munging email

On 2008-10-24, Bit Twister <BitTwister@mouse-potato.com> wrote:[color=blue]
> On Fri, 24 Oct 2008 15:57:35 +0100, Whiskers wrote:[color=green]
>>
>> It's inconsiderate to use a domain name that belongs to someone else, or
>> might do at some time. However improbable you might think a paricular
>> name is.
>>
>> That parpticular one has in fact been registered:
>>
>> $ whois mouse-potato.com[/color]
>
> Yes, but the mouse-potato.com owner enjoys seeing people using
> mouse-potato.com since that is why he registered it.
>
> Do a ping -c1 mouse-potato.com and check out the ip address.[/color]

With an invalid (improper?) IP number in the DNS set-up, that domain is
unlikely to get very far as the From address in an email. Nor should it,
in my opinion. Using it in usenet is an entirely different matter. If it
makes even one spam-spewing system give itself indigestion, that's fine
by me :))

--
-- ^^^^^^^^^^
-- Whiskers
-- ~~~~~~~~~~

On Fri, 24 Oct 2008 13:39:19 -0400, Whiskers <catwheezel@operamail.com> wrote:
[color=blue]
> Some people like Spam :))[/color]

When it goes directly to a blocklist's spamtrap, sure. See q7 at
[url]http://www.uceprotect.net/en/index.php?m=2&s=0[/url] and
[url]http://www.uceprotect.net/en/index.php?m=3&s=3[/url]
for their listing criteria.

I used to ocassionally redirect it to my ip, just to see what kind of
volume it gets. Uceprotect have given me access to their logs
for mail sent to nomail.afraid.org. Checking yesterday's logs shows
mail sent to it from 351 seperate ip addresses, with 19 of those
being added to the blocklist, as a direct result. (i.e., they weren't
already on the list).

Most of the "to addresses" look like message ids. Some are for an
address I haven't used in three years. There are at least a dozen
people using it, who's addresses have made it to the spammers lists of
sellable email addresses, judging by the volume per address.

Almost all of the from ip addressess look like end user trojaned
systems. The faster they get on the blocklist, the better.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Whiskers wrote:[color=blue]
> On 2008-10-24, Bit Twister <BitTwister@mouse-potato.com> wrote:[color=green]
>> On Fri, 24 Oct 2008 15:57:35 +0100, Whiskers wrote:[color=darkred]
>>> It's inconsiderate to use a domain name that belongs to someone else, or
>>> might do at some time. However improbable you might think a paricular
>>> name is.
>>>
>>> That parpticular one has in fact been registered:
>>>
>>> $ whois mouse-potato.com[/color]
>> Yes, but the mouse-potato.com owner enjoys seeing people using
>> mouse-potato.com since that is why he registered it.
>>
>> Do a ping -c1 mouse-potato.com and check out the ip address.[/color]
>
> With an invalid (improper?) IP number in the DNS set-up, that domain is
> unlikely to get very far as the From address in an email. Nor should it,
> in my opinion. Using it in usenet is an entirely different matter. If it
> makes even one spam-spewing system give itself indigestion, that's fine
> by me :))
>[/color]

Since the IP address has been listed once above, and mentioned here,
should I mention that mouse-potato.com resolves to

127.0.0.1 localhost

An impressive way to address your own machine.

Cheers!

jim b.

--
UNIX is not user unfriendly; it merely
expects users to be computer-friendly.

Whiskers wrote:[color=blue]
> On 2008-10-24, Frank Peelo <f32pnospam@eircom.net> wrote:
>[color=green]
>>Dave Farrance wrote:
>>[color=darkred]
>>>faeychild <phobos@deimos.invalid> wrote:
>>>
>>>
>>>
>>>>I though you may have been onto it then. but it bounces invalid.invalid
>>>
>>>
>>>Did you just put invalid.invalid? It commonly needs to be in the "form"
>>>of a real email address. Try [email]x@x.inva[/email]lid[/color]
>>
>>What about [email]me@mouse-potato.com[/email] ? Is that regarded as a nasty thing to
>>do? mouse-potato.com resolves to 127.0.0.1.
>>
>>Frank[/color]
>
>
> It's inconsiderate to use a domain name that belongs to someone else, or
> might do at some time. However improbable you might think a paricular
> name is.[/color]

Did I say it was improbable? I /did/ say in my previous post
"mouse-potato.com resolves to 127.0.0.1" -- in other words, it is a
valid domain name which someone has set up, to redirect back to the
sender. I have no connection with whoever set it up, but it was
obviously supposed to be a loopback.

