[mdlug] Question on Spam

Dave Arbogast mdlug2 at arb.net
Wed Sep 5 22:52:37 EDT 2007


I've noticed some providers outside the Federation of the USA have ID'd 
our IP addresses as US and prevent full access to their site...

with that in mind, is it possible for Postfix to not accept any 
connection from CN or RU ?

-dave

Aaron Kulkis wrote:

>Carl T. Miller wrote:
>
>>A. Kalten wrote:
>>
>>>Quite frequently I receive spam that seems to originate from
>>>bona fide IP addresses that would not likely be in the spamming
>>>business.  For example, just today I noticed a spam message with
>>>both the "From:" and "Reply-to:" fields containing abacus21.com,
>>>which is a legitimate business located in Buffalo, NY, serving the
>>>hospitality industry.  Of course, these fields can be spoofed, but
>>>the complete header does show the message as originating at
>>>abacus21.com:
>>>
>>Not really.  The only header that you can believe is the
>>first Received header.  If it says it came from a server
>>you can trust, you can then believe the next Received
>>header.  Keep doing this until you come to the first
>>server you don't know or trust.  Notice that means you
>>can't trust the Return-Path, To, From or Reply-To
>>headers unless you trust every Received header.
>>
>>>Return-Path: <a-8 at abacus21.com>
>>>Received: from barium.ypsi.provide.net (root at localhost)
>>>	by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
>>>	for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
>>>X-ClientAddr: 221.133.163.182
>>>Received: from [221.133.163.182] ([221.133.163.182])
>>>	by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
>>>l678eWWn013906
>>>	for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
>>>Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
>>>Sat, 7 Jul 2007 08:40:35 -0900
>>>
>>Let's look at your headers.  The first Received shows
>>that xxxxxxxxxxxx.xxx (this must be your mail server)
>>received it from barium.ypsi.provide.net.  We can likely
>>trust them, since they are likely your ISP.  The second
>>header says it came from 221.133.163.182.  Since we don't
>>know who that is and they don't have a hostname associated
>>with that address, we can't trust anything else in this
>>message to be accurate.  Thus we don't know whether or
>>not it did come from abacus21.com.
>>
>>>The host command indicates that the originating address is definitely
>>>abacus21.com:
>>>
>>>[/]# host abacus21.com
>>>abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogic.net.
>>>abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogicmx.net.
>>>abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogic.net.
>>>abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogicmx.net.
>>>abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogic.net.
>>>abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogicmx.net.
>>>
>>All the host command shows is what IP addresses abacus21.com
>>uses to accept email.  It doesn't tell us a thing about the
>>message you received.
>>
>>>Whenever I take the time to check, I can find many other examples
>>>of this.  Just last week, I spotted joespools.com, a swimming pool
>>>installer from Georgia, as another source of spam.  There have been
>>>countless other cases.
>>>
>>>Is this an example of the fabled Botnet or Zombie operation?  That is,
>>>could abacus21.com have been hijacked for the purpose of sending spam?
>>>Or is the explanation just a simple matter of abacus21.com being
>>>a relay?
>>>
>>It's most likely from a botnet or zombie.  There's big money
>>out there for people who can automate the delivery of spam
>>while hiding their identities.
>>
>
>Until they get whacked or arrested.
>
>_______________________________________________
>mdlug mailing list
>mdlug at mdlug.org
>http://mdlug.org/mailman/listinfo/mdlug
>
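Carl's rule for reading a Received chain (believe a header only while the server that wrote it is one you trust, and stop at the first hop you don't know) as an added Python example; this is not code from the thread. The header block is constructed from the message quoted above (the archive's masked hostnames kept, "at" restored to "@"), and the set of trusted hosts is an assumption.

```python
import re

# Sample headers, constructed from the message quoted in this thread.
SAMPLE_HEADERS = """\
Return-Path: <a-8@abacus21.com>
Received: from barium.ypsi.provide.net (root@localhost)
\tby xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
\tfor <info@xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
X-ClientAddr: 221.133.163.182
Received: from [221.133.163.182] ([221.133.163.182])
\tby barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
\tl678eWWn013906
\tfor <info@xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
\tSat, 7 Jul 2007 08:40:35 -0900
"""

# Assumption: our own server plus the ISP relay named in the thread are the
# only hosts we trust to write honest Received headers.
TRUSTED = {"xxxxxxxxxxx.xxx", "barium.ypsi.provide.net"}

RECEIVED_RE = re.compile(r"^Received:\s*from\s+([^\s;()]+).*?\bby\s+([^\s;()]+)", re.S)

def unfold(raw):
    """Join RFC 822 folded continuation lines (leading space/tab) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """Return (from_host, by_host) for each Received header, newest first."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1).strip("[]"), m.group(2)))
    return hops

def trusted_depth(raw, trusted):
    """Walk the chain from the top. A header is believed only if the 'by' host
    that wrote it is trusted; once a 'from' host is untrusted, every header
    below it was written by that host and is ignored.
    Returns (believed_hops, first_untrusted_host_or_None)."""
    believed = []
    for from_host, by_host in received_hops(raw):
        if by_host not in trusted:
            return believed, by_host
        believed.append((from_host, by_host))
        if from_host not in trusted:
            return believed, from_host
    return believed, None

def sender_is_believable(raw, trusted):
    """From/Return-Path/Reply-To are only credible if every hop was trusted."""
    return trusted_depth(raw, trusted)[1] is None
```

On the thread's headers this stops at 221.133.163.182, so the third Received line (the one naming abacus21.com's MX) and the Return-Path are never believed.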