---------- Forwarded Message ----------
Return-Path: wlug-admin@mail.wlug.org
Received: from paramount.ind.wpi.edu (root@paramount.ind.WPI.EDU [130.215.24.199]) by acestes-fe0.ultra.net (8.8.8/ult/n26500/mtc.v2) with ESMTP id HAA01415; Sun, 30 Jun 2002 07:06:22 -0400 (EDT)
Received: from paramount.ind.WPI.EDU (IDENT:mailman@localhost [127.0.0.1]) by paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB1Tn02769; Sun, 30 Jun 2002 07:01:29 -0400
Received: from smtp.WPI.EDU (root@smtp.WPI.EDU [130.215.24.62]) by paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB0En02743 for <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:00:14 -0400
Received: from chat.ru ([194.143.190.11]) by smtp.WPI.EDU (8.12.5/8.12.5) with SMTP id g5UB46wx028128 for <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:04:07 -0400 (EDT)
Message-Id: <200206301104.g5UB46wx028128@smtp.WPI.EDU>
From: "Arcady 28412" <MAILER-DAEMON8898@chat.ru>
To: <wlug@mail.wlug.org>
X-Priority: 3
X-Mailer: The Bat! (v1.54d)
Date: Sun, 30 Jun 2002 15:06:57 +0400
Mime-Version: 1.0
Content-Type: text/html; charset="ISO-8859-2"
X-UIDL: ae92ef1fea768b8ce77d61b44fbde8c9
Status: R
X-Status: N
X-Warning: zoxjCpdlo1zoxj1ruj@30577
Subject: [Wlug] Real ZOO web site, welcome! <zoxjCpdlo1zoxj1ruj>
Sender: wlug-admin@mail.wlug.org
Errors-To: wlug-admin@mail.wlug.org
X-BeenThere: wlug@mail.wlug.org
X-Mailman-Version: 2.0beta5
Precedence: bulk
Reply-To: wlug@mail.wlug.org
List-Id: Worcester Linux Users Group <wlug.mail.wlug.org>
<html> <!--12405--> <body text="#000000" bgcolor="#FFFFFF"> I got your email from ICQ, may be it will be interested?<br> The BEST zoo site on the @net! 
<br> <!--14853--> Sex With Dogs<br> Horse Blow Jobs.<br> <!--16187--> Snake Fuck.<br> <a href="http://rol.rape-sexy.com/?refid=zoxjCpdlo1zoxj1ruj">REAL ANIMAL FUCKING!</a><br> <b>100% HARDCORE!<br> <!--28424--> <a href="http://rol.rape-sexy.com/?refid=zoxjCpdlo1zoxj1ruj">rol.rape-sexy.com</a><br> <hr> <i><a href="http://rol.rape-sexy.com/unsub.cgi?em=wlug@mail.wlug.org">unsub</a></i><br> Good luck.<br><br> <!--16071--> </body></html>
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
-------------------------------------------------------
And now I just received this same spam... Indeed it did come through wlug. We could prevent this sort of thing by only allowing subscribers of the list to post to the list. How does everyone feel about that?
I usually look up the IP address in the Received line of the most trusted mail server (usually the one closest to the destination, in this case smtp.wpi.edu). Don't rely on the hostname, always use the bracketed IP address, and look it up in the ARIN whois database:
Received: from chat.ru ([194.143.190.11]) by smtp.WPI.EDU (8.12.5/8.12.5) with SMTP id g5UB46wx028128
whois 194.143.190.11@whois.arin.net
This reveals that the owner of that IP address isn't in the Americas (ARIN), but in Europe (RIPE), so you have to look it up again. (For Asian hosts look it up again in APNIC, whois.apnic.net):
whois 194.143.190.11@whois.ripe.net
For RIPE hosts, I usually complain to the admin-c: and tech-c: e-mail: addresses:
jonr@hedgehognet.co.uk noc@uk.xo.com tc@uk.concentric.com
In this case, the e-mail addresses don't look like generic abuse contacts, so I tried abuse@ their domains first:
abuse@hedgehognet.co.uk abuse@uk.xo.com abuse@uk.concentric.com
(For virus e-mails I use security@domain.)
If those bounce, then I'll try the real e-mail addresses.
On Sun, Jun 30, 2002 at 10:44:04AM -0400, Gregory Avedissian wrote:
avedis> Return-Path: wlug-admin@mail.wlug.org
avedis> Received: from paramount.ind.wpi.edu (root@paramount.ind.WPI.EDU
avedis> [130.215.24.199]) by acestes-fe0.ultra.net (8.8.8/ult/n26500/mtc.v2) with
avedis> ESMTP id HAA01415; Sun, 30 Jun 2002 07:06:22 -0400 (EDT)
avedis> Received: from paramount.ind.WPI.EDU (IDENT:mailman@localhost [127.0.0.1])
avedis> by paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB1Tn02769;
avedis> Sun, 30 Jun 2002 07:01:29 -0400
avedis> Received: from smtp.WPI.EDU (root@smtp.WPI.EDU [130.215.24.62])
avedis> by paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB0En02743
avedis> for <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:00:14 -0400
avedis> Received: from chat.ru ([194.143.190.11])
avedis> by smtp.WPI.EDU (8.12.5/8.12.5) with SMTP id g5UB46wx028128
avedis> for <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:04:07 -0400 (EDT)
avedis> Message-Id: <200206301104.g5UB46wx028128@smtp.WPI.EDU>
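
The walk described in the message above, as an added Python example that is not part of the original thread: it steps down the Received chain of the forwarded message and returns the first bracketed peer IP that is not a known relay, so a forged line further down is never reached. The trusted-relay set and the function names are assumptions made for this illustration; the topmost line is taken to be written by the reader's own mail server.

```python
import ipaddress
import re
from email import message_from_string

# Received chain copied from the forwarded message above (other headers omitted).
SAMPLE = """\
Received: from paramount.ind.wpi.edu (root@paramount.ind.WPI.EDU [130.215.24.199])
\tby acestes-fe0.ultra.net (8.8.8/ult/n26500/mtc.v2) with ESMTP id HAA01415;
\tSun, 30 Jun 2002 07:06:22 -0400 (EDT)
Received: from paramount.ind.WPI.EDU (IDENT:mailman@localhost [127.0.0.1])
\tby paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB1Tn02769;
\tSun, 30 Jun 2002 07:01:29 -0400
Received: from smtp.WPI.EDU (root@smtp.WPI.EDU [130.215.24.62])
\tby paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB0En02743
\tfor <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:00:14 -0400
Received: from chat.ru ([194.143.190.11])
\tby smtp.WPI.EDU (8.12.5/8.12.5) with SMTP id g5UB46wx028128
\tfor <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:04:07 -0400 (EDT)
Subject: (omitted)

"""

# Assumption: the reader trusts these relays; the addresses come from the lines above.
TRUSTED_RELAY_IPS = {"130.215.24.199", "127.0.0.1", "130.215.24.62"}

HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Split one Received value into claimed name, bracketed IP and recording host."""
    m = HOP_RE.match(" ".join(value.split()))      # undo header folding first
    ip = IP_RE.search(m.group("peer")) if m else None
    if ip is None:
        return None
    try:
        addr = str(ipaddress.ip_address(ip.group(1)))
    except ValueError:                              # e.g. [999.1.1.1]
        return None
    return {"helo": m.group("helo"), "ip": addr, "by": m.group("by").lower()}

def injection_point(raw, trusted_ips):
    """Walk newest to oldest; stop at the first peer IP that is not a trusted relay."""
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_hop(value)
        if hop is None:
            return None        # unparseable hop: nothing below it can be vouched for
        if hop["ip"] not in trusted_ips:
            return hop         # recorded by a trusted server; "helo" is only a claim
    return None                # every hop was internal

if __name__ == "__main__":
    hop = injection_point(SAMPLE, TRUSTED_RELAY_IPS)
    print("whois %s@whois.arin.net   # claimed name: %s" % (hop["ip"], hop["helo"]))
```
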
Thanks, Charles. If we don't normally get serious email from people off the list, then it seems reasonable for us to only allow list members to post. I assumed that's how it already was.
Greg
Charles R. Anderson wrote:
And now I just received this same spam... Indeed it did come through wlug. We could prevent this sort of thing by only allowing subscribers of the list to post to the list. How does everyone feel about that?
I usually look up the IP address in the Received line of the most trusted mail server (usually the one closest to the destination, in this case smtp.wpi.edu). Don't rely on the hostname, always use the bracketed IP address, and look it up in the ARIN whois database:
Received: from chat.ru ([194.143.190.11]) by smtp.WPI.EDU (8.12.5/8.12.5) with SMTP id g5UB46wx028128
whois 194.143.190.11@whois.arin.net
This reveals that the owner of that IP address isn't in the Americas (ARIN), but in Europe (RIPE), so you have to look it up again. (For Asian hosts look it up again in APNIC, whois.apnic.net):
whois 194.143.190.11@whois.ripe.net
For RIPE hosts, I usually complain to the admin-c: and tech-c: e-mail: addresses:
jonr@hedgehognet.co.uk noc@uk.xo.com tc@uk.concentric.com
In this case, the e-mail addresses don't look like generic abuse contacts, so I tried abuse@ their domains first:
abuse@hedgehognet.co.uk abuse@uk.xo.com abuse@uk.concentric.com
(For virus e-mails I use security@domain.)
If those bounce, then I'll try the real e-mail addresses.
On Sun, Jun 30, 2002 at 10:44:04AM -0400, Gregory Avedissian wrote:
avedis> Return-Path: wlug-admin@mail.wlug.org
avedis> Received: from paramount.ind.wpi.edu (root@paramount.ind.WPI.EDU
avedis> [130.215.24.199]) by acestes-fe0.ultra.net (8.8.8/ult/n26500/mtc.v2) with
avedis> ESMTP id HAA01415; Sun, 30 Jun 2002 07:06:22 -0400 (EDT)
avedis> Received: from paramount.ind.WPI.EDU (IDENT:mailman@localhost [127.0.0.1])
avedis> by paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB1Tn02769;
avedis> Sun, 30 Jun 2002 07:01:29 -0400
avedis> Received: from smtp.WPI.EDU (root@smtp.WPI.EDU [130.215.24.62])
avedis> by paramount.ind.wpi.edu (8.11.6/8.11.6) with ESMTP id g5UB0En02743
avedis> for <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:00:14 -0400
avedis> Received: from chat.ru ([194.143.190.11])
avedis> by smtp.WPI.EDU (8.12.5/8.12.5) with SMTP id g5UB46wx028128
avedis> for <wlug@mail.wlug.org>; Sun, 30 Jun 2002 07:04:07 -0400 (EDT)
avedis> Message-Id: <200206301104.g5UB46wx028128@smtp.WPI.EDU>
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
On Sun, Jun 30, 2002 at 11:32:14AM -0400, Charles R. Anderson wrote:
And now I just received this same spam... Indeed it did come through wlug. We could prevent this sort of thing by only allowing subscribers of the list to post to the list. How does everyone feel about that?
It's fine by me. Alternately, if we don't want to go that route, I've developed a small set of tools (procmail/some perl/spamassassin) to filter out spam from mailing lists. It was written for use with majordomo, but it's generic enough that it should work with most any mailing list software. One of these days I'll actually finish the article I was writing about it. :|
It doesn't catch 100% of the spam, but it does catch the vast majority, including the one that got through. I'd be happy to share for the wlug list if interested.
--
Randomly Generated Tagline: When will I learn? The answers to life's problems aren't at the bottom of a bottle. They're on TV! -- Homer Simpson There's No Disgrace Like Home
On Sunday 30 June 2002 1:03 pm, Theo Van Dinter wrote:
On Sun, Jun 30, 2002 at 11:32:14AM -0400, Charles R. Anderson wrote:
And now I just received this same spam... Indeed it did come through wlug. We could prevent this sort of thing by only allowing subscribers of the list to post to the list. How does everyone feel about that?
I think it is perfectly reasonable to limit posting to the list to list members only. I would prefer not to have to do that, but I really don't want the spam.
Hypothetically speaking, what stops folks like this from subscribing, posting their garbage, and then unsubscribing? Are the spam generating robots that smart?
I knew this would happen eventually. Perhaps we should consider ourselves lucky that it hasn't been more prevalent. Hopefully, Chuck and others can track this down and get it stopped (at least at this one source). Thanks - your efforts are appreciated!
Later,
Andy
--
Andy Stewart, Founder
Worcester Linux Users' Group
Worcester, MA USA
http://www.wlug.org
I 2nd or 4th or whatever that you limit posters to list members. It works well on every other mailing list that I've used.
On Sun, 30 Jun 2002, Andy Stewart wrote:
On Sunday 30 June 2002 1:03 pm, Theo Van Dinter wrote:
On Sun, Jun 30, 2002 at 11:32:14AM -0400, Charles R. Anderson wrote:
And now I just received this same spam... Indeed it did come through wlug. We could prevent this sort of thing by only allowing subscribers of the list to post to the list. How does everyone feel about that?
I think it is perfectly reasonable to limit posting to the list to list members only. I would prefer not to have to do that, but I really don't want the spam.
Hypothetically speaking, what stops folks like this from subscribing, posting their garbage, and then unsubscribing? Are the spam generating robots that smart?
I knew this would happen eventually. Perhaps we should consider ourselves lucky that it hasn't been more prevalent. Hopefully, Chuck and others can track this down and get it stopped (at least at this one source). Thanks - your efforts are appreciated!
Later,
Andy
-- ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø Karl Hiramoto <karl@hiramoto.org> Work: 978-425-2090 ext 25 Cell: 508-517-4819 Personal web page: http://karl.hiramoto.org/ Zoop Productions: http://www.zoop.org/ KTEQ Rapid City: http://www.kteq.org/ AOL IM ID = KarlH420 Yahoo_IM = karl_hiramoto ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø A fail-safe circuit will destroy others. -- Klipstein
Do you have a project created for this software? Distribute it? I have a spam problem @ work. Looking into solutions. I looked at maps rbl http://mail-abuse.org/rbl/ not sure on using it in a production environment though (where the most spam goes to)
My main worry is someone sending e-mail to sales@company.com and it getting rejected, and company.com loses a sale. Is this an issue?
On Sun, 30 Jun 2002, Theo Van Dinter wrote:
It's fine by me. Alternately, if we don't want to go that route, I've developed a small set of tools (procmail/some perl/spamassassin) to filter out spam from mailing lists. It was written for use with majordomo, but it's generic enough that it should work with most any mailing list software. One of these days I'll actually finish the article I was writing about it. :|
It doesn't catch 100% of the spam, but it does catch the vast majority, including the one that got through. I'd be happy to share for the wlug list if interested.
-- ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø Karl Hiramoto <karl@hiramoto.org> Work: 978-425-2090 ext 25 Cell: 508-517-4819 Personal web page: http://karl.hiramoto.org/ Zoop Productions: http://www.zoop.org/ KTEQ Rapid City: http://www.kteq.org/ AOL IM ID = KarlH420 Yahoo_IM = karl_hiramoto ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø A fail-safe circuit will destroy others. -- Klipstein
Karl Hiramoto said:
Do you have a project created for this software? Distribute it? I have a spam problem @ work. Looking into solutions. I looked at maps rbl http://mail-abuse.org/rbl/ not sure on using it in a production environment though (where the most spam goes to)
My main worry is someone sending e-mail to sales@company.com and it getting rejected, and company.com loses a sale. Is this an issue?
If you feel it might be an issue, I'm sure it'd be a simple matter to "hold" the messages instead of rejecting them. Mailman supports a similar feature, iirc. (that is being able to hold certain messages for moderator approval)
--
Aaron Haviland
orion [at] tribble [dot] dyndns [dot] org
orion [at] parsed [dot] net
Release the Mongoose!
On Sun, Jun 30, 2002 at 10:38:24PM -0400, Karl Hiramoto wrote:
Do you have a project created for this software? Distribute it? I have a spam problem @ work. Looking into solutions. I looked at maps rbl http://mail-abuse.org/rbl/ not sure on using it in a production environment though (where the most spam goes to)
No, since it's mainly SpamAssassin with a little bit of procmail frosting and a small perl script on top. I was planning to just make it all available with the perpetually unfinished article I'm working on. (It doesn't help that there were 2.5 new versions of SA released since I started writing it ... <grrrr> ;) )
My main worry is someone sending e-mail to sales@company.com and it getting rejected, and company.com loses a sale. Is this an issue?
Well, that's the difference between a filter like SpamAssassin and a blacklist like the RBL. Personally, I use several blacklists for open-relays at the SMTP level, since it's unusual to have a false-positive from an open-relay test (depending on the test of course).
For a company, I would use a filter (like SA) and just let it mark up likely spam. You can then leave it up to the users to decide what they want to do with it. (SA adds headers indicating how likely a message is to be spam (the score/number of hits), and what tests matched a given message.)
Anything else that makes it through to delivery goes through SpamAssassin. Spam gets sorted into a separate mail folder, and I then go through it and report the spammers, etc. There's some information about what I do for general filtering at:
http://www.kluge.net/mailfiltering/
--
Randomly Generated Tagline: "And that's the success of Windows-it's mediocre, but it's easy." - Linus Torvalds
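
An added Python example (not the tools mentioned in the thread and not part of it) of the tag-and-sort approach described above: it reads the score and matched tests from SpamAssassin's X-Spam-Status header and files the message, never rejecting it. The header layout, the folder names and the sample message are assumptions made for this illustration, and the rule names are constructed.

```python
import re
from email import message_from_string

# Layout assumed: "X-Spam-Status: Yes, hits=N required=M tests=A,B ..."
# (newer SpamAssassin releases write score= instead of hits=).
STATUS_RE = re.compile(
    r"^(?P<flag>yes|no),(?:hits|score)=(?P<score>-?\d+(?:\.\d+)?) "
    r"required=(?P<required>-?\d+(?:\.\d+)?)(?: tests=(?P<tests>\S*))?", re.I)

# Constructed sample: a folded header on mail to the address from the thread.
TAGGED = """\
From: sender@example.com
To: sales@company.com
X-Spam-Status: Yes, hits=11.4 required=5.0
\ttests=CONSTRUCTED_RULE_A,CONSTRUCTED_RULE_B,
\tCONSTRUCTED_RULE_C version=0.0
Subject: constructed sample

body
"""

def read_verdict(raw):
    """Return the filter's verdict for one message, or None if it is untagged.

    Only meaningful when your own filter wrote the header.
    """
    status = message_from_string(raw).get("X-Spam-Status")
    if status is None:
        return None
    # Undo header folding, then close the gaps folding leaves after commas.
    flat = re.sub(r",\s+", ",", " ".join(status.split()))
    m = STATUS_RE.match(flat)
    if m is None:
        return None
    tests = [t for t in (m.group("tests") or "").split(",")
             if t and t.lower() != "none"]
    return {"spam": m.group("flag").lower() == "yes",
            "score": float(m.group("score")),
            "required": float(m.group("required")),
            "tests": tests}

def route(raw):
    """Tag-and-sort: every message is delivered to a folder, nothing bounces."""
    verdict = read_verdict(raw)
    if verdict is None:
        return "inbox"             # fail open: untagged mail is never lost
    return "likely-spam" if verdict["spam"] else "inbox"
```
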
This would be an excellent meeting topic!
On Tue, 2 Jul 2002, Theo Van Dinter wrote:
On Sun, Jun 30, 2002 at 10:38:24PM -0400, Karl Hiramoto wrote:
Do you have a project created for this software? Distribute it? I have a spam problem @ work. Looking into solutions. I looked at maps rbl http://mail-abuse.org/rbl/ not sure on using it in a production environment though (where the most spam goes to)
No, since it's mainly SpamAssassin with a little bit of procmail frosting and a small perl script on top. I was planning to just make it all available with the perpetually unfinished article I'm working on. (It doesn't help that there were 2.5 new versions of SA released since I started writing it ... <grrrr> ;) )
My main worry is someone sending e-mail to sales@company.com and it getting rejected, and company.com loses a sale. Is this an issue?
Well, that's the difference between a filter like SpamAssassin and a blacklist like the RBL. Personally, I use several blacklists for open-relays at the SMTP level, since it's unusual to have a false-positive from an open-relay test (depending on the test of course).
For a company, I would use a filter (like SA) and just let it mark up likely spam. You can then leave it up to the users to decide what they want to do with it. (SA adds headers indicating how likely a message is to be spam (the score/number of hits), and what tests matched a given message.)
Anything else that makes it through to delivery goes through SpamAssassin. Spam gets sorted into a separate mail folder, and I then go through it and report the spammers, etc. There's some information about what I do for general filtering at:
-- ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø Karl Hiramoto <karl@hiramoto.org> Work: 978-425-2090 ext 25 Cell: 508-517-4819 Personal web page: http://karl.hiramoto.org/ Zoop Productions: http://www.zoop.org/ KTEQ Rapid City: http://www.kteq.org/ AOL IM ID = KarlH420 Yahoo_IM = karl_hiramoto ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø It's not so hard to lift yourself by your bootstraps once you're off the ground. -- Daniel B. Luten
On Tuesday 02 July 2002 3:18 pm, Karl Hiramoto wrote:
This would be an excellent meeting topic!
I agree. If someone is willing to present this topic at a future WLUG meeting, let me know!
Later,
Andy
--
Andy Stewart, Founder
Worcester Linux Users' Group
Worcester, MA USA
http://www.wlug.org
On Tue, Jul 02, 2002 at 11:27:14PM -0400, Andy Stewart wrote:
andystewart> On Tuesday 02 July 2002 3:18 pm, Karl Hiramoto wrote:
andystewart> > This would be an excellent meeting topic!
andystewart>
andystewart> I agree. If someone is willing to present this topic at a future WLUG
andystewart> meeting, let me know!
Theo, you know you want to do this July 17th so Lee can be at the Wireless one the next month :)
--
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886 Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
On Tue, Jul 09, 2002 at 03:37:37PM -0400, Charles R. Anderson wrote:
Theo, you know you want to do this July 17th so Lee can be at the Wireless one the next month :)
Actually I was planning on August for the spam thing since July is a fairly hectic month for me. :| Maybe we should combine presentations and talk about wireless spam? (I deal with spam that way all the time at home...) ;)
--
Randomly Generated Tagline: "The highest patriotism is not a blind acceptance of official policy, but a love of one's country deep enough to call her to a higher standard." - George McGovern
participants (7)
- Aaron Haviland
- Andy Stewart
- avedis@ma.ultranet.com
- Charles R. Anderson
- Gregory Avedissian
- Karl Hiramoto
- Theo Van Dinter