On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
> Boyd Lynn Gerber wrote:
> > On Wed, 5 Mar 2008, Steve M. Fabac, Jr. wrote:
> > > I'm flooded with returned messages from e-mail servers
> > > bouncing spam messages where the spammer uses fake "From:"
> > > tags with random names on my 24by7webstores.com site:
> > > "From: "Mort tikkanen" "
> >
> > I use SPF. It allows domain owners to specify their outgoing email
> > servers and thus allows receivers to decide how to handle. I discard email
> > on SPF Fail. It allows you to do a lot of other things. There are some
> > python filters that really assist/automate reputations for email. You
> > could search the SPF Discuss list to find them. I use a combination of
> > things. But having an SPF record cuts down on bounces.
>
> You miss my point. I don't have a problem with bounced messages coming back.
> None of the original spam messages is coming from my website or from me.
> What angers me is that someone or some group of people have misappropriated
> my domain to facilitate their spamming.


No, I did not miss your point. You missed mine. That is my point
exactly. Forgery. I used to have between 10,000 and 50,000 emails per
day that were all forgeries of my domain. With SPF I do not see any of
the domain forgeries. People know what IP addresses are valid for my
domain and can safely reject email that does not come from my domain.

> Because the volume ranges from 1000 to 3000 bounced messages being
> sent back to the bogus From: address, I seek to build a tool to
> automate dropping these messages back on the ISP hosting the open
> relays or spammer's machine to assist them in building a case to
> shut them down.


The tool already exists. You publish an SPF record and be done with it.
Spammers/forgers of your domain will vary by the botnet. The only way to
protect yourself is with SPF. There is RFC 4408. Use it to protect
your domain names.

> The 1000 to 3000 messages is probably a small percentage of the total
> spam these people are generating as only a small percentage of
> receiving systems bounce the messages (10 - 20%?).
>
> Because I have to manually cut and paste the IP address into
> www.samspade.org, I limit my responses to IP addresses
> with 20 or more messages. Since Samspade.org obviously is
> automated, I should be able to do the same thing to automate
> my submissions to the subject ISP abuse reporting addresses.


Where/how do you think they can automate? People have to know what is
a valid IP. Only the domain owner can tell everyone what is valid or
not. That is the whole reason behind SPF. How is anyone to know that
an email from your domain is not a forgery? You have not defined who
is authorized to email from your domain. Once you define it, then you
create a honeypot and send any email that does not come from an
authorized source to the various reporting services. Unless others know
what is authorized and what is not, they cannot know. Only you can let
them know. Everything has to be manually done. That is why SPF is so
valuable. Hence the references below.

> >
> > SPF FAQ: http://www.openspf.org/FAQ
> > Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
> >
> > > Unfortunately, whois on SCO does not provide the necessary information.
> >
> > You can compile the Open Source version and run it. It works really well.
> > I currently do not have an OSR 5.0.7 machine available to do compiles.
> >
> > > Any suggestions on how to lookup the information I need
> > > automatically with tools on the SCO 5.0.7 system?
> > >
> > > Or is there an open source tool that can be compiled for SCO
> > > that will provide the information I need?
> >
> > I really like
> >
> > python-pydns
> > python-pydspam
> > python-pyspf
> > python-pygossip
> > python-pysrs
> >
> > I use the above to automate the whole process. Look at what
> >
> > Stuart D. Gathman
> >
> > He has really perfected them. He is the developer.


You really need to look into SPF.

--
Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
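The check Boyd describes (a receiver testing the connecting IP against the mechanisms the domain owner publishes, RFC 4408), as an added example that is not part of this thread or of the pyspf library it mentions. The record and addresses are constructed from documentation ranges, and only the DNS-free mechanisms ip4, ip6 and all are implemented; a, mx, include and redirect are rejected rather than resolved.

```python
import ipaddress

# Result codes from RFC 4408 section 2.5 for the qualifier prefixed to a mechanism.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Only 'ip4', 'ip6' and 'all' are accepted: they can be evaluated offline.
    Mechanisms that need DNS lookups raise rather than being silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise ValueError(f"mechanism {name!r} needs DNS; not supported here")
        parsed.append((qualifier, name, arg))
    return parsed

def check_host(ip, record):
    """Evaluate a sender IP against a record; returns an RFC 4408 result string."""
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":                    # 'all' always matches, ending evaluation
            return QUALIFIERS[qualifier]
        network = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
        if addr.version == network.version and addr in network:
            return QUALIFIERS[qualifier]
    # Nothing matched and there was no 'all' term: RFC 4408 gives neutral.
    return "neutral"

# Constructed record for a hypothetical domain: the owner's authorised mail servers
# followed by '-all', so any other source gets the hard fail Boyd discards on.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.77", "203.0.113.5", "2001:db8::25"):
        print(sender, "->", check_host(sender, EXAMPLE_RECORD))
```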