So if some spammer starts sending to that address, I would expect the
spammer to spam only itself.

And the question was whether that would be regarded as a nasty thing to
do; the consensus seems to be: not suitable for email, but good in
newsgroups.

Frank

On 2008-10-28, Frank Peelo <f32pnospam@eircom.net> wrote:[color=blue]
> Whiskers wrote:[color=green]
>> On 2008-10-24, Frank Peelo <f32pnospam@eircom.net> wrote:
>>[color=darkred]
>>>Dave Farrance wrote:
>>>
>>>>faeychild <phobos@deimos.invalid> wrote:
>>>>
>>>>
>>>>
>>>>>I though you may have been onto it then. but it bounces invalid.invalid
>>>>
>>>>
>>>>Did you just put invalid.invalid? It commonly needs to be in the "form"
>>>>of a real email address. Try [email]x@x.inva[/email]lid
>>>
>>>What about [email]me@mouse-potato.com[/email] ? Is that regarded as a nasty thing to
>>>do? mouse-potato.com resolves to 127.0.0.1.
>>>
>>>Frank[/color]
>>
>>
>> It's inconsiderate to use a domain name that belongs to someone else, or
>> might do at some time. However improbable you might think a paricular
>> name is.[/color]
>
> Did I say it was improbable? I /did/ say in my previous post
> "mouse-potato.com resolves to 127.0.0.1" -- in other words, it is a
> valid domain name which someone has set up, to redirect back to the
> sender. I have no connection with whoever set it up, but it was
> obviously supposed to be a loopback.[/color]

Or a mistake. I've seen that mistake before, with other domain names
which are not intended to be tricks or jokes. But even if the current
'owner' of that domain has done that on purpose, subsequent owners of it
might have other ideas - so my statement still stands.
[color=blue]
> So if some spammer starts sending to that address, I would expect the
> spammer to spam only itself.
>
> And the question was whether that would be regarded as a nasty thing to
> do; the consensus seems to be: not suitable for email, but good in
> newsgroups.
>
> Frank[/color]

Not possible for sending email, but tolerated in usenet (although not by
all services providing posting access).

--
-- ^^^^^^^^^^
-- Whiskers
-- ~~~~~~~~~~

On Tue, 28 Oct 2008 06:39:09 -0400, Frank Peelo <f32pnospam@eircom.net> wrote:
[color=blue]
> "mouse-potato.com resolves to 127.0.0.1" -- in other words, it is a
> valid domain name which someone has set up, to redirect back to the
> sender. I have no connection with whoever set it up, but it was
> obviously supposed to be a loopback.[/color]

When the swen email worm was active, I looked at the various hostnames in
use, that resolved to a 127/8 address, but as I couldn't contact any of the
owners, I set up my own.

In my opinion, the hostname should not be used without the permission of
the owner, even if it seems obvious, that it's intended to be used that way.

I registered nomail.afraid.org, and have given blanket permission to use
it for usenet from addresses.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

David W. Hodgins wrote:
[color=blue]
> In my opinion, the hostname should not be used without the permission of
> the owner, even if it seems obvious, that it's intended to be used that
> way.[/color]

Except for the arguments about not mungeing the From at all, munged From
are best to use a completely invalid domainname, such as .invalid -- not
something else and not something 'cute-sy'. A significant percentage of
the time that people try to do something cute, the result is some
unnecessary burden on some system or another.
[color=blue]
> I registered nomail.afraid.org, and have given blanket permission to use
> it for usenet from addresses.[/color]

I think that is a bad suggestion, because it puts 'pressure' on resources
which the usage of .invalid would not.

If [email]user@nomail.afraid.org[/email] is used and harvested by 'bots', then the
spammer-dictionary process will marry numerous usernames extracted from
other harvestings to marry to the nomail.afraid.org domainname and
generate millions of spams to those addresses.

Those millions of spams will 'impact' the nameservice for afraid.org
(lookups to get the MX) and subsequently impact the MX for
nomail.afraid.org which is nirvana.admins.ws.

