[mdlug] Question on Spam
Aaron Kulkis
akulkis3 at HotPOP.com
Wed Sep 5 23:05:43 EDT 2007
Dave Arbogast wrote:
> I've noticed some providers outside the Federation of the USA have ID'd
> our IP addresses are US and prevent full access to their site...
>
> with that in mind, is it possible for Postfix to not accept any
> connection from CN or RU ?
Heh.
Good idea .... although the whacking solution has been used in .ru-land.
>
> -dave
>
> Aaron Kulkis wrote:
>> Carl T. Miller wrote:
>>
>>> A. Kalten wrote:
>>>
>>>> Quite frequently I receive spam that seems to originate from
>>>> bona fide IP addresses that would not likely be in the spamming
>>>> business. For example, just today I noticed a spam message with
>>>> both the "From:" and "Reply-to:" fields containing abacus21.com,
>>>> which is a legitimate business located in Buffalo, NY, serving the
>>>> hospitality industry. Of course, these fields can be spoofed, but
>>>> the complete header does show the message as originating at
>>>> abacus21.com:
>>>>
>>> Not really. The only header that you can believe is the
>>> first Received header. If it says it came from a server
>>> you can trust, you can then believe the next Received
>>> header. Keep doing this until you come to the first
>>> server you don't know or trust. Notice that means you
>>> can't trust the Return-Path, To, From or Reply-To
>>> headers unless you trust every Received header.
>>>
>>>
>>>> Return-Path: <a-8 at abacus21.com>
>>>> Received: from barium.ypsi.provide.net (root at localhost)
>>>> by xxxxxxxxxxx.xxx (8.12.11/8.12.11) with ESMTP id l678eaDn013984
>>>> for <info at xxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:36 -0400
>>>> X-ClientAddr: 221.133.163.182
>>>> Received: from [221.133.163.182] ([221.133.163.182])
>>>> by barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id
>>>> l678eWWn013906
>>>> for <info at xxxxxxxxxxxx.xxx>; Sat, 7 Jul 2007 04:40:33 -0400
>>>> Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;
>>>> Sat, 7 Jul 2007 08:40:35 -0900
>>>>
>>> Let's look at your headers. The first Received shows
>>> that xxxxxxxxxxxx.xxx (this must be your mail server)
>>> received it from barium.ypsi.provide.net. We can likely
>>> trust them, since they are likely your ISP. The second
>>> header says it came from 221.133.163.182. Since we don't
>>> know who that is and they don't have a hostname associated
>>> with that address, we can't trust anything else in this
>>> message to be accurate. Thus we don't know whether or
>>> not it did come from abacus21.com.
>>>
>>>
>>>> The host command indicates that the originating address is definitely
>>>> abacus21.com:
>>>>
>>>> [/]# host abacus21.com
>>>> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogic.net.
>>>> abacus21.com mail is handled by 20 abacus21.com.inbound20.mxlogicmx.net.
>>>> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogic.net.
>>>> abacus21.com mail is handled by 30 abacus21.com.inbound30.mxlogicmx.net.
>>>> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogic.net.
>>>> abacus21.com mail is handled by 10 abacus21.com.inbound10.mxlogicmx.net.
>>>>
>>> All the host command shows is what IP addresses abacus21.com
>>> uses to accept email. It doesn't tell us a thing about the
>>> message you received.
>>>
>>>
>>>> Whenever I take the time to check, I can find many other examples
>>>> of this. Just last week, I spotted joespools.com, a swimming pool
>>>> installer from Georgia, as another source of spam. There have been
>>>> countless other cases.
>>>>
>>>> Is this an example of the fabled Botnet or Zombie operation? That is,
>>>> could abacus21.com have been hijacked for the purpose of sending spam?
>>>> Or is the explanation just a simple matter of abacus21.com being
>>>> a relay?
>>>>
>>> It's most likely from a botnet or zombie. There's big money
>>> out there for people who can automate the delivery of spam
>>> while hiding their identities.
>>>
>>
>> Until they get whacked or arrested.
>>
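The header-walking rule Carl describes (believe only the topmost Received header, then each further one only while the host that wrote it is one you trust, and stop at the first hop you do not know) is easy to automate. The script below is an added example for this thread, not code posted by any of its participants. It embeds a constructed copy of the headers quoted above with the redacted receiving host replaced by the placeholder mail.example.test, treats that host and barium.ypsi.provide.net as the trusted relays, and reports the first untrusted hop and the IP the trusted server recorded for it. The small CIDR check at the end is the kind of test Dave asks about; its block list is a made-up placeholder range, not a real country allocation.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample, modelled on the headers quoted in the thread. The
# receiving host and recipient are placeholders; this is not a real capture.
SAMPLE_MESSAGE = (
    "Return-Path: <a-8@abacus21.com>\n"
    "Received: from barium.ypsi.provide.net (root@localhost)\n"
    "\tby mail.example.test (8.12.11/8.12.11) with ESMTP id l678eaDn013984\n"
    "\tfor <info@example.test>; Sat, 7 Jul 2007 04:40:36 -0400\n"
    "X-ClientAddr: 221.133.163.182\n"
    "Received: from [221.133.163.182] ([221.133.163.182])\n"
    "\tby barium.ypsi.provide.net (8.12.11.20060308/8.12.11) with ESMTP id\n"
    "\tl678eWWn013906\n"
    "\tfor <info@example.test>; Sat, 7 Jul 2007 04:40:33 -0400\n"
    "Received: from [221.133.163.182] by abacus21.com.inbound20.mxlogic.net;\n"
    "\tSat, 7 Jul 2007 08:40:35 -0900\n"
    "From: a-8@abacus21.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Hosts whose Received headers we are willing to believe: our own MTA
# (placeholder name) and the ISP relay named in the thread. Assumption.
TRUSTED_HOSTS = {"mail.example.test", "barium.ypsi.provide.net"}

# Placeholder block list for the CIDR check; not a real country allocation.
PLACEHOLDER_BLOCKLIST = ["221.133.160.0/22"]

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Unfold one Received header and extract the claimed 'from' host, the
    'by' host that wrote the header, and the IPv4 literal the receiving
    server recorded for the sender (if any)."""
    flat = " ".join(value.split())
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    from_host = m.group("from").strip("[];,")
    by_host = m.group("by").strip("[];,")
    # The receiving server writes the peer address either in the parenthesised
    # comment or, for a bare literal, as the from-host itself.
    ip_m = IPV4_RE.search(m.group("comment") or m.group("from"))
    return {"from": from_host, "by": by_host, "ip": ip_m.group(0) if ip_m else None}


def first_untrusted_hop(raw_message, trusted=TRUSTED_HOSTS):
    """Walk Received headers newest-first. A header is believed only if the
    host that wrote it ('by') is trusted; the walk continues while the
    'from' host is also trusted and stops at the first hop that is not."""
    msg = message_from_string(raw_message)
    believed = []
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"].lower() not in trusted:
            # Written by a host we do not trust: nothing beyond here is reliable.
            return {"believed_hops": believed, "untrusted_host": None,
                    "untrusted_ip": None, "reason": "header writer not trusted"}
        believed.append(hop)
        if hop["from"].lower() not in trusted:
            return {"believed_hops": believed, "untrusted_host": hop["from"],
                    "untrusted_ip": hop["ip"], "reason": "first untrusted sender"}
    return {"believed_hops": believed, "untrusted_host": None,
            "untrusted_ip": None, "reason": "every hop trusted"}


def in_blocklist(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    result = first_untrusted_hop(SAMPLE_MESSAGE)
    print("believed hops:", [(h["from"], "->", h["by"]) for h in result["believed_hops"]])
    print("first untrusted hop:", result["untrusted_host"], result["untrusted_ip"], result["reason"])
    if result["untrusted_ip"]:
        print("in placeholder blocklist:", in_blocklist(result["untrusted_ip"], PLACEHOLDER_BLOCKLIST))
```

On the sample the walk believes two hops and stops at 221.133.163.182, the address barium recorded for its peer; the third Received header, supposedly written by the mxlogic host, is never consulted because it sits behind an untrusted hop and could have been inserted by the sender. In Postfix the equivalent of the CIDR check is done at SMTP time with a `check_client_access cidr:` table in `smtpd_client_restrictions`, which rejects the connecting client's address rather than trusting anything the message says about itself.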