Adriaan
  1. Adriaan

    SpamCop Maintenance

    For those unfamiliar with the "PDT-0700" notation, that means that the PDT time zone is 7 hours behind UTC/GMT.

        $ env TZ=UTC date; env TZ=PST8PDT date
        Thu Jul 19 12:06:47 UTC 2007
        Thu Jul 19 05:06:47 PDT 2007
  2. Adriaan

    Best way to report blog/guestbook spam?

    That only would be an issue if it is your priority to report the sender. For reporting the spamvertized websites it is not. In email spam the sending IP can be found by parsing the email header. This header has been standardized and is separated from the email body by an empty line. However, the spamvertized websites have to be extracted from the email body, which is a free undefined format, just like forum messages. And although it seems not to be Spamcop's priority, it still scans this free format for URLs.

    RE: logs as 'evidence'

    The email logs provide kind of proof. But for forum spam messages the messages which made it to other boards, and which have been cached by Google can provide this proof. For forum spam, I would forget about the sender. Just focus on the spamvertised websites and report them to the domain name registrar. I do that manually now, using the whois from the OpenBSD command line.

    Seems like the ultimate solution to stop email spam

    We are moving to approve/moderate the first 5 posts of all newly joined members. That will stop spam from being publicly viewable. But I think the disapproved spam posts could be a great resource for data-mining anti-spam intelligence.
  3. Adriaan

    Best way to report blog/guestbook spam?

    I am member and moderator of bsdforums.org, a discussion forum for BSD Unix-like operating systems, and during the last months we see a huge increase in spam posted by what appear to be bots. It would be nice to have if Spamcop could provide a way to report this type of spam. The following google links will give you an impression of this type of spam posted to our and other forums.

    354 google hits for sport shoes spam: http://www.google.nl/search?hl=nl&q=1s...oeken&meta=

    A new kid on the block with 43 google hits: http://www.google.nl/search?q=davidfoxson%...tart=0&sa=N

    WARNING: the following is for adult 18+ X-rated material

    15.500 google hits for this porno spam: http://www.google.nl/search?hl=nl&q=+%...oeken&meta=

    As some of these spams already may have been removed, you will have to use the page cached by google. And please don't click on the links of the spamvertised sites. That will show up in their webserver logs and you don't want to give them the impression that their spam is successful.

    It would be nice if Spamcop could provide a way to report this type of spam because the current reporting system is only suitable for email spam.

    =Adriaan=
  4. Adriaan

    No source IP address found, cannot proceed.

    The gmail mail header shows IP addresses in the header, but these are special ones, to be used only privately. From one of the links posted:

        Received: by 10.78.148.13 with SMTP id v13cs207394hud; Wed, 7 Mar 2007 21:22:17 -0800 (PST)
        Received: by 10.90.25.3 with SMTP id 3mr1592agy.1173331336759; Wed, 07 Mar 2007 21:22:16 -0800 (PST)
        Received: by 10.90.120.2 with HTTP; Wed, 7 Mar 2007 21:22:16 -0800 (PST)

    This header shows IP addresses starting with 10 and these are reserved for private use and are only valid on an internal network. 10.x.x.x addresses will never be routed to the public Internet. From RFC 1918 http://tools.ietf.org/html/rfc1918

        3. Private Address Space

        The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

            10.0.0.0 - 10.255.255.255 (10/8 prefix)
            172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
            192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

        [snip]

        An enterprise that decides to use IP addresses out of the address space defined in this document can do so without any coordination with IANA or an Internet registry. The address space can thus be used by many enterprises. Addresses within this private address space will only be unique within the enterprise, or the set of enterprises which choose to cooperate over this space so they may communicate with each other in their own private internet.

    On my small private home network I use addresses starting with 192.168 for my private domain "utp.xnet" and I run a local mail server and nameserver. An example name lookup of my private mail server:

        nslookup mail.utp.xnet ns.utp.xnet
        Server: ns.utp.xnet
        Address: 192.168.222.11#53

        Name: mail.utp.xnet
        Address: 192.168.222.10

    You can try the same nslookup command on your own Windows/Unix computer but you never will get an answer, because the 192.168.222.10 and 10 addresses are private. Likewise Spamcop will not get an answer to the lookup of the private address 10.78.148.13, used internally by Gmail.

        nslookup 10.78.148.13
        Server: 192.168.222.11
        Address: 192.168.222.11#53

        ** server can't find 13.148.78.10.in-addr.arpa: NXDOMAIN

    Because of a similar error Spamcop says "No source IP address found, cannot proceed".
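The header walk described in the post above, as an added example in Python (not SpamCop's code): it unfolds the Received: headers, reads them top-down, skips every hop whose address is private or otherwise not globally routable (RFC 1918 and friends, which is exactly what Gmail's 10.x.x.x relays are), and returns the first routable address. The first sample is the Gmail header from the post; the second sample, including the host names `nadya`, `forged-host.invalid` and the 203.219.1.2 address, is constructed here to show that only the first external hop counts and that lower Received: lines are whatever the sender chose to write.

```python
"""Locate the originating IP of an e-mail from its Received: headers.

Added example for the discussion above; this is not SpamCop's code.
It walks the Received: headers top-down (the top one was added last,
by the server closest to the recipient) and returns the first address
that is globally routable.  Hops with RFC 1918 addresses, such as
Gmail's internal 10.x.x.x relays, are skipped: they are only meaningful
inside the sender's network and have no usable reverse DNS, which is
why the lookup of 10.78.148.13 in the post ends in NXDOMAIN.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Dotted quad anywhere in a header line ("by 10.78.148.13", "[82.179.169.118]").
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_lines(raw_headers: str) -> List[str]:
    """Unfold folded header lines (RFC 5322) and keep only Received: headers, in order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [ln for ln in unfolded.splitlines() if ln.lower().startswith("received:")]


def find_source_ip(raw_headers: str) -> Tuple[Optional[str], List[str]]:
    """Return (first globally routable IP, private/reserved IPs skipped before it).

    None as the first element is the situation SpamCop reports as
    "No source IP address found": every hop carried a private address.
    Received: lines below the first external hop are not trustworthy;
    the sender can write anything there, so the search stops at that hop.
    """
    skipped: List[str] = []
    for line in received_lines(raw_headers):
        for candidate in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:      # e.g. a date fragment such as "02.25.13.36"
                continue
            if addr.is_global:      # False for RFC 1918, loopback, link-local, ...
                return candidate, skipped
            skipped.append(candidate)
    return None, skipped


# Sample 1: the Gmail headers quoted in the post above (every hop is in 10/8).
GMAIL_INTERNAL_ONLY = """\
Received: by 10.78.148.13 with SMTP id v13cs207394hud;
        Wed, 7 Mar 2007 21:22:17 -0800 (PST)
Received: by 10.90.25.3 with SMTP id 3mr1592agy.1173331336759;
        Wed, 07 Mar 2007 21:22:16 -0800 (PST)
Received: by 10.90.120.2 with HTTP; Wed, 7 Mar 2007 21:22:16 -0800 (PST)
Subject: test
"""

# Sample 2 (constructed for this example): a Gmail-style chain with one
# external hop, followed by a lower Received: line that the sender forged
# with a made-up host name and an address from 203.219.0.0/16.
WITH_EXTERNAL_HOP = """\
Received: by 10.65.211.18 with SMTP id n18cs562239qbq;
        Sun, 25 Feb 2007 13:36:32 -0800 (PST)
Received: from nadya ([82.179.169.118]) by mx.google.com with ESMTP id 19si8759887nzp;
        Sun, 25 Feb 2007 13:36:32 -0800 (PST)
Received: from 192.168.0.7 (forged-host.invalid [203.219.1.2])
        by mail.forged-domain.invalid with SMTP id abc123;
Subject: test
"""

if __name__ == "__main__":
    for name, sample in (("gmail-only", GMAIL_INTERNAL_ONLY),
                         ("external-hop", WITH_EXTERNAL_HOP)):
        ip, skipped = find_source_ip(sample)
        print(f"{name}: source={ip} skipped_private={skipped}")
```

For the first sample the function returns no address at all, which is the same outcome the post describes for SpamCop; for the second it returns 82.179.169.118 and never looks at the forged 203.219.1.2 line below it.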
  5. Adriaan

    How Spamcop blocking myths are propagated

    I just encountered a similar perception at http://www.bsdforums.org/forums/showthread.php?t=47925 BTW I am the J65nko trying to enlighten him
  6. I received this spam a couple of days ago on one of my gmail accounts. Nice example of how they randomize their spam using a template. And in this case also waste their botnet-rental fee.

        Delivered-To: XXXXX[at]gmail.com
        Received: by 10.65.211.18 with SMTP id n18cs562239qbq; Sun, 25 Feb 2007 13:36:32 -0800 (PST)
        Received: by 10.35.43.10 with SMTP id v10mr10231577pyj.1172439392045; Sun, 25 Feb 2007 13:36:32 -0800 (PST)
        Return-Path: <mahoney[at]shrieve.com>
        Received: from nadya ([82.179.169.118]) by mx.google.com with ESMTP id 19si8759887nzp.2007.02.25.13.36.20; Sun, 25 Feb 2007 13:36:32 -0800 (PST)
        Received-SPF: error (google.com: error in processing during lookup of mahoney[at]shrieve.com: DNS timeout)
        Date: Sun, 25 Feb 2007 13:36:22 -0800 (PST)
        Received: from 192.168.0.%RND_DIGIT (203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG]) by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL) (8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME
        Message-Id: <%RND_DIGIT[10].%STATWORD[at]mail%SINGSTAT.%RND_FROM_DOMAIN>
        From: "%FROM_NAME" <%FROM_EMAIL>
        %MESSAGE_BODY
  7. Adriaan

    212.187.57.51 Blocked

    That IP address is still on several blacklists

        51.57.187.212.bl.spamcop.net : 127.0.0.2
        51.57.187.212.zen.spamhaus.org : 127.0.0.11
        51.57.187.212.combined.njabl.org : 127.0.0.3

    Just being curious I entered the address http://212.187.57.51/ in my browser and things started to become clear. That (Dutch language) web page shows that the OP runs a "hotspot" where people having a subscription can log in through their wireless NIC. It is also possible to buy a card which gives you access for a limited time. http://212.187.57.51/index.php?id=3 shows the prices of these access cards. So that is the reason why Krijn, the OP, doesn't know everybody who connects to his network.

    The solution to the problem would be to block all SMTP port traffic originating from his network. The subscribing customers, authenticated through a password, can be allowed to submit mail via SSL on port 587/tcp of his (mail)server. This mail, having an audit trail, can be safely relayed to its destination. In case one of this category of customers gets "botnetted" he can call the customer and tell him to clean or reinstall his box. Those who just buy a card with an access code for a single day should not be allowed to submit and relay mail through his server. Because these people are not traceable, they will have to use a similar authenticated procedure with their own "home" ISP.

    Another example of how a lack of information can result in well meant, but not completely applicable advice.
  8. Adriaan

    What Kind Of Spam Is This?

    They transfer money into your bank account, or send you a check of say 2000 dollars. You transfer that money out, minus a commission of say 10%, 2000 - 200 = 1800. Usually they ask you to use Western Union or something like that. Then after a couple of weeks, the bank calls you that the check was false, and that the bank will have to debit your account for those 2000 dollars. Now it is your job to get the 1800 dollars from those criminals, who in the mean time will have disappeared into thin air.
  9. Adriaan

    212.187.57.51 Blocked

    Krijn, I have an OpenBSD firewall between my Speedtouch ADSL modem/router and my home network switch. All outgoing network traffic has to go through this box (an old Pentium 200 MHz with 2 network cards). To monitor my network I use a pf firewall rule to log all port 25 connections initiated from my network. This info ends up in a log file which I check regularly. A snippet from this log:

        Jan 31 11:29:43.901527 rule 1..23/0(match): pass out on xl0: 10.0.0.200.4411 > 62.251.0.47.25: tcp 0 (DF)
        Feb 01 11:43:03.606101 rule 1..23/0(match): pass out on xl0: 192.168.222.210.11181 > 66.249.93.114.25: tcp 0 (DF)
        Feb 01 12:23:38.763041 rule 1..23/0(match): pass out on xl0: 192.168.222.44.14495 > 202.83.166.115.25: tcp 0 (DF) [tos 0x10]
        Feb 02 02:34:47.472237 rule 1..23/0(match): pass out on xl0: 192.168.222.210.45094 > 66.249.93.27.25: tcp 0 (DF)
        Feb 02 08:29:56.186860 rule 1..23/0(match): pass out on xl0: 10.0.0.200.46741 > 62.251.0.47.25: tcp 0 (DF)
        Feb 02 09:36:54.896581 rule 1..23/0(match): pass out on xl0: 10.0.0.200.19573 > 62.251.0.29.25: tcp 0 (DF)
        Feb 02 09:53:09.693025 rule 1..23/0(match): pass out on xl0: 10.0.0.200.23579 > 62.251.0.47.25: tcp 0 (DF)
        Feb 02 15:44:01.883023 rule 1..23/0(match): pass out on xl0: 10.0.0.200.44940 > 62.251.0.29.25: tcp 0 (DF)
        Feb 02 15:55:56.850053 rule 1..23/0(match): pass out on xl0: 10.0.0.200.4480 > 62.251.0.47.25: tcp 0 (DF)
        Feb 02 19:53:38.569941 rule 1..23/0(match): pass out on xl0: 10.0.0.200.14084 > 62.251.0.29.25: tcp 0 (DF)
        Feb 02 20:05:02.780961 rule 1..23/0(match): pass out on xl0: 10.0.0.200.31082 > 62.251.0.47.25: tcp 0 (DF)
        Feb 02 21:27:19.596962 rule 1..23/0(match): pass out on xl0: 192.168.222.210.46381 > 66.249.93.27.25: tcp 0 (DF)
        Feb 03 01:22:05.911073 rule 1..23/0(match): pass out on xl0: 10.0.0.200.42254 > 62.251.0.29.25: tcp 0 (DF)

    As you can see it doesn't look like I have spambot infected boxes.

    To be able to monitor your network, you need an appliance through which all network traffic has to pass. If all your network traffic goes through your Linux server, then you can monitor your network on your server. If it doesn't, you could start with checking whether the Linux server is the culprit. Frequently cracked insecure PHP mailing scripts are a source of spam problems. Check the mail logs of the mail server program, to see if the mail server program is being abused to send mail.

    In case the server mail log files give no indication of abuse, you could use tcpdump to log port 25 traffic. The following is rather crude and has the disadvantage that it will log all port 25 packets sent by the server. So you better make sure you have enough space in "/var/log".

        tcpdump -ttt -n -i ne3 -w /var/log/port25 "tcp dst port 25"

    Explanation

        -ttt : print the timestamp
        -n : don't resolve IP addresses to names
        -i ne3 : use network card "ne3". For Linux you will have to use "-i eth0" instead
        -w /var/log/port25 : write the data to the file "/var/log/port25"
        "tcp dst port 25" : select TCP protocol data with destination port 25

    To read the file with the paging program "less":

        tcpdump -ttt -n -r /var/log/port25 | less

    BTW your IP is still being blocked

        $ ./zen.spamhaus 212.187.57.51

        ; <<>> DiG 9.3.2-P1 <<>> -t a 51.57.187.212.zen.spamhaus.org
        ;; global options:  printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47175
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;51.57.187.212.zen.spamhaus.org. IN A

        ;; ANSWER SECTION:
        51.57.187.212.zen.spamhaus.org. 1800 IN A 127.0.0.11

        ;; Query time: 168 msec
        ;; SERVER: 192.168.222.10#53(192.168.222.10)
        ;; WHEN: Sat Feb 24 06:48:27 2007
        ;; MSG SIZE rcvd: 64

    This is the output of a simple script that uses the same method used by mailservers to check if the IP address they are about to receive mail from is on a RBL list. An answer in the loopback range 127.x.x.x means it is on such a list.

    PS I am from Holland too, I live in the neighbourhood of 's-Hertogenbosch
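The two techniques in the post above, as an added Python example that is not the poster's own script: a parser that summarises the pf log of outbound port-25 connections per internal host (so that a machine talking to many different mail servers stands out), and a DNSBL lookup built the way a mail server does it, by reversing the octets, appending the list's zone and treating any 127.0.0.0/8 answer as "listed". The pf log lines are the ones quoted in the post; the extra lines for 192.168.222.77, its 192.0.2.x destinations and the flagging threshold are constructed assumptions for this example. The resolver is pluggable so the DNSBL part can be exercised offline.

```python
"""Summarise outbound port-25 connections from a pf log and query a DNSBL.

Added example (not the poster's code).  Log lines are pf/tcpdump output
as quoted in the post; the 192.168.222.77 lines and the threshold in
suspicious_hosts() are constructed for this example.
"""
import ipaddress
import re
import socket
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# One pf log line, e.g.
# "Feb 02 08:29:56.186860 rule 1..23/0(match): pass out on xl0: 10.0.0.200.46741 > 62.251.0.47.25: tcp 0 (DF)"
PF_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule \S+ pass out on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp"
)


@dataclass
class HostStats:
    connections: int = 0
    destinations: Set[str] = field(default_factory=set)


def summarise_outbound_smtp(lines: List[str]) -> Dict[str, HostStats]:
    """Per internal source IP: number of port-25 connections and distinct destination servers."""
    summary: Dict[str, HostStats] = defaultdict(HostStats)
    for line in lines:
        m = PF_LINE.match(line.strip())
        if not m or m.group("dport") != "25":
            continue
        stats = summary[m.group("src")]
        stats.connections += 1
        stats.destinations.add(m.group("dst"))
    return dict(summary)


def suspicious_hosts(summary: Dict[str, HostStats], max_destinations: int = 5) -> List[str]:
    """Hosts contacting at least max_destinations distinct mail servers.

    A normal client sends everything through one or two smarthosts; a spambot
    delivers directly to many MXes.  The threshold of 5 is an assumption.
    """
    return sorted(src for src, s in summary.items() if len(s.destinations) >= max_destinations)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """212.187.57.51 + zen.spamhaus.org -> 51.57.187.212.zen.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def _system_resolve(name: str) -> Optional[str]:
    """Resolve with the system resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip: str, zone: str,
                resolve: Callable[[str], Optional[str]] = _system_resolve) -> Tuple[bool, Optional[str]]:
    """Return (listed?, raw answer).  Listed means an A record inside 127.0.0.0/8.

    An answer outside 127/8 is not a listing; it usually means a broken or
    defunct list, so it is reported but not treated as a hit.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    listed = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    return listed, answer


# Lines quoted in the post, plus constructed lines for a host that behaves like a bot.
SAMPLE_LOG = """\
Jan 31 11:29:43.901527 rule 1..23/0(match): pass out on xl0: 10.0.0.200.4411 > 62.251.0.47.25: tcp 0 (DF)
Feb 01 11:43:03.606101 rule 1..23/0(match): pass out on xl0: 192.168.222.210.11181 > 66.249.93.114.25: tcp 0 (DF)
Feb 01 12:23:38.763041 rule 1..23/0(match): pass out on xl0: 192.168.222.44.14495 > 202.83.166.115.25: tcp 0 (DF) [tos 0x10]
Feb 02 02:34:47.472237 rule 1..23/0(match): pass out on xl0: 192.168.222.210.45094 > 66.249.93.27.25: tcp 0 (DF)
Feb 02 08:29:56.186860 rule 1..23/0(match): pass out on xl0: 10.0.0.200.46741 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 09:36:54.896581 rule 1..23/0(match): pass out on xl0: 10.0.0.200.19573 > 62.251.0.29.25: tcp 0 (DF)
Feb 02 09:53:09.693025 rule 1..23/0(match): pass out on xl0: 10.0.0.200.23579 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 15:44:01.883023 rule 1..23/0(match): pass out on xl0: 10.0.0.200.44940 > 62.251.0.29.25: tcp 0 (DF)
Feb 02 15:55:56.850053 rule 1..23/0(match): pass out on xl0: 10.0.0.200.4480 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 19:53:38.569941 rule 1..23/0(match): pass out on xl0: 10.0.0.200.14084 > 62.251.0.29.25: tcp 0 (DF)
Feb 02 20:05:02.780961 rule 1..23/0(match): pass out on xl0: 10.0.0.200.31082 > 62.251.0.47.25: tcp 0 (DF)
Feb 02 21:27:19.596962 rule 1..23/0(match): pass out on xl0: 192.168.222.210.46381 > 66.249.93.27.25: tcp 0 (DF)
Feb 03 01:22:05.911073 rule 1..23/0(match): pass out on xl0: 10.0.0.200.42254 > 62.251.0.29.25: tcp 0 (DF)
Feb 03 02:10:01.000001 rule 1..23/0(match): pass out on xl0: 192.168.222.77.40001 > 192.0.2.10.25: tcp 0 (DF)
Feb 03 02:10:02.000002 rule 1..23/0(match): pass out on xl0: 192.168.222.77.40002 > 192.0.2.11.25: tcp 0 (DF)
Feb 03 02:10:03.000003 rule 1..23/0(match): pass out on xl0: 192.168.222.77.40003 > 192.0.2.12.25: tcp 0 (DF)
Feb 03 02:10:04.000004 rule 1..23/0(match): pass out on xl0: 192.168.222.77.40004 > 192.0.2.13.25: tcp 0 (DF)
Feb 03 02:10:05.000005 rule 1..23/0(match): pass out on xl0: 192.168.222.77.40005 > 192.0.2.14.25: tcp 0 (DF)
Feb 03 02:10:06.000006 rule 1..23/0(match): pass out on xl0: 192.168.222.77.40006 > 192.0.2.15.25: tcp 0 (DF)
"""

if __name__ == "__main__":
    summary = summarise_outbound_smtp(SAMPLE_LOG.splitlines())
    for src, s in sorted(summary.items()):
        print(f"{src:16} {s.connections:3} connections to {len(s.destinations)} server(s)")
    print("suspicious:", suspicious_hosts(summary))
    # Live lookup (needs network and a resolver the list accepts); NXDOMAIN means not listed.
    print(dnsbl_query_name("212.187.57.51", "zen.spamhaus.org"), dnsbl_check("212.187.57.51", "zen.spamhaus.org"))
```

With the post's own log lines the summary shows 10.0.0.200 making nine connections to two servers and the other two hosts to one or two, none flagged; only the constructed 192.168.222.77, which contacts six different destinations, trips the threshold. The DNSBL query name for the IP in the post comes out as 51.57.187.212.zen.spamhaus.org, matching the dig output above.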