Those nameserver impacts and MX impacts and processes are completely
unnecessary because the spam generated to the usernames + .invalid would
not impact any afraid nameservers nor the nirvana MX.

Another thing is wrong with the suggestion; and that is that nothing
should be considered to be permanent. In the past various people have
allowed or recommended their registered domain to be used for mungeing
From and then later have subsequently abandoned the domain. This caused
the domainname to carry a subsequently unnecessary burden which was caused
by the type of original recommendation which you are making now.

It is better to use an invalid such as .invalid, not something else and
not something which has more effects, presently or potentially in the
future.


--
Mike Easter

On Tue, 28 Oct 2008 13:13:29 -0400, Mike Easter <MikeE@ster.invalid> wrote:
[color=blue]
> Those millions of spams will 'impact' the nameservice for afraid.org
> (lookups to get the MX) and subsequently impact the MX for
> nomail.afraid.org which is nirvana.admins.ws.[/color]

All of the email sent to [email]anyaddress@nomail.afraid.org[/email] goes to a spamtrap,
for a public blocklist (uceprotect).

It's usually under a thousand email messages per day, so the volume isn't
anything out of the ordinary, for the name servers.

The only time I've seen the number of messages get large (over a thousand
per hour), was when a spammer was using it for a return address, and most
of the messages were backscatter. That seemed to stop once I added spf
records, although it's more likely, the spammer just switched to a different
from address.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

David W. Hodgins wrote:[color=blue]
> Mike Easter[/color]
[color=blue][color=green]
>> Those millions of spams will 'impact' the nameservice for afraid.org
>> (lookups to get the MX) and subsequently impact the MX for
>> nomail.afraid.org which is nirvana.admins.ws.[/color]
>
> All of the email sent to [email]anyaddress@nomail.afraid.org[/email] goes to a
> spamtrap, for a public blocklist (uceprotect).[/color]

I'm in favor of blocklists including those which are based on spamtraps,
but...

.... the optimal spamtrap address should be an address which should never
'expect' to be in receipt of legitimate mail, especially those spamtraps
which require some 'action' to remove and most especially those spamtraps
which are not a secret.

Spamtraps which are known and which are known to influence blocklists
which are popular and therefor powerful are subject to misuse by
miscreants. This has happened to spamcop spamtrap addresses.

In the case of a usenet From address, that is actually an address which
original intention and purpose was to be a 'legitimate' email address
which could be emailed by someone who encountered a message in a newsgroup
and who wanted to correspond with the poster by email instead of by
posting into the group.

When someone sees an .invalid address, they know that the address isn't
one for correspondence, or if they don't know they soon discover by the
failure of the invalid address to send. When someone sees a legitimate
valid address being used in a manner which is structured to be sent and
accept legitimate mail, it is reasonable for them to assume that is a real
address.

A spamtrap is not supposed to be toggled by receiving 'legitimate' mail.
A spamtrap is only supposed to be toggled by receiving mail which would
never be mailed to a legitimate address.
[color=blue]
> It's usually under a thousand email messages per day, so the volume
> isn't anything out of the ordinary, for the name servers.[/color]

There isn't anything in the logical structure of your invitation for
people to use it in usenet From which would keep it from being millions.
While we are talking about nameservers, before the nameservers for afraid
are reached, the root servers are queried as well. While it is true that
the root and even the afraid nameservers can handle 'gazillions' of
requests, one point I'm making is that it isn't the same as invalid.

And now I'm making an additional point -- that such exposure isn't a
proper spamtrap because it can be reasonably assumed to get some
legitimate mail.
[color=blue]
> The only time I've seen the number of messages get large (over a
> thousand per hour), was when a spammer was using it for a return
> address, and most of the messages were backscatter.[/color]

That is one of the ways that a miscreant can use the known spamtrap
address to abuse something else. That move causes the mailserver to get
itself uceprotect blocklisted. I'm also against misconfigured mailservers
which do abusive misdirected backscatter, but I don't like the idea of a
known spamtrap being abused to get something else blocklisted.
[color=blue]
> That seemed to
> stop once I added spf records, although it's more likely, the spammer
> just switched to a different from address.[/color]

I think that it is a 'problem' for the creation and utilization of
'perfect' or pristine spamtrap addresses. I don't think that inviting
people to use a domainname in usenet From addresses is a proper solution
to the problem.



