jms1's Achievements


  1. I own the domain "delete.net", and use it as a honeypot: the idea is that any messages sent to an email address in the domain are automatically reported to spamcop, UNLESS they are bounces. The program which decides whether or not a given message is a bounce, and does the spamcop report if not, is a Perl script I have written (and am more than willing to share under the GPL, once I'm happy with how it works.) About a week ago, some (insert expletive of choice) spammer decided to send an entire run of spam with "{random letters}@delete.net" as the forged "From" addresses... and they apparently continue to do so even as we speak. As a result, my server was automatically reporting a lot of auto-responses (autoresponder messages, vacation messages, non-standard bounce messages, etc.) to spamcop and I got my hand slapped for it. Looking through my logs I can see that about 90% of what I had reported over the previous week was in fact not spam. The auto-reporting routine is currently disabled, and all messages which it classifies as spam are going to a folder which I am having to continually check (it receives about 15-20 new messages every hour.) On top of this is the fact that my quick reporting is disabled right now, because I'm in the process of registering mailhosts for the first time, which means I'm having to manually submit every single message. I am working on adding some intelligence to the function which classifies a message as "auto-response" (which is dropped and ignored) or "spam" (which gets reported, and the relevant IP is added to my "rbl.delete.net" blacklist, which I cannot safely recommend that anybody else use at this time.) The idea is that once I reach the point of having no false positives for about a week, I want to turn the auto-reporting routine back on and not have to deal with it anymore.
     I know spamcop's parser searches for certain patterns and refuses to process messages which it considers to be bounces, auto-responses, and other non-spam messages. I'm wondering if it's possible to get a copy of the list they are using... and/or if not, is there anywhere else I could find a reasonably complete list of what to search for as a marker for "automated reply" messages?
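One way to implement the "auto-response or reportable" decision the post asks about, as an added example in Python (not the poster's Perl script): it checks the standard markers first (null envelope sender, RFC 3834 Auto-Submitted, Precedence, RFC 3464 multipart/report) and only then falls back to sender and subject heuristics. The sample messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Header markers a defender can check before reading the body (RFC 3834, RFC 3464, conventions).
BULK_PRECEDENCE = {"bulk", "junk", "list", "auto_reply"}
DAEMON_LOCALPARTS = {"mailer-daemon", "postmaster"}
SUBJECT_RE = re.compile(
    r"out of (the )?office|auto[- ]?repl|automatic reply|undeliver|"
    r"delivery (status|failure)|returned mail|vacation|failure notice", re.I)

def classify(raw):
    """Return ('auto-response', reason) or ('candidate', reason); only candidates get reported."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get("Return-Path") or "").strip() == "<>":
        return ("auto-response", "null envelope sender")
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return ("auto-response", "Auto-Submitted: " + auto)
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return ("auto-response", "Precedence: " + msg["Precedence"].strip())
    if msg.get_content_type() == "multipart/report":
        return ("auto-response", "report-type=" + str(msg.get_param("report-type")))
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if local in DAEMON_LOCALPARTS:
        return ("auto-response", "sent by " + local)
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        return ("auto-response", "subject matches auto-reply pattern")
    return ("candidate", "no auto-response markers")

# Constructed sample messages, not real traffic.
BOUNCE = """From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
Subject: Mail delivery report
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1

The mail system could not deliver your message.
--b1--
"""
VACATION = """From: bob@example.org
Subject: Re: your message
Auto-Submitted: auto-replied

I am away until Monday.
"""
SPAM = "From: promo@example.test\nSubject: Cheap prints today only\n\nBuy now.\n"
```

Anything classified as a candidate still goes to the review folder; the point of the ordered checks is that a forged From address alone never decides the outcome.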
  2. One of the accounts from which I will be reporting spam is handled by an ISP whose MX record points to one name which resolves to multiple IP addresses. I've done the test message several times now, in an attempt to gather the server IPs, but as yet it's only picking up one of the IP addresses. I have manually inspected the headers of the messages being sent to me and they are being processed by the other servers. My question is this: should I have to keep trying the test messages over and over until the IP list is populated with all of the IP addresses of their servers? And will I have to re-register the mailhost every time they add a new server to their pool? Or is just having the shared name on the "names" list good enough, and the parser will recognize any of the IPs which that name points to as valid mailhosts for my reporting account? Would it help to change from a single MX record to multiple equal-priority MX records pointing to the individual machines? If so, I can have them do this (I built the servers involved and still assist them with various issues on a consulting basis.) The ISP in this case is kua.net, if somebody wants to check the DNS records to verify what I'm describing here. They currently have two servers in the pool and are in the process of upgrading the others (there are four altogether.)
  3. I own two domain names which are no longer used for their original purposes, and have not been for several years. One of them is "delete.net", which has long been a favourite of spammers who want to look like they include a way to stop the flow of pink stuff. If you visit www.delete.net you will see that I have written a page which explains more about the situation. It also explains the fact that any email sent to any "xxx@delete.net" address will cause the sending IP address to be added to the "rbl.delete.net" blacklist, which my server uses (along with spamcop and njabl) as an IP-based filter against spam. The RBL is updated every five minutes. I set up the auto-blacklist functions back in January, and it has caught over 24,000 IP addresses since then. A search of the database shows 151 IPs being blocked within the range, and a massive grep through the messages themselves (yes, I have every one of them archived in case a question comes up) shows 530 messages which originated from this IP block (and none from the others on the original list.) I still need to check each one to verify that they are spam, but there is very little doubt in my mind that every one will prove to be spam. I've already eyeballed the first 20 or so and they're all spam, sent to email addresses which do not exist, and from which I (who have always been the registrant of both domain names) have never requested anything, advertisements or otherwise. I am more than happy to submit these messages as evidence; however, I'm not sure how much paper it's going to take to print out these emails... my printer is already looking at me with this really hateful look in its eye (it's an HP-1100 and the "big button" kinda looks like an eye, work with me here...)