PhilS32767 Posted May 3, 2004 Posted May 3, 2004 I enabled Mailhosts yesterday -- so far so good. I notice now that the parser identifies the first IP in the Received: header chain *beyond* my registered mail hosts as the point of origin of the spam (as expected), and labels all subsequent Received: headers as probable forgeries. At first I wondered about this, because some of the Received: headers discarded as untrustworthy look quite plausible: the "by" IP address matches the "from" IP address of the preceding Received: header in the chain, and the "from" IP address looks at minimum well-formed. But even supposing those headers were legitimate, it makes sense to report that first IP address beyond the chain of registered mail hosts -- because if it isn't the source, then it is a relay. Most often, when there are plausible-looking Received: headers after that first IP address beyond the chain of registered mail hosts, that first IP address is in the namespace of one of the big broadband ISPs. Which means that that first IP address may well be a Trojan-infected subscriber's PC. My only question is this: how are the major ISPs responding to those reports? Is it clear to them, when they get such reports, that what has been identified might be a Trojan-infected subscriber's PC? Are they by and large willing to take steps to disinfect or at least disconnect such Trojan-infected PCs? I think that is critical. If we don't succeed in identifying and shutting down or cleaning up as many such Trojan-infected PCs as possible, the spammers will win, because they will have a never-ending supply of anonymizing relay points.
Wazoo Posted May 3, 2004 Posted May 3, 2004 news://news.spamcop.net - many threads on this topic, COMCAST is at the top of the list ... Google for spamhaus, ROKSO, SPEWS, NANAE .... There are ISPs that take immediate action, there are those that do squat ...
PhilS32767 Posted May 3, 2004 Author Posted May 3, 2004 This is really a matter of making sure that the reports that Spamcop generates identify disinfecting or disconnecting subscriber PCs that have been infected by Trojans and are functioning as unwitting open relays as the required action to take. -- Phil
Wazoo Posted May 3, 2004 Posted May 3, 2004 The next time you verify an outgoing report, check the "Preview Reports" button ... you'll see the outgoing report, IP or URL, and specific data as to why, what, etc .... recipient ISP has a number of links to follow up on if more data is required/desired.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.