And, if people take the time to learn procmail, reporting to spamcop can even be automated. Very cool!

-mark

On Fri, Oct 12, 2001 at 09:57:33AM -0700, Crispin Cowan wrote:
> Alexey Panchenko wrote:
>
> > Speaking of something not being SPAM just because it says "This is not Spam!
> > This e-mail is never sent unsolicited".
>
> I have been *assuming* that people are not actually taking the "this is
> not spam" line seriously. I certainly hope that is the case.
>
> > Here below is something I found in
> > my mailbox this morning -- would I need to try to convince the esteemed
> > CRIME group that it *was* unsolicited? Normally, I would just hit the
> > delete button, but due to the contents of this website, I am wondering to
> > whom I could/should report Mr. "Daniel Leuenberger" and his web "service".
>
> There are two fundamental ways to hunt spammers:
>
> * Manually: inspect the headers, extract the real IP addresses of
>   the machines involved, use whois and traceroute to find the ISPs
>   hosting the offending parties, and have their assets closed.
> * Automatically: use a service such as spamcop.net
>
> I spent a lot of time over the last several years using the manual
> method. It is viscerally satisfying, but very time consuming. What you
> want to do is extract the ISPs that host the spammers, and then forward
> the spam to "postmaster", "abuse", and "root" @ that ISP. These are the
> things to look for to try to extract the spammer's ISPs.
>
> * In the full headers, you will find a string of "Received by"
>   lines, showing the string of SMTP servers that the spam passed
>   through. In each line there may be a claimed name of the machine,
>   and then there is always a set of () parentheses that contains the
>   true sending machine. The () name may be just an IP number, in
>   which case you have to use network tools like whois and traceroute
>   to hunt down the hosting ISP. The non-() name is never to be
>   trusted unless it matches the () name, which you can verify with
>   nslookup.
> * In the body, you will often find URLs. Sometimes the URLs are easy
>   to figure out, e.g. http://tripod.com/~stupid_spammers_web_page
>   [say]. In other cases, it's harder, e.g. http://stupidspammer.com
>   but then whois and traceroute are effective. Sometimes the URL has
>   been heavily obscured, such as using a numeric IP address, e.g.
>   http://1.2.3.4 or worse a numeric IP encoded in decimal
>   http://298374928759828 . In these cases, traceroute is your
>   friend, as it will parse variously encoded IP numbers (just as
>   your web client will parse them) giving you a real IP address to
>   examine. Then go back to whois. In some cases, you will get a
>   REALLY creatively encoded URL that contains a bunch of different
>   names interspaced with @ signs. Only the name following the last @
>   matters, e.g. http://hey_lookie@private will resolve to google.com
> * Spam may be encoded in HTML, and often the images in the HTML are
>   not included in the mail, but are just links that point to some
>   web site. Apply all of the above to locating the ISP hosting the
>   images and have them disabled.
> * Spam may use HTML to encode a submission form, which invariably
>   ends in a mailto: URL. Inspect the e-mail addresses used and
>   complain to the hosting ISP.
>
> The above takes 10-15 minutes per spam, and requires network access in
> most cases. Eventually I got tired of it. Now I use spamcop.net: you can
> report a spam by just forwarding it to spamcop@private, and they
> reply with an e-mail containing a URL that takes you to a web page for
> reporting the spam, with all those headers parsed for you. I bought 25 MB
> worth of spam processing in mid-September, and their usage estimate
> claims that I'm using about $2.50 worth of services per year at my
> current burn rate. Recommended.
>
> Crispin
>
> -- 
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc.
> http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
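The header-and-URL triage that Crispin describes above (pull the true sending address out of the parentheses in each Received: line, distrust the announced name when it does not match, decode numeric IP hosts, and keep only the name after the last @ in a URL) is mechanical enough to script, which is also how the procmail automation Mark mentions would start. The following is an added example written for this archive page; it is not code from Crispin, Mark, WireX or spamcop. The sample message and every address in it are constructed (RFC 5737 documentation ranges), and the 0x-hex host case goes one step beyond the decimal encoding discussed in the mail.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample spam (not a real message). The top Received: line was
# written by our own MX and is the trustworthy hop; the lower one shows a
# forged HELO name ("friendly-bank.example") that does not match what the
# receiving relay recorded inside the parentheses.
SAMPLE_MAIL = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id ABC123\n"
    "\tfor <victim@example.org>; Fri, 12 Oct 2001 09:00:00 -0700\n"
    "Received: from friendly-bank.example (unknown [198.51.100.77])\n"
    "\tby mail.example.net with SMTP id XYZ789;\n"
    "\tFri, 12 Oct 2001 08:59:00 -0700\n"
    "From: Sender <sender@friendly-bank.example>\n"
    "Subject: This is not spam!\n"
    "\n"
    "Great offer: http://3325256781/offer\n"
    "Or visit http://hey_lookie@203.0.113.5/cgi-bin/form\n"
)

RECEIVED_RE = re.compile(r"^from\s+(?P<claimed>\S+)\s+\((?P<paren>[^)]*)\)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def received_hops(raw_message):
    """One dict per Received: header, newest hop first.

    'claimed' is the name the sender announced (never trusted on its own),
    'recorded' and 'ip' come from inside the () written by the receiving
    server, and 'consistent' says whether the two names agree. Only hops
    recorded by relays you trust are evidence; anything below the line your
    own MX wrote could have been inserted by the sender.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold the header
        m = RECEIVED_RE.match(flat)
        if not m:
            continue
        paren = m.group("paren")
        tokens = paren.split()
        recorded = tokens[0].strip("[]").lower() if tokens else ""
        ip_match = IPV4_RE.search(paren)
        claimed = m.group("claimed").lower()
        hops.append({
            "claimed": claimed,
            "recorded": recorded,
            "ip": ip_match.group(1) if ip_match else None,
            "consistent": claimed == recorded,
        })
    return hops


def decode_url_host(url):
    """Reduce a URL to the host a browser would actually connect to.

    Keeps only what follows the last @ (user:pass@ is decoration), drops a
    :port, and turns a decimal or 0x-hex integer host into a dotted quad.
    """
    m = re.match(r"https?://([^/?#]+)", url, re.I)
    if not m:
        raise ValueError("not an http(s) URL: %r" % url)
    host = m.group(1).rsplit("@", 1)[-1]
    if host.startswith("["):                      # bracketed IPv6 literal
        return host[1:host.index("]")]
    host = host.split(":", 1)[0]
    if re.fullmatch(r"\d+", host):
        return str(ipaddress.IPv4Address(int(host, 10)))
    if re.fullmatch(r"0x[0-9a-fA-F]+", host):
        return str(ipaddress.IPv4Address(int(host, 16)))
    return host.lower()


def body_hosts(raw_message):
    """Distinct hosts from every URL in the body, ready for whois."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = []
    for url in URL_RE.findall(body):
        host = decode_url_host(url.rstrip(".,)"))
        if host not in hosts:
            hosts.append(host)
    return hosts


def report_targets(raw_message):
    """What to look up before writing to postmaster/abuse at the hosting ISPs."""
    hops = received_hops(raw_message)
    return {"origin_ip": hops[-1]["ip"] if hops else None,
            "body_hosts": body_hosts(raw_message)}


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MAIL):
        print(hop)
    print(report_targets(SAMPLE_MAIL))
```

The script stops where the mail's manual method moves to the network: the returned addresses are what you feed to whois and traceroute, and the inconsistent hop is the one whose announced name should be checked with nslookup rather than believed.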
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:20 PDT