:33, Ellen wrote:
> > > "Lane" <lane at joeandlane.com> wrote in message
> > > news:mailman.23.1117832246.169.spamcop-help at news.spamcop.net...
> > >
> > > Today I got one from ip:  205.211.197.142 claiming to be from
> > > http://www.parefi.net/book.php
> > >
> > > I check senderbase at
> > >
> > > http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=205.211.197.142
> > >
> > > and I see that this IP volume/magnitude has changed from 1102%/1.7 in
> > > the last thirty days to -100%/0.0 in the last day.
> > >
> > > So is such a dramatic volume change used in the cipher to calcumalate
> > > when an ip is a spammer?
> >
> > I just changed the report routing on that block to
> > inetcontact at amnetus.com let's see if that makes a difference. I suspect
> > they just have a bunch of compromised machines down there in Honduras.
> >
> > The volume change in SenderBase can mean that someone noticed the machine
> > was compromised and took it offline or that the worm/trojan got orders to
> > go quiet for a while or lost contact with the mothership ...
> >
> > And yes the IP is listed.
> >
> > Ellen
>
> Thanks, Ellen
>
> lane ~"He's not really dead, Jim!"

He may not be dead, but apparently he's a zombie!

I've gotten two more from these *refi.net folks.  The latest is from ip: 
69.61.199.73

Senderbase,
http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=69.61.199.73
says that magnitude is 2.4 in the last day, with a 7088% volume change vs. 
average in the last day.

So I ask again, does volume change figure into the determination of whether or 
not to block an ip?

This appears to be from fuse.net but Spamcop
http://www.spamcop.net/w3m?action=checkblock&ip=69.61.199.73
says he is not listed in bl.spamcop.net

Just trying to get my head around how all of this works.

Thanks,

Lane