--
Mike Easter

On Wed, 29 Oct 2008 18:13:30 -0400, Mike Easter <MikeE@ster.invalid> wrote:
[color=blue]
> In the case of a usenet From address, that is actually an address which
> original intention and purpose was to be a 'legitimate' email address
> which could be emailed by someone who encountered a message in a newsgroup
> and who wanted to correspond with the poster by email instead of by
> posting into the group.[/color]

I reveiwed the listing policies, and discussed it with one of the operators
of uceprotect, before adding the mx record. The listing policy is at
[url]http://www.uceprotect.net/en/index.php?m=3&s=3[/url]
[color=blue]
> And now I'm making an additional point -- that such exposure isn't a
> proper spamtrap because it can be reasonably assumed to get some
> legitimate mail.[/color]

If the sender is using an ip address that doesn't have reverse dns, or
has reverse dns that's obviously dynamic, it's assumed to be a trojaned
computer, and listed after one spamtrap hit. If the reverse dns looks ok,
then they have to hit 50 different spamtraps to get listed.
[color=blue]
> I think that it is a 'problem' for the creation and utilization of
> 'perfect' or pristine spamtrap addresses. I don't think that inviting
> people to use a domainname in usenet From addresses is a proper solution
> to the problem.[/color]

The main purpose of using nomail.afraid.org, is to avoid posting with a real
email address, yet meet some news servers requirements to use an address that
resolves to a real hostname. Most will now allow .invalid, but when I setup
nomail.afraid.org, that was not the case. A side benefit is providing additional
data to the blocklist, which will be removed, if I find it is causing problems.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

On 2008-10-29, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:[color=blue]
> On Tue, 28 Oct 2008 13:13:29 -0400, Mike Easter <MikeE@ster.invalid> wrote:
>[color=green]
>> Those millions of spams will 'impact' the nameservice for afraid.org
>> (lookups to get the MX) and subsequently impact the MX for
>> nomail.afraid.org which is nirvana.admins.ws.[/color]
>
> All of the email sent to [email]anyaddress@nomail.afraid.org[/email] goes to a spamtrap,
> for a public blocklist (uceprotect).[/color]

[...]

Are you saying that any email sent to that domain gets the originating IP
number added to a blocklist? Or have you got some system for
distinguishing innocent legitimate messages from whatever it is your
blocklist considers to be "spam"?

You seem to be getting close to, if not crossing, the line that separates
legitimacy from abuse.

--
-- ^^^^^^^^^^
-- Whiskers
-- ~~~~~~~~~~

On 2008-10-29, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:[color=blue]
> On Wed, 29 Oct 2008 18:13:30 -0400, Mike Easter <MikeE@ster.invalid> wrote:[/color]

[...]
[color=blue]
> The main purpose of using nomail.afraid.org, is to avoid posting with a
> real email address, yet meet some news servers requirements to use an
> address that resolves to a real hostname. Most will now allow .invalid,
> but when I setup nomail.afraid.org, that was not the case. A side
> benefit is providing additional data to the blocklist, which will be
> removed, if I find it is causing problems.
>
> Regards, Dave Hodgins[/color]

Any post to usenet is an invitation for a response - either in the
newsgroup(s) posted to or by private email. Unless the From address you
use is clearly impossible to send emails to, it is an invitation for
people to send emails to it. That isn't a spam trap, it's an
indiscriminate and misleading trick if you assume that all emails sent to
that address are illegitimate - or arguably, even if you merely never look
at the messages arriving there.

I've found that combining a From address (which does get a significant
amount of spam, but which I do look at most days to pick out any non-spam
messages) and a Reply-To address (which doesn't seem to get picked up by
the bots searching basic usenet headers for addresses, but which most
newsreader programs will at least prompt a user to send email to instead
of the From address) works pretty well for me. Neither of those addresses
is used for 'personal' or 'business' purposes.

--
-- ^^^^^^^^^^
-- Whiskers
-- ~~~~~~~~~~

Whiskers wrote:[color=blue]
> Any post to usenet is an invitation for a response - either in the
> newsgroup(s) posted to or by private email. Unless the From address you
> use is clearly impossible to send emails to, it is an invitation for
> people to send emails to it.[/color]

Does anybody think the method I'm using for newsgroups is a bad idea?
The "From:" header is (obviously, I think) invalid. However, when I
think anyone might want to email me, I have a valid address in my sig,
using a fiendishly clever encoding scheme. :-) That's the address I use
for newsgroups and mailing lists that I want to be on, and I do check it
(and reply) often.

