On Thu, 6 Mar 2003 [EMAIL PROTECTED] wrote:

> Sorry I forgot to quote headers:
> I supposed that everybody in the list would receive it!
> It was sent through Arachne.
> Isn't it ?

  Probably.  I may not have seen it if procmail and/or 
SpamAssassin recognized it for what it is and sent it to 
/dev/null.  newskies.net does sound familiar though, so I 
may have seen it in the spam file and either reported and 
deleted, or simply deleted... depends on what kind of mood 
I was in.
 
> ***************
> 
> X-Track: 1: 100
> Return-Path: <[EMAIL PROTECTED]>
> Received: from 212.24.129.58  (EHLO ns.arachne.cz) (212.24.129.58)
>   by mta530.mail.yahoo.com with SMTP; 05 Mar 2003 03:39:11 -0800 (PST)
> Received: from okey61083.com (63-109-249-173.reverse.newskies.net
> [63.109.249.173])
>  by ns.arachne.cz (8.12.8/8.12.6) with SMTP id h25BFhmk002940
>  for <[EMAIL PROTECTED]>; Wed, 5 Mar 2003 12:15:45 +0100
> Message-Id: <[EMAIL PROTECTED]>
> From: "Mohammed Abacha" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Wed, 5 Mar 2003 12:15:43 +0100
> 
> *******
> 
> I did some basic WHOIS search.
> 
> "from okey61083.com (63-109-249-173.reverse.newskies.net [63.109.249.173])"
> 
> To be sincere I won't doubt immediately of something being (or resembling)
> a NL domain! (the fully qualified domain, not the canonical name CNAME)

  First, the part outside the [square brackets] can easily 
be forged.  I check to see if it is:

-----
$ host 63.109.249.173
173.249.109.63.in-addr.arpa domain name pointer 63-109-249-173.reverse.newskies.net
-----

  Not forged. 

  Then, I like to see how big the IP block is.

-----
$ whois [EMAIL PROTECTED]
[whois.arin.net]
New Skies Satellites N.V. UU-63-109-240 (NET-63-109-240-0-1) 
                                  63.109.240.0 - 63.109.255.255
BT Limited BT-LIMITED (NET-63-109-249-160-1) 
                                  63.109.249.160 - 63.109.249.191
UUNET Technologies, Inc. UUNET63 (NET-63-64-0-0-1) 
                                  63.64.0.0 - 63.127.255.255
-----

  If the IP block is very small, say a single class C or 
smaller, I'll often report to the abuse address at the 
domain, as well as CC: the abuse address next up on the 
chain. 

> Should I report to the above message code?  to [EMAIL PROTECTED]

  Check at http://abuse.net/lookup.phtml
They have an extensive database of abuse reporting 
addresses.  You'll see the abuse address for this domain is 
[EMAIL PROTECTED]

  If it's not in the abuse.net database, the registry info 
often has an abuse address.

  And yes, reporting spam often does some good.  Here's the 
latest positive reply I got:

---------- Forwarded Abuse Reply ----------
>From [EMAIL PROTECTED] Thu Mar  6 21:19:08 2003
Date: Wed, 5 Mar 2003 14:58:10 +0100 (CET)
From: Richard van der Tweel <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: In response to your complaint about spam from 193.67.179.110


Hello,

Thank you for your report concerning Spam/UCE relayed
through the mailserver with this IP-address.

This open-relay has been closed.


PS Complaining about spam is very useful for us and it does get
many spam/relay problems solved. Relatively few people complain
about spam. If it is not reported, it won't get noted and solved.
Please keep on sending those complaints if you get spam!


Best Regards,

--
  Richard van der Tweel
- WorldCom SE/NL Abuse Team <[EMAIL PROTECTED]>
---------- End Forwarded Message ---------


  So, it actually *does* do some good sometimes.  There'll 
always be more spammers, and more open relays, but the more 
we can close down, the better. 

-- 
Steve Ackman
http://twoloonscoffee.com       (Need green beans?)
http://twovoyagers.com          (glass, linux & other stuff)
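
Added example (not part of the original message): the two header checks described in the reply above, run offline in Python against the Received line and WHOIS ranges quoted in the message. The PTR table stands in for a live `host` lookup, and all function names are hypothetical.

```python
import ipaddress
import re

# Received line and WHOIS ranges copied from the message above.
RECEIVED = ("from okey61083.com (63-109-249-173.reverse.newskies.net "
            "[63.109.249.173]) by ns.arachne.cz (8.12.8/8.12.6) with SMTP")
WHOIS_RANGES = [
    ("New Skies Satellites N.V.", "63.109.240.0", "63.109.255.255"),
    ("BT Limited", "63.109.249.160", "63.109.249.191"),
    ("UUNET Technologies, Inc.", "63.64.0.0", "63.127.255.255"),
]
# PTR answer as shown by `host` in the message; a table so this runs offline.
PTR = {"63.109.249.173": "63-109-249-173.reverse.newskies.net"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)")

def parse_received(line):
    """Split a sendmail-style Received line into HELO name, rDNS name, peer IP."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("unrecognised Received format")
    return m.group("helo"), m.group("rdns"), ipaddress.ip_address(m.group("ip"))

def rdns_matches(rdns, ip, ptr_table):
    """True when the name in the header equals the PTR record for the IP."""
    ptr = ptr_table.get(str(ip))
    if ptr is None or rdns is None:
        return False
    return ptr.rstrip(".").lower() == rdns.rstrip(".").lower()

def allocation_chain(ip, ranges):
    """Allocations containing ip, smallest first: (owner, size, size <= 256)."""
    chain = []
    for owner, first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo <= ip <= hi:
            size = int(hi) - int(lo) + 1
            chain.append((owner, size, size <= 256))
    return sorted(chain, key=lambda row: row[1])

if __name__ == "__main__":
    helo, rdns, ip = parse_received(RECEIVED)
    print("HELO (sender-supplied):", helo)
    print("rDNS matches PTR:", rdns_matches(rdns, ip, PTR))
    for owner, size, small in allocation_chain(ip, WHOIS_RANGES):
        note = "class C or smaller" if small else ""
        print(f"{size:>8} addresses  {owner}  {note}")
```

The smallest allocation comes first, so the first row is the owner to report to and the following rows are the addresses "next up on the chain" to CC.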

