[mdlug] Question on Spam

Aaron Kulkis akulkis3 at HotPOP.com
Wed Sep 5 23:05:43 EDT 2007


Dave Arbogast wrote:
> I've noticed some providers outside the Federation of the USA have ID'd 
> our IP addresses as US and prevent full access to their site...
> 
> with that in mind, is it possible for Postfix to not accept any 
> connection from CN or RU ?

Heh.
Good idea .... although the whacking solution has been used in .ru-land.

> 
> -dave
> 
> Aaron Kulkis wrote:
>> Carl T. Miller wrote:
>>   
>>> A. Kalten wrote:
>>>     
>>>> Quite frequently I receive spam that seems to originate from
>>>> bona fide IP addresses that would not likely be in the spamming
>>>> business.  For example, just today I noticed a spam message with
>>>> both the "From:" and "Reply-to:" fields containing abacus21.com,
>>>> which is a legitimate business located in Buffalo, NY, serving the
>>>> hospitality industry.  Of course, these fields can be spoofed, but
>>>> the complete header does show the message as originating at
>>>> abacus21.com:
>>>>       
>>> Not really.  The only header that you can believe is the
>>> first Received header.  If it says it came from a server
>>> you can trust, you can then believe the next Received
>>> header.  Keep doing this until you come to the first
>>> server you don't know or trust.  Notice that means you
>>> can't trust the Return-Path, To, From or Reply-To
>>> headers, unless you trust every Received header.
>>>
>>>     
>>>> Return-Path: <a-8 at abacus21.com>
>>>> Received: from barium.ypsi.provide.net (root at localhost)
>>>> 	by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
>>>> 	for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
>>>> X-ClientAddr: 221.133.163.182
>>>> Received: from [221.133.163.182] ([221.133.163.182])
>>>> 	by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
>>>> l678eWWn013906
>>>> 	for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
>>>> Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
>>>> Sat, 7 Jul 2007 08:40:35 -0900
>>>>       
>>> Let's look at your headers.  The first Received shows
>>> that xxxxxxxxxxxx.xxx (this must be your mail server)
>>> received it from barium.ypsi.provide.net.  We can likely
>>> trust them, since they are likely your ISP.  The second
>>> header says it came from 221.133.163.182.  Since we don't
>>> know who that is and they don't have a hostname associated
>>> with that address, we can't trust anything else in this
>>> message to be accurate.  Thus we don't know whether or
>>> not it did come from abacus21.com.
>>>
>>>     
>>>> The host command indicates that the originating address is definitely
>>>> abacus21.com:
>>>>
>>>> [/]# host abacus21.com
>>>> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogic.net.
>>>> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogicmx.net.
>>>> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogic.net.
>>>> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogicmx.net.
>>>> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogic.net.
>>>> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogicmx.net.
>>>>       
>>> All the host command shows is what IP addresses abacus21.com
>>> uses to accept email.  It doesn't tell us a thing about the
>>> message you received.
>>>
>>>     
>>>> Whenever I take the time to check, I can find many other examples
>>>> of this.  Just last week, I spotted joespools.com, a swimming pool
>>>> installer from Georgia, as another source of spam.  There have been
>>>> countless other cases.
>>>>
>>>> Is this an example of the fabled Botnet or Zombie operation?  That is,
>>>> could abacus21.com have been hijacked for the purpose of sending spam?
>>>> Or is the explanation just a simple matter of abacus21.com being
>>>> a relay?
>>>>       
>>> It's most likely from a botnet or zombie.  There's big money
>>> out there for people who can automate the delivery of spam
>>> while hiding their identities.
>>>     
>>
>> Until they get whacked or arrested.
>>
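As an added example (not from this thread or from the posters), here is the header walk Carl describes, in Python: each Received header is stamped by its "by" host, so it is only believable when that host is trusted, and the walk stops at the first "from" host you don't trust. The sample headers are a constructed re-fold of the chain quoted above (with the poster's xxxxxxxxxxx.xxx placeholders kept), and the trusted-host set is an assumption.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the Received chain quoted in this thread, re-folded with
# tabs; the "xxxxxxxxxxx.xxx" placeholders are kept as the poster wrote them.
SAMPLE_HEADERS = (
    "Return-Path: <a-8@abacus21.com>\n"
    "Received: from barium.ypsi.provide.net (root@localhost)\n"
    "\tby xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984\n"
    "\tfor <info@xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400\n"
    "X-ClientAddr: 221.133.163.182\n"
    "Received: from [221.133.163.182] ([221.133.163.182])\n"
    "\tby barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id\n"
    "\tl678eWWn013906\n"
    "\tfor <info@xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400\n"
    "Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;\n"
    "\tSat, 7 Jul 2007 08:40:35 -0900\n"
)

# "from <host-or-[ip]> ... by <host>" is all the walk needs from each header.
RECEIVED_RE = re.compile(r"from\s+\[?([^\s\]]+)\]?.*?\bby\s+([^\s;]+)")

def parse_received(value):
    """Return (from_host, by_host) for one Received header, or None."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))
    return (m.group(1), m.group(2)) if m else None

def walk_received(raw_headers, trusted_hosts):
    """Top-down walk of the Received chain, as described in the thread.
    Header i was stamped by its 'by' host, so it is only believable when
    that host is trusted; stop at the first 'from' host we do not trust.
    Returns (origin, believed, unverified): the hand-off we can actually
    attribute the message to, how many headers were believed, and the
    Received values that remain unverifiable."""
    received = HeaderParser().parsestr(raw_headers).get_all("Received", [])
    believed, origin = 0, None
    for value in received:
        hop = parse_received(value)
        if hop is None or hop[1] not in trusted_hosts:
            break                    # stamped by a host we don't trust
        believed += 1
        origin = hop[0]
        if origin not in trusted_hosts:
            break                    # first untrusted sender: the real hand-off
    return origin, believed, received[believed:]

if __name__ == "__main__":
    trusted = {"xxxxxxxxxxx.xxx", "barium.ypsi.provide.net"}   # assumed trust set
    origin, believed, rest = walk_received(SAMPLE_HEADERS, trusted)
    print(f"attributable origin: {origin} ({believed} headers believed, "
          f"{len(rest)} unverifiable)")
```

With the ISP relay trusted, the walk attributes the message to 221.133.163.182 and leaves the mxlogic.net hop unverified, which is exactly the conclusion reached in the thread.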