Re: email untouched by Spam Assassin?
Posted: Wed Oct 29, 2014 11:35 am
by Guest
FWIW, I'm also getting a ton of new spammy crap lately with subjects including stuff like "A registered-child-offender has moved into your-area" and "Medicare-Open Enrollment Information". In trying to see if there was anything Spam Assassin-able in these, I discovered that they are all coming from addresses where the TLD is ".link". A quick look through my mail shows a grand total of ZERO messages that I have ever received from a .link address that was a legitimate email. I'm gonna try just blacklisting everything coming in from "*@*.link" and see if that helps. And of course, your mileage may vary.
Re: email untouched by Spam Assassin?
Posted: Wed Oct 29, 2014 1:15 pm
by linelle
Guest Guest, I believe you're on to something.
Re: email untouched by Spam Assassin?
Posted: Tue Nov 11, 2014 1:10 pm
by ben
linelle wrote: Guest Guest, I believe you're on to something.
Definitely on to something. Blacklisting *@*.link *@*.me *@*.mobi has slowed my spam flood to a trickle. Nice catch, guest guest.
Re: email untouched by Spam Assassin?
Posted: Tue Nov 11, 2014 2:22 pm
by Guest
You're welcome. I noticed today a new rash of goodies coming in from Austria (*@*.co.at). They may be the next to go....
Re: email untouched by Spam Assassin?
Posted: Thu Nov 20, 2014 12:49 pm
by Ben
I have 3 spams that made it through today despite being from TLDs I have blacklisted. None of the 3 have X-Spam headers and all 3 were received by m.mx.sonic.net.
really nasty java exploit
Posted: Tue Nov 25, 2014 9:11 am
by Rob
On 11/22/14 Saturday AM ~ 4:45 to 4:48 an email spoofing 'sonic webmail team' sent to sonic users and others possibly, displayed a link to click which spoofed 'login to your sonic account' but led to a .ke address containing a Windows Java exploit which installed CryptoWall, an insidious malware-ransomware that prompts the affected user to pay a hefty sum via the Tor browser, or lose access to all files on their hard drive. FYI
Re: email untouched by Spam Assassin?
Posted: Tue Dec 09, 2014 12:05 pm
by Guest
Ben wrote: I have 3 spams that made it through today despite being from TLDs I have blacklisted. None of the 3 have X-Spam headers and all 3 were received by m.mx.sonic.net.
I was still getting a few as well, but noted in the full headers that there were (dot) subdomains in all of them, so I added more wildcards, so there are now 4 blacklisted on each offending TLD, e.g.:
*@*.mobi (the original)
*@*.*.mobi
*.*@*.mobi
*.*@*.*.mobi
...and nothing at all from .mobi, .me, or .link since. Don't know if these additions actually did the trick, or if Sonic themselves fixed something to catch them.
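An added example, not part of the original post and not Sonic's or SpamAssassin's code: it checks which of the four patterns above match a set of constructed sender addresses. It assumes the glob rules documented for SpamAssassin's `blacklist_from` (`*` matches any run of characters, dots included; `?` matches one character); Sonic's own blacklist may behave differently, and the function names are hypothetical.

```python
import re

# The four patterns quoted in the post above.
PATTERNS = ["*@*.mobi", "*@*.*.mobi", "*.*@*.mobi", "*.*@*.*.mobi"]

# Constructed sample sender addresses (not taken from real mail).
SAMPLES = [
    "offers@example.mobi",
    "offers@mail.example.mobi",
    "first.last@example.mobi",
    "first.last@a.b.example.mobi",
    "user@example.com",
    "user@mobi.example.com",
]

def glob_to_regex(glob):
    """Assumed glob rules: '*' = any run of chars, '?' = one char,
    everything else literal, whole-address match, case-insensitive."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matching_patterns(address, patterns=PATTERNS):
    """Return the patterns that would blacklist this address."""
    return [p for p in patterns if glob_to_regex(p).match(address)]

def redundant_patterns(addresses, patterns=PATTERNS):
    """Patterns after the first that catch no address the first one misses."""
    base = glob_to_regex(patterns[0])
    redundant = []
    for p in patterns[1:]:
        rx = glob_to_regex(p)
        if all(base.match(a) for a in addresses if rx.match(a)):
            redundant.append(p)
    return redundant

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr, "->", matching_patterns(addr) or "not blacklisted")
    print("covered by the first pattern:", redundant_patterns(SAMPLES))
```

Under these assumed rules, every sample address caught by one of the three extra wildcards is already caught by `*@*.mobi`.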
Re: email untouched by Spam Assassin?
Posted: Tue Dec 09, 2014 4:35 pm
by Ben
Guest wrote: ...and nothing at all from .mobi, .me, or .link since. Don't know if these additions actually did the trick, or if Sonic themselves fixed something to catch them.
I think this is probably what fixed it:
https://corp.sonic.net/status/2014/11/2 ... -resolved/
Re: email untouched by Spam Assassin?
Posted: Sat Jan 17, 2015 12:01 pm
by ankh
really nasty java exploit
by Guest Rob » Tue Nov 25, 2014 10:11 am
On 11/22/14 Saturday AM ~ 4:45 to 4:48 an email spoofing 'sonic webmail team' sent to sonic users and others possibly, displayed a link to click which spoofed 'login to your sonic account' but led to a .ke address containing a Windows Java exploit which installed CryptoWall, an insidious malware-ransomware that prompts the affected user to pay a hefty sum via the Tor browser, or lose access to all files on their hard drive. FYI
Good lord, and this is the first I hear about it?
Does this mean Sonic detected it and throttled it after three minutes' total time?
I remember seeing it, recognizing it as fake and deleting the damned thing.
Damn.