Adam
--
Email: adam seven zero seven AT verizon DOT net

On Sun, 02 Nov 2008 21:19:43 -0500, Adam <look@bottom.of.message> wrote:
[color=blue]
> Does anybody think the method I'm using for newsgroups is a bad idea?[/color]

It violates [url]http://www.rfc-editor.org/rfc/rfc2606.txt[/url] and message may
some day become a vaild top level domain.

The hostname used in the address should either be a valid hostname that
you have permission to use, or be one test, example, invalid, or
localhost.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Adam wrote:
[color=blue]
> Whiskers wrote:[color=green]
>> Any post to usenet is an invitation for a response - either in the
>> newsgroup(s) posted to or by private email. Unless the From address you
>> use is clearly impossible to send emails to, it is an invitation for
>> people to send emails to it.[/color]
>
> Does anybody think the method I'm using for newsgroups is a bad idea?
> The "From:" header is (obviously, I think) invalid. However, when I
> think anyone might want to email me, I have a valid address in my sig,
> using a fiendishly clever encoding scheme. :-) That's the address I use
> for newsgroups and mailing lists that I want to be on, and I do check it
> (and reply) often.
>
> Adam[/color]

You really need the .invalid top-level domain. The best explanation I've
seen is here: [url]http://www.2kevin.net/munging.html[/url]

>> Does anybody think the method I'm using for newsgroups is a bad idea?[color=blue]
>
> You really need the .invalid top-level domain. The best explanation I've
> seen is here: [url]http://www.2kevin.net/munging.html[/url][/color]

Thanks, David and Cliff! I've changed it. (Even if it will mess up
Google Groups' cumulative count of my posts. :-) )

Now if only I could be sure that my sig wasn't too hard for anyone to
decode... I'm sure that some user will find a way to screw it up...

Adam
--
Email: adam seven zero seven AT verizon DOT net

On Sun, 02 Nov 2008, in the Usenet newsgroup alt.os.linux.mandriva, in article
<op.uj0uj5zka3w0dxdave@hodgins.homeip.net>, David W. Hodgins wrote:
[color=blue]
>Adam <look@bottom.of.message> wrote:[/color]
[color=blue][color=green]
>> Does anybody think the method I'm using for newsgroups is a bad idea?[/color][/color]
[color=blue]
>It violates [url]http://www.rfc-editor.org/rfc/rfc2606.txt[/url][/color]

2606 Reserved Top Level DNS Names. D. Eastlake 3rd, A. Panitz. June
1999. (Format: TXT=8008 bytes) (Also BCP0032) (Status: BEST
CURRENT PRACTICE)

Status of this Memo

This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.

But RFC2606 is only a recommendation, not a requirement. There is a
standards track _DRAFT_ RFC in the works (and has been for several
years) that if it ever gets adopted will replace RFC1036

1036 Standard for interchange of USENET messages. M.R. Horton, R.
Adams. December 1987. (Format: TXT=46891 bytes) (Obsoletes
RFC0850) (Status: UNKNOWN)

and the latest version I'm aware of is "Netnews Architecture and
Protocols" ([url]ftp://ftp.isi.edu//in-notes/internet-drafts/[/url]
draft-ietf-usefor-usepro-12.txt) which in the next-to-last paragraph of
section 3.4 reads:

Contrary to [RFC2822], which implies that the mailbox or mailboxes in
the From header field should be that of the poster or posters, a
poster who does not, for whatever reason, wish to use his own mailbox
MAY use any mailbox ending in the top level domain ".invalid"
[RFC2606].

But note that this is a _draft_ RFC - and has no standing other than to
indicate which way things _might_ be headed. I think this is a bit
better than the old 'Address Munging FAQ' that used to be posted
regularly ([url]http://www.faqs.org/faqs/net-abuse-faq/munging-address/[/url])
[color=blue]
>and message may some day become a vaild top level domain.[/color]

Possible - but that's a bit of a stretch. Back in June, ICANN voted to
allow 'vanity' top level domains beginning next spring, but I don't
expect to see to much out of that. After all, EVERYONE knows that
all hosts on the Internet begin with "www" and end with ".com". ;-)

Old guy