Need automatic spam reporting tool - SCO


  1. Need automatic spam reporting tool

    I'm flooded with returned messages from e-mail servers
    bouncing spam messages where the spammer uses fake "From:"
    tags with random names on my 24by7webstores.com site:
    "From: "Mort tikkanen" "

    In working on this problem, I have developed AWK scripts
    that collect the bounced messages by originating IP address into
    files:

    24 85.97.42.31.collect
    239 78.174.242.34.collect
    36 212.156.220.69.collect
    19 88.235.103.244.collect
    18 86.134.238.12.collect
    10 86.136.138.121.collect

    Where each *.collect file contains all the spam messages
    originating from the IP part of the file name (24, 239,
    36 messages etc...).

    Up to this point I have been manually looking up the IP
    addresses on www.samspade.org and manually generating a
    report list:

    24 85.97.42.31.collect 85.97.40.0 - 85.97.55.255 abuse@ttnet.net.tr
    239 78.174.242.34.collect 78.174.0.0 - 78.174.255.255 abuse@ttnet.net.tr
    36 212.156.220.69.collect 212.156.220.0 - 212.156.220.255 abuse@ttnet.net.tr
    19 88.235.103.244.collect 88.235.0.0 - 88.235.127.255 abuse@ttnet.net.tr

    zip spam_abuse_ttnet.zip 85.97.42.31.collect 88.235.103.244.collect 212.156.220.69.collect 78.174.242.34.collect

    18 86.134.238.12.collect 86.128.0.0 - 86.135.255.255 abuse@btbroadband.com
    10 86.136.138.121.collect 86.136.0.0 - 86.141.255.255 abuse@btbroadband.com

    zip spam_abuse_btbroadband.zip 86.152.52.171.collect 86.133.98.183.collect 86.134.236.155.collect 86.134.238.12.collect 86.136.138.121.collect 86.141.218.48.collect

    I run the zip command line to zip the target collect files into submission
    archives:

    -rw-r--r-- 1 smf group 14716 Mar 4 23:46 spam_abuse_arcor-ip.zip
    -rw-r--r-- 1 smf group 39321 Mar 4 23:46 spam_abuse_btbroadband.zip

    -rw-r--r-- 1 smf group 961695 Mar 4 23:46 spam_abuse_charter.zip
    -rw-r--r-- 1 smf group 52350 Mar 4 23:46 spam_abuse_merit.zip
    -rw-r--r-- 1 smf group 11390 Mar 4 23:46 spam_abuse_nextra.zip
    -rw-r--r-- 1 smf group 45832 Mar 4 23:46 spam_abuse_postini.zip
    -rw-r--r-- 1 smf group 10961 Mar 4 23:46 spam_abuse_tpnet.pl.zip
    -rw-r--r-- 1 smf group 212194 Mar 4 23:46 spam_abuse_ttnet.zip

    Then I manually compose an e-mail to the abuse@ address, attaching
    the corresponding zip archive.

    Now I'd like to automate the reverse IP look-up so that I can
    script the whole reporting process.

    Unfortunately, whois on SCO does not provide the necessary information.

    Any suggestions on how to lookup the information I need
    automatically with tools on the SCO 5.0.7 system?

    Or is there an open source tool that can be compiled for SCO
    that will provide the information I need?


    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  2. Re: Need automatic spam reporting tool

    On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
    > I'm flooded with returned messages from e-mail servers
    > bouncing spam messages where the spammer uses fake "From:"
    > tags with random names on my 24by7webstores.com site:
    > "From: "Mort tikkanen" "


    I use spf. It allows domain owners to specify their outgoing email
    servers and thus allows receivers to decide how to handle. I discard email
    on SPF Fail. It allows you to do a lot of other things. There are some
    python filters that really assist/automate reputations for email. You
    could search the SPF Discuss list to find them. I use a combination of
    things. But having a SPF record cuts down on bounces.

    SPF FAQ: http://www.openspf.org/FAQ
    Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

    > Unfortunately, whois on SCO does not provide the necessary information.


    You can compile the Open Source version and run it. It works really well.
    I currently do not have an OSR 5.0.7 machine available to do compiles.

    > Any suggestions on how to lookup the information I need
    > automatically with tools on the SCO 5.0.7 system?
    >
    > Or is there an open source tool that can be compiled for SCO
    > that will provide the information I need?


    I really like

    python-pydns
    python-pydspam
    python-pyspf
    python-pygossip
    python-pysrs

    I use the above to automate the whole process. Look at what

    Stuart D. Gathman

    He has really perfected them. He is the developer.


    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  3. Re: Need automatic spam reporting tool

    On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
    >I'm flooded with returned messages from e-mail servers
    >bouncing spam messages where the spammer uses fake "From:"
    >tags with random names on my 24by7webstores.com site:
    >"From: "Mort tikkanen" "


    You should be able to build the current version of whois on SCO
    systems without much problem.

    On the other hand, dealing with idiots who don't control the
    blowback resulting from forged From and Sender in spam, is
    generally a waste of your time and effort (a good bit of what I
    see here is from Barracuda boxes, and I don't know whether that's
    the default setting on current Barracudas).

    Is it possible that your web site has a vulnerable formail.pl
    script (are there any non-vulnerable ones :-) so the messages are
    actually being sent through the web server?

    ....
    Bill
    --
    INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    Liberals love to say things like, 'We're just asking everyone to pay
    their fair share.' But government is not about asking. It is about telling.
    The difference is fundamental. It is the difference between making love and
    being raped, between working for a living and being a slave.
    Dr. Thomas Sowell, Forbes, July 1994

  4. Re: Need automatic spam reporting tool

    On Wed, 5 Mar 2008, Boyd Lynn Gerber wrote:
    > On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
    > > I'm flooded with returned messages from e-mail servers
    > > bouncing spam messages where the spammer uses fake "From:"
    > > tags with random names on my 24by7webstores.com site:
    > > "From: "Mort tikkanen" "

    >
    > I use spf. It allows domain owners to specify their outgoing email
    > servers and thus allows receivers to decide how to handle. I discard email
    > on SPF Fail. It allows you to do a lot of other things. There are some
    > python filters that really assist/automate reputations for email. You
    > could search the SPF Discuss list to find them. I use a combination of
    > things. But having a SPF record cuts down on bounces.
    >
    > SPF FAQ: http://www.openspf.org/FAQ
    > Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
    >
    > > Unfortunately, whois on SCO does not provide the necessary information.

    >
    > You can compile the Open Source version and run it. It works really well.
    > I currently do not have an OSR 5.0.7 machine available to do compiles.
    >
    > > Any suggestions on how to lookup the information I need
    > > automatically with tools on the SCO 5.0.7 system?
    > >
    > > Or is there an open source tool that can be compiled for SCO
    > > that will provide the information I need?

    >
    > I really like
    >
    > python-pydns
    > python-pydspam
    > python-pyspf
    > python-pygossip
    > python-pysrs
    >
    > I use the above to automate the whole process. Look at what
    >
    > Stuart D. Gathman
    >
    > He has really perfected them. He is the developer.


    I forgot to mention, I use these with the latest Sendmail or Postfix.
    Also I use python-postfix-policyd-spf with postfix. Others have reported
    using it with Sendmail and milters.

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  5. Re: Need automatic spam reporting tool

    Boyd Lynn Gerber wrote:
    > On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
    >> I'm flooded with returned messages from e-mail servers
    >> bouncing spam messages where the spammer uses fake "From:"
    >> tags with random names on my 24by7webstores.com site:
    >> "From: "Mort tikkanen" "

    >
    > I use spf. It allows domain owners to specify their outgoing email
    > servers and thus allows receivers to decide how to handle. I discard email
    > on SPF Fail. It allows you to do a lot of other things. There are some
    > python filters that really assist/automate reputations for email. You
    > could search the SPF Discuss list to find them. I use a combination of
    > things. But having a SPF record cuts down on bounces.


    Boyd,

    You miss my point. I don't have a problem with bounced messages coming back.
    None of the original spam messages is coming from my website or from me.
    What angers me is that someone or some group of people have misappropriated
    my domain to facilitate their spamming.

    Because the volume ranges from 1000 to 3000 bounced messages being
    sent back to the bogus From: address, I seek to build a tool to
    automate dropping these messages back on the ISP hosting the open
    relays or spammer's machine to assist them in building a case to
    shut them down.

    The 1000 to 3000 messages is probably a small percentage of the total
    spam these people are generating as only a small percentage of
    receiving systems bounce the messages (10 - 20%?).

    Because I have to manually cut and paste the IP address into
    www.samspade.org, I limit my responses to IP addresses
    with 20 or more messages. Since Samspade.org obviously is
    automated, I should be able to do the same thing to automate
    my submissions to the subject ISP abuse reporting addresses.


    >
    > SPF FAQ: http://www.openspf.org/FAQ
    > Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
    >
    >> Unfortunately, whois on SCO does not provide the necessary information.

    >
    > You can compile the Open Source version and run it. It works really well.
    > I currently do not have an OSR 5.0.7 machine available to do compiles.
    >
    >> Any suggestions on how to lookup the information I need
    >> automatically with tools on the SCO 5.0.7 system?
    >>
    >> Or is there an open source tool that can be compiled for SCO
    >> that will provide the information I need?

    >
    > I really like
    >
    > python-pydns
    > python-pydspam
    > python-pyspf
    > python-pygossip
    > python-pysrs
    >
    > I use the above to automate the whole process. Look at what
    >
    > Stuart D. Gathman
    >
    > He has really perfected them. He is the developer.
    >
    >
    > --
    > Boyd Gerber
    > ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
    >
    >


    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670


  6. Re: Need automatic spam reporting tool

    Bill Campbell wrote:
    > On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
    >> I'm flooded with returned messages from e-mail servers
    >> bouncing spam messages where the spammer uses fake "From:"
    >> tags with random names on my 24by7webstores.com site:
    >> "From: "Mort tikkanen" "

    >
    > You should be able to build the current version of whois on SCO
    > systems without much problem.


    Is there a command string to whois that will accept an IP address
    and return something that looks like this?:

    (Asked whois.apnic.net:43 about 117.11.60.63)

    inetnum: 117.8.0.0 - 117.15.255.255
    netname: CNCGROUP-TJ
    descr: CNC Group Tianjin province network
    descr: China Network Communications Group Corporation
    descr: No.156 Fu-Xing-Men-Nei Street
    descr: Beijing 100031
    country: CN
    admin-c: CH455-AP
    tech-c: HZ19-AP
    remarks: service provider
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CNCGROUP-TJ
    mnt-routes: MAINT-CNCGROUP-RR
    status: ALLOCATED PORTABLE
    remarks: --------------------------
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: --------------------------
    changed: hm-changed@apnic.net 20070525
    source: APNIC
    route: 117.8.0.0/13
    descr: CNC Group CHINA169 Tianjin Province Network
    country: CN
    origin: AS4837
    mnt-by: MAINT-CNCGROUP-RR
    changed: abuse@cnc-noc.net 20070525
    source: APNIC
    role: CNCGroup Hostmaster
    e-mail: abuse@cnc-noc.net



    >
    > On the other hand, dealing with idiots who don't control the
    > blowback resulting from forged From and Sender in spam, is
    > generally a waste of your time and effort (a good bit of what I
    > see here is from Barracuda boxes, and I don't know whether that's
    > the default setting on current Barracudas).


    Bill, I welcome the bounced messages. It gives me a chance to submit
    them to the ISPs where the open relays or spammers lurk.

    As I indicated to Boyd, I am angered by someone cloaking their
    spam as from my domain. Unstopped, they will eventually result
    in my domain being added to rbl so I'll have to take action
    to have my site removed from the black list.

    >
    > Is it possible that your web site has a vulnerable formail.pl
    > script (are there any non-vulnerable ones :-) so the messages are
    > actually being sent through the web server?


    No, examination of the bounced messages headers show the
    originating IP addresses of the spam. I collect all messages
    identified by originating IP address and then submit them
    to the ISP for the IP address.

    >
    > ...
    > Bill
    > --
    > INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    > URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    > FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
    >
    > Liberals love to say things like, 'We're just asking everyone to pay
    > their fair share.' But government is not about asking. It is about telling.
    > The difference is fundamental. It is the difference between making love and
    > being raped, between working for a living and being a slave.
    > Dr. Thomas Sowell, Forbes, July 1994
    >
    >


    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  7. Re: Need automatic spam reporting tool

    On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
    >Bill Campbell wrote:
    >> On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
    >>> I'm flooded with returned messages from e-mail servers
    >>> bouncing spam messages where the spammer uses fake "From:"
    >>> tags with random names on my 24by7webstores.com site:
    >>> "From: "Mort tikkanen" "

    >>
    >> You should be able to build the current version of whois on SCO
    >> systems without much problem.

    >
    >Is there a command string to whois that will accept an IP address
    >and return something that looks like this?:
    >
    >(Asked whois.apnic.net:43 about 117.11.60.63)


    I'm running whois 4.7.24 on a Linux box here, and the command is simply
    ``whois ipaddress''

    whois 117.11.60.63
    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 117.8.0.0 - 117.15.255.255
    netname: CNCGROUP-TJ
    descr: CNC Group Tianjin province network
    descr: China Network Communications Group Corporation
    descr: No.156,Fu-Xing-Men-Nei Street,
    descr: Beijing 100031
    country: CN
    admin-c: CH455-AP
    tech-c: HZ19-AP
    remarks: service provider
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CNCGROUP-TJ
    mnt-routes: MAINT-CNCGROUP-RR
    status: ALLOCATED PORTABLE
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed: hm-changed@apnic.net 20070525
    source: APNIC

    route: 117.8.0.0/13
    descr: CNC Group CHINA169 Tianjin Province Network
    country: CN
    origin: AS4837
    mnt-by: MAINT-CNCGROUP-RR
    changed: abuse@cnc-noc.net 20070525
    source: APNIC

    role: CNCGroup Hostmaster
    e-mail: abuse@cnc-noc.net
    address: No.156,Fu-Xing-Men-Nei Street,
    address: Beijing,100031,P.R.China
    nic-hdl: CH455-AP
    phone: +86-10-82993155
    fax-no: +86-10-82993102
    country: CN
    admin-c: CH444-AP
    tech-c: CH444-AP
    changed: abuse@cnc-noc.net 20041119
    mnt-by: MAINT-CNCGROUP
    source: APNIC

    person: huang zheng
    nic-hdl: HZ19-AP
    e-mail: ipaddr@ywb.online.tj.cn
    address: 76 NO, ShiZiLin Street ,HeBei district of Tianjin,China
    phone: +86-22-24459190
    fax-no: +86-22-24454499
    country: CN
    changed: ipaddr@ywb.online.tj.cn 20050721
    mnt-by: MAINT-CNCGROUP-TJ
    source: APNIC

    ....
    Bill
    --
    INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    I don't care how little your country is, you got a right to run it like
    you want to. When the big nations quit meddling, then the world will have
    peace. -- Will Rogers
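
One way to script the lookup-and-group step discussed in this thread, as an added example that is not code from any poster: it parses `whois` output like the APNIC reply above into range and abuse address, then prints the report lines and `zip` commands in the form used in the first post. `WHOIS_CMD`, `fake_whois`, the archive naming and the sample tallies are assumptions made so it runs offline; it also recognises the ARIN-style `NetRange`/`OrgAbuseEmail` and RIPE-style `abuse-mailbox` keys, which goes beyond the one reply shown.

```shell
#!/bin/sh
# Added example, not from the thread: group *.collect files by abuse contact.

# parse_whois: whois text on stdin -> "<range><TAB><abuse address>".
# Exit status 1 when the reply has no range or no address.
parse_whois() {
    awk '
    function val(s) {                  # strip "key:" and padding
        sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s
    }
    /^(inetnum|NetRange):/ && range == ""            { range = val($0) }
    /^(abuse-mailbox|OrgAbuseEmail):/ && abuse == "" { abuse = val($0) }
    /^e-mail:/ {
        a = val($0)
        if (first == "") first = a
        if (role == "" && tolower(a) ~ /^abuse@/) role = a
    }
    END {
        # prefer a dedicated abuse key, then an abuse@ contact, then any contact
        if (abuse == "") abuse = (role != "" ? role : first)
        if (range == "" || abuse == "") exit 1
        print range "\t" abuse
    }'
}

# build_report [min]: "count file" lines on stdin -> report lines, then one
# zip command per abuse address. Commands are printed for review, not run.
build_report() {
    min=${1:-20}
    while read -r count file; do
        [ "$count" -ge "$min" ] 2>/dev/null || continue
        ip=${file%.collect}
        # The name was derived from headers of hostile mail: digits and dots only.
        case $ip in
            ''|*[!0-9.]*) echo "skip: bad name $file" >&2; continue ;;
        esac
        info=$(${WHOIS_CMD:-whois} "$ip" </dev/null | parse_whois) || {
            echo "skip: no contact for $ip" >&2; continue; }
        printf '%s\t%s\t%s\n' "$count" "$file" "$info"
    done | awk -F'\t' '
    {
        print $1, $2, $3, $4
        if (!($4 in files)) order[++n] = $4   # keep first-seen order
        files[$4] = files[$4] " " $2
    }
    END {
        for (i = 1; i <= n; i++) {
            dom = order[i]; sub(/^.*@/, "", dom)
            gsub(/[^A-Za-z0-9.-]/, "_", dom)  # whois text is untrusted too
            print "zip spam_abuse_" dom ".zip" files[order[i]]
        }
    }'
}

# Constructed stand-in for whois so the example runs offline. The first record
# is trimmed from the APNIC reply quoted above; the rest is made up.
fake_whois() {
    case $1 in
    117.11.60.63|117.9.1.2) cat <<'EOF'
% [whois.apnic.net node-2]
inetnum:      117.8.0.0 - 117.15.255.255
netname:      CNCGROUP-TJ
changed:      hm-changed@apnic.net 20070525
role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
person:       huang zheng
e-mail:       ipaddr@ywb.online.tj.cn
EOF
    ;;
    192.0.2.10) cat <<'EOF'
NetRange:       192.0.2.0 - 192.0.2.255
OrgAbuseEmail:  abuse@isp.example
EOF
    ;;
    *) echo "% no entries found" ;;
    esac
}

# Constructed tallies in the "count file" form used in the first post.
sample_tally() {
    printf '%s\n' '239 117.11.60.63.collect' '36 117.9.1.2.collect' \
        '25 192.0.2.10.collect' '18 198.51.100.7.collect' \
        '40 203.0.113.9.collect' '99 not-an-ip.collect'
}

WHOIS_CMD=fake_whois
sample_tally | build_report 20
```

Unset `WHOIS_CMD` to use the installed `whois`; entries below the threshold, with malformed names, or with no contact in the reply are skipped, the last two with a note on stderr.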

  8. Re: Need automatic spam reporting tool

    In article <47CEF8FE.7050100@att.net>,
    Steve M. Fabac, Jr. wrote:
    >Boyd Lynn Gerber wrote:
    >> On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
    >>> I'm flooded with returned messages from e-mail servers
    >>> bouncing spam messages where the spammer uses fake "From:"
    >>> tags with random names on my 24by7webstores.com site:
    >>> "From: "Mort tikkanen" "

    >>
    >> I use spf. It allows domain owners to specify their outgoing email
    >> servers and thus allows receivers to decide how to handle. I discard email
    >> on SPF Fail. It allows you to do a lot of other things. There are some
    >> python filters that really assist/automate reputations for email. You
    >> could search the SPF Discuss list to find them. I use a combination of
    >> things. But having a SPF record cuts down on bounces.

    >
    >Boyd,
    >
    >You miss my point. I don't have a problem with bounced messages coming back.
    >None of the original spam messages is coming from my website or from me.


    Boyd may have confused you by referring to both the application and publishing
    of SPF records. Applying SPF to incoming mail acceptance policy won't help
    with your immediate problem, but publishing SPF records for your domain might,
    by allowing any mail systems that *do* use SPF to know whether incoming mail
    with a return address in your domain actually originated from a host authorized
    to send such mail.

    > As I indicated to Boyd, I am angered by someone cloaking their
    > spam as from my domain. Unstopped, they will eventually result
    > in my domain being added to rbl so I'll have to take action
    > to have my site removed from the black list.


    Mail forged in the manner described above won't result in your domain being
    added to any responsibly maintained blacklist. Any that would make such a
    mistake will be little used for that very reason.

    John
    --
    John DuBois spcecdt@armory.com KC6QKZ/AE http://www.armory.com/~spcecdt/

  9. Re: Need automatic spam reporting tool

    On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
    > > On the other hand, dealing with idiots who don't control the
    > > blowback resulting from forged From and Sender in spam, is
    > > generally a waste of your time and effort (a good bit of what I
    > > see here is from Barracuda boxes, and I don't know whether that's
    > > the default setting on current Barracudas).

    >
    > Bill, I welcome the bounced messages. It gives me a chance to submit
    > them to the ISPs where the open relays or spammers lurk.
    >
    > As I indicated to Boyd, I am angered by someone cloaking their
    > spam as from my domain. Unstopped, they will eventually result
    > in my domain being added to rbl so I'll have to take action
    > to have my site removed from the black list.


    Forgery and stopping is why SPF exists.

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  10. Re: Need automatic spam reporting tool

    On Wed, 5 Mar 2008, John DuBois wrote:
    > In article <47CEF8FE.7050100@att.net>,
    > Steve M. Fabac, Jr. wrote:
    > >Boyd Lynn Gerber wrote:
    > >> On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
    > >>> I'm flooded with returned messages from e-mail servers
    > >>> bouncing spam messages where the spammer uses fake "From:"
    > >>> tags with random names on my 24by7webstores.com site:
    > >>> "From: "Mort tikkanen" "
    > >>
    > >> I use spf. It allows domain owners to specify their outgoing email
    > >> servers and thus allows receivers to decide how to handle. I discard
    > >> email on SPF Fail. It allows you to do a lot of other things.
    > >> There are some python filters that really assist/automate reputations
    > >> for email. You could search the SPF Discuss list to find them. I
    > >> use a combination of things. But having a SPF record cuts down on
    > >> bounces.

    > >
    > >You miss my point. I don't have a problem with bounced messages coming back.
    > >None of the original spam messages is coming from my website or from me.

    >
    > Boyd may have confused you by referring to both the application and
    > publishing of SPF records. Applying SPF to incoming mail acceptance
    > policy won't help with your immediate problem, but publishing SPF
    > records for your domain might, by allowing any mail systems that *do*
    > use SPF to know whether incoming mail with a return address in your
    > domain actually originated from a host authorized to send such mail.


    From the last informal search there are over 10,000,000 domains with SPF v1
    records. SPF has 2 parts. Domain owner publish of record. Receiver
    acting on SPF record. Spamassassin uses SPF to rate emails.

    > > As I indicated to Boyd, I am angered by someone cloaking their spam as
    > > from my domain. Unstopped, they will eventually result in my domain
    > > being added to rbl so I'll have to take action to have my site removed
    > > from the black list.

    >
    > Mail forged in the manner described above won't result in your domain being
    > added to any responsibly maintained blacklist. Any that would make such a
    > mistake will be little used for that very reason.


    +1

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  11. Re: Need automatic spam reporting tool


    > Unfortunately, whois on SCO does not provide the necessary information.
    >
    > Any suggestions on how to lookup the information I need
    > automatically with tools on the SCO 5.0.7 system?
    >
    > Or is there an open source tool that can be compiled for SCO
    > that will provide the information I need?


    Here ya go:
    http://www.aljex.com/bkw/sco/#whois

    It's also uploaded here but new uploads take a day to show up
    ftp://pcunix.com/pub/bkw/

    --
    Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
    +++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
    filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!


  12. Re: Need automatic spam reporting tool


    ----- Original Message -----
    From: "Brian K. White"
    Newsgroups: comp.unix.sco.misc
    To:
    Sent: Wednesday, March 05, 2008 7:32 PM
    Subject: Re: Need automatic spam reporting tool


    >
    >> Unfortunately, whois on SCO does not provide the necessary information.
    >>
    >> Any suggestions on how to lookup the information I need
    >> automatically with tools on the SCO 5.0.7 system?
    >>
    >> Or is there an open source tool that can be compiled for SCO
    >> that will provide the information I need?

    >
    > Here ya go:
    > http://www.aljex.com/bkw/sco/#whois


    Initially I had 4.7.20 up, just upped to 4.7.24 .

    --
    Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
    +++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
    filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!


  13. Re: Need automatic spam reporting tool

    Brian K. White wrote:
    > ----- Original Message -----
    > From: "Brian K. White"
    > Newsgroups: comp.unix.sco.misc
    > To:
    > Sent: Wednesday, March 05, 2008 7:32 PM
    > Subject: Re: Need automatic spam reporting tool
    >
    >
    >>> Unfortunately, whois on SCO does not provide the necessary information.
    >>>
    >>> Any suggestions on how to lookup the information I need
    >>> automatically with tools on the SCO 5.0.7 system?
    >>>
    >>> Or is there an open source tool that can be compiled for SCO
    >>> that will provide the information I need?

    >> Here ya go:
    >> http://www.aljex.com/bkw/sco/#whois

    >
    > Initially I had 4.7.20 up, just upped to 4.7.24 .
    >


    Thanks Brian !!!

    That should save me a lot of work (trying to find it,
    compiling it then getting it to run).

    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  14. Re: Need automatic spam reporting tool

    Steve M. Fabac, Jr. wrote:
    > I'm flooded with returned messages from e-mail servers
    > bouncing spam messages where the spammer uses fake "From:"
    > tags with random names on my 24by7webstores.com site:
    > "From: "Mort tikkanen" "
    >


    Note: this is not the "From:" line causing this. It's the "FROM " line, the
    bounce address sent by the SMTP client submitting the message. This can, but
    need not, be the same as the "From:" address. Don't get confused by the
    distinction: tools like SPF help avoid this by filtering on the "FROM " line,
    and establishing whether the connecting host is permitted or expected to send
    email with the hostname published for the "FROM " address.

  15. Re: Need automatic spam reporting tool

    On Sat, 8 Mar 2008, Nico Kadel-Garcia wrote:
    > Steve M. Fabac, Jr. wrote:
    > > I'm flooded with returned messages from e-mail servers
    > > bouncing spam messages where the spammer uses fake "From:"
    > > tags with random names on my 24by7webstores.com site:
    > > "From: "Mort tikkanen" "

    >
    > Note: this is not the "From:" line causing this. It's the "FROM " line,
    > the bounce address sent by the SMTP client submitting the message. This
    > can, but need not, be the same as the "From:" address. Don't get
    > confused by the distinction: tools like SPF help avoid this by filtering
    > on the "FROM " line, and establishing whether the connecting host is
    > permitted or expected to send email with the hostname published for the
    > "FROM " address.


    You need to be a bit clearer. SPF works on the RFC 821/2821 Mail From.
    The From above looks like it is about the RFC 822/2822 From. Sender ID
    and DKIM both attempt to protect the RFC 822/2822 From. DKIM also uses a
    method to validate the Data of the SMTP data. Forwarding requires a new
    Validate stamp as well.


    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  16. Re: Need automatic spam reporting tool

    Nico Kadel-Garcia wrote:
    > Steve M. Fabac, Jr. wrote:
    >> I'm flooded with returned messages from e-mail servers
    >> bouncing spam messages where the spammer uses fake "From:"
    >> tags with random names on my 24by7webstores.com site:
    >> "From: "Mort tikkanen" "
    >>

    >
    > Note: this is not the "From:" line causing this. It's the "FROM " line,
    > the bounce address sent by the SMTP client submitting the message. This
    > can, but need not, be the same as the "From:" address. Don't get
    > confused by the distinction: tools like SPF help avoid this by filtering
    > on the "FROM " line, and establishing whether the connecting host is
    > permitted or expected to send email with the hostname published for the
    > "FROM " address.
    >
    >


    The "From: " tag was an expedient in my post. It is possibly not
    responsible for the bounced message getting bounced to postmaster
    at 24by7webstores.com

    More likely the: "Return-Path: "
    in the sample message below (one of the 3169 bounced messages
    collected in /tmp/218.236.142.180.collect) is bouncing the message
    to me.

    3169 218.236.142.180.collect abuse@hanaro.com
    336 61.88.180.137.collect 61.88.0.0 - 61.88.255.255 abuse@optus.net.au
    11 64.18.6.14.collect 64.18.0.0 - 64.18.15.255 noc@postinicorp.com

    One message from 218.236.142.180.collect:

    * From smf Thu Mar 6 00:30:01 2008
    * X-Originating-IP: [207.115.20.67]
    * X-Originating-IP: [216.57.213.233]
    * Delivered-To: 24by7webstores.com-postmaster@24by7webstores.com
    * Message-ID: <20080306053001.1687.qmail@innuitymail.com>
    * Delivered-To: uozniihs1975@24by7webstores.com
    * Date: 5 Mar 2008 21:30:07 -0800
    * From: MAILER-DAEMON@roswell.stimulusdesign.com
    * To: uozniihs1975@24by7webstores.com
    * Subject: failure notice
    * Status: O

    Hi. This is the qmail-send program at roswell.stimulusdesign.com.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    :
    This address no longer accepts mail.

    --- Below this line is a copy of the message.

    * Return-Path:
    * Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
    > Received: from unknown (HELO ?218.236.142.180?) (218.236.142.180)

    by pacificballooncharters.com with SMTP; 5 Mar 2008 21:30:06 -0800
    * Message-ID: <000f01c87f4b$1f360d90$b48eecda@leeig>
    * From: "Jasan dunaway"
    * To: petgord34truew@pacificballooncharters.com
    * Subject: Upsize today
    * Date: Thu, 6 Mar 2008 14:30:00 +0900
    * MIME-Version: 1.0
    * Content-Type: multipart/alternative;
    boundary="--------=_NextPart_000_000B_01C87F96.8F1B4490"
    * X-Priority: 3
    * X-MSMail-Priority: Normal
    * X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    * X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

    * ----------=_NextPart_000_000B_01C87F96.8F1B4490
    * Content-Type: text/plain;
    charset="iso-8859-1"
    * Content-Transfer-Encoding: quoted-printable

    Discover the secret to pleasuring your partner and giving her multiple =
    orgasms every single time
    * ----------=_NextPart_000_000B_01C87F96.8F1B4490
    * Content-Type: text/html;
    charset="iso-8859-1"
    * Content-Transfer-Encoding: quoted-printable

    *
    *
    * * charset=3Diso-8859-1">
    *
    *
    *
    *
    * Discover the secret to pleasuring =
    * your partner=20
    * and giving her multiple orgasms every single time

    * ----------=_NextPart_000_000B_01C87F96.8F1B4490--

    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670
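
The three addresses this part of the thread distinguishes, pulled from one qmail-style bounce, as an added example that is not code from any poster: the connecting IP from the `Received:` line stamped by the bouncing server, the envelope sender from `Return-Path:`, and the header `From:`. The sample bounce is constructed (documentation addresses and `.example` domains) and `bounce_origin` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the thread: read the copied message inside a bounce.

# bounce_origin: one bounce on stdin ->
#   "<connecting IP><TAB><envelope sender><TAB><header From address>"
# Exit status 1 if the copied message has no usable "Received: from" line.
bounce_origin() {
    awk '
    # address between <...>, or the bare header value when there are no brackets
    function addr(s) {
        if (match(s, /<[^<>]*>/)) return substr(s, RSTART + 1, RLENGTH - 2)
        sub(/^[^:]*:[ \t]*/, "", s); return s
    }
    /^--- Below this line is a copy of the message/ { copy = 1; next }
    !copy { next }                       # skip the bounce notice itself
    /^[ \t]*$/ { if (seen) exit; next }  # blank line ends the copied headers
    { seen = 1 }
    /^Return-Path:/ && rp == "" { rp = addr($0) }
    /^From:/ && from == ""      { from = addr($0) }
    # Only the topmost "Received: from" was written by the bouncing server;
    # any Received lines below it were supplied by the sender and can be forged.
    /^Received: from / && ip == "" {
        line = $0; sub(/[ \t\r]+$/, "", line)
        # qmail writes the peer address as the last parenthesised item
        if (match(line, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)$/))
            ip = substr(line, RSTART + 1, RLENGTH - 2)
    }
    END {
        if (ip == "") exit 1
        print ip "\t" rp "\t" from
    }'
}

# Constructed bounce modelled on the layout of the sample in the post above.
sample_bounce() {
    cat <<'EOF'
From: MAILER-DAEMON@mx.recipient.example
To: mort1975@victim.example
Subject: failure notice

Hi. This is the qmail-send program at mx.recipient.example.

<nobody@recipient.example>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <mort1975@victim.example>
Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
Received: from unknown (HELO ?203.0.113.45?) (203.0.113.45)
  by mx.recipient.example with SMTP; 5 Mar 2008 21:30:06 -0800
From: "Jasan dunaway" <jasan.d@victim.example>
To: nobody@recipient.example
Subject: (spam subject)

(body omitted)
EOF
}

sample_bounce | bounce_origin
```

The bounce is delivered to the `Return-Path:` address, which here differs from the header `From:`; the first field is the value to use as the `*.collect` file name.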

  17. Re: Need automatic spam reporting tool

    On Sat, Mar 08, 2008, Steve M. Fabac, Jr. wrote:
    >Nico Kadel-Garcia wrote:
    >> Steve M. Fabac, Jr. wrote:
    >>> I'm flooded with returned messages from e-mail servers
    >>> bouncing spam messages where the spammer uses fake "From:"
    >>> tags with random names on my 24by7webstores.com site:
    >>> "From: "Mort tikkanen" "
    >>>

    >>
    >> Note: this is not the "From:" line causing this. It's the "FROM " line,
    >> the bounce address sent by the SMTP client submitting the message. This
    >> can, but need not, be the same as the "From:" address. Don't get
    >> confused by the distinction: tools like SPF help avoid this by filtering
    >> on the "FROM " line, and establishing whether the connecting host is
    >> permitted or expected to send email with the hostname published for the
    >> "FROM " address.
    >>
    >>

    >
    >The "From: " tag was an expedient in my post. It is possibly not
    >responsible for the bounced message getting bounced to postmaster
    >at 24by7webstores.com
    >
    >More likely the: "Return-Path: "
    >in the sample message below (one of the 3169 bounced messages
    >collected in /tmp/218.236.142.180.collect) is bouncing the message
    >to me.


    Looking at the headers below, the mail came into the recipient's
    system from IP address 218.236.142.180, which (a) has no relation
    to your networks, (b) has no reverse DNS, and is on at least four
    DNSRBLs including dul.dnsbl.sorbs.net, korea.services.net,
    ubl.unsubscore.com, and blackholes.five-ten-sg.com.

    218.236.142.180 is a dynamic assigned IP in hananet.net, an ISP
    not noted for their anti-spam competence.

    The fact that the recipient actually allowed mail from this IP into
    their system is a pretty good indication that they don't know
    what they're doing so sending them notices would be a total waste
    of time.

    ....
    >* Return-Path:
    >* Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
    >> Received: from unknown (HELO ?218.236.142.180?) (218.236.142.180)

    > by pacificballooncharters.com with SMTP; 5 Mar 2008 21:30:06 -0800


    This is the Received: header showing the incoming IP address.

    ....
    Bill
    --
    INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    What's this script do?
    unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
    Hint for the answer: not everything is computer-oriented. Sometimes you're
    in a sleeping bag, camping out.
    (Contributed by Frans van der Zande.)

  18. Re: Need automatic spam reporting tool

    Bill Campbell wrote:
    > On Sat, Mar 08, 2008, Steve M. Fabac, Jr. wrote:
    >> Nico Kadel-Garcia wrote:
    >>> Steve M. Fabac, Jr. wrote:
    >>>> I'm flooded with returned messages from e-mail servers
    >>>> bouncing spam messages where the spammer uses fake "From:"
    >>>> tags with random names on my 24by7webstores.com site:
    >>>> "From: "Mort tikkanen" "
    >>>>
    >>> Note: this is not the "From:" line causing this. It's the "FROM " line,
    >>> the bounce address sent by the SMTP client submitting the message. This
    >>> can, but need not, be the same as the "From:" address. Don't get
    >>> confused by the distinction: tools like SPF help avoid this by filtering
    >>> on the "FROM " line, and establishing whether the connecting host is
    >>> permitted or expected to send email with the hostname published for the
    >>> "FROM " address.
    >>>
    >>>

    >> The "From: " tag was an expedient in my post. It is possibly not
    >> responsible for the bounced message getting bounced to postmaster
    >> at 24by7webstores.com
    >>
    >> More likely the: "Return-Path: "
    >> in the sample message below (one of the 3169 bounced messages
    >> collected in /tmp/218.236.142.180.collect) is bouncing the message
    >> to me.

    >
    > Looking at the headers below, the mail came into the recipient's
    > system from IP address 218.236.142.180, which (a) has no relation
    > to your networks, (b) has no reverse DNS, and is on at least four
    > DNSRBLs including dul.dnsbl.sorbs.net, korea.services.net,
    > ubl.unsubscore.com, and blackholes.five-ten-sg.com.


    Good, that agrees with my bounced mail processing scripts that collected
    this message in file 218.236.142.180.collect. Your analysis verifies
    that what I thought I was doing (identifying the originating IP
    address, collecting all messages originating from that IP address
    into a file named with the IP_address.collect tag) appears to be
    working.

    >
    > 218.236.142.180 is a dynamic assigned IP in hananet.net, an ISP
    > not noted for their anti-spam competence.


    Also good. My count of bounced messages (people rejecting these
    messages) and the scripts to perform the whois lookup also appear
    to be working, having identified the abuse@hanaro.com address in
    the message we are discussing:

    3169 218.236.142.180.collect abuse@hanaro.com

    3169 bounced messages received today from people rejecting
    messages from 218.236.142.180.

    Org Name : Hanaro Telecom Inc.
    Service Name : HANANET
    Org Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
    Org Detail Address: 17-7 Asia One Bldg.
    [ ISP IPv4 Admin Contact Information ]
    Name : IP manager
    Phone : 82-2-106-2
    E-Mail : ip-adm@hanaro.com
    [ ISP IPv4 Tech Contact Information ]
    Name : IP manager
    Phone : 82-2-106-2
    E-mail : ip-adm@hanaro.com
    [ ISP Network Abuse Contact Information ]
    Name : manager
    Phone : 82-2-106-2
    > E-mail : abuse@hanaro.com





    >
    > The fact that the recipient actually allowed mail from this IP into
    > their system is a pretty good indication that they don't know
    > what they're doing so sending them notices would be a total waste
    > of time.


    You misread my post. I'm not sending the response to the recipient
    that bounced the spam, I'm sending the report to abuse@hanaro.com
    even though they likely will not take action to resolve the problem.
    Once the script is working, I can dump a 1.3M zip file attachment
    of the day's bounced messages to their e-mail every day as long
    as I keep getting the bounced messages.

    >
    > ...
    >> * Return-Path:
    >> * Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
    >>> Received: from unknown (HELO ?218.236.142.180?) (218.236.142.180)

    >> by pacificballooncharters.com with SMTP; 5 Mar 2008 21:30:06 -0800

    >
    > This is the Received: header showing the incoming IP address.
    >
    > ...
    > Bill
    > --
    > INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    > URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    > FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
    >
    > What's this script do?
    > unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
    > Hint for the answer: not everything is computer-oriented. Sometimes you're
    > in a sleeping bag, camping out.
    > (Contributed by Frans van der Zande.)
    >
    >


    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670

  19. Re: Need automatic spam reporting tool

    I'm not sure if the original question was answered but I've been using
    SpamCop for several years for reporting individual messages. I still use
    it for the handful of messages that have made it past DNS blacklists,
    SpamAssassin, and bayesian filtering tools on my server.

    -Gary

  20. Re: Need automatic spam reporting tool

    Gary wrote:
    > I'm not sure if the original question was answered but I've been using
    > SpamCop for several years for reporting individual messages. I still use
    > it for the handful of messages that have made it past DNS blacklists,
    > SpamAssassin, and bayesian filtering tools on my server.
    >
    > -Gary
    >
    >


    Thanks Gary. I looked at www.spamcop.net after reading
    your message and it looks interesting.

    However, this part of the FAQ is a stopper:

    "You may attach multiple spams to a single submission.
    You should not exceed 20 spams attached to a submission.
    The maximum size for the overall submission must not exceed 50 KB."

    This is an example of the results I get with scripts that I have
    written. The number to the left of the IP address is a count of
    individual messages received from the IP part of the IP.collect
    file:

    >
    > # 286 200.143.92.247.collect 200.143.64/18 mail-abuse@cert.br
    > # 1 200.169.19.67.collect 200.169.16/20 mail-abuse@cert.br
    > # 2 200.205.41.250.collect 200.205/16 mail-abuse@cert.br
    > # 99 201.8.41.93.collect 201.8/16 mail-abuse@cert.br
    >
    > Attached is a zip archive of messages originating on your
    > network.
    >
    > zip spam_abuse_to_mail-abuse@cert.br.zip 200.143.92.247.collect 200.169.19.67.collect 200.205.41.250.collect 201.8.41.93.collect


    And

    >
    > # 111 77.125.27.195.collect 77.124.0.0 - 77.127.255.255 abuse@smile.net.il
    > # 1277 77.127.162.78.collect 77.124.0.0 - 77.127.255.255 abuse@smile.net.il
    >
    > Attached is a zip archive of messages originating on your
    > network.
    >
    > zip spam_abuse_to_abuse@smile.net.il.zip 77.125.27.195.collect 77.127.162.78.collect


    The above are examples of processing one day's worth of the
    e-mail I receive forwarded from the postmaster@24by7webstores
    account that are diverted prior to SpamAssassin processing my
    incoming e-mail. They are collected in ~HOME/mailfolders/returned_mail
    and then processed to segregate original spam mail directed
    to any_user@24by7webstores.com and bounced e-mails to
    postmaster@24by7webstores.com or the faked user@24by7webstores.com.

    I don't care about the original spam directed to xxxx@24by7webstores.com,
    those I just delete. I concentrate on reporting the bounced
    messages due to the spammer appropriating From addresses with
    the 24by7webstores.com domain.

    It is my hope that my reports with the volume of messages originating
    from a single IP will move the ISP to take appropriate action
    quicker than they might in the case of receiving reports from several
    individuals reporting original spam and having to accumulate sufficient
    evidence to take action.

    I have taken steps to add an SPF record to the DNS for 24by7webstores
    as suggested by Boyd, but since I don't control DNS I have submitted
    the request but it has not been implemented as of today.

    But SpamCop looks interesting for reporting the messages that get
    past Spamassassin that are original spam to my e-mail. Presently
    I'm just deleting those after running sa-learn on them.


    --
    Steve Fabac
    S.M. Fabac & Associates
    816/765-1670
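
The collection step described in posts 18 and 20 (take the originating IP from the Received: header the bouncing server wrote, count bounces per IP, then group IPs by abuse contact), as an added example that is not the poster's own AWK scripts. The sample bounces, the "ip contact" map file standing in for the whois lookup, and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the poster's AWK scripts): count qmail bounces per source IP.

# Constructed sample: three bounces in mbox form, documentation addresses only.
sample_bounces() {
cat <<'EOF'
From MAILER-DAEMON Thu Mar  6 00:00:01 2008
--- Below this line is a copy of the message.
Received: (qmail 1001 invoked from network); 5 Mar 2008 21:30:07 -0800
Received: from unknown (HELO ?10.9.9.9?) (192.0.2.10)
  by mx1.example.net with SMTP; 5 Mar 2008 21:30:06 -0800
Received: from relay.example.org (198.51.100.99) by forged.invalid
From MAILER-DAEMON Thu Mar  6 00:00:02 2008
--- Below this line is a copy of the message.
Received: from unknown (HELO mail) (203.0.113.5)
From MAILER-DAEMON Thu Mar  6 00:00:03 2008
--- Below this line is a copy of the message.
Received: from unknown (HELO ?10.1.1.1?) (192.0.2.10)
EOF
}

# stdin: mbox of bounces. stdout: "count ip", busiest first.
# Only the first "Received: from" after the qmail marker is trusted: the
# bouncing server wrote it. The HELO name and lower headers are sender-supplied.
tally_by_ip() {
    awk '
    /^From / { copy = 0; seen = 0; next }            # mbox separator
    /^--- Below this line is a copy of the message\./ { copy = 1; next }
    copy && !seen && /^Received: from / {
        seen = 1
        if (match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/))
            count[substr($0, RSTART + 1, RLENGTH - 2)]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -k1,1nr -k2,2
}

# $1: file of "ip abuse-contact" lines (assumed; stands in for the whois step).
# stdin: tally_by_ip output. stdout: "total contact file.collect ...".
group_by_contact() {
    awk -v map="$1" '
    BEGIN { while ((getline line < map) > 0) { split(line, f, " "); who[f[1]] = f[2] } }
    { c = ($2 in who) ? who[$2] : "UNKNOWN"
      total[c] += $1; files[c] = files[c] " " $2 ".collect" }
    END { for (c in total) print total[c], c files[c] }' | sort -k1,1nr
}

sample_bounces | tally_by_ip
```

The forged lower Received: line and the HELO strings in the sample never reach the tally, which is why the counts line up with the address the receiving server actually saw.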
