Need automatic spam reporting tool - SCO
Need automatic spam reporting tool
I'm flooded with returned messages from e-mail servers
bouncing spam messages where the spammer uses fake "From:"
tags with random names on my 24by7webstores.com site:
"From: "Mort tikkanen" "
In working on this problem, I have developed AWK scripts
that collect the bounced messages by originating IP address into
files:
24 85.97.42.31.collect
239 78.174.242.34.collect
36 212.156.220.69.collect
19 88.235.103.244.collect
18 86.134.238.12.collect
10 86.136.138.121.collect
Where each *.collect file contains all the spam messages
originating from the IP part of the file name (24, 239,
36 messages etc...).
Up to this point I have been manually looking up the IP
addresses on www.samspade.org and manually generating a
report list:
24 85.97.42.31.collect 85.97.40.0 - 85.97.55.255 abuse@ttnet.net.tr
239 78.174.242.34.collect 78.174.0.0 - 78.174.255.255 abuse@ttnet.net.tr
36 212.156.220.69.collect 212.156.220.0 - 212.156.220.255 abuse@ttnet.net.tr
19 88.235.103.244.collect 88.235.0.0 - 88.235.127.255 abuse@ttnet.net.tr
zip spam_abuse_ttnet.zip 85.97.42.31.collect 88.235.103.244.collect 212.156.220.69.collect 78.174.242.34.collect
18 86.134.238.12.collect 86.128.0.0 - 86.135.255.255 abuse@btbroadband.com
10 86.136.138.121.collect 86.136.0.0 - 86.141.255.255 abuse@btbroadband.com
zip spam_abuse_btbroadband.zip 86.152.52.171.collect 86.133.98.183.collect 86.134.236.155.collect 86.134.238.12.collect 86.136.138.121.collect 86.141.218.48.collect
Running the zip command line to zip the target collect files into submission
archives:
-rw-r--r-- 1 smf group 14716 Mar 4 23:46 spam_abuse_arcor-ip.zip
-rw-r--r-- 1 smf group 39321 Mar 4 23:46 spam_abuse_btbroadband.zip
-rw-r--r-- 1 smf group 961695 Mar 4 23:46 spam_abuse_charter.zip
-rw-r--r-- 1 smf group 52350 Mar 4 23:46 spam_abuse_merit.zip
-rw-r--r-- 1 smf group 11390 Mar 4 23:46 spam_abuse_nextra.zip
-rw-r--r-- 1 smf group 45832 Mar 4 23:46 spam_abuse_postini.zip
-rw-r--r-- 1 smf group 10961 Mar 4 23:46 spam_abuse_tpnet.pl.zip
-rw-r--r-- 1 smf group 212194 Mar 4 23:46 spam_abuse_ttnet.zip
And manually compose an e-mail to the abuse@ address, attaching
the corresponding zip archive.
Now I'd like to automate the reverse IP look-up so that I can
script the whole reporting process.
Unfortunately, whois on SCO does not provide the necessary information.
Any suggestions on how to lookup the information I need
automatically with tools on the SCO 5.0.7 system?
Or is there an open source tool that can be compiled for SCO
that will provide the information I need?
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
-
Re: Need automatic spam reporting tool
On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
> I'm flooded with returned messages from e-mail servers
> bouncing spam messages where the spammer uses fake "From:"
> tags with random names on my 24by7webstores.com site:
> "From: "Mort tikkanen" "
I use SPF. It allows domain owners to specify their outgoing email
servers and thus allows receivers to decide how to handle mail. I discard email
on SPF Fail. It allows you to do a lot of other things. There are some
Python filters that really assist/automate reputations for email. You
could search the SPF Discuss list to find them. I use a combination of
things. But having an SPF record cuts down on bounces.
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
> Unfortunately, whois on SCO does not provide the necessary information.
You can compile the Open Source version and run it. It works really well.
I currently do not have an OSR 5.0.7 machine available to do compiles.
> Any suggestions on how to lookup the information I need
> automatically with tools on the SCO 5.0.7 system?
>
> Or is there an open source tool that can be compiled for SCO
> that will provide the information I need?
I really like
python-pydns
python-pydspam
python-pyspf
python-pygossip
python-pysrs
I use the above to automate the whole process. Look at what
Stuart D. Gathman
He has really perfected them. He is the developer.
--
Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-
Re: Need automatic spam reporting tool
On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
>I'm flooded with returned messages from e-mail servers
>bouncing spam messages where the spammer uses fake "From:"
>tags with random names on my 24by7webstores.com site:
>"From: "Mort tikkanen" "
You should be able to build the current version of whois on SCO
systems without much problem.
On the other hand, dealing with idiots who don't control the
blowback resulting from forged From and Sender in spam is
generally a waste of your time and effort (a good bit of what I
see here is from Barracuda boxes, and I don't know whether that's
the default setting on current Barracudas).
Is it possible that your web site has a vulnerable formail.pl
script (are there any non-vulnerable ones :-) so the messages are
actually being sent through the web server?
....
Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Liberals love to say things like, 'We're just asking everyone to pay
their fair share.' But government is not about asking. It is about telling.
The difference is fundamental. It is the difference between making love and
being raped, between working for a living and being a slave.
Dr. Thomas Sowell, Forbes, July 1994
-
Re: Need automatic spam reporting tool
On Wed, 5 Mar 2008, Boyd Lynn Gerber wrote:
> On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
> > I'm flooded with returned messages from e-mail servers
> > bouncing spam messages where the spammer uses fake "From:"
> > tags with random names on my 24by7webstores.com site:
> > "From: "Mort tikkanen" "
>
> I use spf. It allows domain owners to specify their outgoing email
> servers and thus allow receives to decide how to handle. I discard email
> on SPF Fail. It allows you to do a lot of other things. There are some
> python filters that really assist/automate reputations for email. You
> could search the SPF Discuss list to find them. I use a combination of
> things. But having a SPF record cuts down on bounces.
>
> SPF FAQ: http://www.openspf.org/FAQ
> Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
>
> > Unfortunately, whois on SCO does not provide the necessary information.
>
> You can compile the Open Source version and run it. It works really well.
> I currently do not have an OSR 5.0.7 machine available to do compiles.
>
> > Any suggestions on how to lookup the information I need
> > automatically with tools on the SCO 5.0.7 system?
> >
> > Or is there an open source tool that can be compiled for SCO
> > that will provide the information I need?
>
> I really like
>
> python-pydns
> python-pydspam
> python-pyspf
> python-pygossip
> python-pysrs
>
> I use the above to automate the whole process. Look at what
>
> Stuart D. Gathman
>
> He has really perfected them. He is the developer.
I forgot to mention, I use these with the latest Sendmail or Postfix.
Also I use python-postfix-policyd-spf with postfix. Others have reported
using it with Sendmail and milters.
--
Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-
Re: Need automatic spam reporting tool
Boyd Lynn Gerber wrote:
> On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
>> I'm flooded with returned messages from e-mail servers
>> bouncing spam messages where the spammer uses fake "From:"
>> tags with random names on my 24by7webstores.com site:
>> "From: "Mort tikkanen" "
>
> I use spf. It allows domain owners to specify their outgoing email
> servers and thus allow receives to decide how to handle. I discard email
> on SPF Fail. It allows you to do a lot of other things. There are some
> python filters that really assist/automate reputations for email. You
> could search the SPF Discuss list to find them. I use a combination of
> things. But having a SPF record cuts down on bounces.
Boyd,
You miss my point. I don't have a problem with bounced messages coming back.
None of the original spam messages is coming from my website or from me.
What angers me is that someone or some group of people have misappropriated
my domain to facilitate their spamming.
Because the volume ranges from 1000 to 3000 bounced messages being
sent back to the bogus From: address, I seek to build a tool to
automate dropping these messages back on the ISP hosting the open
relays or spammer's machine to assist them in building a case to
shut them down.
The 1000 to 3000 messages is probably a small percentage of the total
spam these people are generating as only a small percentage of
receiving systems bounce the messages (10 - 20%?).
Because I have to manually cut and paste the IP address into
www.samspade.org, I limit my responses to IP addresses
with 20 or more messages. Since Samspade.org obviously is
automated, I should be able to do the same thing to automate
my submissions to the subject ISP abuse reporting addresses.
>
> SPF FAQ: http://www.openspf.org/FAQ
> Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
>
>> Unfortunately, whois on SCO does not provide the necessary information.
>
> You can compile the Open Source version and run it. It works really well.
> I currently do not have an OSR 5.0.7 machine available to do compiles.
>
>> Any suggestions on how to lookup the information I need
>> automatically with tools on the SCO 5.0.7 system?
>>
>> Or is there an open source tool that can be compiled for SCO
>> that will provide the information I need?
>
> I really like
>
> python-pydns
> python-pydspam
> python-pyspf
> python-pygossip
> python-pysrs
>
> I use the above to automate the whole process. Look at what
>
> Stuart D. Gathman
>
> He has really perfected them. He is the developer.
>
>
> --
> Boyd Gerber
> ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
>
>
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
-
Re: Need automatic spam reporting tool
Bill Campbell wrote:
> On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
>> I'm flooded with returned messages from e-mail servers
>> bouncing spam messages where the spammer uses fake "From:"
>> tags with random names on my 24by7webstores.com site:
>> "From: "Mort tikkanen" "
>
> You should be able to build the current version of whois on SCO
> systems without much problem.
Is there a command string to whois that will accept an IP address
and return something that looks like this?:
(Asked whois.apnic.net:43 about 117.11.60.63)
inetnum: 117.8.0.0 - 117.15.255.255
netname: CNCGROUP-TJ
descr: CNC Group Tianjin province network
descr: China Network Communications Group Corporation
descr: No.156 Fu-Xing-Men-Nei Street
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: HZ19-AP
remarks: service provider
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-TJ
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: --------------------------
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: --------------------------
changed: hm-changed@apnic.net 20070525
source: APNIC
route: 117.8.0.0/13
descr: CNC Group CHINA169 Tianjin Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20070525
source: APNIC
role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
>
> On the other hand, dealing with idiots who don't control the
> blowback resulting from forge From and Sender in spam, is
> generally a waste of your time and effort (a good bit of what I
> see here if from Barracuda boxes, and I don't know whether that's
> the default setting on current Barracudas).
Bill, I welcome the bounced messages. It gives me a chance to submit
them to the ISPs where the open relays or spammers lurk.
As I indicated to Boyd, I am angered by someone cloaking their
spam as from my domain. Unstopped, they will eventually result
in my domain being added to an RBL so I'll have to take action
to have my site removed from the black list.
>
> Is it possible that your web site has a vulnerable formail.pl
> script (are there any non-vulnerable ones :-) so the messages are
> actually being sent through the web server?
No, examination of the bounced message headers shows the
originating IP addresses of the spam. I collect all messages
identified by originating IP address and then submit them
to the ISP for the IP address.
>
> ...
> Bill
> --
> INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
> FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
>
> Liberals love to say things like, 'We're just asking everyone to pay
> their fair share.' But government is not about asking. It is about telling.
> The difference is fundamental. It is the difference between making love and
> being raped, between working for a living and being a slave.
> Dr. Thomas Sowell, Forbes, July 1994
>
>
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
-
Re: Need automatic spam reporting tool
On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
>Bill Campbell wrote:
>> On Wed, Mar 05, 2008, Steve M. Fabac, Jr. wrote:
>>> I'm flooded with returned messages from e-mail servers
>>> bouncing spam messages where the spammer uses fake "From:"
>>> tags with random names on my 24by7webstores.com site:
>>> "From: "Mort tikkanen" "
>>
>> You should be able to build the current version of whois on SCO
>> systems without much problem.
>
>Is there a command string to whois that will accept an IP address
>and return something that looks like this?:
>
>(Asked whois.apnic.net:43 about 117.11.60.63)
I'm running whois 4.7.24 on a Linux box here, and the command is simply
``whois ipaddress''
whois 117.11.60.63
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 117.8.0.0 - 117.15.255.255
netname: CNCGROUP-TJ
descr: CNC Group Tianjin province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: HZ19-AP
remarks: service provider
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-TJ
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20070525
source: APNIC
route: 117.8.0.0/13
descr: CNC Group CHINA169 Tianjin Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20070525
source: APNIC
role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: abuse@cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC
person: huang zheng
nic-hdl: HZ19-AP
e-mail: ipaddr@ywb.online.tj.cn
address: 76 NO, ShiZiLin Street ,HeBei district of Tianjin,China
phone: +86-22-24459190
fax-no: +86-22-24454499
country: CN
changed: ipaddr@ywb.online.tj.cn 20050721
mnt-by: MAINT-CNCGROUP-TJ
source: APNIC
....
Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
I don't care how little your country is, you got a right to run it like
you want to. When the big nations quit meddling, then the world will have
peace. -- Will Rogers
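The output above is the RPSL key: value layout APNIC (and RIPE) return, and the report lines Steve builds by hand need only three things from it: the inetnum: range, an abuse contact, and the collect file name. Added example, not code from the thread: a Python parser for that layout that produces the "count collect-file range contact" line and groups collect files per contact for the per-ISP zip step. The whois text embedded below is a constructed sample (example.invalid, country ZZ, AS64496 and the isp.example addresses are placeholders, not registry data); lookup() shells out to the whois binary and is not exercised offline. One caveat worth building in: an e-mail: on a role or person object is not necessarily the abuse desk, so the parser prefers an abuse-mailbox: attribute where the registry publishes one, then an address containing "abuse", and only then falls back to whatever contact is listed.

```python
import subprocess

# Constructed whois output in the RPSL key: value layout APNIC and RIPE use.
# Placeholders only (example.invalid, ZZ, AS64496); not real registry data.
SAMPLE_WHOIS = """\
% [whois.example.invalid node-1]
% Constructed sample, not real registry data

inetnum:      203.0.113.0 - 203.0.113.255
netname:      EXAMPLE-NET
descr:        Example ISP customer pool
country:      ZZ
admin-c:      EX1-ZZ
tech-c:       EX2-ZZ
source:       EXAMPLE

route:        203.0.113.0/24
descr:        Example ISP
origin:       AS64496
source:       EXAMPLE

person:       IP Manager
nic-hdl:      EX2-ZZ
e-mail:       ipaddr@isp.example
source:       EXAMPLE

role:         Example ISP Hostmaster
nic-hdl:      EX1-ZZ
e-mail:       abuse@isp.example
source:       EXAMPLE
"""


def parse_whois(text):
    """Split whois output into objects: a list of {key: [values]} dicts.

    Objects are separated by blank lines, '%' and '#' lines are server
    comments, and repeated keys (descr:, remarks:, e-mail:) keep their order.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                          # stray text without a key
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def network_range(objects):
    """(start, end) of the inetnum: object, or None if the output has none."""
    for obj in objects:
        if "inetnum" in obj:
            start, _, end = obj["inetnum"][0].partition("-")
            return start.strip(), end.strip()
    return None


def abuse_contact(objects):
    """abuse-mailbox: first, then an e-mail: naming abuse, then any e-mail:."""
    candidates = [a for obj in objects for a in obj.get("abuse-mailbox", [])]
    candidates += [a for obj in objects for a in obj.get("e-mail", [])]
    for addr in candidates:
        if "abuse" in addr.lower():
            return addr
    return candidates[0] if candidates else None


def report_line(count, ip, objects):
    """One line in the manual report format: count, collect file, range, contact."""
    rng = network_range(objects)
    rng_text = f"{rng[0]} - {rng[1]}" if rng else "range unknown"
    return f"{count} {ip}.collect {rng_text} {abuse_contact(objects) or 'contact unknown'}"


def group_by_contact(rows):
    """Map each contact to the collect files that go into its one zip archive."""
    groups = {}
    for count, ip, contact in rows:
        groups.setdefault(contact, []).append(f"{ip}.collect")
    return groups


def lookup(ip):
    """Live query through the whois binary (needs network; not used offline)."""
    return subprocess.run(["whois", ip], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    objs = parse_whois(SAMPLE_WHOIS)
    print(report_line(24, "203.0.113.45", objs))
    rows = [(24, "203.0.113.45", abuse_contact(objs)), (3, "203.0.113.9", abuse_contact(objs))]
    for contact, files in group_by_contact(rows).items():
        print("zip", "spam_abuse_" + contact.split("@")[1] + ".zip", *files)
```

To run it against real lookups, replace SAMPLE_WHOIS with lookup(ip) for each collect file; the whois binary already follows referrals between registries, so the parser only ever sees the final registry's objects.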
-
Re: Need automatic spam reporting tool
In article <47CEF8FE.7050100@att.net>,
Steve M. Fabac, Jr. wrote:
>Boyd Lynn Gerber wrote:
>> On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
>>> I'm flooded with returned messages from e-mail servers
>>> bouncing spam messages where the spammer uses fake "From:"
>>> tags with random names on my 24by7webstores.com site:
>>> "From: "Mort tikkanen" "
>>
>> I use spf. It allows domain owners to specify their outgoing email
>> servers and thus allow receives to decide how to handle. I discard email
>> on SPF Fail. It allows you to do a lot of other things. There are some
>> python filters that really assist/automate reputations for email. You
>> could search the SPF Discuss list to find them. I use a combination of
>> things. But having a SPF record cuts down on bounces.
>
>Boyd,
>
>You miss my point. I don't have a problem with bounced messages coming back.
>None of the original spam messages is coming from my website or from me.
Boyd may have confused you by referring to both the application and publishing
of SPF records. Applying SPF to incoming mail acceptance policy won't help
with your immediate problem, but publishing SPF records for your domain might,
by allowing any mail systems that *do* use SPF to know whether incoming mail
with a return address in your domain actually originated from a host authorized
to send such mail.
> As I indicated to Boyd, I am angered by someone cloaking their
> spam as from my domain. Unstopped, they will eventually result
> in my domain being added to rbl so I'll have to take action
> to have my site removed from the black list.
Mail forged in the manner described above won't result in your domain being
added to any responsibly maintained blacklist. Any that would make such a
mistake will be little used for that very reason.
John
--
John DuBois spcecdt@armory.com KC6QKZ/AE http://www.armory.com/~spcecdt/
-
Re: Need automatic spam reporting tool
On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
> > On the other hand, dealing with idiots who don't control the
> > blowback resulting from forge From and Sender in spam, is
> > generally a waste of your time and effort (a good bit of what I
> > see here if from Barracuda boxes, and I don't know whether that's
> > the default setting on current Barracudas).
>
> Bill, I welcome the bounced messages. It give me a chance to submit
> them to the ISP's where the open relays or spammer's lurk.
>
> As I indicated to Boyd, I am angered by someone cloaking their
> spam as from my domain. Unstopped, they will eventually result
> in my domain being added to rbl so I'll have to take action
> to have my site removed from the black list.
Forgery, and stopping it, is why SPF exists.
--
Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-
Re: Need automatic spam reporting tool
On Wed, 5 Mar 2008, John DuBois wrote:
> In article <47CEF8FE.7050100@att.net>,
> Steve M. Fabac, Jr. wrote:
> >Boyd Lynn Gerber wrote:
> >> On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
> >>> I'm flooded with returned messages from e-mail servers
> >>> bouncing spam messages where the spammer uses fake "From:"
> >>> tags with random names on my 24by7webstores.com site:
> >>> "From: "Mort tikkanen" "
> >>
> >> I use spf. It allows domain owners to specify their outgoing email
> >> servers and thus allow receives to decide how to handle. I discard
> >> email on SPF Fail. It allows you to do a lot of other things.
> >> There are some python filters that really assist/automate reputations
> >> for email. You could search the SPF Discuss list to find them. I
> >> use a combination of things. But having a SPF record cuts down on
> >> bounces.
> >
> >You miss my point. I don't have a problem with bounced messages coming back.
> >None of the original spam messages is coming from my website or from me.
>
> Boyd may have confused you by referring to both the application and
> publishing of SPF records. Applying SPF to incoming mail acceptance
> policy won't help with your immediate problem, but publishing SPF
> records for your domain might, by allowing any mail systems that *do*
> use SPF to know whether incoming mail with a return address in your
> domain actually originated from a host authorized to send such mail.
From the last informal search there are over 10,000,000 domains with SPF v1
records. SPF has 2 parts: the domain owner publishing a record, and the receiver
acting on the SPF record. SpamAssassin uses SPF to rate emails.
> > As I indicated to Boyd, I am angered by someone cloaking their spam as
> > from my domain. Unstopped, they will eventually result in my domain
> > being added to rbl so I'll have to take action to have my site removed
> > from the black list.
>
> Mail forged in the manner described above won't result in your domain being
> added to any responsibly maintained blacklist. Any that would make such a
> mistake will be little used for that very reason.
+1
--
Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
-
Re: Need automatic spam reporting tool
> Unfortunately, whois on SCO does not provide the necessary information.
>
> Any suggestions on how to lookup the information I need
> automatically with tools on the SCO 5.0.7 system?
>
> Or is there an open source tool that can be compiled for SCO
> that will provide the information I need?
Here ya go:
http://www.aljex.com/bkw/sco/#whois
It's also uploaded here but new uploads take a day to show up
ftp://pcunix.com/pub/bkw/
--
Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
-
Re: Need automatic spam reporting tool
----- Original Message -----
From: "Brian K. White"
Newsgroups: comp.unix.sco.misc
To:
Sent: Wednesday, March 05, 2008 7:32 PM
Subject: Re: Need automatic spam reporting tool
>
>> Unfortunately, whois on SCO does not provide the necessary information.
>>
>> Any suggestions on how to lookup the information I need
>> automatically with tools on the SCO 5.0.7 system?
>>
>> Or is there an open source tool that can be compiled for SCO
>> that will provide the information I need?
>
> Here ya go:
> http://www.aljex.com/bkw/sco/#whois
Initially I had 4.7.20 up, just upped to 4.7.24.
--
Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
-
Re: Need automatic spam reporting tool
Brian K. White wrote:
> ----- Original Message -----
> From: "Brian K. White"
> Newsgroups: comp.unix.sco.misc
> To:
> Sent: Wednesday, March 05, 2008 7:32 PM
> Subject: Re: Need automatic spam reporting tool
>
>
>>> Unfortunately, whois on SCO does not provide the necessary information.
>>>
>>> Any suggestions on how to lookup the information I need
>>> automatically with tools on the SCO 5.0.7 system?
>>>
>>> Or is there an open source tool that can be compiled for SCO
>>> that will provide the information I need?
>> Here ya go:
>> http://www.aljex.com/bkw/sco/#whois
>
> Initially I had 4.7.20 up, just upped to 4.7.24 .
>
Thanks Brian !!!
That should save me a lot of work (trying to find it,
compiling it then getting it to run).
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
-
Re: Need automatic spam reporting tool
Steve M. Fabac, Jr. wrote:
> I'm flooded with returned messages from e-mail servers
> bouncing spam messages where the spammer uses fake "From:"
> tags with random names on my 24by7webstores.com site:
> "From: "Mort tikkanen" "
>
Note: this is not the "From:" line causing this. It's the "FROM " line, the
bounce address sent by the SMTP client submitting the message. This can, but
need not, be the same as the "From:" address. Don't get confused by the
distinction: tools like SPF help avoid this by filtering on the "FROM " line,
and establishing whether the connecting host is permitted or expected to send
email with the hostname published for the "FROM " address.
-
Re: Need automatic spam reporting tool
On Sat, 8 Mar 2008, Nico Kadel-Garcia wrote:
> Steve M. Fabac, Jr. wrote:
> > I'm flooded with returned messages from e-mail servers
> > bouncing spam messages where the spammer uses fake "From:"
> > tags with random names on my 24by7webstores.com site:
> > "From: "Mort tikkanen" "
>
> Note: this is not the "From:" line causing this. It's the "FROM " line,
> the bounce address sent by the SMTP client submitting the message. This
> can, but need not, be the same as the "From:" address. Don't get
> confused by the distinction: tools like SPF help avoid this by filtering
> on the "FROM " line, and establishing whether the connecting host is
> permitted or expected to send email with the hostname published for the
> "FROM " address.
You need to be a bit clearer. SPF works on the RFC 821/2821 Mail From.
The From above looks like it is about the RFC 822/2822 From. Sender ID
and DKIM both attempt to protect the RFC 822/2822 From. DKIM also uses a
method to validate the Data of the SMTP data. Forwarding requires a new
Validate stamp as well.
--
Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
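John's post earlier in the thread (publish an SPF record so receivers can tell whether mail carrying your return address came from a host you authorized) and Boyd's point just above (SPF is evaluated on the RFC 821/2821 MAIL FROM, not on the RFC 822/2822 From: header) come down to one check, and the distinction is easiest to see in code. Added example, not code from the thread and not the pyspf library Boyd recommends: a Python evaluator for the ip4/ip6/all subset of RFC 7208, with the DNS TXT lookups replaced by a constructed RECORDS table under .invalid domains. Mechanisms that need DNS (a, mx, include, exists) and the redirect= modifier are deliberately left unimplemented rather than approximated.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records standing in for the DNS TXT lookups a real checker does.
RECORDS = {
    "example.invalid": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "softfail.invalid": "v=spf1 ip4:198.51.100.0/24 ~all",
}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP (RFC 7208 subset).

    Handles the ip4, ip6 and all mechanisms with their qualifiers. Anything
    that needs DNS (a, mx, include, exists, redirect=) raises
    NotImplementedError instead of guessing a result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                         # not an SPF record at all
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # mechanisms default to "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed network in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {term!r} needs a DNS lookup")
    return "neutral"                          # nothing matched and no "all" term


def envelope_domain(mail_from):
    """Domain of the RFC 5321 MAIL FROM address, or None for the null sender."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def evaluate(mail_from, client_ip, records=RECORDS):
    """Check the envelope sender, the identity SPF is defined on.

    The header From: plays no part: a spammer forging it while using an
    envelope domain that publishes no record simply gets "none". The null
    sender (bounces) would be checked on the HELO identity in a full
    implementation; that fallback is left out of this example.
    """
    domain = envelope_domain(mail_from)
    if domain is None or domain not in records:
        return "none"
    return check_spf(records[domain], client_ip)


if __name__ == "__main__":
    # A forged From: header in the victim's domain is irrelevant; the envelope decides.
    print(evaluate("<randomname1975@example.invalid>", "203.0.113.45"))   # pass
    print(evaluate("<randomname1975@example.invalid>", "198.51.100.7"))   # fail
    print(evaluate("<x@softfail.invalid>", "203.0.113.45"))              # softfail
```

The "-all" terminator is what makes a published record useful against the forgery described in this thread: a receiver that evaluates SPF sees "fail" for any host outside the listed ranges and can reject at SMTP time instead of accepting and bouncing to the forged address.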
-
Re: Need automatic spam reporting tool
Nico Kadel-Garcia wrote:
> Steve M. Fabac, Jr. wrote:
>> I'm flooded with returned messages from e-mail servers
>> bouncing spam messages where the spammer uses fake "From:"
>> tags with random names on my 24by7webstores.com site:
>> "From: "Mort tikkanen" "
>>
>
> Note: this is not the "From:" line causing this. It's the "FROM " line,
> the bounce address sent by the SMTP client submitting the message. This
> can, but need not, be the same as the "From:" address. Don't get
> confused by the distinction: tools like SPF help avoid this by filtering
> on the "FROM " line, and establishing whether the connecting host is
> permitted or expected to send email with the hostname published for the
> "FROM " address.
>
>
The "From: " tag was an expedient in my post. It is possibly not
responsible for the bounced message getting bounced to postmaster
at 24by7webstores.com
More likely the: "Return-Path: "
in the sample message below (one of the 3169 bounced messages
collected in /tmp/218.236.142.180.collect) is bouncing the message
to me.
3169 218.236.142.180.collect abuse@hanaro.com
336 61.88.180.137.collect 61.88.0.0 - 61.88.255.255 abuse@optus.net.au
11 64.18.6.14.collect 64.18.0.0 - 64.18.15.255 noc@postinicorp.com
One message from 218.236.142.180.collect:
* From smf Thu Mar 6 00:30:01 2008
* X-Originating-IP: [207.115.20.67]
* X-Originating-IP: [216.57.213.233]
* Delivered-To: 24by7webstores.com-postmaster@24by7webstores.com
* Message-ID: <20080306053001.1687.qmail@innuitymail.com>
* Delivered-To: uozniihs1975@24by7webstores.com
* Date: 5 Mar 2008 21:30:07 -0800
* From: MAILER-DAEMON@roswell.stimulusdesign.com
* To: uozniihs1975@24by7webstores.com
* Subject: failure notice
* Status: O
Hi. This is the qmail-send program at roswell.stimulusdesign.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
:
This address no longer accepts mail.
--- Below this line is a copy of the message.
* Return-Path:
* Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
> Received: from unknown (HELO ?218.236.142.180?) (218.236.142.180)
by pacificballooncharters.com with SMTP; 5 Mar 2008 21:30:06 -0800
* Message-ID: <000f01c87f4b$1f360d90$b48eecda@leeig>
* From: "Jasan dunaway"
* To: petgord34truew@pacificballooncharters.com
* Subject: Upsize today
* Date: Thu, 6 Mar 2008 14:30:00 +0900
* MIME-Version: 1.0
* Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_000B_01C87F96.8F1B4490"
* X-Priority: 3
* X-MSMail-Priority: Normal
* X-Mailer: Microsoft Outlook Express 6.00.2900.3138
* X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
* ----------=_NextPart_000_000B_01C87F96.8F1B4490
* Content-Type: text/plain;
charset="iso-8859-1"
* Content-Transfer-Encoding: quoted-printable
Discover the secret to pleasuring your partner and giving her multiple =
orgasms every single time
* ----------=_NextPart_000_000B_01C87F96.8F1B4490
* Content-Type: text/html;
charset="iso-8859-1"
* Content-Transfer-Encoding: quoted-printable
*
*
*
* charset=3Diso-8859-1">
*
*
*
*
* Discover the secret to pleasuring =
* your partner=20
* and giving her multiple orgasms every single time
* ----------=_NextPart_000_000B_01C87F96.8F1B4490--
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
-
Re: Need automatic spam reporting tool
On Sat, Mar 08, 2008, Steve M. Fabac, Jr. wrote:
>Nico Kadel-Garcia wrote:
>> Steve M. Fabac, Jr. wrote:
>>> I'm flooded with returned messages from e-mail servers
>>> bouncing spam messages where the spammer uses fake "From:"
>>> tags with random names on my 24by7webstores.com site:
>>> "From: "Mort tikkanen" "
>>>
>>
>> Note: this is not the "From:" line causing this. It's the "FROM " line,
>> the bounce address sent by the SMTP client submitting the message. This
>> can, but need not, be the same as the "From:" address. Don't get
>> confused by the distinction: tools like SPF help avoid this by filtering
>> on the "FROM " line, and establishing whether the connecting host is
>> permitted or expected to send email with the hostname published for the
>> "FROM " address.
>>
>>
>
>The "From: " tag was an expedient in my post. It is possibly not
>responsible for the bounced message getting bounced to postmaster
>at 24by7webstores.com
>
>More likely the: "Return-Path: "
>in the sample message below (one of the 3169 bounced messages
>collected in /tmp/218.236.142.180.collect) is bouncing the message
>to me.
Looking at the headers below, the mail came into the recipient's
system from IP address 218.236.142.180, which (a) has no relation
to your networks, (b) has no reverse DNS, and is on at least four
DNSRBLs including dul.dnsbl.sorbs.net, korea.services.net,
ubl.unsubscore.com, and blackholes.five-ten-sg.com.
218.236.142.180 is a dynamically assigned IP in hananet.net, an ISP
not noted for their anti-spam competence.
The fact that the recipient actually allowed mail from this IP into
their system is a pretty good indication that they don't know
what they're doing so sending them notices would be a total waste
of time.
....
>* Return-Path:
>* Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
>> Received: from unknown (HELO ?218.236.142.180?) (218.236.142.180)
> by pacificballooncharters.com with SMTP; 5 Mar 2008 21:30:06 -0800
This is the Received: header showing the incoming IP address.
....
Bill
--
INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
What's this script do?
unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
Hint for the answer: not everything is computer-oriented. Sometimes you're
in a sleeping bag, camping out.
(Contributed by Frans van der Zande.)
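Steve's AWK scripts in the first post bucket bounces by originating IP, and Bill's point above is where that IP actually comes from: the Received: line stamped by the recipient's own MTA when the spammer's host connected, not anything the sender wrote. Added example, not code from the thread: a Python version of that collection step, run over a constructed qmail-style bounce (documentation-range addresses, host names under .invalid), plus the reversed-octet name construction behind the DNSBL lookups Bill mentions. COPY_MARKER is the literal line qmail uses before the copied message; the by_host parameter is this example's own way of trusting only the hop the recipient's MTA stamped, because a sender can plant forged Received: lines that end up beneath the genuine one.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# qmail places the undeliverable message after this line; DSNs from other
# MTAs wrap it in a message/rfc822 part, which this example does not handle.
COPY_MARKER = "--- Below this line is a copy of the message."

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Relays inside the recipient's own network also appear in Received: lines;
# these ranges are skipped while looking for the external originating host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample bounce (documentation-range IP, .invalid host names),
# laid out like a qmail failure notice.
SAMPLE_BOUNCE = """\
Delivered-To: postmaster@example.invalid
From: MAILER-DAEMON@relay.example.invalid
To: randomname1975@example.invalid
Subject: failure notice

Hi. This is the qmail-send program at relay.example.invalid.
I'm afraid I wasn't able to deliver your message to the following addresses.

<victim@relay.example.invalid>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <randomname1975@example.invalid>
Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
Received: from unknown (HELO ?203.0.113.45?) (203.0.113.45)
  by relay.example.invalid with SMTP; 5 Mar 2008 21:30:06 -0800
From: "Jasan dunaway" <randomname1975@example.invalid>
To: victim@relay.example.invalid
Subject: Upsize today

(spam body omitted)
"""

SAMPLE_BOUNCES = [SAMPLE_BOUNCE,
                  SAMPLE_BOUNCE.replace("203.0.113.45", "198.51.100.7"),
                  SAMPLE_BOUNCE]


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)           # ValueError on e.g. 999.1.2.3
    return any(addr in net for net in INTERNAL_NETS)


def originating_ip(bounce_text, by_host=None):
    """IP of the host that handed the original message to the recipient's MTA.

    Each hop prepends its own Received: line, so the genuine line from the
    recipient's MTA sits above anything the sender forged. Scanning bottom-up
    alone would trust a forged line first; passing by_host (the name in the
    recipient MTA's "by" clause) restricts the search to the hop it stamped.
    """
    if COPY_MARKER not in bounce_text:
        return None
    original = message_from_string(bounce_text.split(COPY_MARKER, 1)[1].lstrip())
    received = [" ".join(r.split()) for r in original.get_all("Received") or []]
    if by_host:
        received = [r for r in received if f"by {by_host}" in r]
    for line in reversed(received):           # earliest hop first
        for ip in IPV4_RE.findall(line):
            try:
                if not _is_internal(ip):
                    return ip
            except ValueError:
                continue
    return None


def collect_by_origin(bounces, by_host=None):
    """Group bounce texts by originating IP, like the per-IP *.collect files."""
    buckets = defaultdict(list)
    for text in bounces:
        buckets[originating_ip(text, by_host) or "unknown"].append(text)
    return dict(buckets)


def summarize(buckets):
    """(count, ip) pairs, most prolific origin first, as in the OP's listing."""
    return sorted(((len(msgs), ip) for ip, msgs in buckets.items()), reverse=True)


def dnsbl_query_name(ip, zone):
    """Name to resolve for a DNSBL check: octets reversed under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    for count, ip in summarize(collect_by_origin(SAMPLE_BOUNCES, "relay.example.invalid")):
        print(count, ip + ".collect", dnsbl_query_name(ip, "dul.dnsbl.sorbs.net"))
```

A DNSBL answer is whatever A record the zone returns for that name (none means "not listed"); resolving it needs the network, which is why the example stops at building the name.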
-
Re: Need automatic spam reporting tool
Bill Campbell wrote:
> On Sat, Mar 08, 2008, Steve M. Fabac, Jr. wrote:
>> Nico Kadel-Garcia wrote:
>>> Steve M. Fabac, Jr. wrote:
>>>> I'm flooded with returned messages from e-mail servers
>>>> bouncing spam messages where the spammer uses fake "From:"
>>>> tags with random names on my 24by7webstores.com site:
>>>> "From: "Mort tikkanen" "
>>>>
>>> Note: this is not the "From:" line causing this. It's the "FROM " line,
>>> the bounce address sent by the SMTP client submitting the message. This
>>> can, but need not, be the same as the "From:" address. Don't get
>>> confused by the distinction: tools like SPF help avoid this by filtering
>>> on the "FROM " line, and establishing whether the connecting host is
>>> permitted or expected to send email with the hostname published for the
>>> "FROM " address.
>>>
>>>
>> The "From: " tag was an expedient in my post. It is possibly not
>> responsible for the bounced message getting bounced to postmaster
>> at 24by7webstores.com
>>
>> More likely the: "Return-Path: "
>> in the sample message below (one of the 3169 bounced messages
>> collected in /tmp/218.236.142.180.collect) is bouncing the message
>> to me.
>
> Looking at the headers below, the mail came into the recipient's
> system from IP address 218.236.142.180, which (a) has no relation
> to your networks, (b) has no reverse DNS, and is on at least four
> DNSRBLs including dul.dnsbl.sorbs.net, korea.services.net,
> ubl.unsubscore.com, and blackholes.five-ten-sg.com.
Good, that agrees with my bounced mail processing scripts that collected
this message in file 218.236.142.180.collect. Your analysis verifies
that what I thought I was doing (identifying the originating IP
address, collecting all messages originating from that IP address
into a file named with the IP_address.collect tag) appears to be
working.
>
> 218.236.142.180 is a dynamic assigned IP in hananet.net, an ISP
> not noted for their anti-spam competence.
Also good. My count of bounced messages (people rejecting these
messages) and the scripts to perform the whois lookup also appear
to be working having identified the abuse@hanaro.com address in
message we are discussing:
3169 218.236.142.180.collect abuse@hanaro.com
3169 bounced messages received today from people rejecting
messages from 218.236.142.180.
Org Name : Hanaro Telecom Inc.
Service Name : HANANET
Org Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
Org Detail Address: 17-7 Asia One Bldg.
[ ISP IPv4 Admin Contact Information ]
Name : IP manager
Phone : 82-2-106-2
E-Mail : ip-adm@hanaro.com
[ ISP IPv4 Tech Contact Information ]
Name : IP manager
Phone : 82-2-106-2
E-mail : ip-adm@hanaro.com
[ ISP Network Abuse Contact Information ]
Name : manager
Phone : 82-2-106-2
> E-mail : abuse@hanaro.com
>
> The fact that the recipient actually allowed mail from this IP into
> their system is a pretty good indication that they don't know
> what they're doing so sending them notices would be a total waste
> of time.
You misread my post. I'm not sending the response to the recipient
that bounced the spam, I'm sending the report to abuse@hanaro.com
even though they likely will not take action to resolve the problem.
Once the script is working, I can dump a 1.3M zip file attachment
of the day's bounced messages to their e-mail every day as long
as I keep getting the bounced messages.
>
> ...
>> * Return-Path:
>> * Received: (qmail 98968 invoked from network); 5 Mar 2008 21:30:07 -0800
>>> Received: from unknown (HELO ?218.236.142.180?) (218.236.142.180)
>> by pacificballooncharters.com with SMTP; 5 Mar 2008 21:30:06 -0800
>
> This is the Received: header showing the incoming IP address.
>
> ...
> Bill
> --
> INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
> FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
>
> What's this script do?
> unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
> Hint for the answer: not everything is computer-oriented. Sometimes you're
> in a sleeping bag, camping out.
> (Contributed by Frans van der Zande.)
>
>
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
-
Re: Need automatic spam reporting tool
I'm not sure if the original question was answered but I've been using
SpamCop for several years for reporting individual messages. I still use
it for the handful of messages that have made it past DNS blacklists,
SpamAssassin, and bayesian filtering tools on my server.
-Gary
-
Re: Need automatic spam reporting tool
Gary wrote:
> I'm not sure if the original question was answered but I've been using
> SpamCop for several years for reporting individual messages. I still use
> it for the handful of messages that have made it past DNS blacklists,
> SpamAssassin, and bayesian filtering tools on my server.
>
> -Gary
>
>
Thanks Gary. I looked at www.spamcop.net after reading
your message and it looks interesting.
However, this part of the FAQ is a stopper:
"You may attach multiple spams to a single submission.
You should not exceed 20 spams attached to a submission.
The maximum size for the overall submission must not exceed 50 KB."
This is an example of the results I get with scripts that I have
written. The numbers to the left of the IP address are a count of
individual messages received from the IP part of the IP.collect
file:
>
> # 286 200.143.92.247.collect 200.143.64/18 mail-abuse@cert.br
> # 1 200.169.19.67.collect 200.169.16/20 mail-abuse@cert.br
> # 2 200.205.41.250.collect 200.205/16 mail-abuse@cert.br
> # 99 201.8.41.93.collect 201.8/16 mail-abuse@cert.br
>
> Attached is a zip archive of messages originating on your
> network.
>
> zip spam_abuse_to_mail-abuse@cert.br.zip 200.143.92.247.collect 200.169.19.67.collect 200.205.41.250.collect 201.8.41.93.collect
And
>
> # 111 77.125.27.195.collect 77.124.0.0 - 77.127.255.255 abuse@smile.net.il
> # 1277 77.127.162.78.collect 77.124.0.0 - 77.127.255.255 abuse@smile.net.il
>
> Attached is a zip archive of messages originating on your
> network.
>
> zip spam_abuse_to_abuse@smile.net.il.zip 77.125.27.195.collect 77.127.162.78.collect
The above are examples of processing one day's worth of the
e-mail I receive forwarded from the postmaster@24by7webstores
account that is diverted before Spamassassin processes my
incoming e-mail. They are collected in ~HOME/mailfolders/returned_mail
and then processed to segregate original spam mail directed
to any_user@24by7webstores.com and bounced e-mails to
postmaster@24by7webstores.com or the faked user@24by7webstores.com.
I don't care about the original spam directed to xxxx@24by7webstores.com,
those I just delete. I concentrate on reporting the bounced
messages due to the spammer appropriating From addresses with
the 24by7webstores.com domain.
It is my hope that my reports with the volume of messages originating
from a single IP will move the ISP to take appropriate action
quicker than they might in the case of receiving reports from several
individuals reporting original spam and having to accumulate sufficient
evidence to take action.
I have taken steps to add an SPF record to the DNS for 24by7webstores
as suggested by Boyd, but since I don't control DNS I have submitted
the request but it has not been implemented as of today.
But SpamCop looks interesting for reporting the messages that get
past Spamassassin that are original spam to my e-mail. Presently
I'm just deleting those after running sa-learn on them.
--
Steve Fabac
S.M. Fabac & Associates
816/765-1670
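The per-ISP reporting step Steve describes above, together with the SpamCop limit he quotes from the FAQ (20 messages, 50 KB per submission), as an added worked example; this is not the thread's own script. The input is a constructed mapping of originating IP to abuse contact and messages: the IPs and contacts are the ones listed in the thread, the message bodies are placeholders, and the whois lookup that finds the abuse mailbox is assumed to have run already. It groups the .collect buckets by contact, builds the spam_abuse_to_<contact>.zip archive in memory with the standard zipfile module, and splits a message list into submissions that respect both SpamCop limits, reporting any single message that can never fit instead of dropping it. "50 KB" is read as 50*1024 bytes, which is an assumption.

```python
"""Group .collect buckets per abuse contact, zip them, and size SpamCop batches (added example)."""
import io
import zipfile
from collections import defaultdict

SPAMCOP_MAX_MESSAGES = 20
SPAMCOP_MAX_BYTES = 50 * 1024   # assumption: the FAQ's "50 KB" taken as KiB

# Constructed input: ip -> (abuse contact, messages).  Contacts and IPs are
# from the thread's listings; the message text is placeholder, not captured mail.
BUCKETS = {
    "77.125.27.195": ("abuse@smile.net.il", ["Subject: spam 1\n\nx\n"] * 3),
    "77.127.162.78": ("abuse@smile.net.il", ["Subject: spam 2\n\ny\n"] * 5),
    "200.143.92.247": ("mail-abuse@cert.br", ["Subject: spam 3\n\nz\n"] * 2),
}


def group_by_contact(buckets):
    """{contact: [(ip, messages), ...]} so each ISP gets one report."""
    groups = defaultdict(list)
    for ip, (contact, msgs) in buckets.items():
        groups[contact].append((ip, msgs))
    return dict(groups)


def report_lines(groups):
    """'count ip.collect contact' lines, one per IP, as in the thread."""
    return [f"{len(msgs)} {ip}.collect {contact}"
            for contact, entries in sorted(groups.items())
            for ip, msgs in entries]


def build_archive(contact, entries):
    """(archive name, zip bytes): one <ip>.collect member per IP, holding
    that IP's messages concatenated into a flat file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for ip, msgs in entries:
            zf.writestr(f"{ip}.collect", "".join(msgs))
    return f"spam_abuse_to_{contact}.zip", buf.getvalue()


def archive_members(data):
    """Member names of an in-memory zip, for checking what was packed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def spamcop_batches(messages, max_count=SPAMCOP_MAX_MESSAGES,
                    max_bytes=SPAMCOP_MAX_BYTES):
    """Greedy split into submissions obeying both the message-count and
    byte limits.  Returns (batches, oversized): a message that alone
    exceeds max_bytes can never be submitted and is handed back rather
    than silently lost or allowed to break a batch."""
    batches, oversized = [], []
    cur, cur_bytes = [], 0
    for m in messages:
        size = len(m.encode())
        if size > max_bytes:
            oversized.append(m)
            continue
        if cur and (len(cur) == max_count or cur_bytes + size > max_bytes):
            batches.append(cur)
            cur, cur_bytes = [], 0
        cur.append(m)
        cur_bytes += size
    if cur:
        batches.append(cur)
    return batches, oversized


if __name__ == "__main__":
    groups = group_by_contact(BUCKETS)
    print("\n".join(report_lines(groups)))
    for contact, entries in groups.items():
        name, data = build_archive(contact, entries)
        print(name, len(data), "bytes", archive_members(data))
    batches, over = spamcop_batches([m for _, ms in BUCKETS.values() for m in ms])
    print(len(batches), "SpamCop submission(s),", len(over), "oversized")
```

The zip step is the equivalent of the `zip spam_abuse_to_<contact>.zip *.collect` lines in the listings; writing `data` to disk under `name` gives the same attachment.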