HzM

Members
  • Content count

    2
  • Joined

  • Last visited

Community Reputation

0 Neutral

About HzM

  • Rank
    Newbie
  1. I have a scheduled job going through the impacted mail file each hour, extracting the original sending server names, their IP address, their port and on behalf of whom they are sending. So it's by no means "old data" - it's filtered out while the thing is happening. It's pretty frustrating to have this detailled knowledge and not being able to put it to proper usage. If each of the targets were to report, we should have maybe 10.000 real end users activated, which will not happen. Instead, the spreadsheet with all the info collected in one spot is frawned upon. True, I could forward the reponses (in bunches of, say 1000). Maybe I should do so and then let the utility come to the same result as "my" list. /Per
  2. I've been hit by the same problem. My mail host reports nicely back on each undeliverable mail - in the thousands now. As described above, the original mails (including the original headers) are appended to the "Mail delivery failed: returning message to sender" mails I get. And, of course, it doesn't make sense to report my own mail host as spammer... Using Thunderbird as mail client, I have developed a scri_pt which parses the Thunderbird INBOX file and extracts the original "Received: from" lines. Seems like there are to kinds: "Received: from mail.xxxx.com ([123.456.789.123]:<port number> helo=exploited.site.com)" "Received: from [123.456.789.123] (port=34176 helo=exploited.site)" (mail.xxx.com would be the name of the mail server sending on behalf of the exploited site.) It seems like - in my case - that they come in groups of up to 5, and then the source changes. In a sample of 2070 there were a total of 782 unique IP sender addresses. The text included in the original mail (spoofing my mail ID) varies sligthly - I've seen French, English, Polish, Italian texts, but more or less to the same adult point. Now, this is all very interesting, because now I have a view of the bot net used. But then what to do next? Since it's not doable to copy/paste each individual original header into some reporting tool - and since, in principle, the exploited domain owner should report the spam - can I then take this extracted information (mail server ID + IP address + exploited domain name) and report this on SpamCop or somewhere else? Ideas? /Per